Anyone who sends data to the USA must observe strict rules. An update of the data protection framework should now make this less complicated. An expert explains what you have to do now.
A new EU-US data protection mechanism should also bring more legal security for startups.
A guest post by Alexander Ingelheim, CEO of Proliance and datenschutzexperte.de
No more ChatGPT: In April 2023, the AI chatbot of the US company OpenAI fell silent throughout Italy. The Italian data protection authority accused the provider of not complying with European data protection regulations. OpenAI saw things differently. It is not the first discussion of this kind, but this most recent example shows once again how far-reaching the GDPR can be when transatlantic differences in data protection collide. And how urgently clear regulations are needed for secure data transmission between the EU and the USA.
The previous Safe Harbor agreement and the subsequent EU-US Privacy Shield both failed because the European Court of Justice (ECJ) strictly applied the legal requirements. For this reason, the USA was no longer considered a safe third country for a long time. This has had a significant impact on the necessary data protection management, especially for start-ups, but also for the majority of German companies whose digital workflows are based on tools from Silicon Valley. This includes standard tools such as Amazon Web Services or Microsoft Office 365.
A new data protection mechanism should now bring more legal certainty. The USA made the push for a “Privacy Shield 2.0” with an executive order. The EU Commission then submitted the draft for an adequacy decision to the European Data Protection Board (EDPB), which was approved on July 10. The new agreement between the EU and the USA is called the “EU-US Data Privacy Framework”.
This is what is behind the reload of the Privacy Shield
In theory, this means that the EU Commission classifies the level of data protection in the USA as equivalent to the level of protection in the EU. But does that mean in practice that companies with digital processes can now use tools from US providers without hesitation?
For years, the EU and the US have been trying to regulate the protection of EU citizens’ personal data when it is transferred to the US or possibly accessed from the US. If data leaves the EU or can be accessed from other countries, it must be ensured that there is an appropriate level of data protection in the third country.
US companies can be certified under the new framework. In the future, the US consumer protection authority FTC will publish a list of certified companies that undertake to comply with the framework. It can be assumed that big players like Google, Meta and Co. will be found there. This gives startups a certain legal certainty when using products from providers in the USA, in particular from Google, Meta or Microsoft.
What’s the problem?
The biggest problem from the EU’s point of view is the curiosity of the US secret services. Europeans are concerned that information about EU citizens on servers in the US and other countries is not adequately protected from access by US authorities. The new framework is intended to enable a higher level of protection for EU data with regard to intelligence activities, so that both transatlantic data exchange in compliance with strict European requirements and surveillance to protect national security are possible in moderation.
The secret services need to overhaul their privacy protection procedures. Mass surveillance may only be carried out in the event of certain threats, such as combating terrorism or cybercrime, and to an “appropriate” and “proportionate” extent. A complaints mechanism is also new: EU citizens can lodge a complaint against the collection of their data by US authorities. A civil liberties protection officer in the US reviews these complaints. In a second step, that officer’s decisions are then reviewed by a newly created Data Protection Review Court.
With the adoption of the adequacy decision on the EU-US Data Privacy Framework, the EU has again declared the USA a “safe third country”. But even if this brings some calm, it is likely that the new mechanism, like its predecessors, will be challenged in court and data protection in the USA will again be declared insufficient. For example, data protection activist Max Schrems, who has successfully challenged previous agreements, says US surveillance law needs to be changed for an EU-US agreement on secure data transmission to be effective.
What will change specifically for startups?
Until the new framework was adopted, legally compliant and secure data transmission from Europe to the USA was complex and time-consuming. For startups that use tools such as Dropbox, Google Analytics or Microsoft Teams in their day-to-day business, this means in concrete terms:
Startups had to ensure an appropriate level of data protection when transferring or disclosing data when using such tools. To do this, they had to conclude the Standard Contractual Clauses (SCC) provided by the EU Commission with providers from the USA.
Startups were required to complete a “Transfer Impact Assessment” (TIA) before using the tools. To do this, they had to check all the risks associated with the data transmission, document the check and define countermeasures. In addition, further technical, organizational or contractual measures had to be agreed and checked.
When using business tools, startups were regularly unable to fall back on the other options provided by the GDPR to secure data transfers. These included group-internal Binding Corporate Rules (BCR) or the consent of data subjects to the transfer of data to a third country in individual cases.
In the case of usage contracts concluded with a company based in the EU that belongs to a US group, startups had to check whether SCC had been agreed between the EU company and the parent company and whether additional measures had been taken to secure data transmission.
Even with these precautions, there was always a residual risk for startups due to the lack of an agreement. Thanks to the new framework, all of these measures are initially no longer necessary. However, those who cannot do without tools from the USA should make sure that the provider is certified under the new framework. As long as this is not the case, the previous procedure is still recommended.
Already completed or planned TIA and existing SCC should be checked and evaluated again with a view to the new framework. In addition, the relevant documents should continue to be kept in order to be able to document the data protection-compliant use of a service provider until its certification on the basis of the framework. A data protection check-up is also worthwhile for startups with established processes: Which tools send data to the USA? Is data transfer compliant with standard contractual clauses? And is the company’s internal data protection concept still up to date?
This is what startups can do with an eye on the future
If the new framework is overturned again, the same rules apply as before. Companies whose employee and customer data is processed by providers from the USA would then have to ensure their data protection compliance again with cumbersome procedures. Anyone who already uses providers who conclude SCC and take additional measures is well prepared for this case.
In principle, dealing with data protection remains important, as does the ability to react flexibly to changes. Regardless of agreements between the EU and the USA, startups can actively optimize their data protection. Young companies in the start-up phase have the advantage of being flexible in their choice of marketing, accounting or HR tools. For them it is worth taking a look at the range of SaaS providers from other European countries, since these have to meet the strict European data protection regulations just as German companies do.
It doesn’t matter whether the framework lasts or not: the never-ending story of the Privacy Shield will cost data protection officers in companies a lot of time. Avoiding data protection violations saves startups high fines. Unplanned costs like these often hit young companies particularly hard. However, high data protection standards are also a desirable goal for image reasons. Anyone who takes data protection seriously and actively takes measures to ensure secure data transfer to the USA creates trust among customers and secures competitive advantages.