Legal guide for companies to transfer data to the US safely

Isabel Martínez and María Zarzalejos present in Cinco Días a legal guide for companies to transfer data to the U.S. safely after the European Union Court of Justice ruling that invalidated the Privacy Shield, an agreement between the U.S. and the EU to regulate data transfers between both territories.

In July this year, the European Court of Justice (ECJ) issued a ruling invalidating the Privacy Shield, the agreement between the US and the EU to regulate data transfers between the two territories. The Community judges considered that the system did not comply with the guarantees required by the General Data Protection Regulation (GDPR). 

The ruling created a complicated scenario for many Spanish companies. "At first there was a lot of concern, since a large number of companies have their servers at US entities", recalls María Zarzalejos, associate in the Andersen privacy area. No wonder: data protection infringements carry fines of up to 20 million euros, or 4% of the company's global turnover in the most serious cases.

So, what must organisations do to make data transfers legitimate? "To begin with, they should contact the servers to cancel the transfer of information to the United States," she advises. In this sense, shortly after the ruling was published, technological giants such as Amazon, Google and Apple announced that they were going to transfer the information coming from European companies to their servers located on the continent.

Standard clauses

Another legal route is standard contract clauses, or SCCs, to use the English acronym. This legal instrument allows international transfers to be made with guarantees, by signing a contract between the exporter and importer of the data by which the latter undertakes to process the information in compliance with European regulations.

In its ruling, the European court confirmed the validity of these clauses, although it qualified that the person responsible must make a prior assessment of the content of the SCC to ensure that a level of protection equivalent to that established in the GDPR is maintained.

In this regard, the European Data Protection Board (EDPB) has issued several documents in which it specifies that the analysis must cover everything from the specific circumstances of the transfer to the legal regime applicable in the importing country.

In other words, the entities must assess whether the legislation or practice of the country receiving the information could constitute an obstacle to compliance with the privacy obligations. If this is the case, the European body advises adopting extra safeguards.

Proactive attitude

Isabel Martínez, director of the privacy area at Andersen, stresses that companies must comply with "the principle of accountability". In other words, they must show a proactive attitude and implement any additional measures they deem appropriate to comply with European regulations. Likewise, they must monitor the decisions taken "to ensure that international data transfers are being carried out correctly", the legal expert states.

Although the European bodies have shed some light with their recommendations, the truth is that companies do not have it easy. After all, reviewing SCCs is a very thorough job that requires extra effort from the entities.

In this regard, Zarzalejos is optimistic and rules out the possibility that the data protection authorities will sanction companies that continue to transfer data to the United States, "provided they show a proactive attitude and have analysed the standard contractual clauses".

In any event, the lawyer recommends avoiding signing new contracts or carrying out operations that involve the transfer of personal data to the United States, opting instead for platforms based in European countries "where the GDPR is also applicable".

The full article can be read in Cinco Días.