In our quest to understand the challenges faced while complying with data protection regulations, we reached out to professionals around the globe. Our members, Erika Heveus and Arvid Rosenlöf from Hellström Advokatbyrå, offered their valued insights, highlighting the importance of businesses staying updated with the relevant decisions in the field of GDPR.
Transferring personal data from the EU/EEA to third countries such as the United States is common for businesses. Examples include sending emails with personal data to someone in the US, hiring a processor in the US, or storing personal data on a so-called “cloud service” based in the US.
In accordance with the General Data Protection Regulation (GDPR), the general rule is that personal data should not be transferred to countries outside of the EU/EEA (article 44). There are certain exemptions making such transfers legal, for example when a country receives an adequacy decision from the European Commission or when companies are using standard contractual clauses developed by the European Commission (articles 45 and 46.2 c).
The EU Court of Justice (CJEU) ruled in the Schrems II decision from 2020 that the US did not meet the requirements to uphold an adequacy decision, making standard contractual clauses a common solution for businesses instead.
This summer, the Swedish data protection authority (IMY) issued fines (up to 12 million SEK) to Swedish companies transferring personal data to the US using the Google Analytics tool. IMY found that the technical protection measures implemented by the audited companies, such as encryption, were not sufficient to ensure a level of protection substantially equivalent to that guaranteed in the EU/EEA.
Shortly after the decision, a new adequacy decision for the US entered into force, the EU-US Data Privacy Framework. The Framework remedies the problems highlighted in the Schrems II decision, making transfers of personal data to the US legal again. For Swedish companies, the decision from IMY is still worth noting, since the new Framework can be reviewed by the CJEU in the future. Also, for third countries other than the US, the right technical protection measures must be implemented when using standard contractual clauses. The above highlights the importance of businesses staying updated with the relevant decisions in the field of GDPR.
The insights shared by our members in Sweden highlight the importance of adherence to relevant judgments and standard contractual clauses for seamless compliance, particularly in the transfer of personal data from the EU/EEA to third countries.