The Fundraiser's Transfer of Personal Data from the European Union to the United States in Context of Crowdfunding Activities

Nicolai Kjærgaard Sørensen* & Ulla Steen**

* Assistant Attorney, Master of Laws.
** Chief Consultant, PhD.

NJCL 2022/2 117

1. INTRODUCTION 119
2. TRANSFER OF PERSONAL DATA TO INDIEGOGO IN THE LIGHT OF EU LAW 120
3. SAFE TRANSFER OF DATA TO THE US – EU REQUIREMENTS 122
4. THE FUNDRAISER'S USE OF STANDARD CONTRACTUAL CLAUSES 125
5. ANOTHER LAYER OF SECURITY - TRANSFER IMPACT ASSESSMENT (TIA) 126
6. INDIEGOGO TERMS OF USE AND TIA IN VIEW OF EDPB RECOMMENDATIONS 129
7. CROWDFUNDING AND SUPPLEMENTARY MEASURES - ENCRYPTED DATA – LIKELY TO WORK? 131
8. IN SEARCH OF VALID MEANS FOR TRANSFER OF PERSONAL DATA TO INDIEGOGO 133
9. THE WAY AHEAD FOR THE FUNDRAISER'S TRANSFER OF PERSONAL DATA TO THE US 135

PERSONAL DATA TRANSFER TO THE US 118

ABSTRACT

European start-up companies must overcome more 'transfer hurdles' when personal data is transferred from the European Union to the US (United States of America) as part of crowdfunding campaign activities. Transfer of personal data is commonly not associated with (small-scale) crowdfunding activities. However, the strict rules of the EU GDPR (European General Data Protection Regulation) on safeguarding personal data apply to all companies when data is transferred from the EU to the US, regardless of the size of the business. This article identifies the exchange of personal data that takes place, primarily between fundraiser and crowdfunding service provider, in the different steps of a fundraising campaign. The framework for reward-based crowdfunding for goods production provided by the US-based Indiegogo platform is used as example and context. The article highlights by way of example the obligations that must be met by European fundraisers as "data controllers" when personal data is transferred to Indiegogo. No easy solutions are provided by either the European Union or national data protection authorities on how to establish an adequate level of personal data protection. Paradigms on how to secure transfer of personal data to third countries are available in the form of so-called standard contractual clauses, but the conditions for transfer of personal data from Europe to the US are still hard to comply with. Apart from entering into an inter partes agreement on the use of standard contractual clauses with the crowdfunding platform provider, a European fundraiser must furthermore make a so-called "transfer impact assessment" to ensure that third-party access to personal data is avoided. In the case of transfer of personal data from the EU to the US, the fundraiser must consider using encryption of data as a "supplementary measure" to block third-party access. Encryption of data is, however, not suitable for the exchange of data in a dynamic crowdfunding campaign, so other means for protection of data must be found and applied. The reason and explanation for making data transfers from the EU to the US that hard for e.g. fundraisers are thus to be found at interstate level in the relation between the EU and the US. According to EU law, more specifically the GDPR and several of the provisions of the Charter of Fundamental Rights of the European Union, US security legislation authorises disproportionate access for US intelligence services to citizens' personal data. A solution for manageable transfer of personal data from the EU to the US may be found before the end of 2022, since a new TADP (Trans-Atlantic Data Privacy Framework) is currently being negotiated between the EU and the US at top political level. However, the implementation of the TADP may take some time, since the EU legislative framework needs adjustments to make the new transfer possibilities operational.

1. INTRODUCTION

The overall legal framework that governs transfer of personal data from the EU (European Union) to the US (United States of America) is the GDPR (the General Data Protection Regulation).1 However, electronic transfer of personal data to the US is currently hard to combine with GDPR compliance for several reasons, even though transfers of personal data from the EU to the US form part of everyday business around the EU, e.g. when European companies approach crowdfunding platforms located in the US.2 "Indiegogo" is an example of a US-based platform bringing fundraisers and backers together around reward-based crowdfunding having production of goods as target.
The platform provider offers various services supporting especially fundraisers in the process from start-up of a campaign over prototype and product production to shipping.3 The flows of "investments" (or contributions) from backers to fundraisers are enormous when viewed in the context of Indiegogo's annual turnover.4 "Indiegogo" is based in the US, and both fundraisers and backers approaching the platform are required to agree to the crowdfunding platform's Privacy Policy and to make themselves familiar with further Terms of Use, Cookie Policies etc.5 Both fundraisers and backers must transfer personal data to the service provider in the process of starting up a fundraising campaign, and possibly in later production steps of goods. Transfer of money from backer to fundraiser involves e.g. use of personal data to which the crowdfunding service provider or a third-party transfer manager needs access.6 European-based companies that consider crowdfunding for goods production at Indiegogo or another US-based platform should carefully identify and analyse the nature of the requested data in a broader (legal) perspective before signing up for a campaign and transferring any personal data.

When EU-based companies transfer personal data to US-based crowdfunding platforms, the companies must, according to the EU legal framework, including the GDPR, ensure an "adequate level" of protection of the personal data transferred. However, under EU law the US is classified as an "unsafe" country in the context of transfer of personal data from the EU, since US security legislation provides the NSA (the National Security Agency) disproportionate access to personal data, including personal data kept by US companies. The US security legislation thus conflicts with the data protection requirements set out in the GDPR and several of the provisions of the Charter (Charter of Fundamental Rights of the European Union),7 including Article 8 on protection of personal data.8 This makes transfer of personal data from the EU as set out in Chapter V of the GDPR complicated and time-consuming.

