The context
When you are looking for a solution to host your data and your website, to send an email campaign, or to track the visits to your website, the big names of American companies come to mind very quickly: Microsoft, Amazon, Google and others. Using European companies poses no problem, but it should be remembered that entrusting personal data to non-European companies (outside the European Economic Area) can pose a problem, because these countries do not necessarily respect the GDPR (RGPD in French). Of course, there are countries that the European Commission considers to have equivalent regulations, namely those that have obtained an "adequacy decision", and the USA is not among them.
The difficult Europe-US relations
As the European market is very attractive for the USA, and as Europe has an interest in the smooth exchange of data, a first agreement, called the "Safe Harbour", was signed by both parties. After this agreement was annulled by the European Court of Justice for not respecting privacy, a new agreement, the Privacy Shield, was signed. But, unfortunately, the Court of Justice annulled that one as well, in July 2021.
The reasons are very clear: several American laws allow the American authorities to require American companies to give them access to the data they hold, including data concerning European citizens or residents.
And these access requests are real: several thousand requests per year are made on this basis, and as some of them are confidential, the persons concerned are not informed. This is obviously contrary to the GDPR, one of whose principles is transparency and the provision of information to data subjects.
And so since July 2021, using American companies is not simple!
Are there any legal solutions for using American companies?
The European Data Protection Board, which brings together all the European data protection authorities, has proposed recommendations, which are quite complex to implement and which consist in analysing the legal grounds that would allow American companies to be used. But it must be admitted that, after examining these recommendations and analysing the numerous documents produced by American companies to try to reassure European companies and organisations, there remains a possibility that the American authorities will gain access to your data, and so working with an American company still poses a problem with respect to the GDPR.
Are there technical solutions that can be used?
There is a technical solution that allows you to use the services of American companies, in certain cases. If the data you host in an American cloud is encrypted by you before it is sent, your American subcontractor cannot access it, and the GDPR is respected. But this kind of solution only works for services such as hosting; it does not work if you entrust email addresses for an emailing campaign, because the provider must be able to read the addresses in order to send the messages.
On the other hand, we often hear that if the servers of the American company are located in Europe, there is no problem. Nothing could be further from the truth. In fact, American law requires American companies to respond to requests from the authorities regardless of where their servers are located.
Let's not forget that several data protection authorities have taken a clear decision regarding Google Analytics, which is now banned in Europe because it is contrary to the GDPR. Other decisions could follow regarding other American online services.
Nevertheless, there are European solutions that can in some cases replace the services offered by American companies.
Small steps towards a new Europe-US agreement ...
In March 2022, President Biden and the President of the European Commission announced that an agreement had been reached to revive data flows between Europe and the United States. But no text was proposed, and it was not until October 2022 that President Biden signed an Executive Order and the European Commission announced that it was working on an adequacy decision, which would recognise the United States as a country whose legislation is considered equivalent to the GDPR.
One that we will have to wait several months for ...
In fact, for the adequacy decision to be formalised, several steps must be taken:
- obtain the opinion of the European Data Protection Board
- the European Parliament is likely to take up this issue
- the European Council will have to give its agreement
And so it will be mid-2023 at best before these milestones are reached, if they are reached at all.
Before the Court of Justice annuls it again
Indeed, GDPR specialists are unanimous: President Biden's executive order does not address all the criticisms raised by the Court of Justice, and it is likely that this new EU-US agreement will be overturned by the Court again, which would prolong the current legal uncertainty.
Our advice
When European solutions exist, and there are more and more of them, we recommend that you choose them. When you cannot find an equivalent European solution, the minimum is to document your decision to choose a US solution and to limit data transfers as much as possible.
Want to know more?
Are you looking for a turnkey solution for your GDPR management?
Contact us to learn more about our solution and its applications.