The State of EU-US Data Transfer Mechanisms in 2023

Since 2000 regulators have tried to keep an EU-US data transfer mechanism in place. From 2000-2015 it was Safe Harbor. From 2016 until 2020 it was Privacy Shield. And now through the EU-US Data Privacy Framework, the US is once again deemed as adequate for data transfers by the EU.

Despite taking different approaches to data protection in each region, there’s a desire to cooperate from both sides of the Atlantic. That’s because the “European Union and the United States have the largest bilateral trade and investment relationship and enjoy the most integrated economic relationship in the world,” according to the EU.

And, “The transatlantic relationship is a key feature of the overall global economy and trade flows. For most countries, either the EU or the US is the largest trade and investment partner.”

Businesses in the EU and US have a constant need to transfer data across borders. This includes information about users as well as employees. Trade between these nations directly supports 9.4 million jobs and indirectly 16 million jobs.

Additionally, as society becomes more digital, the number of vendors and third party service providers continues to increase. These partnerships often rely on data transfers, or in other words, information sharing, to achieve desired outcomes.

Examples of Non-Obvious Data Transfers from the EU to the US

EU-US data transfers can be tricky due to different regulations and individual protections in each country. Sharing data has become such a normal part of business operations that some may not even realize they’re conducting a cross border data transfer. Below are just a few of the many possible data transfer examples.

• Storing data in a cloud service provider located in the US, where the personal information of EU individuals is uploaded and stored.
• Sending emails containing personal data to recipients or email servers located in the US.
• Allowing employees located in the US to access and process personal data originating from the EU.
• Using a CRM platform hosted in the US to store and manage customer data originating from the EU.
• Replicating and storing data backups in servers located in the US.
• Transferring personal data to social media platforms headquartered in the US when individuals from the EU use these platforms.
• Utilizing analytics tools or trackers hosted in the US that collect and process data from EU visitors on websites or mobile applications.
• Employing SaaS solutions hosted in the US that involve processing personal data originating from the EU.
• Using HR management platforms hosted in the US that handle the personal data of EU employees or job applicants.

What Data Transfer Methods from the EU Exist?

After Privacy Shield was invalidated in 2020, businesses had to use other EU-US data transfer mechanisms. Chapter 5 of the GDPR is dedicated to transfers of personal data to third countries or international organizations and Articles 44 – 50 explain the authorized data transfer methods.

EU Transfers on the Basis of an Adequacy Decision

Adequacy decisions are made by the European Commission about transferring data to a third country, territory, or international organization. Once a country is deemed adequate, the data transfer won’t require any specific authorization or further safeguards.

The decision will be reviewed at least once every four years to ensure adequate protection of personal data. The commission takes into account the third party’s rule of law, the existence of a supervisory authority, and the international commitments entered into by the third party.

Standard Contractual Clauses

Most businesses implemented SCCs as a result of the Schrems II ruling. Revised in 2021, SCCs can be applied to data transfers where the recipient’s organization would not be directly subject to the GDPR for the processing operation. If an organization offers goods or services or monitors individuals’ behavior in the European Economic Area, SCCs can’t be used.

SCCs are approved by the European Commission and are incorporated into data transfer agreements between the EU data exporter and the US data importer to provide appropriate safeguards for the transferred data.

Binding Corporate Rules

This transfer method allows multinational organizations to implement BCRs for transfers of personal data within their group of companies. The BCR must be approved by relevant data protection authorities and provides legally binding commitments to protect personal data across the organization.

Explicit Consent

GDPR Article 49 permits the transfer of personal data to a third country, including the US, based on the explicit and informed consent of the individual. However, explicit consent should meet the GDPRs stringent requirements and must be freely given, specific, informed, and unambiguous.

Comparing EU-US Data Transfer Mechanisms: Which is Best?

While each has its pros and cons, using the EU-US Data Privacy Framework (an adequacy decision) is the most cost-effective – both in terms of time and money for businesses. It’s the fastest and most scalable option. Businesses must certify for the Data Protection Framework once and verify annually. There are no TIAs or supplementary measures required.

The framework ensures that a well implemented privacy program is in place and is a public facing commitment to using personal information fairly, lawfully, and transparently. A DPF verification demonstrates accountability to regulators and the Department of Commerce and provides your business credibility as a vetted trading partner, vendor, and service provider.

The Problems with Using SCCs for EU-US Personal Data Transfers

Standard contractual clauses are a tedious process. They must be completed for every vendor, service provider, and client. (A separate SCC is required for each business activity that transfers personally identifiable information to the US.)

And SCCs require Transfer Impact Assessments (TIA) for each contract and may also require supplementary measures. New transfers don’t fit into the existing process, and every contract needs to be updated for every new transfer.

Using SCCs as your data transfer method can put the business at risk of delay with vendors, providers, service contractors, and clients. Some vendors may even refuse to agree to SCC terms or sign altogether.

View the infographic

The Difficulties of Using BCRs for EU-US Personal Data Transfers

Binding Corporate Rules aren’t an option for all companies; they’re often the least used. BCRs need approval from data protection authorities and depending on the entity this could involve several authorities.

The main difficulty of BCRs is the sheer amount of internal resources and legal fees spent to evaluate risk, write contracts, and develop BCRs for all areas of personal data across the organization. This process is cumbersome and can take several years.

As a transfer mechanism, BCRs aren’t flexible and are very limited in scope. Lastly, Binding Corporate Rules don’t address governance and enforceability.

What About Using Consent for EU-US Personal Data Transfers?

The problem with relying on consent for EU-US personal data transfers is its lack of scalability. Consent in this case was designed for infrequent transfers of very few records.

Additionally, this opens your company up to upstream and downstream responsibilities concerning how your vendors and service providers meet GDPR requirements with your customer’s data.