New EU-USA data transfer agreement? Everything you need to know

25 May 2022 / Article

Uncertainty as to how and when US cloud services can be used in the public sector has been widespread, ever since the Schrems II ruling, two years ago. Is it, for example, possible to use American cloud services while maintaining EU citizens’ privacy? Then in March this year, the EU and USA announced that they had reached a new agreement in principle on the regulation of trans-Atlantic data flows. So what’s the actual situation now, and what’s the approach going forward? Rakeel Khawar, Data Protection Officer at Iver and Johan Christensson, founder of Cleura, explain the significance of what has previously happened and what it will mean going forward for public sector organisations.

GDPR and the data legislation passed since 2018 notwithstanding, there is still considerable uncertainty about what the rules actually are when it comes to public sector use of US cloud services. To understand why, we need to look at the stages that have led to the current situation, according to Rakeel Khawar, Data Protection Officer at Iver:

– The desire for a trans-Atlantic agreement has been around for a long time, but previous agreements have been legally unsustainable. The first EU-USA data transfer agreement, Safe Harbour, was declared invalid by the European Court of Justice in 2015 after the whistleblower Edward Snowden successfully revealed that investigative authorities in the US could access information without the consent of that information’s owner. The findings of the legal case known as Schrems I were a recognition that data held on American servers could be accessed by the US intelligence services and that this contravened the provisions of the EU’s Charter of Fundamental Rights, governing the individual’s right to respect for private life.

The data transfer agreement between the continents required revision in the light of the Schrems I ruling, and the response was a new agreement in principle – Privacy Shield. This agreement was, however, also declared invalid by the European Court of Justice in the Schrems II case, when it became known that Facebook Ireland had transferred European personal data to the USA.

The right to respect for the individual’s private life is a fundamental one in the EU and its constitutional law, which is deliberately wide-ranging in order to protect EU citizens’ privacy.

– The Data Protection Regulation does not undermine this principle – something that became clear in the light of the rulings in the Schrems I and Schrems II cases, says Rakeel Khawar.

New data transfer agreement in March 2022 – what has changed?

We are now in a situation where the EU and USA are once again looking at drafting an agreement that will create the preconditions for a more viable dataflow between the continents, and on 25 March, the US President, Joe Biden, and the European Commissioner, Ursula von der Leyen, announced that an agreement in principle on a new agreement had been reached.

– The joint statement by the USA and EU shows the desire to find a solution to the problem. But drafting an agreement that is legally sustainable will require changes to US legislation, and until this is achieved, we’re stuck in the same position, legally speaking, says Rakeel Khawar, Data Protection Officer at Iver.

Johan Christensson, founder of Cleura, explains:

– In practice, as things currently stand, nothing has changed. We know that the USA and EU want to come up with a shared solution and that there are forces working to make progress. But nothing has actually happened, other than that they’re officially working to reach an agreement in the hope of coming up with some form of agreement. US cloud services are still unable to guarantee that European personal data will not be disclosed to a third-party country, so every European organisation has to take a stance on this.

What does the uncertainty about US cloud services mean for digitalisation in the public sector?

One argument often heard in the debate about the uncertainty surrounding public sector use of US cloud services is that the strict legislation has a negative effect on the degree of digitalisation in the sector. Johan Christensson explains.

– Getting to grips with the situation has been difficult for many, and in many respects, it’s been up to individual organisations to make their own assessments. And this kind of uncertainty can obviously result in a “wait and see” approach when it comes to the investments people want to make in connection with digitalisation. It’s important, however, to remember that public sector digitalisation is not going to stop just because US cloud services can’t be used for certain types of data. There are numerous European alternatives available, and there are also good Multi-Cloud solutions that use data mapping to enable the data to be processed and stored in the right cloud, thereby ensuring regulatory compliance.

What should the public sector’s approach to US cloud services be until a functional agreement is in place?

– Planning and implementing infrastructure investments usually entails a long-term view, so public sector organisations need to look around for solutions that support their desired digitalisation journey and where compliance and regulatory conformity work from a longer-term perspective. No organisation, not least a public sector one, can afford to have its technical choices invalidated for a third time. In simple terms, they need to ensure that the compliance level of the infrastructure they’re building is so high that it can handle legislative amendments, the introduction of new laws – or changes in the geopolitical situation. The latter perspective has become increasingly important, and organisations are recognising an ever greater need to “bring data home”, given the changing global situation, concludes Johan Christensson.