EU-US Data Transfer's Implications for Researchers

EU-US Data Transfer

Since the rise of global tech giants, mainly based in the US, the flow of personal data has been at the center of a number of political debates, raising questions about who controls which type of data and what they do with it.

Researchers, especially academic researchers, usually work with sensitive data. Mainly due to this fact, data security and GDPR compliance are imperative to protect the anonymity of the participants whom they interview, which is also one of their top responsibilities as data controllers. Before we dive deeper into the current situation around EU-US data transfer regulations, understanding the context of transatlantic data flows might help shed light on Privacy Shield, which was abolished on July 16, 2020, and on what to expect in the future.

Disclaimer: This post does not provide legal advice. The purpose is to help researchers to build a better understanding of the latest insights on data transfer schemes between the EU and third countries which can be relevant for their practices.

Why was the Privacy Shield invalidated?

One of the problematic aspects of EU-US data flows stems from the differences between US national security and surveillance practices and EU data protection standards. Current US legislation does not completely prevent government entities from accessing personal user data. This is one of the reasons why both Privacy Shield and its predecessor, Safe Harbour, were abolished. A fundamental concern and criticism of the Privacy Shield from some EU officials, citizens, and activists was that it didn't stop or limit U.S. government entities from accessing EU citizens' data in a way that violated EU law.

The General Data Protection Regulation (GDPR) was implemented on May 25, 2018, and set the standards by which data protection and privacy should be handled within the EU. Its impact extends beyond the borders of the EU, as it also covers European citizens living abroad. Essentially, GDPR provided much stricter guidelines on how personal data should be processed and stored by individuals and companies. This has been a huge positive trigger for raising awareness of privacy issues around the globe.

In July 2020, the Court of Justice of the European Union invalidated the Privacy Shield Agreement. Almost 3 months later, Swiss authorities followed with the same ruling and invalidated their bilateral Privacy Shield agreement with the US.

What does all this mean for researchers?

The advancement in technology has created unmatched convenience for academics both for teaching and conducting research. More and more software tools are available to help researchers simplify their workflows when using qualitative and quantitative methods. 

The potential shift to cloud-based services can raise doubts for some researchers because they are understandably concerned about the privacy of their data, which in many cases includes sensitive information.

Researchers would like to know whether the content of private conversations and interviewees' sensitive information are managed with care and utmost security. Protecting privacy is the essence of research integrity.

The abolishment of the Privacy Shield means that companies who handle interview data should not transfer this information to third countries, nor should they keep this data on servers outside of the EU where there is no adequacy decision. Data processors should take action to minimize the exposure of their users' (data controllers') sensitive information to third countries and, if possible, apply principles of data minimization.

If any data might be transferred to the US or any other third country, the data exporter should carefully assess whether it is possible to do so by analyzing the recipient country's regulations and applying additional measures such as encryption where necessary; alternatively, the corresponding researcher should explicitly provide her/his consent for such a transfer if it occurs on specific and non-systemic occasions.

The Swedish Data Protection Authority stated that, instead of waiting for clear guidance from the authorities, companies are advised to start taking responsibility for their data processing actions by mapping out which personal data flows are or might be going to third countries, including the US.

We care about security and privacy

At Scrintal, we are taking additional steps to protect the privacy of our users while closely monitoring the developments surrounding the new enhanced regulatory framework that will enable more secure data transactions across the Atlantic. We know that there is no one-size-fits-all solution or clear-cut answer, which is why we are continuously following the latest developments and reviewing what we can do better.

In the meantime, we make sure that:

  • All sensitive information, including our users' interview data, is encrypted during transfer and storage in a way that conforms to the state of the art.
  • All sensitive information related to our users' interview data is stored with secure data center providers physically located in the EU.
  • We provide a Data Processing Agreement that follows GDPR regulations and sets out Scrintal's responsibilities and obligations in relation to our users.
  • We do not sell or share our users' audio or video files with 3rd parties for any purpose, including to develop their algorithms.
  • We continuously document our process thoroughly in line with the latest changes in the regulations.

For more information about our data privacy and GDPR policies, please visit our security page.

Ece Kural

PhD Candidate @ Stockholm University