EU-US Data Transfer Agreement: What does it mean for your Whistleblowing System?

On March 25th, 2022, European Commission’s President Ursula von der Leyen and United States’ President Joe Biden reached common ground and announced a new agreement for transatlantic data privacy and transfer framework. After the previous Privacy Shield was invalidated in July 2020, a new framework was greatly anticipated to ensure the security of data between Europe and the United States.
While this agreement is still in its early stages and we don’t have sufficient information to proceed to an in-depth analysis of the legal details it will entail, some of its general direction can already impact your whistleblowing system.

Key elements of the agreement

Who is concerned?

If your Organization operates in the EU and the US, or if you have business from one side of the Atlantic to the other, the data collected from reports in your whistleblowing system might need to be transferred.

Why?

Since the Privacy Shield is no longer valid to protect the security of your data transfers, Organizations were referring to Schrems 2. This mechanism implied that Organizations needed to verify themselves the compliance with the receiving country standards (the GDPR for Europe and SCC for the US), which meant additional work and greater restrictions for transferring data which can still be necessary for some investigation cases related to whistleblowing. Moreover, the US verifications processes conducted by the information services often left European parties with no means to ensure their data protection.

The new provisional agreement should bring a solid legal basis allowing secure EU-US data transfers. Here are some key principles of this agreement :

• New restrictions imposed on American information services, limiting their access to European data
• New safeguards put in place to ensure that signals surveillance activities are necessary and proportionate according to the national security objectives
• Establishment of a two-level independent mechanism with binding authority, in order to direct remedial measures

Data security around your whistleblowing system

Managing sensitive and personal data such as whistleblowing reports information requires a high level of security, whether it be for storage or transfer. The choice of your whistleblowing solution provider is key when you want to guarantee the safety of your data in the long run, regardless of the evolution of jurisdictions.

Security is at the heart of Whispli’s values. Because of our origin and specialization, we take security very seriously and our platform is fully compliant with the new requirements of the “Privacy Shield 2.0” for transatlantic data transfers.

How and where does Whispli store your data?

• By working with EU-based providers in multiple locations, you can choose to store your data where it is safer for you, and Whispli will never transfer or allow the processing of European data to the US or any other non-EU country. Storing your data in Europe remains the safest policy to follow for your Organization.
• For Organizations operating in both Europe and the US, Whispli offers multi-region hosting. This means that international organizations can host data for their American subsidiaries in the U.S. and data for their European subsidiaries in Europe without transferring any data between the two regions.
• All our trusted partners (including Microsoft, AWS) are providing a sufficient level of security in accordance with data protection laws - and you can even choose your hosting provider based on your own security requirements (like Doctolib did with AWS for example).

How does Whispli manage data disclosure?

• Whispli is ISO 27001 certified and fully compliant with the GDPR requirements as well as the EU Whistleblower protection directive. This means that we cannot disclose any of our customer data. We are following the highest standards to ensure the security of your data.
• Whispli also provides a private cloud to their customers and protects your messages and uploaded documents by erasing all meta-data associated with them.
• You remain in full control of your data with the possibility to handle your very own encryption keys to your data.

The impact of the new agreement on Whispli

The new agreement doesn’t impact the compliance of Whispli with the GDPR or EU whistleblower protection directive since no transfer of data is made when choosing one of our EU-based servers. In the same way, thanks to our multi-server hosting, Whispli remains fully compliant with both US and EU regulations while avoiding data transfers.

If a whistleblowing report or investigation is opened to a third party outside of the EU, the supervision and restriction of access to the user data are guaranteed by the case manager or person in charge of security within the Organization.

What’s next?

The agreement can take several months before its final form sees the light of day. In the meantime, its elaboration will be looked upon and reviewed very closely to ensure that both the US and Europe are providing the best possible way to protect the security and privacy of the data flowing across the Atlantic.

You can anticipate the outcome of this agreement today by making sure your whistleblowing system can handle the highest security requirements.