On 19 August 2021, Belgium's highest administrative court ruled that a contract tendered by a public authority could be awarded to a company whose bid was reliant on personal data being transferred to the US in order to fulfil the contract.

The contract in question was for the design and operation of a mobility centre, issued by the Flemish regional government to ViaVan Technologies, a Belgian subsidiary of a New York-headquartered company. Executing the contract requires the processing of mobility centre users' personal data on a large scale, and covers sensitive categories of personal data, including:

  • financial information, such as bank details; and
  • health data, such as users' physical limitations.

ViaVan reportedly indicated that in order to fulfil the contract, personal data would need to be transferred to Amazon Web Services, and another American company, River North Transit LLC.

Two Dutch companies challenged the awarding of the contract to ViaVan. One of the arguments made by the claimants was that the international transfer of personal data in this manner would breach the General Data Protection Regulation (GDPR). The claimants asserted that there were no protective measures, in addition to standard contractual clauses (SCCs), which could be applied by ViaVan to ensure that personal data, once transferred to the US, received the same level of protection as it would under the GDPR.

The Belgian court disagreed with the claimants, and ruled that:

  1. as the Schrems II judgment did not invalidate SCCs, they remain a mechanism by which personal data can be transferred internationally; and
  2. data processors can use the recommendations published by the European Data Protection Board (EDPB) to ensure that international transfers of personal data from the EU to the US are carried out in a GDPR-compliant manner.

In particular, the Belgian court noted that the measures used in this instance to ensure the personal data was adequately protected included:

  • full encryption of the personal data before it is provided to the service provider; and
  • control of the encryption keys to unlock the personal data by the Flemish regional government.

This case serves as a useful reminder that international transfers of personal data from the EU to the US are possible, and provides welcome confirmation that a practical approach to compliance with the GDPR is possible within the EU.

Care should be taken, however, that appropriate technical measures are used so that the EDPB's recommendations are met when transferring personal data from the EU to the US. This will require companies to take a nuanced approach, and consider in each instance how the measures they are taking meet the standards set out in the EDPB's recommendations.
