The end of Privacy Shield - What is the status and what are the consequences for companies and internet users?
by Svenja Koch
In July 2020, the ECJ declared the data protection agreement between the EU and the US, called "Privacy Shield", invalid with immediate effect. The reasoning: Citizens and companies in the EU are not sufficiently protected against data access by US authorities.
The standard for handling European personal data in the USA is thus a thing of the past. This does not mean the end of all data transfers from Europe to the US - companies can continue to transfer user data of EU residents to the US under standard contractual clauses. However, as the Luxembourg judges of the ECJ emphasised, data protection authorities are obliged to prohibit the transfer of data as soon as the standard contractual clauses are not complied with in the recipient country. Find out in this article what this all means for companies and whether private internet users also have to fear consequences.
Privacy Shield - How the data shield should protect EU citizens
The internet has made every one of us a global citizen. A few clicks, an email account at Google or a login at Facebook are enough to distribute private user data all over the world. Much of the data ends up, how could it be otherwise, with the big tech companies in the USA. The Privacy Shield agreement was supposed to regulate how the personal data of EU citizens could be processed in the USA. Among other things, the shield wanted to ensure that
- Personal data should be safe from mass surveillance by US authorities.
- An ombudsperson in the US State Department should be the direct contact person for EU citizens with complaints.
- Personal data should not be allowed to be stored indefinitely by a company, according to the agreement.
Critics considered Privacy Shield unsuitable from the start
While officials firmly believed that the US was taking Europeans' concerns about data protection and secure data transfers seriously, critics of the shield saw things completely differently. Among the best-known critics is the Austrian Max Schrems, who is convinced that data of EU citizens in the US is not sufficiently safe from access by US intelligence agencies. Schrems had successfully taken his case to the ECJ and managed to get the predecessor of Privacy Shield called "Safe Harbour" overturned in 2015. This groundbreaking ruling made the new Privacy Shield regulation necessary. But Max Schrems also considers the new regulation to be unsuitable, because "the surveillance in the USA is just as bad as before, nothing has changed for EU citizens. And the ECJ has said that this is not possible". Schrems firmly expected that Privacy Shield would be overturned as soon as there was a lawsuit that made it to the ECJ. "This thing is probably illegal," Schrems said at the time about the new privacy shield. And he was to be proved right.
Why the ECJ overturned the Privacy Shield
With the ruling in case "C-311/18 Schrems II", the ECJ has spoken out against the Privacy Shield. The judges' reasoning: personal data of EU citizens may only be transferred to third countries outside the European Economic Area if the data in the third country enjoys a level of protection that is essentially equivalent to the level of protection in the EU. And it is precisely this adequate level of protection that the ECJ has denied for the USA.
Companies should act immediately - because there is no grace period!
Since the sensational ruling, companies have been forced to act, because the supervisory authorities do not give a grace period. Above all, companies that use cloud services in the USA are obliged to check the data transfers to third countries and the basis used for this according to Chapter V of the GDPR in terms of data protection law. In concrete terms, this means that the data transfer, which was previously based on the agreement, must be secured by protective measures according to Article 46 of the GDPR. For data transfers to the USA, additional measures must be introduced to ensure adequate data protection at all times. There is no grace period for companies in Europe - a review of the legal basis for the data transfer is unavoidable.
What do companies now have to consider when transferring data to the USA?
The Federal Data Protection Commissioner has set out in a checklist what European companies must now do in terms of data protection. It is definitely worth taking a look at the document, because the checklist, in combination with the publications of the EDSA (the European Data Protection Board, EDPB), provides very concrete tasks for the companies concerned. Among other things, it requires
- Examination of the legal basis for the data transfer
- Determination of a new legal basis if necessary
- Stopping the data transfer if Privacy Shield has been the only legal basis so far and no new legal basis has been found.
European law offers so-called standard contractual clauses as a legal basis. However, caution is advised here: as soon as the data transfer to third countries (and thus also to the USA) is to take place on the basis of standard contractual clauses, the data controller must reliably assess whether the rights of the individuals affected by the data transfer are secured in the third country at the same level of protection as in the EU.
And this is where the problems start. Because in the case of the USA, the ECJ has denied the equivalent level of data protection. Thus, additional measures are necessary if data transfer is to take place on the legal basis of standard contractual clauses. Possible measures include organisational, technical and legal methods - however, the actual effectiveness of the measures must not be impaired by the legal system of the third country.
Standard contractual clauses continue to be a possible basis for data transfer, according to the Federal Data Protection Commissioner. However, a transfer of data to the US can only be justified via standard contractual clauses if "additional measures are taken to ensure the same level of data protection as in the EU". This means that the circumstances of the data transfer must be considered on a case-by-case basis, and this applies in particular to the transfer of data to other countries as well.
And how does one now check the validity of a legal basis for data transfer to the USA?
Privacy Shield is history - and consequently companies have to put data transfer and data protection to the test. The first step is to take stock - because knowing exactly what data is being transferred is essential for further action. The inventory must be followed by an examination of the legal basis on which the data transfer of personal data to the USA is carried out. If standard contractual clauses are used for the data export, it must be clarified, among other things:
- Are there appropriate guarantees from the data controller in terms of data protection?
- Are there enforceable remedies for data subjects affected by data transfers?
- Can the data controller check on a case-by-case basis whether the legal system of the third country offers an adequate level of protection?
- Or, alternatively, can additional measures be taken to ensure data protection?
In the USA, the secret services in particular have the greatest interest in personal data, so access by the NSA and Co. must be prevented. One conceivable measure would be encryption that cannot be cracked by secret services and for which only the data exporter holds the key. Complete anonymisation of personal data would also be in line with data protection; in this case, however, it must be checked whether the transmitted data would still fulfil its purpose. If no protective measures can be taken, the data transfer to the USA is prohibited.
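As an added example (not code from the original article), the following Python shows a keyed-pseudonymisation variant of the measure described above: direct identifiers are replaced by an HMAC pseudonym whose key stays with the exporter, the batch is checked for leaked identifiers before it leaves, and the importer can still aggregate per customer without the key. The records, the key and the field names are constructed for illustration, and pseudonymised data, unlike fully anonymised data, remains personal data under the GDPR.

```python
import hashlib
import hmac
import json

# Constructed sample data: customer records an EU exporter wants a US processor
# to aggregate. The key and all record values are invented for this example.
EXPORT_KEY = b"constructed-example-key-kept-in-eu-only"
EU_RECORDS = [
    {"customer_id": "C-1001", "email": "anna@example.eu", "postcode": "20095", "booking_eur": 120},
    {"customer_id": "C-1002", "email": "ben@example.eu", "postcode": "20144", "booking_eur": 80},
    {"customer_id": "C-1001", "email": "anna@example.eu", "postcode": "20095", "booking_eur": 60},
]
DIRECT_IDENTIFIERS = ("customer_id", "email")


def pseudonymise(record: dict, key: bytes) -> dict:
    """Strip direct identifiers, replace them with a keyed pseudonym and coarsen the postcode.

    The pseudonym is HMAC-SHA256 over the customer id: without the key, which never
    leaves the exporter, the importer can neither recompute nor reverse it."""
    token = hmac.new(key, record["customer_id"].encode(), hashlib.sha256).hexdigest()[:16]
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    out["pseudonym"] = token
    out["postcode"] = record["postcode"][:2] + "xxx"  # generalisation: two-digit area only
    return out


def export_batch(records: list, key: bytes) -> list:
    """Build the batch that is allowed to leave the exporter."""
    return [pseudonymise(r, key) for r in records]


def leaked_identifiers(records: list, batch: list) -> set:
    """Pre-transfer check: no original identifier value may appear anywhere in the export."""
    serialised = json.dumps(batch)
    return {r[f] for r in records for f in DIRECT_IDENTIFIERS if r[f] in serialised}


def bookings_per_pseudonym(batch: list) -> dict:
    """Purpose check: the importer can still total bookings per customer on the pseudonym alone."""
    totals = {}
    for row in batch:
        totals[row["pseudonym"]] = totals.get(row["pseudonym"], 0) + row["booking_eur"]
    return totals


def reidentify(batch: list, records: list, key: bytes) -> dict:
    """Only the key holder (the exporter) can map pseudonyms back to customer ids."""
    table = {pseudonymise(r, key)["pseudonym"]: r["customer_id"] for r in records}
    return {row["pseudonym"]: table.get(row["pseudonym"]) for row in batch}
```

A transfer job would call `leaked_identifiers` on the batch and refuse to send anything if the set is non-empty.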
Quick start Privacy Shield: Urgent need for action and what you need to know now!
We would like to take this opportunity to recommend a webinar of the "Privacy Shield" working group of the Hamburg Chamber of Commerce, which was co-initiated by our Managing Director Marcus Henschel:
In the recording from 31.3.2021, you will receive a quick introduction to the topic, which will enable you to assess how your company is affected and your own need for action. In a discussion with the Chamber of Commerce, the Hamburg Commissioner for Data Protection and Freedom of Information, Prof. Dr. Johannes Caspar, and the Managing Director of hamburg.de, Carsten Ludowig, shed light on the topic from the perspective of the responsible supervisory authority and an affected company.
What must not be forgotten: documentation and duty to inform
The top priority for all companies that transfer data to the USA must be: The verification of the lawfulness of the data transfer to the USA must be documented at all times in a way that is verifiable for supervisory authorities. For this purpose, information obligations, for example the data protection declaration on the website, must be updated. All changes to the legal basis must be entered in the lists of processing activities and thus made known to the users.
All changes and reviews must be documented after implementation. On the one hand, as proof to the supervisory authorities, and on the other hand, also to the customers whose data is transferred to the USA. Of course, customers are also entitled to information about the basis on which the data transfer takes place. If companies cannot provide a legally compliant answer, they will not only face sanctions - but also angry customers.
What pleases some annoys others
The end of the data protection shield pleases critics of the shield. The aforementioned activist Max Schrems, for example, sees the end as a statement for more data protection, because the ECJ has "now made clear for the second time that there is a conflict of EU data protection law and US surveillance law". And since the EU "will not change its fundamental rights to satisfy the NSA, the only way to overcome this conflict is for the US to introduce solid data protection rights for all people - including foreigners".
Critical voices naturally see the end of the shield differently. The head of the digital association eco fears "fatal consequences for the internet economy", because without the Privacy Shield there are now "hardly any alternatives for transferring data from the EU to the USA in an uncomplicated and legally secure way". Other critical voices see the ruling as creating "massive legal uncertainty" for companies.
Does the end of the Privacy Shield now mean the end of all data transfers?
For the time being, the dispute is only about the data protection of personal data transferred by companies to the USA. A data transfer that can be justified under Article 49 of the GDPR, for example, is thus not affected by the ruling. The same applies to voluntary data transfers by users who send emails abroad or book a hotel stay in the USA via a website. In any case, data protection experts expect a strengthening of the fundamental rights of EU citizens, because for the exchange of data with the USA, special protective measures must now be taken without excuses. Also strengthened are the powers of the data protection supervisory authorities, which now have to check whether the ECJ's data protection requirements are met for every data processing operation. Conversely, this also means that data transfers can be prohibited if the requirements are not met.
The end of the data protection shield is not the end of data transfers between the EU and the US. Rather, the ECJ's ruling is about effective protection of fundamental rights. Personal data of EU citizens should be protected much more reliably from US authorities in the future, which should be in the interest not only of companies but also and especially of private individuals. So what is the easiest way to avoid the data transfer dispute? Well, either the directives and laws are implemented in detail, or the data of European citizens are stored on European servers. In any case, the future of intercontinental data transfer remains exciting.