1 REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) [2016] OJ L119/1.
2 European Commission, 'EU trade relationships by country/region, United States' <https://ec.europa.eu/trade/policy/countries-and-regions/countries/united-states/> accessed 26 June 2022.
3 Indiegogo, Inc., 'What We Do' <https://www.indiegogo.com/about/what-we-do> accessed 26 June 2022.
4 Growjo, 'Indiegogo Revenue and Competitors' <https://growjo.com/company/Indiegogo> accessed 26 June 2022.
5 Indiegogo, Inc., 'Terms of Use' (Effective December 20, 2021) <https://www.indiegogo.com/about/terms> accessed 26 June 2022; Indiegogo, Inc., 'Privacy Policy' (Effective December 20, 2021) <https://indiegogo.trsnd.co/policies> accessed 26 June 2022.
6 Indiegogo, Inc., 'Privacy Policy' (Effective December 20, 2021) <https://indiegogo.trsnd.co/policies> accessed 26 June 2022.
7 Charter of Fundamental Rights of the European Union [2012] OJ C326/391.
8 Case C-311/18 Facebook Ireland and Schrems [2020], paras 168-202.

2. TRANSFER OF PERSONAL DATA TO INDIEGOGO IN THE LIGHT OF EU LAW

Indiegogo is a crowdfunding platform located in San Francisco and is known to attract tech products.9 The life-cycle process of crowdfunding for goods production includes at least four stages: concept, prototype, production, and shipping. The backer or contributor may contribute to the campaign when it is launched, or for as long as the campaign runs, to get access to the potential/upcoming product.10

Fig. 1. Source: Indiegogo, 'What We Do' <https://www.indiegogo.com/about/what-we-do> accessed 26 June 2022.

Crowdfunding for goods production includes many activities related to the development and promotion of the potential upcoming product, including transfer of personal data from the fundraiser to the crowdfunding platform.11 Pursuant to Article 2(1) GDPR, "processing of personal data" is subject to the GDPR in the EU. The Indiegogo platform addresses this fact in its Privacy Policy, stating that the GDPR applies to individuals in the EU.12 The answer to the question whether the EU-based fundraiser's transfer of personal data to Indiegogo in the US also constitutes "processing of personal data" emerges clearly from the so-called Schrems II judgment from June 2020.13 According to the CJEU, the operation of having personal data transferred from an EU Member State to a third country constitutes processing of personal data carried out in a Member State.14 Therefore, also when the fundraiser transfers data out of the EU to Indiegogo based in the US, the GDPR must be complied with.

The so-called data controller has the main responsibility when it comes to GDPR compliance.15 Pursuant to Art. 4(7) GDPR, the data controller means the natural or legal person which, alone or jointly with others, determines the purposes and means of the processing of personal data. The following appears from Indiegogo's Privacy Policy: "Indiegogo is "the data controller" of personal data collected by all of Indiegogo, and we are responsible for deciding how personal data is collected, used, and disclosed."16 Afterwards, Indiegogo gives an account of its legal grounds for use and disclosure of personal data and of the rights of individuals in the EU pursuant to the GDPR.17 This may have a reassuring effect on the fundraiser transferring personal data to this platform.

9 Indiegogo, Inc., 'Terms of Use' (Effective December 20, 2021) <https://www.indiegogo.com/about/terms> accessed 26 June 2022.
10 Indiegogo, Inc., 'Backer FAQ' <https://support.indiegogo.com/hc/en-us/articles/115002383767-Backer-FAQ> accessed 28 June 2022.
Everything seems totally compliant at first glance. However, Indiegogo's Privacy Policy should not be overvalued in relation to the specific processing of personal data which takes place when personal data is transferred to Indiegogo. Even though the fundraiser transfers personal data to a data controller, the fundraiser also classifies as a data controller in this context. Therefore, both Indiegogo and the fundraiser are data controllers in relation to the personal data transferred from the fundraiser to Indiegogo. This is due to the fact that the fundraiser also decides the purpose and means of the processing of the personal data in question, including making the decision that the personal data should be transferred to Indiegogo in order to receive Indiegogo's crowdfunding service.18 When the fundraiser as a data controller wants to proceed with a transfer of personal data to Indiegogo, the fundraiser is subject to several requirements under EU law.

11 Indiegogo, Inc., 'Privacy Policy' (Effective December 20, 2021) <https://indiegogo.trsnd.co/policies> accessed 26 June 2022.
12 Indiegogo, Inc., 'Privacy Policy' (Effective December 20, 2021) <https://indiegogo.trsnd.co/policies> accessed 26 June 2022.
13 Case C-311/18 Facebook Ireland and Schrems [2020].
14 Case C-311/18 Facebook Ireland and Schrems [2020], para 83.
15 Peter Blume, Den nye persondataret (2nd edition, Jurist- og Økonomforbundets Forlag, 2018) 73 ff.
16 Indiegogo, Inc., 'Privacy Policy' (Effective December 20, 2021) <https://indiegogo.trsnd.co/policies> accessed 26 June 2022.
17 Indiegogo, Inc., 'Privacy Policy' (Effective December 20, 2021) <https://indiegogo.trsnd.co/policies> accessed 26 June 2022.

