GDPR – Transfers of data to the United States

In July the European Court of Justice (ECJ) ruled that the US privacy shield, which had previously allowed data transfers of personal data from the EU to the US in respect of businesses who were signed up to it, did not provide sufficient safeguards for the protection of EU citizens personal data. What does this ruling mean for businesses who need to transfer personal data?

The GDPR restricts the transfer of personal data outside of the EU, unless the country in question is considered safe or other safeguards are in place. Where a country is considered to offer adequate protection for personal data, the EU will issue an adequacy decision – a formal notice which organisations can rely upon as a basis for transferring data to that country. A partial adequacy notice has previously been applicable to organisations in the USA who were signed up to a privacy shield scheme, however the ECJ decision now means that businesses who have been relying on the privacy shield to transfer data to the USA can no longer do so. If they do, they will be in breach of the GDPR and should therefore suspend such transfers until such a time they can establish an alternative lawful basis.

Transfer of data includes actually sending personal data to a US based client, customer or supplier but also where data is included in software hosted in the US or backed up on US based servers. However, all is not lost and there are other safeguards or exceptions that can be applied. These include; obtaining the explicit consent of the individual concerned, legal proceedings where necessary, some one-off transfers or using EU approved Standard Contractual Clauses (SCCs).

Use of standard contractual clauses is common where data is transferred on a regular or ongoing basis, with the clauses part of the contractual agreement between the parties. However, with both the standard terms, care must be taken to ensure that they are used correctly and that all conditions are met, as otherwise the transfer may be in breach of the GDPR.

If you require any advice on the international transfer of personal data or any other aspect of data protection the Lawspeed data protection team can assist. Please contact them on 01273 236 236 or email