After Safe Harbor, Privacy Shield has now also been hit: the European Court of Justice has ruled against the data transfer agreement. Companies should now check what kind of data they process using the services of US service providers and protect themselves with EU standard contractual clauses.
It is and remains a difficult issue: how can adequate data protection be guaranteed when data from EU countries is processed on the servers of American service providers? After the European Court of Justice (ECJ) declared the Safe Harbor agreement invalid in 2015 - the representatives of the EU and the USA already disagreed at that time on what was to be understood by an "adequate level of protection" - new rules became necessary. Since many European companies use the services of US companies such as Amazon, Google and Microsoft, it is all the more important that there is clarity about the legal basis for the exchange of data.
Since 2016, the Privacy Shield agreement has therefore been the basis for this cooperation. Among other things, it laid down data protection principles that US companies must comply with and required US authorities to provide so-called "safeguards and limitations on access to data". In practice, the Privacy Shield rules facilitated the transfer of personal data between the EU and the US because they provided a security framework. Not compliant enough with data protection requirements, the ECJ judges have now ruled, declaring the Privacy Shield invalid in light of the GDPR.
It is true that the ECJ's ruling has removed one of the foundations of transatlantic data transfer. But this does not mean that companies are no longer allowed to have data processed in the USA. Rather, the repeal means that all processing operations that previously relied "exclusively" on the provisions of the Privacy Shield are now inadmissible. It is also important to bear in mind that this concerns only personal data, or data relating to identifiable persons, protected by the GDPR and national laws that is exported to the US (stored, processed, etc.). In addition, the EU standard contractual clauses, which should generally be concluded with business partners from non-EU countries, remain in force. These clauses can be agreed between business partners to legally secure data processing according to defined data protection principles.
What can and what must affected companies do now? Every company should now check whether it transfers personal or personally identifiable data to the USA via a service provider. The following short checklist lists the most important questions that companies should now ask themselves in relation to each of these partners:
Well-known providers such as Amazon and Microsoft, which generate a significant share of their turnover with European customers, have been incorporating the EU standard contractual clauses into their commissioned processing contracts for some time. In an official statement, Microsoft confirms that, thanks to overlapping protection measures, nothing will change for business customers, neither in the security of data transfer nor in the quality of services. The company also announces that it will proactively work with the European Commission and the US government to clarify any issues that now arise.
In our view, this is a very important commitment on the part of Microsoft to provide customers in Europe and worldwide with data protection-compliant commissioned processing. After all, cloud services have long been part of strategic everyday business for many companies - data protection concerns should not be a stumbling block.