“EU-US Privacy Shield” overturned by the ECJ

The European Court of Justice (ECJ) has overturned the EU-US data protection agreement “Privacy Shield”. A data transfer to other countries on the basis of so-called standard contractual clauses is still permitted, according to the ECJ. The prerequisite for this is an equivalent level of data protection in the USA. And that is exactly what the ECJ does not see in its judgment.

The topic began years ago with a complaint from the Austrian lawyer Max Schrems. The activist had complained to the Irish data protection authority that Facebook Ireland transmitted its data to the parent company in the USA. The legal basis at that time was the so-called “Safe Harbor” agreement, which, from Schrems’ point of view, did not offer sufficient guarantees. He justified his complaint by stating that Facebook in the USA was obliged to make the data accessible to US authorities such as the NSA and the FBI – without those affected being able to take action. At that time, the agreement was also overturned before the ECJ and replaced by the “Privacy Shield”. At that time, critics already described the Privacy Shield as “old wine in new bottles”, since it does not protect the rights of EU citizens either. It was already set out then that the Privacy Shield was only of limited use as the new legal basis for data transmission and could be overturned if the European Court of Justice were to review it again.

The judges of the ECJ have now declared the “Privacy Shield” to be invalid. With a view to the access options of the US authorities, the requirements for data protection are not guaranteed. On the other hand, they did not object to the “EU standard contractual clauses” (also European Standard Contractual Clauses or EU-SCC’s) used as an alternative legal basis. Essentially, these are intended to offer guarantees that the data of EU citizens are adequately protected even when they are transferred from the EU to other countries, in particular to any insecure third country. The “Privacy Shield” is another channel that is only available for data transfer to the USA.

With the elimination of the EU-US Privacy Shield, the proper legal basis is no longer applicable for numerous applications if these were based on the fact that the US service provider had only certified itself according to this standard. So far, it was sufficient for the US-based IT service provider, software provider or data center service provider to be listed in the public privacy shield list and certified for normal data (non-HR) or personal data (HR). In the corresponding processing activities in the data protection management system, this was the legal basis to be adequately documented.

This is no longer necessary! All of these affected applications or processes that relied on this legal basis do not have a sufficient legal basis with this judgment. Use is therefore prohibited. In the event of further use, all these scenarios will initially result in a fine because the GDPR is violated. This almost certainly affects thousands of application scenarios.

Since standard contractual clauses are still accepted as an alternative, it is necessary to check whether the US provider makes them available or whether these can be concluded with him. Microsoft actually serves as a positive example here: Because although Microsoft Corp. as an IT company in the Privacy Shield list for HR and non-HR data, it offered e.g. Office 365 already has flawless standard contractual clauses attached to the license terms. The ECJ ruling should therefore initially have no influence on the use of these services.

But there is also a need for action for group-internal data transmission to the USA, which was previously based on the Privacy Shield! These standard contractual clauses have already been concluded or will be made up as soon as possible, otherwise there is a risk of a fine.

Important: If you have commissioned an external DPO from us, we will successively check all relevant processing activities and inform you if necessary!

You have not appointed a data protection officer from us, but still need competent advice so that your company can continue to operate in accordance with the law?
We are glad to be here for you! Just contact us.