After the ECJ overturned “Safe-Harbor”, the EU-US Privacy Shield, which entered into force on 1 August, is intended to put the exchange of personal data between the EU and the US on a legal footing. In view of the diverse business relations between the EU and the USA as well as a fine of up to 300,000 euros per data breach, this is also urgently needed.
The EU-US Privacy Shield is intended to provide the legal basis for transatlantic data transfer and exchange. This is existential, because the previous regulation, known as Safe Harbor, was overturned by the ECJ at the beginning of October 2015. Since then, companies have faced a risk that should not be underestimated: if personal data is stored in the cloud on US servers, data breaches could result in fines of up to 300,000 euros. Companies that have relied on Safe Harbor for the past 15 years enjoy the protection of legitimate expectations and do not have to worry about action from regulators for data they have already transferred to the US. However, further data transfers based on Safe Harbor are no longer permitted.
In order to comply with the ECJ's ruling and to restore legal certainty, the EU-US Privacy Shield, which entered into force on 1 August, was designed. All documents that make up this shield can be found online, both on the EU side and on the US side.
What is the Privacy Shield?
Personal data may only be transferred abroad if an adequate level of data protection exists there. This is currently the case in only a few countries (see world map). In order to achieve this adequate level of data protection in the USA, the EU and the US have agreed standards in the EU-US Privacy Shield for the handling of the relevant data. In particular, it is promised that companies will be held strictly accountable for ensuring data protection and that violations will be strictly sanctioned.
It clearly defines when and how US authorities and intelligence services are allowed to collect and process European personal data, and that these powers are strictly controlled and monitored; in addition, the Office of the Director of the NSA assures compliance with all EU-US agreements relating to the shield and the abolition of continuous mass surveillance.
EU citizens will receive various remedies to ensure effective legal protection, and the Privacy Shield will be subject to an annual review to ensure that it works and that the assurances of the US government and its intelligence services are respected.
The basic structure of the currently planned shield already raises scepticism about its compatibility with European law. In any case, a protective shield that everyone can understand looks different from a collection of assorted documents. In addition, the texts, which are written in technical language, with frequent cross-references and rambling descriptions, leave a great deal of room for interpretation. The adequate level of data protection thus remains just as questionable as it was under the Safe Harbor agreements.
Hidden mass surveillance
3. Preventing the proliferation of weapons of mass destruction
4. Threats to U.S. or Allied Forces
5. Prosecution of international criminal threats
6. Ensuring cybersecurity
No real limitation, then! Max Schrems, whose action before the ECJ overturned Safe Harbor, responded to the agreements now envisaged with the rhetorical question: "Back to Luxembourg?"
The Privacy Shield will undoubtedly be another case for the ECJ and is also likely to be overturned. In its judgment, the ECJ set out a number of principles which must be met in order to achieve an adequate level of data protection. However, the Privacy Shield does not comply with these principles because:
- US commitments are not sufficiently legally binding
- The Privacy Shield is contrary to the transparency requirement
- The Privacy Shield is not sufficiently substantiated to justify a Commission finding on the level of data protection in the US in conformity with EU law
- U.S. companies face much lower data protection requirements than companies in Europe
- EU citizens do not have effective and enforceable legal protection, in particular not against administrative interference
- The powers of US authorities and intelligence agencies are in conflict with EU law
- There is no independent data protection oversight in the United States
Interested parties will find a detailed legal assessment of the above points by Thilo Weichert online.
In contrast, the Privacy Shield, which entered into force on 1 August, is overwhelmingly well received as a compromise in business and among industry and digital associations. However, this is probably due more to the removal of the state of limbo than to the actual legal situation. At the very least, companies can rely on a certain degree of legal certainty for the period during which the Privacy Shield remains valid.
Despite the currently shaky foundations of international data exchange, especially with the US, there are also additional ways to make data transmission legally secure and to handle cross-border data transfers lawfully:
1. Exceptions under the Federal Data Protection Act
Where transfers of data to third countries are necessary "for the performance of a contract or for the implementation of pre-contractual measures", they may also take place. This is the case when the contract cannot be performed without the transfer of data to third countries. The same applies to data transfers carried out in the interests of the data subjects.
2. User’s consent
Individual consent from the data subjects also allows for lawful data transmission. In any case, this presupposes explicit consent, which is given free of coercion and can be revoked at any time. However, a clause in the general terms and conditions (GTC) is not enough for this!
3. Other exceptions
There are also the so-called standard contractual clauses for data transmission to third countries. However, these clauses are also currently under scrutiny, and it is likely that they will be overturned as well.
Anyone who collects, stores and processes personal data digitally is fundamentally affected by the data protection issue. In order to avoid expensive fines and warnings, companies should have their current legal texts and transmission processes reviewed by lawyers and, if necessary, revised.
The EU-US Privacy Shield does not address the privacy issues already inherent in Safe Harbor, but companies can orient themselves on it, at least as long as it remains in force.
The Sword of Damocles of the ECJ, whose data protection principles it does not comply with in any way, thus continues to hover over the transatlantic exchange of data. Even the standard contractual clauses in force up to now are unlikely to withstand judicial review.
This means that German and European entrepreneurs who have not yet transferred data to the USA will refrain from doing so until further notice, also in order to avoid future risks.
Companies that need to transfer data to the US should immediately evaluate the risks and urgently bring their arrangements into line with the current legal situation. U.S. companies are not currently queuing up to submit to the rules of the new Privacy Shield. A list of participating companies can be found here.