Will the USA now (again) become a safe third country?
A large proportion of the cloud service providers and software vendors used by European companies are based in the USA. Not a big problem, one would think; after all, goods worth billions of euros and dollars are exchanged between the two economic areas every day.
However, just as a European car has to meet specific American requirements before it can be registered in the USA, software providers from the USA must guarantee their European customers compliance with the provisions of the General Data Protection Regulation (GDPR).
The problem is not so much that US companies want to sell European data to third parties for a profit or exploit it themselves (Facebook/Meta and dodgy data brokers excepted), but rather the relevant US laws and executive orders that were passed decades ago to combat terrorism and other “national security” threats. “National security” is interpreted very broadly, and this can lead to disproportionate surveillance measures. This is not only hinted at by eager screenwriters of American films and series; it was also brought to a broader public, with solid evidence, by Edward Snowden in 2013.
So how could US companies or the US government guarantee that the data of European citizens is not misused and that a level of data protection comparable to that of the EU is maintained? Although data protection is becoming an increasingly important issue in the USA, US legislation formally lags decades behind Europe. Individual states such as California with the CCPA have meanwhile passed their first data protection laws, which borrow some principles from the GDPR but are by no means as comprehensive. And only a few activists and forward-thinking lawyers are currently dreaming of a uniform federal data protection law in the USA.
In some cases, US companies have set up their own subsidiaries in the European Union (often in Ireland because of its favourable tax laws) which sign the contracts with European customers, giving the impression that only European companies are involved in the data processing. Examples are Microsoft Ireland Operations Ltd. or Google Cloud EMEA Ltd.
The large corporations mentioned can easily afford such legal constructs, and they also operate their own data centers in the European Union. From a purely technical point of view, however, access is usually still possible from the “headquarters” in the USA, and US law (for example the CLOUD Act of 2018) can compel a US parent company to hand over data in its control regardless of where that data is stored. So the relevant US laws still apply.
It becomes even more difficult with providers of specialised solutions. There, the data processing agreements are concluded directly with the US companies, and the data obviously sits in US data centers.
The current means of choice for using these providers are the “EU Standard Contractual Clauses” (SCCs), which were last updated and approved by the EU Commission on June 4, 2021. Earlier versions of the standard contractual clauses can no longer be used for new contracts, and existing agreements based on them had to be re-concluded with the new clauses (the Commission's transition period for existing contracts ended on December 27, 2022).
However, the European Court of Justice made it clear in its widely noted “Schrems II” judgment that the standard contractual clauses only work if they can actually be enforced in the destination country. If that is not the case, additional technical or organisational measures have to be found to protect the data, and a “transfer impact assessment” has to be carried out to estimate how great the risk of unauthorised access to the data by foreign authorities would be. The practical check is simple to state and hard to answer: does the law of the destination country, as actually applied, allow authorities to override the protections the clauses promise?
Sound complicated? It is!
Therefore, the whole industry is eagerly awaiting a new agreement between the European Union and the United States in which the latter guarantees European citizens an adequate level of data protection. However, a simple declaration of intent without a legal basis and without corresponding bodies being established in the USA would probably be judged insufficient by the European Court of Justice, for the same reasons as “Privacy Shield” was.
While data protection matters used to be negotiated at a lower level (the US Department of Commerce on one side and the responsible EU Commissioner on the other), the topic has now become a “top priority” handled by the Commission President and the US President. An agreement in principle has reportedly already been reached. That is not nothing, but unfortunately not much either. The situation can only ease once concrete steps have been taken, such as presidential decrees or new authorities for the concerns of non-US citizens. Since there is currently no shortage of other pressing political issues, rapid progress is not foreseeable here.
So the only thing left at the moment is to document in detail why the expected risk of a given data transfer is low, and to put additional measures in place when working with US service providers. Microsoft, for example, is currently in the process of separating its European data centers from the parent company to the point where access would only be possible by violating a large number of internal rules. Other large service providers can be expected to take similar measures. Note, however, that such separation is largely an organisational control: it does not change which laws the parent company is subject to. This is why the supplementary measures recommended by the European data protection authorities centre on technical means such as encryption where the keys are held outside the provider's reach. In addition, companies should check whether European providers can offer comparable services.
It is better to invest some effort in researching and evaluating alternative solutions than to live with constant uncertainty about objections from the supervisory authorities. And even if the research shows that there is no equivalent European offering, that finding is still valuable. As part of the documentation, it can be used as an argument for choosing a specific service provider, and it shows the authority that the problem has been recognised and addressed.