The Fundraiser's Transfer of Personal Data from the European Union to the United States in Context of Crowdfunding Activities

European start-up companies must overcome more ‘transfer hurdles’when personal data is transferredfrom the European Union totheUS (United Statesof America) as part of crowdfunding campaignactivities. Transfer of personal data iscommonly notassociated with(small scale)crowdfunding activities. However, the strict rules of theEU GDPR(European General Data Protection Regulation) on safeguarding personal data apply toall companieswhen data is transferred from the EUto the US-regardless the size of the business.This articleidentifies exchange of personal data that takesplace between primarilyfundraiser andcrowdfunding service providerin different steps of fundraising campaigns.Theframework for reward-based crowdfunding for goods production that is provided by the US based Indiegogo platform is used as exampleand context. Thearticle highlightsby way of examplethe obligations that must be met by European fundraisers as "data controllers"when personal data is transferred to Indiegogo.No easy solutionsare provided byeitherEuropean Union or national data protection authoritieson how to establish an adequate level ofpersonal data protection. Paradigms on how to secure transfer of personal data to third countries are available in form of so-called standard contractual clauses, but still conditions for transfer of personal data from Europe to the USare hard to comply with.Apart from entering into an interpartesagreement on use of standard contractual clauseswith the crowdfunding platform provider, a European fundraiser mustfurthermoremake a so-called"transfer impact assessment" to ensure that third party access to personal data is avoided. In the case of transfer of personal data from the EU to the US the fundraiser must consider usingencryptionof data as a "supplementary measure"to block third party access. Encryptionof datais however not suitablefor exchange of data in a dynamic crowdfunding campaign so other means for protection of data must be found and applied.The reason and explanation for makingdata transfersfromtheEUto the USthat hard for e.g.,fundraisers arethusto be found atinterstate level in the relation between the EUand theUS.According to EU law, more specifically the GDPR and several of the provision of the Charter of Fundamental Rights of the European Union, US security legislation authorises a disproportionate access for US intelligence services to citizens' personal data. A solution on manageable transfer of personal data from the EUto the USmaybe found before the end of 2022, since a new TADP (Trans-Atlantic Data Privacy Framework)is currently being negotiated betweenEUand US attop politician level. However, the implementation of the TADP may take som time since the EU legislative framework needs adjustments to make the new transfer possibilities operational.