3. SAFE TRANSFER OF DATA TO THE US – EU REQUIREMENTS

First, the fundraiser must identify the transfers of personal data to Indiegogo that will take place as part of the specific crowdfunding activity.
This must be done before the transfer takes place.19 Indiegogo requests different kinds of data from a fundraiser in support of crowdfunding for goods production, which also emerges from Indiegogo's Privacy Policy, which together with Indiegogo's Terms of Use constitutes the full agreement between the fundraiser and Indiegogo:

- "Identifiers: Registration information such as name, country of residence, gender, date of birth, email address, phone number, username, and password.
- Commercial information: Fundraiser (and backer)
- Financial information: information to be submitted to Third-party payment processor when creating a Campaign including limited banking information, contact information such as your phone number, email address, mailing address.
- Compliance information, including e.g., government ID, information needed for tax forms, other information required by our third-payment processor.
- Information chosen to public share, including information sent to other platform user, post etc. that Indiegogo must collect according to US Federal/State Law
- Internet/network or device information
  o Information obtained from a third party, such as a site or platform provider, about the use of our Site or Services on third-party platforms or devices.
  o Location information, including provided by a mobile or other device interacting with one of our Sites or applications (including through beacon technologies), or associated with your IP address, where We are permitted by law to process this information.
  o Activity information about your use, and the use by any person(s) you authorize through your account, of our sites and applications, such as the content you view or post, how often you use our Services, and your preferences.
  o Usage, viewing, technical, and device data when you visit our Sites, use our applications on third-party sites or platforms, or open emails We send, including your browser or device type, unique device identifier, and IP address.
- Any miscellaneous data provided by a fundraiser, including professional or employment related data, public gender reveal, photo, video, etc."20

"Personal data" is a very broad concept, as personal data is not only any information relating to an identified person, such as a name, but also information relating to an identifiable person according to Article 4(1) GDPR. This means that data like an email address, a phone number, banking information, a government ID or an IP address, which Indiegogo according to its Privacy Policy may request from the fundraiser, also falls within the material scope of the GDPR if this data, alone or combined with other data, can be ascribed to a natural person.21 However, not every kind of data is "personal data" that falls within the material scope of the GDPR according to Article 2(1) GDPR, and thereby within the rules on third-country transfers. For instance, data regarding a legal entity, more specifically the company itself (company name, CVR number, contact information etc.), is not "personal data".22 On the other hand, the rules apply to all personal data relating to natural persons in the course of a professional activity, such as the employees of a company/organisation, business email addresses that reveal the identity of a natural person, or employees' phone numbers. Moreover, information in relation to one-person companies may constitute personal data where it allows the identification of a natural person. This fact is important to stress in a crowdfunding context, as many of the fundraisers are entrepreneurs launching their first company.

When the above-mentioned "personal data" is identified, the fundraiser must identify the transfer tools to rely on when transferring personal data to Indiegogo according to Chapter V of the GDPR. These transfer tools aim to ensure that the level of protection of natural persons guaranteed by the GDPR is not undermined when personal data is transferred out of the EU to a third country like the USA.23 Article 45 GDPR provides for the transfer of personal data to a third country which, pursuant to a Commission decision, provides an "adequate level of protection", also known as a secure third country. The USA is not a safe third country, and for now, in the case of third-country transfers to Indiegogo, Article 45 GDPR cannot be used as a basis for the transfer. GDPR Art. 46, however, contains several additional transfer bases that can be used when transferring personal data to an insecure third country such as the United States. For private companies like fundraisers transferring personal data to another private company like Indiegogo, the following transfer bases are currently available:24

• "Binding corporate rules" pursuant to Article 46(2)(b) and 47 GDPR
• Standard contractual clauses adopted by the European Commission pursuant to Article 46(2)(c) GDPR.
• Contractual clauses entered into between the fundraiser and Indiegogo on an ad hoc basis pursuant to Article 46(3)(a).

In situations where neither Article 45 nor 46 GDPR can be used as a tool for transfer, a third-country transfer can also be carried out on the basis of the exceptions in Article 49 GDPR. However, the exceptions must be interpreted restrictively and relate mainly to processing activities that are occasional and not characterised by repetition.25 As crowdfunding for goods production includes development of the potential upcoming product, the fundraiser may transfer personal data to Indiegogo on an ongoing basis. For this reason, the fundraiser may not rely on the exceptions in Article 49 GDPR. In consequence, it may only be the binding corporate rules, standard contractual clauses and ad hoc contractual clauses that are available as transfer tools.

18 Datatilsynet and Justitsministeriet, 'Vejledning om dataansvarlige og databehandlere' [2017] pages 7-12 <https://www.datatilsynet.dk/Media/7/6/Dataansvarlige%20og%20databehandlere.pdf> accessed 26 June 2022.
19 European Data Protection Board, 'Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data' [2021] Version 2.0, pages 10-11 <https://edpb.europa.eu/system/files/2021-06/edpb_recommendations_202001vo.2.0_supplementarymeasurestransferstools_en.pdf> accessed 26 June 2022.
20 Indiegogo, Inc., 'Privacy Policy' (Effective December 20, 2021) <https://indiegogo.trsnd.co/policies> accessed 26 June 2022.
21 REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) [2016] OJ L119/1, preamble 26, 30.
22 REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) [2016] OJ L119/1, preamble 14.
23 European Data Protection Board, 'Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data' [2021] Version 2.0, pages 11-13 <https://edpb.europa.eu/system/files/2021-06/edpb_recommendations_202001vo.2.0_supplementarymeasurestransferstools_en.pdf> accessed 26 June 2022.
24 Datatilsynet, 'Overførsel af personoplysninger til tredjelande' [2022] 4th edition, page 16 <https://www.datatilsynet.dk/Media/637902777513932912/Vejledning%20om%20overf%C3%B8rsel%20til%20tredjelande.pdf> accessed 26 June 2022.
However, binding corporate rules are primarily intended for major groups of companies and may be resource-demanding to draw up. The ad hoc contractual clauses are also resource-demanding to draw up. Moreover, the binding corporate rules and ad hoc contractual clauses must be approved by the national data protection authority and the European Data Protection Board (EDPB).26 Therefore, in practice, the most relevant transfer tool for the fundraiser is the standard contractual clauses adopted by the European Commission pursuant to Article 46(2)(c) GDPR.

