contact
Kristian Krannich

Business Keeper AG

eu-regulation@business-keeper.com

The European Court of Justice declares the EU-US Privacy Shield for the protection of personal data invalid

On 16 July 2020, the European Court of Justice (ECJ) declared the European Commission’s decision regarding the Privacy Shield to be invalid (C-311/18). It was further decided that data transfers to non-EU countries on the basis of standard contract clauses are in fact legal but must be evaluated in each individual case. The ruling was designated “Schrems II”.

Why was the EU-US Privacy Shield struck down?

The Privacy Shield was struck down because the level of data protection in the USA is insufficient: public authorities have a variety of legal mechanisms for accessing the data that the ECJ considers excessive, and EU citizens do not enjoy sufficient legal protection options in the USA. For example, the ECJ determined that a rule permitting public authorities and intelligence agencies to access the content of digital communications violates the basic right of EU citizens to the preservation of their privacy. As early as 2015, the ECJ stopped the Safe Harbor agreement that was in force at the time. This means that the legal basis for the transmission of personal data from the EU to the USA has been eliminated for the second time.

Evaluate your contracts with cloud providers

We recommend that you evaluate your existing contracts with providers of cloud services, CRM systems and compliance systems as soon as possible to ensure that the collected data are not transferred to the USA or other non-EU countries and are not otherwise processed in such locations.

In the event of uncertainty, you should inquire whether the respective provider will make a special rule for EU customers or what solutions are offered.

Storing data only in the EU is the safest policy

Previously, many European companies that transfer personal data of their customers to subsidiaries or have their data processed by US cloud providers utilised the EU-US Privacy Shield as the legal basis for these activities. These companies must now switch over to standard contract clauses in order to avoid violating applicable law, which could result in hefty fines.

WHAT HAPPENS NEXT?

How the judgement will be applied in practice remains to be seen. In the long run, however, a binding data protection agreement should be negotiated between the EU and the USA that guarantees a sufficient level of data protection in order that personal data may once again be simply and legally transferred to the USA. Until then, US companies must find new ways to process the data of EU citizens in compliance with data protection laws.

Does Business Keeper AG transmit data to the USA or non-EU countries?

We understand that this dramatic decision could give rise to questions among our customers. We wish to assure you that Business Keeper AG does not transmit any data of EU citizens to the USA or other non-EU countries or otherwise allow data to be processed in such locations. The BKMS® Compliance System is the first compliance solution in the world that is certified according to the strict EuroPriSe criteria. The protection of personal data in the BKMS Compliance System is our top priority.

We offer you brief answers to the most important questions:

WHAT IS THE EU-US PRIVACY SHIELD?
WHICH U.S. COMPANIES ARE PERMITTED TO PROCESS DATA OF EU CITIZENS?
WHAT RIGHTS DID EU CITIZENS HAVE WITH RESPECT TO THESE US COMPANIES?
WHAT IS THE RELATIONSHIP TO THE GDPR?
CAN ENCRYPTED DATA BE TRANSMITTED?
WHERE CAN I FIND THE DECISION OF THE ECJ?