Next Steps for users & FAQs

Data Transfers / GDPR / 24 July 2020

On this page we have summarized the options for users who want to stop their data being transferred to the United States after the CJEU judgment in C-311/18 ("Schrems II") on the Privacy Shield and Standard Contractual Clauses ("SCCs"). In addition, we have added a couple of FAQs that may help you identify cases where you have a right to request a stop to data transfers.


What can I do now?

The GDPR gives you strong rights to get information on your data and take action – use them!

STEP 1: Ask whether your data is transferred outside of the EU

You can ask the organisation processing your data (a business, a public institution, or any other entity) whether they are transferring your data outside of the EU, and where, to whom, and on which basis they are transferring it. This is part of your right of access and your right to be informed. Such a request can be addressed to the organisation in question via email (usually they provide an email address where you can send such requests). Since this answer does not require a deep analysis by the organisation, and considering that the CJEU's judgment does not provide for a grace period for illegal international transfers, they should provide you with an answer quite quickly.

You can use the following text to write your request:

Dear Sir/Madam,

I am one of your customers. In accordance with Articles 12, 13, 14 and 15 of the GDPR, I make the following requests:

  • Do you transfer data outside of the EU? If yes, to which countries?
  • What is the legal basis relied on for each transfer (e.g. adequacy decision, SCCs, BCRs, derogations...)? If you used SCCs or BCRs, please provide a copy of the SCCs or BCRs used for each transfer.
  • If you send personal data to the US, do any of your partners fall under 50 USC §1881a (“FISA 702”) or provide data to the US government under EO 12.333?
  • If you send personal data to the US, which technical measures are you taking so that my personal data is not exposed to interception by the US government in transit?

Please reply within one week as the GDPR requires you to reply ‘without undue delay’. This is a simple request that does not require extensive analysis. Further identification beyond my email does not seem necessary given that I do not demand a copy of my personal data. Should you require any further information, please do not hesitate to contact me.

Regards,

[Your Name]

We would welcome it if you could send us a copy of any response to info@noyb.eu


STEP 2: Request that your data is no longer transferred to the US

If the company or organisation tells you that your data is sent to a US company that falls under the mass surveillance laws above, you can demand that the EU company stops the transfer of such data.

You can use the following text to write your request:

Dear Sir/Madam,

I am one of your customers. I have reason to believe that you illegally transfer my personal data to the United States.

If you transfer personal data to a US-based “electronic communication service provider” as defined in 18 U.S. Code §1881(4)(b), or should you still rely on the Privacy Shield for such transfers, I request that you stop the transfer of my personal data immediately. Please inform me within one week of the date by which you will have stopped any such transfers.

Should you need any further information, please do not hesitate to contact me.

Kind Regards,

[Your Name]

We would welcome it if you could send us a copy of any response to info@noyb.eu


STEP 1+2: Request information and demand that your data is no longer transferred to the US

You can also combine a request for information with a request to stop the data transfers. You can use the following text to write your request:

Dear Sir/Madam,

I am one of your customers. In accordance with Articles 12, 13, 14 and 15 of the GDPR, I make the following requests:

  • Do you transfer data outside of the EU? If yes, to which countries?
  • What is the legal basis relied on for each transfer (e.g. adequacy decision, SCCs, BCRs, derogations...)? If you used SCCs or BCRs, please provide a copy of the SCCs or BCRs used for each transfer.
  • If you send personal data to the US, do any of your partners fall under 50 USC §1881a (“FISA 702”) or provide data to the US government under EO 12.333?
  • If you send personal data to the US, which technical measures are you taking so that my personal data is not exposed to interception by the US government in transit?
  • If you transfer personal data to a US-based “electronic communication service provider” as defined in 18 U.S. Code §1881(4)(b), or should you still rely on the Privacy Shield for such transfers, I request that you stop the transfer of my personal data immediately.

Please reply within one week as the GDPR requires you to reply ‘without undue delay’. This is a simple request that does not require extensive analysis. Further identification beyond my email does not seem necessary given that I do not demand a copy of my personal data. Should you need any further information, please do not hesitate to contact me.

Kind Regards,

[Your Name]

We would welcome it if you could send us a copy of any response to info@noyb.eu


STEP 3: File a complaint with your Data Protection Authority to stop the transfer to the US

If the company does not stop unnecessary transfers to the US or does not respond, you can always file a complaint with your local Data Protection Authority.

