In today’s globalized world, many European companies directly or indirectly use American software or services. On these occasions, data, sometimes personal, are transferred from the EU to the US.

These data transfers must have a sufficient level of protection to be considered valid under the General Data Protection Regulation (GDPR). However, the instability of European policy on the subject means that the level of protection companies are required to guarantee keeps changing. Companies are therefore forced to be particularly careful with these data flows to avoid the risk of penalties.

Transfers of personal data from the EU to the US

The transfer of personal data to the US is regulated by the provisions of the GDPR.

For companies, the level of protection to be guaranteed differs depending on whether there is an agreement between the European Union and the United States.

Indeed, the EU-US agreements (or adequacy decisions) considerably facilitate the data transfers they cover. In fact, they allow companies to establish the legality of certain transfers without having to implement additional protection measures.

Without an agreement, any transfer of personal data from the EU to the US must be subject to additional protection measures to be considered valid under the GDPR.

Companies facing legal uncertainty

Transfers of personal data between the EU and the United States suffer from significant legal uncertainty. For the past ten years, the conditions of validity of these transfers have considerably changed from one period to the next.

Since 2020, any transfer of personal data from the EU to the US must be subject to additional protection measures to be considered valid under the GDPR.

Today, a new agreement between the EU and the US is about to be signed and could once again facilitate these transfers for companies.

We will probably enter a new favourable era for data transfers between these two continents, but we can strongly assume that, once again, this will only last for a while.

In fact, we can expect a new decision by the Court of Justice of the EU (CJEU) to strike down the agreement reached. This can be explained by the fact that the US and EU data protection approaches are not easily reconcilable.

The incompatibility of these two views makes it highly unlikely that a lasting agreement will be reached.

Thus, just as Safe Harbour was struck down by the CJEU in the so-called Schrems decision in 2015, and the Privacy Shield in 2020 in the Schrems II decision, the potential new agreement will most certainly be struck down in a few years. This will again lead to a challenging time for companies, which will have to review their contracts again and guarantee a higher level of protection.

The uncertainty is all the more difficult to bear for companies as the rules change overnight. The lack of a transitional period means that companies must be particularly reactive to avoid being penalized.

Legal uncertainty as a source of risk for companies

Companies that do not comply with the requirements of the GDPR, particularly regarding the transfer of personal data, are exposed to various risks.

It is important to note that the state institutions guaranteeing the protection of personal data, such as the CNIL, are now stricter than in the early days of the GDPR.

Indeed, both the number and the amount of fines imposed in Europe to punish companies and organizations that do not comply with the provisions of the GDPR have steadily increased since 2018.

Thus, there is a growing financial risk for companies. They must take this risk into account when choosing the means to be allocated to comply with the GDPR.

Considering this context of legal uncertainty on personal data and the risks involved, it is particularly advisable to implement processes and tools that promote flexibility and reactivity in terms of contracts, IT and organization.

Digital Contract Management, a response to legal uncertainty

The control of contractual processes and assets is essential. It is one of the keys for a company to ensure its compliance with the GDPR.

To reach such levels of control over its contractual assets, Digital Contract Management represents a real opportunity for companies.

This transformation must be carefully managed to be truly successful. This means considering technical, organizational, functional, cultural, and legal aspects. We are also convinced that this digital transformation of contract management cannot benefit the company without a shared culture of enthusiasm.

Wavestone brings its expertise to companies to make this transformation a success.