How Catalan administrations could transfer data to US providers safetly?

The Catalan Data Protection Authority (APDCAT) analyzed this Wednesday the implications of the new privacy framework agreed between Europe and the United States to enable data transfers with guarantees to suppliers or companies based in this American country, agreed by the European Commission last July.

In this sense, the conference "New rules of the game for dealing with personal data with the United States" has made it possible to go deeper with the help of people who are experts in this matter. The session is part of the events commemorating the International Data Protection Day, which takes place next January 28.

In her speech, the director of the APDCAT, Meritxell Borràs, recalled that the new privacy framework between Europe and the United States has been approved in a context of strong criticism and doubts as to whether or not it really constitutes a an improvement over the previous agreements, Harbor and Privacy Shield, annulled by the Court of Justice of the European Union.

Borràs has insisted that public administrations must analyze in detail the digital service providers they hire, when they process personal data, because they are often companies from third countries. And the European Data Protection Regulation also applies to entities not established in the EU, when they process personal data of indivudials from the EU. Thus, any transfer implies a loss of control over personal data and, therefore, it is necessary to incorporate in the contract with this type of entity the obligations they assume as data processors.

For his part, Albert Castellanos, doctor of law, lawyer and associate professor at the Autonomous University of Barcelona, has delved into the new privacy framework between Europe and the United States. Specifically, in the new rights and duties and obligations that it introduces, as well as the shortcomings that are detected.

The new adequacy decision of the European Commission has enabled international data transfers between Europe and the United States, with certain conditions. This changes the relationship between the entities responsible for personal data in the European Union and the service providers that process them, when they are based in the United States.