EU-US Privacy Shield: Urgent need for action after European Court of Justice ruling!
Just as it overturned the Safe Harbor agreement in 2015, the European Court of Justice has now also overturned the EU-US Privacy Shield in judgment C-311/18 of 16 July 2020.
What is the EU-US Privacy Shield Agreement?
The Privacy Shield was an agreement between the EU and the USA that aimed to establish a certain level of protection for personal data transferred to the USA. Companies could commit to the requirements of the Privacy Shield in order to create an adequate level of data protection in accordance with Art. 45 DSGVO. This legal basis allowed personal data to be transferred to a third country, in this case the USA.
What are the implications of the European Court of Justice ruling?
Companies that have transferred personal data to the USA on the basis of the EU-US Privacy Shield can no longer rely on it. As a result, any data transfer that relied on it is no longer permitted and can be stopped by the supervisory authorities and fined. Another legal basis that allows the transfer of personal data to the USA is therefore urgently needed.
What other legal bases exist?
An alternative legal basis is, for example, the creation of "appropriate safeguards" according to Art. 46 DSGVO. These are intended to create a certain level of protection for personal data when it is transferred to a third country. Such safeguards can be, for example, binding internal data protection rules (Binding Corporate Rules, BCR) or the standard data protection clauses issued by the European Commission. Binding Corporate Rules are of interest to globally positioned companies and are intended to make it possible to transfer personal data within the corporate group to third countries with inadequate levels of data protection. However, they must be approved in advance by the supervisory authority. Most relevant here are the standard data protection clauses (also called standard contractual clauses), which are concluded as an addendum to the contract between the data exporter in the EU and the recipient in the third country. This is a separate contract concluded between the parties, comparable to a contract for commissioned processing according to Art. 28 DSGVO. With this contract, the parties undertake to maintain an appropriate data protection standard for the transfer and to grant the data subjects the necessary rights. Note, however, that these clauses may only be deviated from in order to increase the level of protection, never to disadvantage data subjects.
There is an urgent need for action!
Unlike, for example, the "grace period" granted when the DSGVO entered into force, the ECJ ruling does not provide for a transition period. All data transfers based on the Privacy Shield are currently unlawful, and another legally secure solution must be put in place.
- Therefore, first check whether you use service providers based in the USA or store personal data on servers in the USA. If you store data in the cloud, clarify where that data is physically stored. Is your company website hosted in the USA and perhaps also analysed by Google Analytics? Do you use social networks or messengers for corporate communication? Do you edit your documents in Microsoft Office 365?
- If you have discovered that you are working with service providers from the USA, you now need to check on what legal basis you are transferring personal data to them. If this transfer is still based on the EU-US Privacy Shield, you must switch to the standard data protection clauses.
- Talk to your service provider! They may already have standard contractual clauses in place that only need to be signed by you. Otherwise, you can find them free of charge on the internet.
If you already have standard contractual clauses in place, that is a very good start. However, whether they are effective must still be checked on a case-by-case basis.