25 Henrik Udsen, IT-ret (4th edition, Ex Tuto Publishing A/S, 2019) 448; European Data Protection Board, 'Guidelines 2/2018 on derogations of Article 49 under Regulation 2016/679' [2018] page 4 f. <https://edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_2_2018_derogations_en.pdf> accessed 26 June 2022.
26 Datatilsynet, 'Overførsel af personoplysninger til tredjelande' [2022] 4th edition, page 16 <https://www.datatilsynet.dk/Media/637902777513932912/Vejledning%20om%20overf%C3%B8rsel%20til%20tredjelande.pdf> accessed 26 June 2022.

4. THE FUNDRAISER'S USE OF STANDARD CONTRACTUAL CLAUSES

In a legal context, the standard contractual clauses form an annex to a decision adopted by the Commission, and the standard contractual clauses can be found on the European Commission's website.27 The standard contractual clauses impose on the fundraiser and Indiegogo a range of obligations which, overall, correspond to the obligations in the GDPR.28 The standard contractual clauses combine general clauses with a modular approach to cater for various transfer scenarios. In addition to the general clauses, the parties should only select the module applicable to their situation.29 As both the fundraiser and Indiegogo are data controllers, they should select the Module 1 clauses, which apply to controller-to-controller transfers.

Indiegogo's Terms of Use underline that especially the standard contractual clauses form an important transfer tool when the fundraiser transfers personal data to Indiegogo. According to the Terms of Use, the fundraiser is responsible for ensuring compliance with the European data controller obligations under applicable European data protection law, including the current standard contractual clauses.30 Moreover, Indiegogo has published the relevant standard contractual clauses on its own website, more specifically the standard contractual clauses applicable to transfers from one data controller to another. However, in the pre-filled annexes of the standard contractual clauses, Indiegogo presupposes that the standard contractual clauses apply when Indiegogo itself transfers personal data about a contributor/backer to a campaign owner/fundraiser.31 Therefore, when transferring personal data to Indiegogo, the fundraiser must take the initiative to enter into the standard contractual clauses with Indiegogo and make sure to adapt the annexes so that they reflect the specific transfers from the fundraiser to Indiegogo in question.

27 European Commission, 'Standard contractual clauses for international transfers' (4 June 2021) <https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc/standard-contractual-clauses-international-transfers_en> accessed 26 June 2022.
28 Henrik Udsen, IT-ret (4th edition, Ex Tuto Publishing A/S, 2019) 439 ff.
29 COMMISSION IMPLEMENTING DECISION (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council [2021] OJ L199/31, preamble 10.
However, even though the fundraiser may manage to enter into the standard contractual clauses with Indiegogo, the fundraiser cannot use the standard contractual clauses uncritically without any further considerations, even though the standard contractual clauses are accepted as a valid starting point for transfer of personal data to an unsafe third country.

5. ANOTHER LAYER OF SECURITY - TRANSFER IMPACT ASSESSMENT (TIA)

In the Schrems II judgment, the CJEU thus stated that the use of the standard contractual clauses implies that the European data controller must verify, on a case-by-case basis, whether the law of the third country ensures adequate protection "essentially equivalent" to that guaranteed by EU law, specifically the GDPR as interpreted in the light of the fundamental rights guaranteed by the Charter.32 This assessment can be called a "TIA" ("transfer impact assessment"). The CJEU's requirement for a TIA originates from Article 44 GDPR, which sets out that a third-country data transfer must not only have a legal basis in Chapter V of the GDPR but must also comply with the other rules of the GDPR. One of these additional rules is Article 5(2) GDPR regarding the "accountability" principle, stating that the data controller is responsible for compliance with the GDPR, but also that the controller must be able to demonstrate this compliance. By conducting a TIA, the fundraiser may demonstrate how it will ensure adequate protection when transferring personal data to a third country, in this case by transferring personal data to Indiegogo.

When the fundraiser wants to transfer personal data to the US-based Indiegogo, the fundraiser must, as part of its TIA, consider paragraphs 168 to 202 of the Schrems II judgment. In these paragraphs, the CJEU took into account the fundamental rights of the Charter.33 Pursuant to Article 6(1) of the TEU (Treaty on European Union), the Charter applies at treaty level in EU law.34 The Charter codifies several fundamental rights.35 According to preamble 4 of the GDPR, the GDPR respects all fundamental rights and observes the freedoms and principles recognised in the Charter. Therefore, the Charter must be taken into account in the interpretation of the GDPR, and the CJEU ascribes great importance to the Charter when ruling on questions relating to data protection law.36 In the Schrems II judgment, the CJEU compared American national security legislation authorising mass surveillance of non-US citizens with Articles 7, 8, 47 and 52(1) of the Charter.37 Article 7 states the right to respect for private and family life. Article 8 determines the right to protection of personal data. Article 47 determines the right to an effective remedy and to a fair trial. Article 52(1) determines that any limitation on the exercise of the rights recognised by the Charter must be provided for by law, and that limitations may be made only if they are necessary and genuinely meet objectives of general interest etc. (proportionality).

