Previously there were two main ways for transferring personal data from the EU to the US

Until July 16th 2020, there were two main ways of transferring personal data from the EU to the US: relying on the EU-US Privacy Shield (an agreement between the EU and the US under which parties in the US could sign up and give assurance that they would live up to the standard of privacy protection required by the EU General Data Protection Regulation (GDPR)), or basing the transfer on Standard Contractual Clauses (where the party in the EU exporting the data and the party in the US importing it reach an agreement that meets the requirements of the GDPR).

Privacy Shield is no longer a valid basis for the transfer of personal data

On July 16th 2020 the European Court of Justice ruled that the Privacy Shield is no longer a valid basis for the transfer of personal data. Furthermore, it stated that when it comes to Standard Contractual Clauses, the exporter of data (such as SU researchers sending personal data to partners in the US) must ensure that the importer of data will in fact be able to respect the agreement. In the case of the US, this risks being very challenging given the scope of US authorities’ rights to access data. 

In light of this, it is crucial that researchers with ongoing or planned transfers of personal data to the US ensure that it is legal for them to do so. In practice, it is advisable to try to limit such transfers as far as possible. Apart from the risk of harming public trust in research, it is also worth noting that the sanction fees for breaches of rules of this kind are high.

Contact

For research projects where transfers of personal data to the US cannot be avoided, please contact the ethics support function at the Office for Research, Engagement and Innovation Services (etik@fs.su.se) or the legal counsels at the Office of the President (Fråga Juristen via Serviceportalen).

* The General Data Protection Regulation (GDPR) provides the following definition in article 4(1): ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. 

Further reading:

Some information on the broader context is given in this article from the BBC: https://www.bbc.com/news/technology-53418898
A statement from the European Data Protection Board on the decision by the European Court of Justice: https://edpb.europa.eu/news/news/2020/statement-court-justice-european-union-judgment-case-c-31118-data-protection_en