Business Keeper AGeufirstname.lastname@example.org
The European Court of Justice declares the EU-US Privacy Shield for the protection of personal data invalid
On 16 July 2020, the European Court of Justice (ECJ) declared the European Commission’s decision regarding the Privacy Shield to be invalid (C-311/18). It was further decided that data transfers to non-EU countries on the basis of standard contract clauses are in fact legal but must be evaluated in each individual case. The ruling was designated “Schrems II”.
Why was the EU-US Privacy Shield struck down?
The Privacy Shield was struck down because the level of data protection in the USA is insufficient owing to the fact that public authorities have a variety of legal mechanisms for accessing the data that the ECJ considers excessive, and EU citizens do not enjoy sufficient legal protection options in the USA. For example, the ECJ determined that a rule permitting public authorities and intelligence agencies to access the content of digital communications violates the basic right of EU citizens to the preservation of their privacy. Already in the year 2015, the ECJ stopped the Safe Harbor agreement that was in force at the time. This means that the legal basis for the transmission of personal data from the EU to the USA has been eliminated for the second time.
Evaluate your contracts with cloud providers
We recommend that you evaluate your existing contracts with cloud providers such as cloud services, CRM systems and compliance systems as soon as possible to ensure that the collected data are not transferred to the USA or other non-EU countries and are not otherwise processed in such locations.
In the event of uncertainty, you should inquire whether the respective provider will make a special rule for EU customers or what solutions are offered.
Storing data only in the EU is the safest policy
Previously, many European companies that transfer personal data of their customers to subsidiaries or have their data processed by US cloud providers utilised the EU-US Privacy Shield as the legal basis for these activities. These companies must now switch over to standard contract clauses in order avoid violating applicable law, which could result in hefty fines.
WHAT HAPPENS NEXT?
How the judgement will be applied in practice remains to be seen. In the long run, however, a binding data protection agreement should be negotiated between the EU and the USA that guarantees a sufficient level of data protection in order that personal data may once again be simply and legally transferred to the USA. Until then, US companies must find new ways to process the data of EU citizens in compliance with data protection laws.