The European Court of Justice declares the EU-US Privacy Shield for the protection of personal data invalid

On 16 July 2020, the European Court of Justice (ECJ) declared the European Commission’s decision regarding the Privacy Shield to be invalid (C-311/18). It was further decided that data transfers to non-EU countries on the basis of standard contract clauses are in fact legal but must be evaluated in each individual case. The ruling was designated “Schrems II”.

Why was the EU-US Privacy Shield struck down?

The Privacy Shield was struck down because the level of data protection in the USA is insufficient owing to the fact that public authorities have a variety of legal mechanisms for accessing the data that the ECJ considers excessive, and EU citizens do not enjoy sufficient legal protection options in the USA. For example, the ECJ determined that a rule permitting public authorities and intelligence agencies to access the content of digital communications violates the basic right of EU citizens to the preservation of their privacy. Already in the year 2015, the ECJ stopped the Safe Harbor agreement that was in force at the time. This means that the legal basis for the transmission of personal data from the EU to the USA has been eliminated for the second time.

Evaluate your contracts with cloud providers

We recommend that you evaluate your existing contracts with cloud providers such as cloud services, CRM systems and compliance systems as soon as possible to ensure that the collected data are not transferred to the USA or other non-EU countries and are not otherwise processed in such locations.

In the event of uncertainty, you should inquire whether the respective provider will make a special rule for EU customers or what solutions are offered.

Storing data only in the EU is the safest policy

Previously, many European companies that transfer personal data of their customers to subsidiaries or have their data processed by US cloud providers utilised the EU-US Privacy Shield as the legal basis for these activities. These companies must now switch over to standard contract clauses in order avoid violating applicable law, which could result in hefty fines.

WHAT HAPPENS NEXT?

How the judgement will be applied in practice remains to be seen. In the long run, however, a binding data protection agreement should be negotiated between the EU and the USA that guarantees a sufficient level of data protection in order that personal data may once again be simply and legally transferred to the USA. Until then, US companies must find new ways to process the data of EU citizens in compliance with data protection laws.

ADDITIONAL INFORMATION CAN BE FOUND ON OUR DATA PROTECTION AND INFORMATION SECURITY PAGE.

We offer you brief answers to the most important questions:

WHAT IS THE EU-US PRIVACY SHIELD?

After the ECJ overturned the Safe Harbor decision in 2015, the EU-US Privacy Shield was agreed upon between the EU Commission and the USA in 2016. Rather than a binding contract, this is a bilateral agreement.

WHICH U.S. COMPANIES ARE PERMITTED TO PROCESS DATA OF EU CITIZENS?

By registering on a list maintained by the U.S. Department of Commerce, US companies could obtain a Privacy Shield certification (a type of self-certification), with which they agreed to uphold the following four principles:

- Data minimisation
- Data processing only for a specific purpose
- Responding to complaints within 45 days
- Cooperation in the event of an investigation

WHAT RIGHTS DID EU CITIZENS HAVE WITH RESPECT TO THESE US COMPANIES?

EU citizens whose data were transferred to certified US companies could exercise the following rights, amongst others:

- Right to information
- Potentially the right to object to data processing
- Right to access
- Right to submission of a request to appeal to an ombudsperson
- Right to correction of inaccurate data
- Potentially the right to erasure

The ECJ found these points to be inadequate to ensure a sufficient level of data protection in the USA. Data transfer to a non-EU country must provide a level of protection that corresponds to the GDPR.

WHAT IS THE RELATIONSHIP TO THE GDPR?

According to the EU General Data Protection Regulation (GDPR), which entered into force on 25 May 2018, personal data may only be transferred to a non-EU country if an appropriate level of protection exists there (Art. 44 GDPR).

However, there is an exception to every rule: Art. 45 GDPR also permits data transfers to a non-EU country if it has been decided by the European Commission by means of an adequacy decision that the level of data protection is sufficient. This exception previously served as the basis for the EU-US Privacy Shield.

Alternative agreements must now be reached in the form of the EU standard contract clauses which must be evaluated. In the view of the ECJ, these could represent a valid basis for the transfer of personal data. However, one requirement remains: The level of protection demanded by EU law must be complied with in the transfer. It must now be determined whether this is possible with US laws.

CAN ENCRYPTED DATA BE TRANSMITTED?

Yes, the data can be anonymised or encrypted to remove a personal association. Data can continue to be transmitted to non-EU countries in this way.

WHERE CAN I FIND THE DECISION OF THE ECJ?

You can read the original text of the ECJ decision here: https://noyb.eu/files/CJEU/judgment.pdf

Your data is safe with us

ISO 27001 certificate
BKMS^® Compliance System

Data privacy quality seals
BKMS^® Compliance System

Penetration test certificate
BKMS^® Incident Reporting

WACA certificate
BKMS^® Incident Reporting