TL;DR: Since July 10th you can start using US service providers like AWS, Google Cloud, and Azure again, without any trouble (and without additional safeguards).
This is thanks to the new Adequacy Decision approved by the EU Commission for the United States.
If you want to start using your favourite US service provider again (we know you have been waiting for this for a long time 😉), make sure to read this article!
What is the new Adequacy Decision?
According to the European Commission’s press release, the Adequacy Decision declares that the United States ensures an adequate level of protection (comparable to that of the EU) for personal data transferred from the EU to US companies under the new EU-US Data Privacy Framework, which has been at the centre of attention in recent months.
What happened before? The Privacy Shield
In July 2020 the ECJ (European Court of Justice) struck down the previous Adequacy Decision, the Privacy Shield, in the Schrems II case, on the basis that certain US domestic laws enable access by US public authorities to personal data transferred from the EU to the U.S., violating EU data protection principles.
As a result of that decision, the EU-US Privacy Shield Framework was no longer a valid mechanism to comply with EU data protection requirements when transferring personal data from the European Union to the United States.
If you want to know more about the Privacy Shield, make sure to read this blog article.
So, can I use Google Cloud now?
The rules of the game have changed again (for now, at least).
With the new EU-US Data Privacy Framework, the United States is no longer regarded as a country that fails to provide adequate protection for transferred personal data.
US-based companies and service providers who wish to benefit from the Adequacy Decision have to adhere to the framework and go through a voluntary self-assessment process to show how they are going to comply with the GDPR and the data protection principles.
For this purpose, the U.S. International Trade Administration went live with a website that includes all the relevant information on the topic.
For reference, you can see the complete list of participants here.
Let’s assume you want to use OpenAI (or any other US provider) for your digital health app.
The first thing you will need to do is to check whether the service provider and the specific service/product are both part of the framework.
✅ If yes: you can benefit from the Adequacy Decision, and you can use a standard Data Processing Agreement (as if you were transferring data to another EU company).
In any case, keep in mind that when acting as a Controller (a.k.a. the one determining what you want to achieve and how you want to achieve it), you will still have to verify the compliance of your provider (otherwise, you will be in trouble).
Many tools that had previously been declared unlawful, such as Meta login tools, are now covered by the Adequacy Decision framework.
🚫 If no: in this case, you can’t benefit directly from the Adequacy Decision: it’s as if nothing has changed in terms of risk. For this reason, if you want to use the service or product, you will have to use a Data Processing Agreement with Standard Contractual Clauses to implement additional security measures and document them with a Transfer Impact Assessment (TIA).
🖊 Side note: a TIA is a written document that assesses the impact of a data transfer to a country outside the EU.
This means you can use a US cloud service provider, but you have to put in place the proper organisational and technical safeguards and the SCCs (Standard Contractual Clauses) to do it.
In this particular case, OpenAI is still not on the list of self-assessed companies. This means that you will need to act as if there is no Adequacy Decision in place.
However, the fact that the European Commission has declared that the US offers an adequate level of protection to personal data would make your choice to use a US service provider safer, even though that US company is not yet on the self-assessed list of organizations.
Does this mean we can consider ourselves compliant if we use AWS/Azure/Google Cloud?
Unfortunately, it’s not that simple.
Just because your cloud provider is compliant, it doesn't mean that you or your product is GDPR compliant: you still need to do all your GDPR homework!
Will US providers be OK with DTx reimbursement schemes (DVG, PECAN, etc.)?
If you are a digital health company developing your own digital therapeutics, the Data Privacy Framework applies to you as well.
DiGAs (for the German DVG) and DMD (for the French PECAN reimbursement scheme) are allowed to use US providers (if included in the list of self-assessed companies, as we have seen before).
However, the risk of instability is still high, and, as happened in the past, your organisational setup can suddenly become forbidden.
What are the risks if this agreement is revoked or deemed insufficient to provide the required guarantees of data privacy according to the GDPR?
Well, your product can be blocked or delisted from the reimbursement scheme!
For this reason, it is still a good practice to put in place the proper organisational and technical safeguards and the SCCs. In fact, when transferring sensitive data, it is always a good practice to keep the highest level of security measures in place (especially if you are dealing with health data, as in the DTx space).
Want to know more? Read this article.
How long will this last?
The feeling is that another official complaint is almost certain (as happened with the Schrems I and II cases). Max Schrems and the NOYB legal team have already said as much.
We are not sure if the new framework will be able to withstand these legal challenges and if there is going to be a step back to the situation prior to July 10th.
One thing is certain: we will keep you updated on this topic, and in the meantime, let’s enjoy the advantages of this Adequacy Decision while we can!
Looking at how to be GDPR compliant?
Chino.io is your trusted compliance partner!
Working with experts can reduce time-to-market and technical debt and ensure a clear roadmap you can showcase to partners and investors (see our latest case study with Embie).
At Chino.io, we have been combining our technological and legal expertise to help hundreds of companies like yours navigate EU and US regulatory frameworks, enabling successful launches and GDPR compliance.
We offer tailored solutions to support you in meeting the GDPR, HIPAA, DVG, or DTAC requirements mandated for listing your product as a DTx or DiGA.
Want to know how we can help you? Reach out to us and learn more.