30 Indiegogo, Inc., 'Terms of Use' (Effective December 20, 2021) <https://www.indiegogo.com/about/terms> accessed 26 June 2022.
31 Indiegogo, Inc., 'Standard Contractual Clauses for Campaign Owners' (Effective December 20, 2021) <https://indiegogo.trsnd.co/policies?name=standard-contractual-clauses-for-campaign-owners#european-commission-standard-contractual-clauses> accessed 26 June 2022.
32 Case C-311/18 Facebook Ireland and Schrems [2020], paras 105 and 134.
In the Schrems II judgment, the CJEU held, among other things, that the US security legislation in the Foreign Intelligence Surveillance Act (hereafter "FISA") Section 702, Executive Order 12333 and Presidential Policy Directive 28 does not lay down limitations on the US intelligence services' collection of personal data on non-US citizens.38 Consequently, the fundraiser transferring personal data to Indiegogo is facing a legal barrier arising from a conflict between US security legislation and the fundamental rights of the EU Charter of Fundamental Rights.39 This conflict applies although the fundraiser has entered into standard contractual clauses with Indiegogo, as those clauses are not legally binding on authorities in third countries.40 Therefore, transfer of personal data to the US on the basis of standard contractual clauses shows a clash between the legislative framework, more specifically EU law and US security legislation, and the contractual framework, namely the standard contractual clauses entered into between the fundraiser and Indiegogo.

As the standard contractual clauses in force were adopted by the European Commission in the wake of the Schrems II judgment, the standard contractual clauses contain several provisions addressing this issue. For instance, Clause 14, regarding local laws and practices affecting compliance with the standard contractual clauses, requires the data exporter (the fundraiser) and the data importer (Indiegogo) to "[…] warrant that they have no reason to believe that the laws and practices in the third country of destination applicable to the processing of the personal data by the data importer, including any requirements to disclose personal data or measures authorising access by public authorities, prevent the data importer from fulfilling its obligations under these Clauses."41 Moreover, Clause 14 states that the parties, in providing the above-mentioned warranty, have taken due account of a number of elements, including the laws and practices of the third country of destination.42 In other words, the parties shall, in accordance with the Schrems II judgment, conduct a TIA. Indiegogo's Terms of Use also seem to reflect the Schrems II judgment. Here, Indiegogo underlines that the fundraiser as a data controller under applicable EU law must ensure transfers and conduct any required data protection impact assessments (TIA).43

33 Case C-311/18 Facebook Ireland and Schrems [2020], paras 168-202.
34 Jonas Christoffersen and others, EU's Charter om Grundlæggende Rettigheder med kommentarer (2nd edition, Jurist- og Økonomforbundets Forlag, 2018) 40.
35 Christina D. Tvarnø and Ruth Nielsen, Retskilder og retsteorier (5th edition, Jurist- og Økonomforbundets Forlag, 2017) 102.
36 Peter Blume, Databeskyttelsesret (5th edition, Jurist- og Økonomforbundets Forlag, 2018) 60.
37 Case C-311/18 Facebook Ireland and Schrems [2020], paras 168-202.
38 Case C-311/18 Facebook Ireland and Schrems [2020], paras 168-202.
39 Nicolai Kjærgaard Sørensen, 'Overførsel af personoplysninger til USA og Europa-Kommissionens standardkontraktbestemmelser i lyset af EU-retten og grundlæggende rettigheder' (2021), pages 31-33 <https://projekter.aau.dk/projekter/files/415520765/Specialet.pdf> accessed 26 June 2022.
40 Case C-311/18 Facebook Ireland and Schrems [2020], paras 125 and 132.
41 ANNEX to the COMMISSION IMPLEMENTING DECISION on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council [2021] C(2021) 3972 final, Clause 14.
42 ANNEX to the COMMISSION IMPLEMENTING DECISION on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council [2021] C(2021) 3972 final, Clause 14.
43 Indiegogo, Inc., 'Terms of Use' (Effective December 20, 2021) <https://www.indiegogo.com/about/terms> accessed 26 June 2022.

6. INDIEGOGO TERMS OF USE AND TIA IN VIEW OF EDPB RECOMMENDATIONS

In the Schrems II judgment, the CJEU did not clearly define the factors that may be included as part of the data controller's TIA. Therefore, when conducting the TIA, further guidance is required. In this context the European Data Protection Board (EDPB) is central. Pursuant to Article 70(1) GDPR, the EDPB shall ensure the consistent application of the GDPR, and for this purpose the EDPB can issue guidelines and recommendations. In the wake of the Schrems II judgment, the EDPB issued Recommendations 01/2020 (Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data),44 which among other things aim to help data exporters (entities transferring data to third countries) with the conduct of the TIA. It is important to note that the recommendations are not legally binding according to Article 288, last sentence, of the TFEU (Treaty on the Functioning of the European Union).45 However, according to Article 68(3) GDPR, the EDPB - among other things - consists of the heads of the data protection authorities of each Member State. Therefore, it must be expected that each data protection authority supervises in accordance with the recommendations, which is why the recommendations are of great practical significance.46

The recommendations underline that the TIA first and foremost must be based on publicly available legislation.47 Consequently, when the fundraiser transfers personal data to Indiegogo in the USA, the fundraiser should consider whether the personal data transferred may be subject to the US security legislation that the CJEU deemed to be contrary to the data protection afforded by EU law.

