Illegality of data transfers to the USA (cepStudy)


Numerous companies from the EU are still illegally transferring personal data to the USA. This is the result of a study by the Centre for European Policy (cep), which examines the consequences of the ECJ ruling of July 2020.


The judgement had declared the data transfer on the basis of the so-called Privacy Shield decision, which had been widely used as a legal basis for transfers, to be illegal. The use of standard data protection clauses as a legal basis for transfers remains lawful, in principle. "However, data transfers from companies in the EU to US-based cloud services such as Microsoft, Amazon, Google or Dropbox are illegal if the data recipients in the USA are subject to US surveillance laws and have access to the data in plaintext," says cep lawyer Dr Anja Hoffmann. 


According to Hoffmann, in such cases, even supplementary data protection measures cannot effectively prevent access by the US authorities.  This also applies if the companies rely on Binding Corporate Rules.


This cepStudy examines the "Schrems II" ruling and its consequences, including its possible implementation, and also takes into account the draft versions of the recommendations of the European Data Protection Board and of the EU Commission’s amended standard data protection clauses.


The cepStudy is published in German.

To find the complete german version please follow this link:

cepStudie: Unzulässigkeit der Datenübermittlung in die USA