You can find a link to your local Data Protection Authority (DPA) on this page: https://edpb.europa.eu/about-edpb/board/members_en. The exact process for filing a complaint depends on the laws of the country where you file it, but the process is generally rather informal. Most DPA websites provide a complaint form where you can explain your situation.

For guidance, you can use the following text to file a complaint. We may offer more specific texts in the future. Please do not forget to add an explanation of your personal situation to this text.

Dear Sir/Madam,

I am a customer of [name and address of the company].

My account details are [fill in here].

I believe that [name of the company] continues to transfer my personal data illegally because [include any indication, such as their privacy policy or a response they sent to you].

I refer to the CJEU judgment in C-311/18 (Schrems II). Considering that [name of the company] continues to transfer my personal data to the US without an appropriate legal basis, I request that you investigate the matter and order a suspension or a ban of the processing.

Kind Regards,

[Your Name]

We would welcome it if you could send us a copy of any response to info@noyb.eu


FAQs for users

Why did the Court consider there were problems with EU-US data transfers?

EU law grants everyone a right to privacy, data protection and redress before a court. The EU Court of Justice upheld these rights in relation to data transfers to the US in its judgment on the Privacy Shield and SCCs. In brief, the Court said that mass surveillance in the US and the lack of legal protection against illegal surveillance often (but not always) make it illegal for companies to send your data to the US.

Which data transfers are still legal?

Under Article 49 GDPR, some “necessary” transfers are still legal in any circumstance (e.g. when you book a hotel in the US and the booking is sent to the US hotel). It is also still legal to transfer data when you were informed about US laws and have explicitly and freely agreed to the transfer. You must be able to withdraw this consent at any time, without negative consequences.

You can also always send your own data to the US (if you wish to directly use a provider that is only in the US).

Which data transfers are illegal?

Transfers to US companies that fall under a US “mass surveillance” law like FISA 702 (also called 50 USC §1881a) are usually illegal. The companies that cannot rely on SCCs are the so-called “electronic communication service providers”. This is a broad term under US law and covers most IT and cloud providers.

Examples of these providers include AT&T, Amazon (AWS), Apple, Cloudflare, Dropbox, Facebook, Google, Microsoft, Verizon Media (known as Oath & Yahoo) and Verizon. Each of these companies publishes a transparency report that tells you how often they were subject to US government data access requests.

This means that typical “outsourcing” situations (when an EU business is forwarding your data to a US company that is in turn processing your data) are in most cases illegal.

Remember that when residing in the EU, you often have a contract with an EU subsidiary of that US company (e.g. Facebook users have a contract with Facebook Ireland). If they outsource the processing of your data fully or partly to the US parent company, the transfer is equally illegal.

What is “Privacy Shield”, and what are “Standard Contractual Clauses” or “SCCs”?

Under the GDPR, personal data may not leave the EU. As an exception to this rule, companies can use certain legal tools to permit the transfers. Two of the most common tools companies rely on to transfer your data from the EU to the US are “Standard Contractual Clauses” (or “SCCs”) and the “Privacy Shield”.

The Privacy Shield was invalidated by the Court of Justice, so it does not exist anymore. Data cannot be transferred to the US under the Privacy Shield since 16 July 2020.

Almost the same prohibition applies to the use of SCCs: all companies that fall under a US “mass surveillance” law can no longer use the SCCs. This is because the SCCs cannot override US law.

What does this mean in everyday life?

Below, you can find some examples of common cases that are likely to include the transfer of your personal data to the US.

Cases that are typically affected by the judgment:

If you are a customer of an EU/EEA company that:

  • is an integrated affiliate of a US company (e.g. Google, Apple, Amazon, Microsoft, Facebook, Instagram, Twitter, Yahoo and the like), or
  • relies on storage or another type of processing in the US (many “average” EU businesses).

Cases that are typically not affected by the judgment:

Necessary transfers that are still legal include, for example:

  • Booking a hotel or other accommodation directly in the US or through a travel agency in the EU (e.g. a room in San Francisco);
  • Booking a flight to the US;
  • Reserving a rental car in the US;
  • Ordering goods online from a US-based company;
  • Using online services provided by a US-based company (with no establishment in the EU);
  • Sending an email to the US;
  • Sending your data to your lawyer in the US in the context of a lawsuit;
  • Contacting a Facebook friend who is located in the US;
  • Video calls to the US.