In today’s interconnected global business environment, organizations need to move personal data across country boundaries for business, research, or communication purposes. Between completing transatlantic business transactions and sharing cloud infrastructure, there is an increasing need for organizations to transfer data between the European Union (EU) and the United States (US).
International data transfers often require careful consideration of both EU and US regulations. In the EU, transfers fall under the General Data Protection Regulation, or GDPR, which imposes some of the most comprehensive and stringent data protection standards on the transfer process. In doing so, the GDPR pursues its goal of securing fundamental privacy rights for individuals across the EU.

Comparatively, the US does not have a single, central data protection law. Instead, each state has different pieces of legislation that guarantee different degrees of privacy. For organizations operating in the US, it is important to understand the Italian data protection requirements under the GDPR and adapt data processing systems to comply with those requirements.
This article details the process of transferring personal data between Italy and the US (and other non-EU countries) under the current GDPR requirements. It first explains the legal differences and bases for data transfer in both nations. Then, it specifies the most common and efficient methods for transferring data internationally. Finally, it suggests how US-based organizations can remain compliant with GDPR requirements and avoid penalties for non-compliance.
Personal Data Transfer Under the GDPR
Article 4(1) of the GDPR identifies personal data as any information that can be linked to “[an] identified or identifiable natural person.” This includes several forms of information that reveal personal details about an individual, including:
- Name
- Contact information
- Financial data
- Healthcare information
- Biometric data
When personal data is moved from one location to another and is intended to undergo processing, it is referred to as a personal data transfer under GDPR Article 44. There are two types of personal data transfers. On the one hand, internal data transfers happen between data controllers within the European Economic Area, or EEA. On the other hand, international transfers happen when data is moved across the borders of the EEA. Such international transfers are subject to specific legal requirements under Chapter V of the GDPR. Three examples of international data transfer include:
- Data exchange between a controller or processor in the EU and another in a third (non-EU) country or international organization.
- Disclosing personal data to another entity in a third country.
- GDPR requirements binding either the controller or the processor for the given transfer.
The Regulatory Divide Between Italian and US Data Protection Law
Compared to the US standards, the GDPR in Europe imposes wider-reaching, more comprehensive, and consumer-focused data protection regulations. These regulatory differences suggest that most US organizations do not offer an “adequate level of protection” per the adequacy decision in GDPR Article 45(1). When assessing adequacy levels, supervisory authorities look for three key features.
- Rule of law: The third country shows significant care and respect for human rights, including in sectors such as public security, defence, national security, and criminal law.
- Independent supervisory authority: The third country has at least one independent agency that is responsible for ensuring and enforcing organizational compliance and accountability with data protection laws.
- International commitments: The third country has made commitments to international entities, taken on legal obligations, participates in multilateral systems, and aligns with adequate data protection standards.
Since US data protection standards tend to trail those in Italy, data transfers between the two nations often require specific authorization. Thus, US organizations looking to move data into Italy almost always need to implement additional safeguards and consumer data protections. Organizations should consider several key elements of the legal differences between US and Italian data protection.
Italy
Italian data protection law is highly comprehensive, thorough, centralized, and focused on maintaining consumer privacy. It treats personal data protection and privacy as a fundamental right. More specifically, Italian data protection law is overseen by the centralized Italian Data Protection Authority, known as the Garante Privacy. The Garante enforces the GDPR within the Italian legal and economic framework. Among its numerous responsibilities, the Garante supervises and oversees international data transfers between Italian entities and entities outside of the EU.
- The Garante applies strict interpretations of the GDPR.
- The Garante requires documentation proving the use of lawful data transfer mechanisms.
- The Garante actively collaborates with international authorities to coordinate data protection enforcement.

In addition, all entities within the EEA are required to adhere to a strict set of standards and expectations within data protection law. These principles are outlined in the GDPR.
- Data minimization: The data minimization principle falls under Article 5(1)(c) of the GDPR and instructs that organizations should only collect, transfer, store, or receive the minimum amount of personal data necessary to complete an action.
- Purpose limitation: Under the GDPR Article 5(1)(b), the data an organization sends out should be limited to what is strictly necessary, accurate, and needed for “specified, explicit, and legitimate” reasons. Essentially, organizations and controllers must have a specific purpose or reason for transferring any personal data.
- Privacy rights: Under Article 25 of the GDPR, organizations sending or receiving data in the EU must implement reasonable data protection measures “by design and by default.” There are several ways to guarantee the highest degree of consumer privacy and confidentiality throughout the data transfer process, including limiting third-party access to personal data and implementing additional steps to anonymize personal data (e.g., pseudonymization or encryption technologies).
- International transfers: GDPR Articles 44-50 highlight several guidelines that organizations must comply with when transferring data across European borders. More specifically, Article 45 requires organizations to notify the affected consumers before the data transfer takes place. Further, Article 46(2) orders entities to comply with standard data protection clauses and guarantee full compliance with consumer privacy rights.
Along with following GDPR expectations, organizations transferring data to Italy must also align with the sector-specific EU requirements, such as those in the financial, health, or public administration industries.
United States
US data protection law is a complex and decentralized system. Unlike in Italy, there is no central authority that comprehensively regulates US law. Instead, privacy and protection standards vary by state and sector, which creates legal complexities for international data transfers.
At the federal level, there is no single, comprehensive data protection law akin to the GDPR. Instead, the limited federal authority is distributed across various laws and agencies that each address specific contexts.
Federal Legislation and Sectoral Laws
- The Federal Trade Commission (FTC) acts as a privacy enforcement agency over the commercial sector, which primarily comes from its authority to prohibit unfair and deceptive trade practices under Section 5 of the FTC Act.
- US Code Title 47 (e.g., the Telecommunications Act) sets minimal, general standards for handling personally identifiable information by telecommunications providers; however, these do not apply broadly across industries.
- Federal legislation that governs sector-specific data protection. Some examples include the Health Insurance Portability and Accountability Act (HIPAA) for health data, the Gramm-Leach-Bliley Act (GLBA) for financial data, or the Foreign Intelligence Surveillance Act (FISA) for government surveillance and data collection.
- Executive Orders (EO) such as EO 12333, which authorizes authorities to collect and retain foreign intelligence information, or EO 14086, which increases privacy and civil liberty protection for US intelligence activities.
International Court Systems
Court decisions can also impact multinational legal proceedings. Although US courts are not directly bound by European legal decisions, rulings from the Court of Justice of the European Union (CJEU) can be profoundly impactful. For instance, the Schrems I and Schrems II (Maximillian Schrems vs Data Protection Commissioner) cases invalidated the prior Safe Harbor and Privacy Shield frameworks, citing inadequate protection against US government surveillance and a lack of enforceable rights for EU citizens. As a result, US organizations receiving personal data from within the EEA must now rely on additional safeguards, such as Standard Contractual Clauses (SCCs) or participation in the EU-U.S. Data Privacy Framework (DPF).
State Legislation
Given the limited scope of federal data protection legislation, US states have the opportunity to step in and enact their own unique legislation. Although this allows states to accommodate their various needs, it also complicates GDPR compliance for both national and international entities.
As of 2024, at least 14 states have enacted comprehensive data protection laws. Among the most notable and extensive of these states are:
- California Privacy Rights Act (CPRA): The closest US data protection law to the GDPR standards. The CPRA grants California residents extensive rights to access, delete, correct, and opt out of the sale of their personal data. It also established the California Privacy Protection Agency (CPPA) as an independent enforcement agency.
- Washington My Health My Data Act (MHMD): Establishes state-level protections for health data beyond those laid out in HIPAA. MHMD applies broadly to healthcare and non-healthcare related entities that collect health information.
- Colorado Privacy Act (CPA): The CPA imposes restrictions on organizations that complete large-scale processing activities (over 100,000 Colorado residents) or make revenue from the selling of personal data. The act mandates opt-outs, data protection assessments, and transparency measures.

Transferring Data Between the US and Italy
Transferring personal data from Italy to the United States is a complex process that requires careful consideration of the differences in legal, technical, and organizational standards. Navigating these differences requires thorough research and great flexibility. Five of the elements that may complicate the international data transfer process include:
- Differences in legal standards
- Technological constraints and availability
- Legislation change and policy monitoring
- Garante guidance on specific data transfer circumstances
- Cultural differences
These legal differences mean that many US organizations are, by default, not GDPR compliant. Thus, US organizations should consider several steps before expanding their operations or transferring data to Italy.
- Identify the transfer: Understand what type of data needs to be transferred, who the data sender and receiver are, which parties need to access or store the data, and what measures need to be taken to complete the transfer.
- Conduct a Transfer Impact Assessment (TIA): Following the Schrems II decision in 2020, organizations are required to assess the risks associated with international data transfers. On the Italian side, this includes understanding whether US laws and regulations undermine the effectiveness of GDPR data protection laws.
- Draft a Data Processing Agreement (DPA): The data receiver and sender draft an agreement regarding the nature and details of the data transfer. Since US-based organizations do not benefit from adequacy decisions under Article 45(1) of the GDPR, such entities should rely on international agreements or contract arrangements to transfer data across borders.
- Take additional measures: Organizations should adopt precautionary technical, contractual, and organizational measures to address the risks left uncovered by the TIA.
- Technical: Adopt end-to-end encryption, EU-only data access, or pseudonymization.
- Contractual: Add clauses to require notification of data access, define auditing procedures, and introduce transparency reporting.
- Organizational: Adopt organization-wide protocols such as internal access controls, staff training, and data minimization practices.
- Formalize the data transfer: Finalize all documentation, ensure that the DPA reflects GDPR compliant actions, and keep detailed records of the transfer process. After the documents are finalized, a supervisory authority will review them.
- Monitor and reassess: International data transfers need to be continually monitored before, during, and after the transfer occurs. Organizations should periodically assess DPA, legal standards, and security frameworks.
The Role of the EU-US Data Privacy Framework
In July 2023, the EU-US Data Privacy Framework, or DPF, was adopted to ensure that US entities receiving personal data from Europe were self-certified and compliant with the GDPR. It replaced the earlier Privacy Shield agreement as the method for guaranteeing lawful transatlantic access to personal data. The DPF made several significant changes to international data transfer law, including:
- Mandated US commitment to following the GDPR data protection principles and guaranteeing consumer privacy rights when transferring data to Europe.
- Created the Data Protection Review Court for EU individuals to challenge US surveillance and data usage activities.
- Limited US data intelligence collected to what is strictly necessary and appropriate to enforce the purpose limitation on US data usage.
Additional Safeguards for International Data Transferring
In the US, data protection laws do not meet an adequacy decision per GDPR Article 45(1), meaning that its legal standards trail the GDPR criteria. When non-EEA organizations do not have an adequacy decision, they must adopt “appropriate safeguards” to transfer personal data across European borders. Article 46 of the GDPR lists several transfer tools that organizations can use to transfer data internationally and ensure cross-border compliance with the GDPR.

Standard Contractual Clauses (SCCs)
Standard Contractual Clauses are a primary tool used for international data transfers with countries outside the EEA. These are pre-approved contracts that the European Commission issues to bind both the data sender and receiver to specific, GDPR-level data protection obligations. In Italy, organizations are required to:
- Sign SCC contracts with non-EEA entities.
- Assess foreign surveillance risks using TIAs.
- Keep SCCs readily available for audits or other regulatory assessments.
It is important to note that SCCs alone might not be considered an “appropriate safeguard.” Organizations may need to implement additional technical or organizational measures, such as encryption with EU-controlled keys, to remain in compliance with the GDPR. Thus, organizations should consider adopting multiple, layered safeguards to protect against the risks associated with GDPR non-compliance.
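The technical measures named above (pseudonymization and encryption with keys that stay under EU control, also listed under "Take additional measures" earlier in this article) share one idea: the party outside the EEA receives only what the processing purpose needs, and nothing it receives can be linked back to a person without material that never leaves the EU. The following is an added illustration, not code from this article or from A.L. Assistenza Legale, of that pattern for the pseudonymization half. It uses a keyed HMAC so that the recipient cannot reproduce or reverse the tokens, strips direct identifiers, applies a hypothetical allow-list of attributes, and keeps the re-identification table with the key holder. The sample records, field names and allow-list are constructed assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed sample export: records an Italian controller wants a US processor
# to analyse. Hypothetical data, not taken from any real system.
SAMPLE_RECORDS = [
    {"email": "mario.rossi@example.it", "full_name": "Mario Rossi",
     "phone": "+39 06 0000 0000", "region": "Lazio",
     "plan": "premium", "monthly_spend_eur": 42.0},
    {"email": "giulia.bianchi@example.it", "full_name": "Giulia Bianchi",
     "phone": "+39 02 0000 0000", "region": "Lombardia",
     "plan": "basic", "monthly_spend_eur": 9.5},
]

# Direct identifiers that never cross the border.
DIRECT_IDENTIFIERS = frozenset({"email", "full_name", "phone"})

# Hypothetical allow-list: attributes the stated processing purpose needs
# (data minimization / purpose limitation). Anything else is dropped.
FIELDS_FOR_PROCESSOR = frozenset({"region", "plan", "monthly_spend_eur"})


def generate_eu_key() -> bytes:
    """Pseudonymization key. It is generated and retained by the EU controller
    and is never shipped together with the exported data."""
    return secrets.token_bytes(32)


def make_pseudonym(email: str, eu_key: bytes) -> str:
    """Keyed HMAC-SHA256 over the normalized identifier.

    A plain, unkeyed hash of an e-mail address can be matched against a list of
    known addresses; with the key held only in the EU, the recipient can neither
    reverse a token nor compute the token for an address it already knows."""
    normalized = email.strip().lower().encode("utf-8")
    return hmac.new(eu_key, normalized, hashlib.sha256).hexdigest()


def pseudonymize_for_export(record: dict, eu_key: bytes,
                            allowed: frozenset = FIELDS_FOR_PROCESSOR) -> dict:
    """Build the record that crosses the border: a pseudonym plus allow-listed
    attributes only. Direct identifiers are excluded even if allow-listed."""
    exported = {"pseudonym": make_pseudonym(record["email"], eu_key)}
    for field, value in record.items():
        if field in allowed and field not in DIRECT_IDENTIFIERS:
            exported[field] = value
    return exported


def export_batch(records: list, eu_key: bytes) -> list:
    """Pseudonymize every record in a batch for transfer."""
    return [pseudonymize_for_export(r, eu_key) for r in records]


def build_eu_index(records: list, eu_key: bytes) -> dict:
    """Re-identification table (pseudonym -> e-mail). Like the key, it stays
    inside the EU so that only the controller can link results back to people."""
    return {make_pseudonym(r["email"], eu_key): r["email"] for r in records}


def reidentify(pseudonym: str, eu_index: dict):
    """Resolve a pseudonym back to the identifier; None if it is unknown."""
    return eu_index.get(pseudonym)


if __name__ == "__main__":
    key = generate_eu_key()
    for row in export_batch(SAMPLE_RECORDS, key):
        print(row)  # what the US processor receives: no name, e-mail or phone
    index = build_eu_index(SAMPLE_RECORDS, key)
    print(reidentify(export_batch(SAMPLE_RECORDS, key)[0]["pseudonym"], index))
```

Because the HMAC is deterministic for a given key, the same person receives the same pseudonym across batches, so the processor can still aggregate per individual; rotating the key on the EU side breaks that linkage for any previously exported data, which is one of the levers a TIA can document as a supplementary measure.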
Transfer Impact Assessments (TIAs)
Transfer Impact Assessments are risk assessments that an organization conducts before transferring data to a third country. They inform organizations about the risk level and potential impact of transferring data to a third country and thus help dictate strategic action surrounding the transfer process. More specifically, TIAs must assess the likelihood of access by US authorities in light of national regulations such as FISA and EO 12333. The European Data Protection Board (EDPB) offers guidance on how to complete a TIA. In short, TIAs are important because they evaluate several elements of organizations’ data processes, including:
- The nature of the personal data being transferred, collected, or processed.
- The legal environment in the country where the organization is located.
- The likelihood of government access to personal data.
- The extent to which additional safeguards are needed.

Binding Corporate Rules (BCRs)
Binding Corporate Rules are internal policies that multinational organizations use to transfer data within their corporate group, even when recipients are based outside of the EEA. Unlike SCCs, which are clauses included in contract agreements, BCRs are internal, organization-wide private policies that apply across all offices and locations in a multinational corporation. Once approved, they allow organizations to streamline and simplify the data transfer process throughout the organization. According to Article 47 of the GDPR, BCRs:

- Standardize data protection, collection, transfer, processing, and accountability across a multinational organization.
- Establish enforceable consumer privacy rights across all group entities to ensure the organization remains GDPR compliant.
- Facilitate a lawful, efficient, transparent, and accountable transfer process across an organization’s entire corporate group.
- Mandate internal audits, training, and complaint handling procedures across the group.
To have a valid BCR, organizations must meet several requirements laid out in Article 47 of the GDPR. Once drafted, organizations must file the document with the lead supervisory authority (e.g., the Garante Privacy in Italy) for approval. Then, both the national authority and the EDPB review the document in a process that typically takes 12 to 18 months. After review, the authority will note any necessary modifications before formally authorizing the document.
Derogations For Occasional International Data Transfers
Normally, Article 46 of the GDPR requires transfers to third countries to be covered by additional privacy safeguards. Further, Article 46(3)(a) requires organizations to obtain prior authorization from the Garante when safeguards such as SCCs are not in place. However, there is an exception for occasional transfers. According to GDPR Article 49, in the absence of an adequacy decision and appropriate safeguards, one-off data transfers to third countries can still be completed. Such a transfer must fall under one of the exceptional circumstances listed in Article 49, such as:
- Explicit consent of the consumer
- Performance of a contract with the consumer
- Performance of a contract in the consumers’ interest, but involving another party
- Public interest as recognized by the EU
- Establishment, exercise, or defense of legal claims
- Protection of vital interests when the consumer cannot give consent
- Transfers from public entities where lawful access is permitted under the EU
These derogations are few and far between. In fact, under GDPR Article 49, such transfers must be exceptional, occasional, and non-repetitive, must be well documented, and are not a substitute for safeguards such as the DPF. Additionally, they are narrowly interpreted, hard to qualify for, and meant for one-time, small-scale transfers.
Accountability and Compliance Requirements
Organizations must demonstrate compliance with the GDPR requirements. In particular, the Accountability Principle under GDPR Article 5(2) specifies several requirements that organizations must satisfy to demonstrate compliance.
- Maintain a record of all data processing, collection, and transfer activities under the GDPR Article 30.
- Update contracts that contain SCCs or BCRs regularly.
- Provide adequate documentation of TIAs and other supplementary measures.
- Develop standard procedures for responding to consumer requests.
- Create a plan for breach notification, as required under GDPR Article 33 (to the supervisory authority) and Article 34 (to the consumer).
It is important that organizations implement the proper security measures and demonstrate the highest degree of compliance with the GDPR. European supervisory authorities, including the Garante in Italy, are permitted to audit data transfer mechanisms, investigate consumer complaints, and impose large fines for GDPR violations. Avoiding such penalties is in every organization’s interest: fines can be as high as 20 million euros or 4% of global turnover for the most serious violations, and 10 million euros for lesser ones.
Conclusion: Best Practices for International Data Transfer Compliance
The regulatory differences between Italy and the US can make international data transfer a complex and lengthy process. Through the GDPR, Italy applies one of the most comprehensive and consumer-centric data protection regimes in existence. By contrast, US data protection law is overwhelmingly decentralized, with some general privacy protections at the federal level alongside more thorough state-dependent legislation. Nonetheless, there are several strategies, touched on in this article, that streamline the process while keeping an organization GDPR compliant.
- Monitor all international data flows and update records regularly.
- Utilize supplementary measures such as SCCs, TIAs, or BCRs.
- Implement techniques to anonymize data, such as encryption, pseudonymization, and access controls.
- Understand changing legal standards and guidance from the EDPB.
- Invest in staff training on cross-border data protection and consumer privacy obligations.

At A.L. Assistenza Legale, our team of lawyers assists clients in Italy, the US, and other third countries. We help clients remain GDPR compliant, move business operations into Italy, and adapt to the legal differences between countries. Whether a startup handling transatlantic consumer data or a multinational corporation with a complex cloud infrastructure, we can help you master the international data transfer process while remaining aligned with the GDPR requirements. If you have any questions about GDPR compliance, international data transfers, or data protection law in Italy, feel free to contact us!