Personal data transfers to the US

Do you want to transfer personal data from a country in the European Economic Area (EEA) to an organisation in the United States (US)? How this works depends on whether or not that organisation participates in the Data Privacy Framework. This is a set of agreements about safe personal data transfers to the US.

Checking if the organisation participates in the Data Privacy Framework

You first have to check if the organisation in the US to which you want to transfer personal data participates in the Data Privacy Framework. You check this on the website of the Data Privacy Framework.

If an organisation participates, this does not automatically mean that all products of this organisation fall under the Data Privacy Framework. Do you want to use a specific product of a (big) organisation, such as certain software? In that case, the Dutch Data Protection Authority (Dutch DPA) advises you to make additional enquiries with this organisation yourself to find out whether this product also falls under the Data Privacy Framework.

Organisation participates in the Data Privacy Framework

Does the organisation in the US to which you want to transfer personal data participate in the Data Privacy Framework? And if you want to use a specific product, does this product also fall under the Data Privacy Framework? If this is the case, you are allowed to transfer the personal data. You do not have to use another transfer tool for this purpose. You also do not have to take additional measures to protect the data.

Organisation does not participate in the Data Privacy Framework

Does the organisation in the US to which you want to transfer personal data not participate in the Data Privacy Framework? Then you are only allowed to transfer the personal data if these 2 requirements are met:

  1. You use a transfer tool for transfer to a country outside the EEA, such as a model contract or binding corporate rules (BCR).
  2. You take additional measures to protect the personal data if necessary.

Additional measures for personal data transfers to the US

To determine which additional measures are needed, you can use the EDPB's Recommendations on measures that supplement transfer tools.

The EDPB mentions several safeguards that you can consider, such as good encryption and pseudonymisation. You have to assess on a case-by-case basis which measure or combination of measures is necessary for proper protection of personal data.

This is the Data Privacy Framework

On 10 July 2023, new agreements between the European Commission (EC) and the US about the transfer of personal data from the EEA to the US entered into effect. These agreements are known under the name Data Privacy Framework.

The EC has made an adequacy decision about the US. This means that the EC has found that the level of protection of personal data in the US is comparable to that in the EEA. This adequacy decision is part of the Data Privacy Framework.

Organisations in the US can participate in the Data Privacy Framework. Personal data transfers from the EEA to these organisations are then permitted without the European party having to take additional legal and technical measures.

Successor of the Privacy Shield

The Data Privacy Framework is the successor of the Privacy Shield. In 2020, the Court of Justice of the European Union (CJEU) declared the Privacy Shield invalid in the Schrems II case. As a result, organisations could no longer use the Privacy Shield for personal data transfers to the US.

With the Data Privacy Framework, new agreements apply between Europe and the US. According to the EC, it is now safe to transfer personal data to organisations in the US that participate in the Data Privacy Framework.

Complaint about an American company

Are your personal data transferred to an American company that participates in the Data Privacy Framework? And do you disagree with the manner in which this company handles your personal data? Then you can submit a complaint. You do this to your national data protection authority. In the Netherlands, this is the Dutch Data Protection Authority (Dutch DPA).

You submit a complaint to the Dutch DPA by means of the American company complaint form.

Send the completed form by email to KlachtenformulierDPF@autoriteitpersoonsgegevens.nl

You can also print out the form and send it by post to:

Dutch Data Protection Authority (DPA)
(Autoriteit Persoonsgegevens)
Postbus 93374
2509 AJ DEN HAAG.

Do you want to know the progress of your complaint? Read Procedure for a complaint against an American company.

Access by American intelligence services

Under the Data Privacy Framework, personal data of citizens in the EU or EEA may be transferred to companies in the US. If this is the case, American intelligence services may, on strict conditions, be given access to these data. 

Part of the adequacy decision of the European Commission is Executive Order (EO) 14086 on Enhancing Safeguards for United States Signals Intelligence Activities, signed by President Biden on 7 October 2022. This EO with associated regulations pertains to this access by American intelligence services to personal data of European citizens. 

The EDPB has issued an advice on the adequacy decision and the Data Privacy Framework. This advice also pertains to access by American intelligence services to personal data. 

Protection of European citizens

For European citizens whose personal data are transferred to the US, the EO must provide for:

  • binding safeguards that limit access by American intelligence services to data to what is necessary and proportionate for the protection of national security;
  • tightened monitoring of the activities of the American intelligence services, to ensure that the restrictions on monitoring activities are complied with;
  • the establishment of an independent and impartial complaints mechanism, including a new court for data protection, to investigate and deal with complaints by citizens about the access by American intelligence services to their data.

Complaint about American intelligence services

Do you feel that American intelligence services have had unlawful access to your personal data? Or that American intelligence services have unlawfully processed your personal data? Then you can submit a complaint to your national data protection authority. In the Netherlands, this is the Dutch Data Protection Authority (Dutch DPA). 

You submit a complaint to the Dutch DPA by means of the American intelligence services complaint form.

Send the completed form by email to KlachtenformulierDPF@autoriteitpersoonsgegevens.nl

You can also print out the form and send it by post to:

Dutch Data Protection Authority (DPA)
(Autoriteit Persoonsgegevens)
Postbus 93374
2509 AJ DEN HAAG.

Handling of your complaint

The Dutch DPA will:

  • check your identity;
  • assess if your complaint meets the requirements;
  • check if your complaint is complete;
  • translate your complaint into English, if necessary;
  • send your complaint digitally, through a secure connection, to the secretariat of the EDPB.

The EDPB will then forward your complaint to the American competent authority. Is your complaint about access to your personal data obtained by American security services for purposes of national security? Then this competent authority is the Civil Liberties Protection Officer (CLPO) from the Office of the Director of National Intelligence (ODNI).

Do you want to know more about the progress of your complaint? Read the Procedure for a complaint against American security services.