Is the transfer of data to the USA illegal? / What obligations do entities transferring data to the USA have?

ANSWER

No. The Schrems II judgment of the Court of Justice of the European Union (CJEU) does not completely eliminate the possibility of transferring personal data to the United States.

However, the Court stated that controllers or processors acting as data exporters are responsible for verifying, in each individual case and, where appropriate, in cooperation with the recipient in the third country, whether the laws or practices of that third country affect the effectiveness of the Standard Contractual Clauses (SCCs).

If they do, the Court leaves data exporters with the possibility of implementing supplementary measures that would fill the gaps in protection and raise it to the level required under EU law. The Court did not specify what these measures should be; therefore, data exporters must identify them individually on a case-by-case basis.

The Recommendations 01/2020, which were shared with you as part of the webinar summary, contain (in Annex 2) a non-exhaustive list of examples of additional measures, together with some of the conditions they would need to meet in order to be effective.

As for assessing the laws and practices of a third country to determine whether they affect the effectiveness of Standard Contractual Clauses, an increasingly common method of verifying a third-country contractor is the use of a transfer assessment questionnaire. This is similar to a general processor due diligence questionnaire but focuses specifically on issues related to the legality of the data transfer.