Regarding FISA Section 702, this legislation authorizes collection of "foreign intelligence information".48 This definition is very broad, as it does not only include information that is necessary in the interest of national security, but any information from a foreign power or territory that is merely related to the conduct of foreign affairs.49

44 European Data Protection Board, 'Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data' [2021] Version 2.0, page 9, 11-13 <https://edpb.europa.eu/system/files/2021-06/edpb_recommendations_202001vo.2.0_supplementarymeasurestransferstools_en.pdf> accessed 26 June 2022.
45 Consolidated version of the Treaty on the Functioning of the European Union [2012] OJ C 326/49, 288.
46 Peter Blume, Persondatarettens kilder og metode (1st edition, Djøf Forlag, 2020) 48 f. and 64; Henrik Udsen, IT-ret (4th edition, Ex Tuto Publishing A/S, 2019) 457 and 473.
47 European Data Protection Board, 'Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data' [2021] Version 2.0, page 17 <https://edpb.europa.eu/system/files/2021-06/edpb_recommendations_202001vo.2.0_supplementarymeasurestransferstools_en.pdf> accessed 26 June 2022.
Therefore, if the fundraiser is based in the EU, the personal data transferred may be "foreign intelligence information", even though the data is transferred for a crowdfunding purpose. However, pursuant to FISA Section 702, the American authorities may only collect personal data from "electronic communications service providers".50 This definition may, however, include any company that gives others, including the company's own employees, access to communicate electronically via, for example, e-mail, regardless of what the company's primary business area might otherwise be.51 Therefore, Indiegogo may also fall within this definition.

Regarding E.O. 12333, this executive order authorises the intelligence services to collect and store data before it reaches the US and there becomes subject to the provisions of FISA. The surveillance activities based on E.O. 12333 are thus not regulated by law, and therefore the fundraiser cannot give any formal guarantee that personal data transferred to Indiegogo will not be subject to surveillance under E.O. 12333.52

The assessment above reveals that the personal data transferred to Indiegogo might be subject to surveillance that is contrary to the data protection afforded by EU law, as the American legislation gives wide authority for surveillance. However, it is uncertain whether the personal data transferred to Indiegogo falls within the practical scope of the American application of FISA Section 702 and E.O. 12333. In this situation, the American legislation is - according to Recommendations 01/2020 - "problematic legislation".53

As also appears from Recommendations 01/2020, it should be noted that it is not only the US security legislation itself that the fundraiser needs to take into account when conducting the TIA. For instance, the fundraiser should also take into consideration all the actors participating in the transfer, including other data controllers, and any envisaged onward transfer from Indiegogo to another company.54 In a crowdfunding context this could be a third-party transfer manager who may need personal data transferred by the fundraiser to Indiegogo for financial compliance purposes etc.55 Such onward transfers might undermine the protection afforded by the standard contractual clauses, as the third-party transfer manager is not automatically bound by the standard contractual clauses entered into between the fundraiser and Indiegogo. However, the standard contractual clauses address this issue, as it appears from clause 8 that the data importer, Indiegogo, shall not disclose the personal data to a third party located outside the EU, for instance a third-party transfer manager located in the US or another third country, unless this third party is or agrees to be bound by the standard contractual clauses which the fundraiser and Indiegogo have adopted. Otherwise, Indiegogo may only transfer the personal data to the third-party transfer manager under certain conditions, for instance if the third-party transfer manager is located in a safe third country according to Article 45 GDPR.56

7. CROWDFUNDING AND SUPPLEMENTARY MEASURES - ENCRYPTED DATA – LIKELY TO WORK?

If the fundraiser's TIA shows that the standard contractual clauses do not ensure a protection essentially equivalent to that guaranteed by EU law due to "problematic legislation", according to the Schrems II judgment the fundraiser may provide "supplementary measures" to those offered by the standard contractual clauses.57 As the ECJ in the Schrems II judgment did not define the supplementary measures or what those measures could consist of, Recommendations 01/2020 are very useful in this connection too, as the recommendations also aim to help with the identification of appropriate "supplementary measures". According to the recommendations, there will be situations where only appropriately implemented "technical measures" might impede or render ineffective access by public authorities in third countries to personal data for surveillance purposes.

