The Fundraiser's Transfer of Personal Data from the European Union to the United States in Context of Crowdfunding Activities

Abstract

European start-up companies must overcome more ‘transfer hurdles’ when personal data is transferred from the European Union to the US (United States of America) as part of crowdfunding campaign activities. Transfer of personal data is commonly not associated with (small scale) crowdfunding activities. However, the strict rules of the EU GDPR (European General Data Protection Regulation) on safeguarding personal data apply to all companies when data is transferred from the EU to the US - regardless the size of the business.

This article identifies exchange of personal data that takes place between primarily fundraiser and crowdfunding service provider in different steps of fundraising campaigns. The framework for rewardbased crowdfunding for goods production that is provided by the US based Indiegogo platform is used as example and context. The article highlights by way of example the obligations that must be met by European fundraisers as "data controllers" when personal data is transferred to Indiegogo. No easy solutions are provided by either European Union or national data protection authorities on how to establish an adequate level of personal data protection. Paradigms on how to secure transfer of personal data to third countries are available in form of so-called standard contractual clauses, but still conditions for transfer of personal data from Europe to the US are hard to comply with. Apart from entering into an inter partes agreement on use of standard contractual clauses with the crowdfunding platform provider, a European fundraiser must furthermore make a so-called "transfer impact assessment" to ensure that third party access to personal data is avoided. In the case of transfer of personal data from the EU to the US the fundraiser must consider using encryption of data as a "supplementary measure" to block third party access. Encryption of data is however not suitable for exchange of data in a dynamic crowdfunding campaign so other means for protection of data must be found and applied.

The reason and explanation for making data transfers from the EU to the US that hard for e.g., fundraisers are thus to be found at interstate level in the relation between the EU and the US. According to EU law, more specifically the GDPR and several of the provision of the Charter of Fundamental Rights of the European Union, US security legislation authorises a disproportionate access for US intelligence services to citizens' personal data. A solution on manageable transfer of personal data from the EU to the US may be found before the end of 2022, since a new TADP (Trans-Atlantic Data Privacy Framework) is currently being negotiated between EU and US at top politician level. However, the implementation of the TADP may take som time since the EU legislative framework needs adjustments to make the new transfer possibilities operational.