Data Protection: Data Transmission Between the USA and the EU
Table of Contents
- Privacy Shield
- How Is Data Privacy Regulated in the United States?
- Further Information
- The future of secure transfers of personal data to the United States.
U.S. data privacy laws may seem like a distant topic to most individuals living outside of the USA, but some American laws do, in fact, have an effect on both private individuals and companies in Europe. A good example is the use of cloud storage services that are based in the USA, and thus are subject to the national laws there. According to the EU Commission data protection outside the EU is insufficient, with a few exceptions such as Switzerland.
The EU is striving to find a solution allowing safe global data exchange despite this difference in data protection standards. The Privacy Shield was a concrete attempt to bring data transfers involving companies based in the USA, Europe and Switzerland up to the high level of data protection requirements in the EU. However, this agreement was already overturned by the European Court of Justice in 2020 as the legal regimes of the EU and the USA are too different.
What Does the End of Privacy Shield Mean?
Any transfer of personal data which are undergoing processing or are intended for processing after transfer to a third country or to an international organisation shall take place only if, subject to the other provisions of this Regulation, the conditions laid down in this Chapter are complied with by the Controller and processor, including for onward transfers of personal data from the third country or an international organisation to another third country or to another international organisation.
According to Article 44 of the GDPR, personal data may only be transferred to a third country given an adequate level of protection. In addition, Articles 45 and 46 of the GDPR specify that the level of protection needs to be ensured, for example, by means of an adequacy decision or another guarantee. This was previously regulated using the Privacy Shield, as the EU considered the level of protection in the USA to be adequate. Due to the discontinuation of the Privacy Shield, the transfer of personal data to the United States is no longer considered secure.
To learn more about the Privacy Shield as well as the consequences of the Court's ruling, we recommend watching the following video from Privacy Kitchen.
Who Is Affected by the End of Privacy Shield?
The ruling affects all companies that transfer personal data into the United States. This includes e.g. using cloud storage from providers with servers in the US or transferring data to international branches within the company. In the future, companies that transfer data to other third countries based on standard data protection clauses could also be affected. It's also possible that these agreements will be reviewed once again by the European Court of Justice (ECJ).
Standard Contractual Clauses (SCC) for Data Transfer to the USA
With the end of the Privacy Shield agreement, companies must find new ways to ensure the protection of personal data in third countries. One of these alternatives are standard contractual clauses.
According to the General Data Protection Regulation (GDPR), contractual clauses ensuring appropriate data protection safeguards can be used as a ground for data transfers from the EU to third countries.
(Source: European Comission)
There are two types of standard contractual clauses, which can be concluded:
- The first regulates the transfer of data between the company and the processor.
- The second clause concerns the transfer of personal data to third countries.
The EU Commission's sample contracts must be adopted without modification in order to be valid.
All standard contractual clauses, i.e. including existing ones, must be adapted to the new ones. This means that companies, who have previously transferred customer data to the USA under the Privacy Shield, need to comply. The transition period for adapting existing contractual relationships to the new standard contractual clauses is 18 months and ends on December 27, 2022.
How Can Companies Take Action?
The Stuttgart Region Chamber of Commerce and Industry has published a guide that companies can follow when setting up their new standard contractual clauses. Here's an excerpt:
In-house assessment report
- Is customer data processed in third countries, especially the USA?
- Is customer data processed by companies based in the USA?
Do service providers and processors use suppliers, such as web hosts, from the United States?
Agreement on the standard contractual clauses
- Third-party companies must be asked to provide the new standard contractual clauses.
- Ask processors if they have standard contractual clauses with their subcontractors in third countries.
Check technical protection measures
- Ask third-country providers to specify their security measures, such as encryption.
- Ask processors whether subcontractors can prove that they apply protective measures.
These processes must be documented as well as protocolized by the respective company. It should also be noted that the standard contractual clause per se is usually not sufficient in individual cases. The European Commission provides a FAQ sheet to answer common questions on SCCs with regards to Privacy Shield.
What Follows After Privacy Shield?
To ensure a secure transfer of personal data from Europe to the United States, work has already begun on negotiating a new agreement. US President Biden is willing to talk with the EU about a new data protection agreement. Currently, no concrete details on its content are known.
Bloomberg reported in February 2022 that the Meta Group, as part of an internal risk assessment, expects to shut down its services in Europe if a new data protection agreement does not follow. Without a legal basis for cross-border data transfer, the group would no longer be able to offer services like Facebook or Instagram in Europe.