48 50 U.S.C. § 1881a(h)(2)(A)(v) (2018).
49 50 U.S.C. § 1801(e)(2)(B) (2018).
50 50 U.S.C. § 1881a(h)(2)(A)(vi) (2018).
51 H. Marshall Jarrett and Michael W. Bailie, Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations (Office of Legal Education, Executive Office for United States Attorneys) 117 <https://www.justice.gov/file/442111/download> accessed 26 June 2022.
52 Case C-311/18 Facebook Ireland and Schrems [2020], para 63.
53 European Data Protection Board, 'Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data' [2021] Version 2.0, page 17-18 <https://edpb.europa.eu/system/files/2021-06/edpb_recommendations_202001vo.2.0_supplementarymeasurestransferstools_en.pdf> accessed 26 June 2022.
54 European Data Protection Board, 'Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data' [2021] Version 2.0, page 15, 22 <https://edpb.europa.eu/system/files/2021-06/edpb_recommendations_202001vo.2.0_supplementarymeasurestransferstools_en.pdf> accessed 26 June 2022.
55 Indiegogo, Inc., 'Privacy Policy' (Effective December 20, 2021) <https://indiegogo.trsnd.co/policies> accessed 26 June 2022.
56 ANNEX to the COMMISSION IMPLEMENTING DECISION on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council [2021] C(2021) 3972 final, Clause 8.
57 Case C-311/18 Facebook Ireland and Schrems [2020], para 133.
Such a technical measure could be encryption of the data transferred to the third country, which excludes access to the data transferred.58 In the Indiegogo Privacy Policy, Indiegogo appears to be aware that technical measures should be taken into consideration: "HOW WE PROTECT YOUR INFORMATION AND DATA RETENTION […] We have implemented technical, administrative, and physical security measures that are designed to protect User information from unauthorized access, disclosure, use, and modification. We regularly review our security procedures to consider appropriate new technology and methods. However, please be aware that despite our best efforts, no security measures are perfect or impenetrable."59 Indeed, no security measures are perfect or impenetrable, and in its Privacy Policy, Indiegogo does not mention anything about encryption of data before it is transferred to Indiegogo. This may be for good reasons: if the fundraiser encrypts the personal data before transferring the data to Indiegogo, this will defeat the entire purpose of the transfer, as Indiegogo could then only store the data but could not access the data in the clear.
Regardless of this fact, in annex 2 of Recommendations 01/2020, the EDPB states that for transfers of personal data for business purposes where the data importer (in this case Indiegogo) needs access to the data transferred, and the data importer is located in a third country where the public authorities are granted disproportionate access to the data, the EDPB is incapable of envisioning an effective technical measure to prevent that access from infringing on the data subject's fundamental rights.60 This applies even though Indiegogo encrypts the data after having received the personal data from the fundraiser, as Indiegogo according to FISA section 702 may also be obligated to hand over encryption keys to US intelligence agencies.61

However, according to Recommendations 01/2020, the fundraiser has a last option, as it can decide to proceed with the transfer without being required to implement supplementary measures, if the fundraiser considers that it has no reason to believe that the American "problematic legislation" will be applied, in practice, to the transferred data and/or Indiegogo.62 It is important to stress that this is not a risk-based assessment, and the fundraiser cannot take into consideration the likelihood of American surveillance of the transferred data in question. This must be seen in the context of the fact that the requirement for a legal ground for transfers in chapter V of the GDPR is binary: either the fundraiser has a legal ground or not. This is reflected in Recommendations 01/2020, as the fundraiser according to the EDPB needs to demonstrate the practical application of the American legislation with a "detailed report" based on "relevant", "objective", "reliable", "verifiable" and "publicly available or otherwise accessible" information.63

8. IN SEARCH OF VALID MEANS FOR TRANSFER OF PERSONAL DATA TO INDIEGOGO

In Annex 3 of the Recommendations, the EDPB mentions examples of sources from which the information could be obtained, for instance relevant case-law, resolutions and reports from intergovernmental organizations, reports and analyses from competent regulatory networks etc. Moreover, the fundraiser can take into consideration whether Indiegogo can confirm that it has not received requests for access to data from U.S. public authorities in the past and that it is not prohibited from providing information about such requests or their absence.64 Taking into consideration Indiegogo's comprehensive Privacy Policy, nothing indicates that Indiegogo is in possession of the above-mentioned requested information. Quite the reverse, as Indiegogo seems to acknowledge that US national security law affects the possibility of compliance with EU law: "We may share the categories of information identified above for the following business and commercial purposes: […] 6. When we share your personal information with third parties […] to comply with legal process (including to comply with national security or law enforcement requirements) […]."65 However, because of the fundraiser's customer relation to Indiegogo, the fundraiser may - particularly if this is done in cooperation with other fundraisers - be able to ask Indiegogo for the above-mentioned relevant information, so that the transfer may perhaps take place in accordance with EU law. As it appears from Recommendations 01/2020, the data exporter and data importer need to cooperate to make the assessment, even though, when all is said and done, it is the data exporter's, i.e. the fundraiser's, responsibility that the transfer from the EU to the US takes place in accordance with EU law.66 However, as appears from the above presentation, a TIA is a demanding piece of work. Conducting a TIA requires resources and time, which is something that a fundraiser may not have, especially not in the start-up phase.

9. THE WAY AHEAD FOR THE FUNDRAISER'S TRANSFER OF PERSONAL DATA TO THE US

The current European legal framework for transfer of personal data to third countries is made to ensure an adequate level of protection of the personal data transferred from the EU. The analyses above reveal that fundraising campaigns involve supply of personal data from fundraiser (and backer) to crowdfunding service provider in the different steps of a crowdfunding campaign. As shown above, such exchange of data is however hardly manageable in the context of the strict rules of the GDPR and the Charter when the crowdfunding platform is based in the US. The American intelligence and surveillance laws and possible US government access to EU citizens' personal data have established barriers to transfer of personal data from the EU to the US in many different data exchange contexts. This has left European and US companies with cross-border transfer problems that can only be solved at interstate level. Solutions have been discussed between the European Commission and the US, and on 25 March 2022, the European Commission and the U.S. Government announced that they had agreed in principle on a new so-called "Trans-Atlantic Data Privacy (TADP) Framework". Currently, the U.S. Government and the European Commission are cooperating with a view to translating the framework into legal documents that will need to be adopted by both the EU and the US to put the new TADP Framework in place.67 Therefore, European companies cannot rely on the statement from the European Commission and the US yet. Reportedly, under the new framework the US is to put in place new safeguards to ensure that US surveillance activities are necessary and proportionate etc., and the US intelligence agencies are to adopt procedures to ensure effective oversight of the coming new privacy standard.68 On 7 October 2022, President Biden signed the "Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities".

