In its latest decision the European Court of Justice declares the Privacy-Shield-Agreement to be ineffective. Essentially, it justifies this on the basis of US security laws, which grant the authorities extensive access to data of EU citizens without significant restrictions and without judicial control being possible.
At the same time, the European Court of Justice also decided on the standard data protection clauses by which a data importer in a third country gives a contractual assurance to a European company that data transmitted to it will be processed in accordance with EU data protection standards.
In principle, these standards should continue to apply, as long as the laws of the destination country allow the data recipient to comply with these data protection clauses. Since companies in the USA are legally obliged to make their data available to state authorities on a large scale, the European data protection authorities are obliged to suspend or prohibit the transfer of data based on these data protection clauses in such countries.
This has a major practical impact on the international exchange of data!
Data transfers to the USA are now in breach of data protection laws if they are made exclusively on the basis of a Privacy Shield certification. This covers not only transfers to contract processors, i.e. Cloud Service Providers, but also those within a group or to business partners for whom at least part of the data processing is performed in the USA.
The use of software tools where at least part of the data processing takes place in the USA as well as the internal data flows to US Group companies have to be checked.
The European Court of Justice indicates that this is not an adequate level of protection in the USA due to the uncontrolled monitoring powers of the security authorities.
The only data that remains allowed is that which is necessary for the performance of a contract or for the implementation of pre-contractual measures with the person concerned. Communication with American customers or hotel bookings in the USA are still allowed.
Equally not directly affected is the use of US service providers if the service is provided entirely in European data centers. This is now the case with large hosting and cloud providers (e.g. Amazon Cloud) from the USA, for example, as they have server locations in Europe.
In practice, therefore, the only way forward for the time being is to use standard data protection clauses which ensure a certain degree of legal certainty. In addition, however, there is certainly still a great deal of uncertainty regarding the additional examination of the level of data protection in the country of the data recipient, which is still necessary.
It therefore remains to be seen how other data protection authorities in Germany and the EU position themselves on the question of the legally compliant use of standard contractual clauses for data transfers to the USA. A renewed attempt to establish a follow-up regulation to the Privacy Shield would be a conceivable option.
However, this agreement would have to include significant restrictions of the American security laws and an expansion of the legal protection options for EU citizens. This does not seem very promising. The USA will not change its security laws because of EU data protection concerns!
As a result, in practice, there is no choice but to await further action from the European Commission and recommendations from data protection authorities. Announcements to this effect have already been made by both the European Commission and the European Data Protection Committee (EDSA). So, unfortunately, as so often we have to wait and see…
This post is also available in: German