Ever since the EU and US announced a new agreement in principle on a reviewed trans-Atlantic data flows deal, allegedly giving a definitive answer to the legality of using US-based cloud services, we have received a lot of questions.
We talked to our CSO, Kinh Luan Nguyen, and our DPO, Kim Hindart, about some of the most commonly asked questions by our customers and partners.
- Q: Is it legal to use the American cloud services again?
- Q: Why do some media outlets and articles state that the situation has been resolved?
- Q: Can I keep using American cloud services and just wait for the new proposal?
- Q: But they rushed through the Privacy Shield framework when Safe Harbor was invalidated and even agreed not to challenge Privacy Shield for two years. What’s to say it won’t be the same this time?
- Q: Can’t we count on this to work itself out?
Q: Is it legal to use the American cloud services again?
It has never been illegal, per se, to use American cloud services. However, it has been, and still is, prohibited to transfer personal data from the EU to a country that doesn’t protect personal information as a human right without a legal basis and/or mechanism and/or consent. For reference, the Privacy Shield Framework, which was invalidated in 2020, was one such mechanism that allowed for data transfers between the EU and the US.
The reason is that the American mass surveillance programs, which give the US government extraterritorial rights to extract data from American cloud services no matter where the data resides, infringe on the privacy of EU citizens.
Given the tone of this topic in the media, though, the short answer is no, since absolutely nothing has changed:
- The GDPR is still in effect.
- The Privacy Shield Framework (which previously allowed for legal data transfers between the EU and the US) is still invalid since July 16, 2020.
- There is no new data transfer framework or agreement that allows for legal data transfers yet.
Q: Why do some media outlets and articles state that the situation has been resolved?
The widely publicized agreement between the EU and the US is to initiate a new proposal for the “New Trans-Atlantic Data Privacy Framework” to ensure that you can legally transfer data between the EU and the USA [in the future].
Again, the agreement is to initiate a new proposal. The EU and US have not reached a legal contract, and absolutely nothing has changed from one day to another. You still need:
- A legal basis to transfer EU citizens’ data to the US.
- Consent to transfer EU citizens’ data to the US.
Q: Can I keep using American cloud services and just wait for the new proposal?
Yes, at the prolonged expense of your data subjects, whose privacy, and human rights, you are jeopardizing and potentially violating.
First, the negotiations between the EU and the US have not produced any proposal on how the US will ensure that it does not infringe on human rights.
Second, if the EU and the US manage to draft an agreement on the matter, it must first be ratified across all EU member states. The ratification process of gathering approval from 27 different parliaments will take time.
Q: But they rushed through the Privacy Shield framework when Safe Harbor was invalidated and even agreed not to challenge Privacy Shield for two years. What’s to say it won’t be the same this time?
The Trans-Atlantic Data Privacy Framework will be the third version of a mechanism that could allow data transfers between the EU and the US. The European Data Protection Board (EDPB) and the European Court of Justice (EUCJ) are unlikely to approve a solution that doesn’t comply with EU data protection law.
Both the EDPB and EUCJ are independent bodies that do not need to honor any agreement made by the Commission if they believe that such an agreement violates human rights.
Q: Can’t we count on this to work itself out?
You can, but you will be facing a precarious future unless you evaluate your options.
The problem is not the brilliant American, Chinese, or Indian companies that provide excellent cloud services. The problem is how our digital selves and data are not viewed the same way by countries outside the EU, thereby making our personal information subject to legal systems and mass surveillance programs that do not respect our human rights.