Sending personal data to non-EU countries (in particular the US)

Last changed: 03 April 2024

As of July 2020, transferring personal data to the US using the Privacy Shield framework is no longer allowed. If you have suppliers or cooperation partners in the US, you need to be aware of this and take the measures needed. On this page, you will find recommendations from SLU’s Legal Affairs Unit and information on using Privacy Shield.

According to an EU Court of Justice judgment from July 2020, transferring personal data to the US using the Privacy Shield self-certification framework is illegal.

Consequently, arrangements for the transfer of personal data using Privacy Shield must be replaced by agreements that include the European Commission’s standard contractual clauses.

SLU’s Legal Affairs Unit recommends not procuring any new US suppliers, or starting new cooperation projects with US partners, if it involves the transfer of personal data.

Transfers within the EU, or to one of the following countries, are not affected: Andorra, Argentina, Bailiwick of Guernsey, Faroe Islands, Isle of Man, Israel, Japan, Jersey, New Zealand, Switzerland and Uruguay.

What do I need to do?

Cancel transfers and negotiate new agreements

If you know that personal data are transferred to the US using Privacy Shield, you must act as soon as possible and replace this framework with the European Commission’s standard contractual clauses.

This applies regardless of what kind of study or project you are working on if it involves transferring personal data to a US partner using Privacy Shield, or with no framework to secure the integrity of the data.

Consequently, all SLU agreements with US partners where there is no regulatory support for the transfer of personal data need to be renegotiated.

The European Commission’s standard contractual clauses must also be part of any new agreement signed if it involves the transfer of personal data to countries outside the EU/EEA.

For the following countries, no new agreements are needed: Andorra, Argentina, Bailiwick of Guernsey, Faroe Islands, Isle of Man, Israel, Japan, Jersey, New Zealand, Switzerland and Uruguay.

Contact your partners

If you have an agreement based on Privacy Shield, we suggest you send the following message to your partner:

“Dear [name of partner],

Due to legal developments in the EU following the Schrems II case in the EU Court of Justice, we need to adjust our partnership agreement. The Privacy Shield framework has been declared invalid and instead, we need to include the EU Commission’s standard contractual clauses in our agreement to be able to continue to transfer personal data to you. The clauses are available on this web page: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en

We thank you for your understanding. Please get back to us as soon as possible regarding this change in legal formalities.”

Encrypt or remove personal identifiers before the transfer

We recommend that you encrypt all files transferred to your partner, or protect them using a password. This applies to personal data about anyone not working on the project.

The passwords or encryption keys must not be sent together with the protected file. They should preferably be sent separately, e.g. by text message.

If possible, remove all data that can be used to identify individuals before you make the transfer. Think about whether you need to be able to identify individuals from the data you transfer.

Background

What is Privacy Shield?

According to the General Data Protection Regulation (GDPR), transferring personal data to a non-EU/EEA country is only allowed if the receiving country can guarantee adequate protection of the data.

The European Commission has identified a number of non-EU/EEA countries considered to provide adequate protection of personal data, meaning you can transfer personal data from EU countries to them (Andorra, Argentina, Bailiwick of Guernsey, Faroe Islands, Isle of Man, Israel, Japan, Jersey, New Zealand, Switzerland and Uruguay).

Canada and the US have also, under certain circumstances, been approved as recipients of personal data.

In the US, companies and organisations have been able to join the Privacy Shield framework through a self-certification process. This framework has been used to guarantee that personal data transferred to the US has been adequately protected.

Privacy Shield can no longer be used

Privacy Shield has been declared invalid in a judgment from the EU Court of Justice as it does not provide adequate protection of personal data.

This judgment means that all transfers of personal data to recipients in the US that use Privacy Shield are incompatible with both Swedish legislation and EU law. This means that transfers to non-EU/EEA countries that do not offer adequate protection need another regulatory basis.

US legislation grants US authorities the right, under certain circumstances, to access data transferred to the US. In some such cases, the organisation accessing the personal data is not allowed to inform anyone else of this, not even the entity transferring the data, such as SLU, or the data subjects themselves. This, in turn, means that neither SLU nor the data subject can object to the US authority processing the data. This is contrary to the provisions of the General Data Protection Regulation (GDPR).

The European Commission’s standard contractual clauses

The European Commission’s standard contractual clauses can be used as a basis for transferring personal data to non-EU countries provided that the recipient country applies these clauses. To enable SLU to determine whether this is the case, we need to look at each case individually and assess if the data will be adequately protected.

This assessment needs to take into account whether the recipient country’s legislation allows national authorities to access the transferred data without offering legal recourse. This type of legislation can be found in several countries and includes the US CLOUD Act, the UK Investigatory Powers Act 2016 and similar legislation in China, Australia and India.

You must make this assessment before you transfer the data. You should, therefore, investigate what personal data really must be transferred. Can you change the way you work so it does not involve the transfer of personal data?