Max Schrems on Privacy Shield 2.0
Privacy activist Max Schrems has successfully appealed against the Safe Harbour agreement back in 2015 as well as the Privacy Shield before the European Court of Justice in 2020. Schrems has published a statement on "Privacy Shield 2.0" via his data protection organization Noyb.
He calls the new agreement a merely political proclamation with no legal basis. In terms of content, he assumes that the final text will show no major differences compared to Privacy Shield. Therefore, he has already announced that he will analyze the final version of the legislative text together with US legal experts and, if necessary, challenge it for a third time.
It is regrettable that the EU and US have not used this situation to come to a 'no spy' agreement, with baseline guarantees among like-minded democracies. Customers and businesses are facing yet more years of legal uncertainty.
Privacy activist Max Schrems on the planned "Privacy Shield 2.0" agreement.
How Is Data Privacy Regulated in the United States?
In contrast to the European GDPR, there is no general and comprehensive data protection law in the United States. Individual industries and states have their own data protection laws, such as business, healthcare, or the financial sector. These govern the handling as well as storage of personal data. The lack of competent bodies which data subjects can contact in the event of a data protection incident poses a major problem.
Why Is There a Difference Between Data Protection in the US and the EU?
In the EU, the protection of personal data is considered a fundamental right_. This is stated, among other things, in Article 8 of the EU Charter of Fundamental Rights:
Everyone has the right to the protection of personal data concerning him or her.
In the U.S., however, data privacy is seen as part of Consumer Protection Law and thus as part of the business sector. After all, the Federal Trade Commission (FTC) takes on the role of data protection supervision in the Unted States. In the EU, independent data protection authorities and commissioners carry out this task.
Why Are There Limitations on Data Privacy in the United States?
The US data protection standards are not appropriate from the EU's perspective. This can be primarily attributed to the US government. As a response to the terrorist attacks of September 11, 2001, the USA PATRIOT Act was passed, which considerably expanded the authorizations of government agencies. Thus, authorities can access data stored on US servers at any time.
Keep reading to learn how the questionable data protection laws of the USA affect the respective individuals and companies that purchase products and services from companies based in the USA.
The US CLOUD Act
The CLOUD Act ("Clarifying Lawful Overseas Use of Data Act") allows US authorities to access all data stored on servers operated by American cloud providers. As the title suggests, this also includes users who do not reside in the US. This means the CLOUD Act deliberately overrides existing and applicable data protection laws protecting citizens of other countries, such as the EU's GDPR.
Can a company simultaneously comply with the GDPR and the CLOUD Act?.
The CLOUD Act forces U.S. companies into an illegal dichotomy. They cannot comply with the CLOUD Act as well as the GDPR at the same time since the two laws contradict each other. In addition, the CLOUD Act prohibits cloud operators from informing their customers if American authorities have accessed their data.
A brief description of the CLOUD Act, as well as its implications, is explained in the following video by Pryor Cashman.
The EARN IT Act 2022
The encroaching transformation of the USA into a surveillance state is being accelerated under the pretext of protecting children. The EARN IT Act ("Eliminating Abusive and Rampant Neglect of Interactive Technologies Act") poses a threat to end-to-end encryption (E2EE). Under this law, companies are pressured into being liable for the content of their users. To enable such control, strong encryption shall either be abolished and/or backdoors inserted.
What are the implications of the EARN IT Act regarding civil rights?
In the future, private individuals and law enforcement agencies will be able to sue Internet platforms directly based on the EARN IT Act if crimes against children are prosecuted as a result. This is an effective pressure tool with the ulterior motive of requiring providers to give authorities access to user accounts and content. From the perspective of citizens, however, the enactment of the EARN IT Act would be fatal and would imply the further expansion of the surveillance state.
Sense Chat provides a summary of the EARN IT Act and its implications for our civil rights in the following video.
The LAED Act - Government-Imposed Backdoors
The LAED Act ("Lawful Access to Encrypted Data Act"), is yet another US law which poses a threat to strong end-to-end encryption. To detect illegal behavior, US providers and platforms will have the ability to issue a decryption order. This is intended to facilitate law enforcement.
Backdoors or Vulnerabilities?
Similar to the EARN IT Act, the LAED Act seeks to build backdoors into encryption software. However, under the pretext that only authorized entities can utilize them, this would effectively abolish end-to-end encryption. Moreover, the backdoors - or rather vulnerabilities - could be abused for attacks. While tech-savvy individuals with criminal intent can switch to alternative networks, the LAED Act signifies the expansion of the surveillance state for "averagely tech-savvy" private individuals.