58 European Data Protection Board, 'Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data' [2021] Version 2.0, page 21-23 <https://edpb.europa.eu/system/files/2021-06/edpb_recommendations_202001vo.2.0_supplementarymeasurestransferstools_en.pdf> accessed 26 June 2022.
59 Indiegogo, Inc., 'Privacy Policy' (Effective December 20, 2021) <https://indiegogo.trsnd.co/policies> accessed 26 June 2022.
60 European Data Protection Board, 'Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data' [2021] Version 2.0, page 34 and 35 <https://edpb.europa.eu/system/files/2021-06/edpb_recommendations_202001vo.2.0_supplementarymeasurestransferstools_en.pdf> accessed 26 June 2022.
61 50 U.S.C. § 1881a(a),(i)(1) (2018); European Data Protection Board, 'Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data' [2021] Version 2.0, page 29 <https://edpb.europa.eu/system/files/2021-06/edpb_recommendations_202001vo.2.0_supplementarymeasurestransferstools_en.pdf> accessed 26 June 2022.
62 European Data Protection Board, 'Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data' [2021] Version 2.0, page 18 and 19 <https://edpb.europa.eu/system/files/2021-06/edpb_recommendations_202001vo.2.0_supplementarymeasurestransferstools_en.pdf> accessed 26 June 2022.
63 European Data Protection Board, 'Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data' [2021] Version 2.0, page 19 <https://edpb.europa.eu/system/files/2021-06/edpb_recommendations_202001vo.2.0_supplementarymeasurestransferstools_en.pdf> accessed 26 June 2022.
64 European Data Protection Board, 'Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data' [2021] Version 2.0, page 47 and 48 <https://edpb.europa.eu/system/files/2021-06/edpb_recommendations_202001vo.2.0_supplementarymeasurestransferstools_en.pdf> accessed 26 June 2022.
65 Indiegogo, Inc., 'Privacy Policy' (Effective December 20, 2021) <https://indiegogo.trsnd.co/policies> accessed 26 June 2022.
66 European Data Protection Board, 'Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data' [2021] Version 2.0, page 18 <https://edpb.europa.eu/system/files/2021-06/edpb_recommendations_202001vo.2.0_supplementarymeasurestransferstools_en.pdf> accessed 26 June 2022.
According to the White House, the executive order among other things "adds further safeguards for U.S. signals intelligence activities, including requiring that such activities [are] conducted only in pursuit of defined national security objectives" and only when the intelligence activities are "necessary" and "proportionate". Moreover, a new "multi-layer mechanism" is intended to be established for individuals to obtain "independent and binding review and redress of claims" that personal data collected through US intelligence services was collected or handled illegally. An appeal body, "the Civil Liberties Protection Officer", will conduct an initial investigation of qualifying complaints received, and a new "Data Protection Review Court" is to "provide independent and binding review" of the Civil Liberties Protection Officer's decisions.69

What is important from the fundraisers' perspective is to be assured that well-functioning, valid and reliable settings are established on both the US and the European side, so that everyday business can be done: transferring personal data to the US. However, some further political, legal and juridical steps have to be taken, and the European business sector still needs to have patience. Now, the European Commission has to determine whether the new executive order provides an "adequate level of protection" and, if so, draft an "adequacy decision" under Article 45 GDPR stating that the TADP.

It should be noticed that the organization "NOYB", founded by Max Schrems who filed the claim leading to the Schrems II judgment, as a "first reaction" to the new executive order has stated that the executive order is "unlikely to satisfy EU". Despite the fact that the new executive order uses words such as "necessary" and "proportionate", NOYB does not think that there is any indication that US mass surveillance will change in practice, as the EU and the US have different understandings of these words. Moreover, according to NOYB the new "Court" mentioned in the executive order will not be a court in the normal legal meaning of Article 47 of the Charter or the US Constitution, but a "body within the US government's executive branch".70

Until a new framework for transfer of personal data from Europe to the US has been established, European fundraisers transferring personal data to crowdfunding platforms located in the US are advised to conduct a TIA as well as possible and in compliance with Recommendations 01/2020 in order to demonstrate "accountability" pursuant to Article 5(2) GDPR. If the TIA shows that the fundraiser cannot ensure adequate protection of the personal data transferred, it must consider using a European-based crowdfunding platform instead.

67 European Commission, 'European Commission and United States Joint Statement on Trans-Atlantic Data Privacy Framework' (25 March 2022) <https://ec.europa.eu/commission/presscorner/detail/en/ip_22_2087> accessed 26 June 2022.
68 European Commission, 'European Commission and United States Joint Statement on Trans-Atlantic Data Privacy Framework' (25 March 2022) <https://ec.europa.eu/commission/presscorner/detail/en/ip_22_2087> accessed 26 June 2022.
69 The White House, 'FACT SHEET: President Biden Signs Executive Order to Implement the European Union-U.S. Data Privacy Framework' (7 October 2022) <https://www.whitehouse.gov/briefing-room/statements-releases/2022/10/07/fact-sheet-president-biden-signs-executive-order-to-implement-the-european-union-u-s-data-privacy-framework/> accessed 30 October 2022.
70 NOYB, 'First reaction: Executive Order on US Surveillance unlikely to satisfy EU law' (7 October 2022) <https://noyb.eu/en/new-us-executive-order-unlikely-satisfy-eu-law> accessed 30 October 2022.