The European Union's General Data Protection Regulation ("GDPR") is arguably the most comprehensive - and complex - data privacy regulation in the world.  Although the GDPR went into force on May 25, 2018, there continues to be a great deal of confusion regarding the requirements of the GDPR.

To help address that confusion, Bryan Cave Leighton Paisner is publishing a multi-part series that discusses the questions most frequently asked by clients concerning the GDPR.

Question: If a United States company has entered into Privacy Shield, can it transfer European personal information to a processor or sub processor (i.e., a service provider) that is outside of the United States?

Answer: Yes. The Privacy Shield framework contemplates situations where “onward transfers of personal data take place from a Privacy Shield certified organization in the U.S. to a recipient in a third country.”¹  In order to comply with the requirement within the GDPR (and the identical requirement in the Privacy Directive that predated the GDPR) that data only be processed in a jurisdiction that has adequate privacy protections, Privacy Shield states that the US-based entity should contractually bind its processor to “the same level of privacy protection as is required by the [Privacy Shield] Principles.”  

The Department of Commerce has not given any real indication of what it means for a company that is not based within the United States to agree to the same level of privacy protections that are required by the Privacy Shield Principles, and requiring that an entity located outside of the United States adhere to the Privacy Shield Principles raises a number of conceptual difficulties. For example, one of the Privacy Shield Principles is that an “organization . . . inform individuals about . . . its participation in the Privacy Shield.”²  As organizations that are located outside of the United States and are not subject to Federal Trade Commission enforcement are not permitted to participate in Privacy Shield (i.e., they cannot be added to the Privacy Shield list), presumably they cannot inform individuals about their framework participation.  Another Privacy Shield Principle is that an organization be “obligated to arbitrate claims” and agree to an “independent recourse mechanism.”³  Again, organizations that are not formally part of the Privacy Shield program are not necessarily permitted to participate in the Privacy Shield arbitration framework.

In its review of the “robustness” of the Privacy Shield Framework, representatives of the Article 29 Working Party found that the United States Department of Commerce had failed to provide “guidance and clear information” on how companies can or should accomplish “onward transfers.”⁴  While the Working Party stated that they would “engage in advising the US authorities in drafting new guidance” concerning onward transfers that would, presumably, include information on how  companies should structure an agreement to guarantee that a sub-processor was abiding by the Privacy Shield principles, little additional guidance has been forthcoming.⁵. 

The net result is that while US companies should attempt to require that subprocessors outside of the United States apply “the same level of privacy protection as is required by the Privacy Shield Principles” there may be ambiguity on the part of the contracting parties (and regulators) as to what precisely that requires.

As an alternative, some EEA controllers prefer to structure onward transfers contemplated by a US processor to a non-US subprocessor as a direct transfer from the EEA controller to the non-EEA, non-US subprocessor.  The Article 29 Working Party appeared to validate that approach by stating, in a document that analyzed potential gaps concerning the Privacy Shield Framework, that if an EEA controller is aware that a Privacy Shield participating processor intends to make an onward transfer to a third party outside of the US “the transfer should be considered as a direct transfer from the EU to the third country outside the US.  This means Article 25 and 26 of the Directive are applicable to the transfer instead of the Privacy Shield onward transfer principle.”[6]  If a company uses this approach the non-EEA, non-US subprocessor would be presented with a Standard Contractual Clause between itself and the EEA controller.  The EEA controller would be listed in the document as the exporting entity, the non-EEA, non-US sub processor would be listed as the importing entity, and the US Privacy Shield participant would not necessarily need to be a party to the agreement.

1. Article 29 Working Party, WP 238: Opinion 01/2016 on the EU- US Privacy Shield Draft Adequacy Decision (Apr. 13, 2016) at 30 (discussing issues raised by Privacy Shield framework).

2. European Commission, Commission Implementing Decision of 12.7.2016 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the EU-U.S. Privacy Shield, Annex II (hereinafter the “Privacy Shield Principles”) at Section II(1)(a)(i).

3. Privacy Shield at Section II(7)(b), (c).

4. Article 29 Working Party, WP 255: EU-U.S. Privacy Shield – First Annual Joint Review (Nov. 28, 2017) at 2.

5. Id. at 4.

6. Article 29 Working Party, WP 238: Opinion 01/2016 on the EU – U.S. Privacy Shield draft adequacy decision (Apr. 13, 2016) at 21.

[View source.]