In the video EARN IT and LAED Acts Want to Eliminate Encryption Seth Rosenblatt, lead reporter for the cybersecurity magazine “The Parallax”, talks about how both legislations affect encryption.
FINRA, SOX, FIPS - Compliance and Data Protection for the US Financial Industry
_What is FINRA?
FINRA ("Financial Regulatory Authority") oversees individuals and firms who trade securities on US stock exchanges. Specifically certified providers as well as encryption solutions, allow the use of the cloud in compliance with FINRA without concerns. Here are some examples of instances supervised by FINRA:
- Duration of data retention
- Storage of data in the cloud
- Encryption of data.
What is SOX?
The SOX Act ("Sarbanes-Oxley Act") is responsible for the quality and reliability of corporate reporting from companies participating in the public capital market. The three central application areas of the SOX Act are Corporate Governance, Compliance and external reporting. The Act also regulates the use of cloud storage and requires affected companies to encrypt data with a 256-bit AES key regardless of content.
What is FIPS 140-2?
FIPS stands for Federal Information Processing Standard Publication and is an American security standard for the release of cryptographic modules. In addition, FIPS coordinates requirements and standards for encryption procedures used in hardware and software. FIPS 140-2 certification is divided into four levels and certifies the physical security of software. The higher the level, the higher the security standard.
The different security levels as well as application areas of FIPS 140-2, are explained in the video Understanding FIPS 140-2.
HIPAA/HITECH - Health Data Security in the United States.
Handling personal data in healthcare.
President Bill Clinton passed the HIPAA Act ("Health Insurance Portability and Accountability Act") in 1996. HIPPA prescribes how personal data in healthcare is to be handled and sets the groundwork for secure processing of personal data in the electronic health record (EHR).
Additionally, in 2009, the HITECH Act ("Health Information Technology for Economic and Clinical Health Act") was introduced, which is designed to facilitate the introduction of technology as well as simplified processing of patient data. This applies to the electronic health record (EHR), which is widely used in America.
The electronic health record - added benefit or vulnerability?
Data processed in the EHR belongs to a "special category of personal data." The EHR allows for ease of use and transparency for physicians so that all important patient information can be found immediately and in one place. However, the sensitive information about a person's health and well-being, also makes the EHR particularly prone to cyberattacks. Therefore, it is important to effectively protect this sensitive health data from any attacks so that important information does not fall into the wrong hands.
Watch "The HIPAA Privacy Rule" video for an overview of HIPAA and HITECH laws along with their use cases.
CCPA and CPRA – Data Privacy in California.
Companies that are already GDPR compliant only need to make small adjustments in order to process personal data in California and stay compliant with the California Consumer Privacy Act (CCPA). The terms of the CCPA are aimed at large IT companies in Silicon Valley. The legislation introduces some new rights for individuals living in California, regarding:
- Their personal information
- A ban on discrimination
- Claiming damages.
The California Privacy Rights Act (CPRA) is an ascertainment of the CCPA and is intended to give California consumers the right to prevent the disclosure of sensitive information. The CPRA will take effect in January 2023 and will apply retrospectively to all data collected since January 01, 2022.
A comparison of the California Data Protection Act and the GDPR can be found in the "CCPA vs. GDPR" video.
The future of secure transfers of personal data to the United States.
Negotiations between US President Biden and head of EU Commission Von der Leyen give some hope for a trustworthy successor to the Privacy Shield. Nevertheless, privacy activists such as Max Schrems will closely review and, if necessary, appeal the agreement__ if there is no fundamental change in the attitude of the United States towards data protection.
Since the largest technology corporations are based in the United States, it is important to ensure that the personal data of EU citizens are treated with the highest possible protection. Secret services and authorities from the USA try to force backdoors in end-to-end encryption via various laws like the EARN IT or LAED Act. However, these backdoors are inherently vulnerabilities and provide a way for people with criminal intent to get their hands on users' sensitive data.
It is unclear whether and, above all, when a "Privacy Shield 2.0" will come into force and is also unobjectionable in terms of data protection. However, companies and private individuals already have the option to protect sensitive data effectively. Through encryption solutions like Boxcryptor, your data is protected before it is uploaded to the cloud. This way, neither the cloud providers nor any third country authorities can access your data.
With zero-knowledge providers, you have the assurance that you retain full control over your data, since the provider literally has neither knowledge nor access to your data. For more information on what you should consider when choosing suitable encryption software, see the following article.