Transfer of personal data to the USA not allowed. What does this mean for companies?
The European Court of Justice has declared the Privacy Shield invalid. This article gives an overview of what the Privacy Shield was, the scope of the invalidation judgment and whether there are any solutions.
- Transfer of personal data to the USA not allowed. What does this mean for companies?
- What was the Privacy Shield?
- What has changed as a result of the ECJ decision to invalidate the Privacy Shield?
- Why has the Privacy Shield been invalidated?
- What solution is there after the Privacy Shield verdict?
What was the Privacy Shield?
The Privacy Shield (called „Datenschutzschild“ in German-speaking countries) refers to a European Commission decision of 12 July 2016. Under EU data protection law, personal data may only be transferred to a third country (outside the EU) if the European Commission has issued an explicit adequacy decision confirming that the level of data protection there is comparable to that in the EU (adequacy decision under the GDPR). The Privacy Shield decision stated that the level of data protection in the USA corresponds to that in the EU. It was the legal basis on which US service providers such as Google, Facebook, Amazon and Microsoft were allowed to process personal data of people located in the EU. It was also the legal basis European companies could rely on if, for example, they wanted to have personal data processed in the cloud of a US provider.
What has changed as a result of the ECJ decision to invalidate the Privacy Shield?
On 16 July 2020, the European Court of Justice (ECJ) declared the Privacy Shield invalid. This decision is known as the Privacy Shield judgment or Schrems II (Case C-311/18). The background was a legal proceeding between the Irish Data Protection Commissioner, Facebook Ireland and the lawyer and data protection activist Max Schrems. Since Schrems II there has been no legal basis for transferring personal data to US service providers for processing.
Why has the Privacy Shield been invalidated?
Max Schrems argued that personal data is not adequately protected in the USA. The ECJ confirmed this view: the transfer violates the fundamental right to the protection of personal data laid down in Article 8 of the Charter of Fundamental Rights of the European Union. The reason is the extensive surveillance laws in the USA.
In conflict: surveillance in the USA and fundamental rights in the EU
Which surveillance laws apply in the USA?
In the United States, the Foreign Intelligence Surveillance Act (FISA), the Patriot Act and the CLOUD Act apply to companies. FISA in particular, above all its Section 702, is incompatible with the fundamental right to the protection of personal data. FISA allows US authorities to obtain data held and processed by US companies. If an EU company uses AWS or Google Cloud, for example, and processes the personal data of its customers there, US authorities may obtain access to that data. The surveillance only needs to serve the acquisition of foreign intelligence information in the interest of the US. That covers counter-terrorism, but does not exclude industrial espionage either.
FISA contradicts the requirements of the GDPR, which are ultimately based on the Charter of Fundamental Rights of the European Union.
"Notwithstanding any other law, the President, through the Attorney General, may authorize electronic surveillance without a court order under this title to acquire foreign intelligence information […]"
(Foreign Intelligence Surveillance Act, 50 U.S.C. § 1802(a)(1))
Which fundamental rights are incompatible with the Privacy Shield?
Article 8 of the Charter of Fundamental Rights of the European Union guarantees the protection of personal data. Its wording is as follows:
Protection of personal data
(1) Everyone has the right to the protection of personal data concerning him or her.
(2) Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified.
(3) Compliance with these rules shall be subject to control by an independent authority.
(Charter of Fundamental Rights of the European Union, Article 8)
What solution is there after the Privacy Shield verdict?
In short: none. The surveillance laws of the USA and the data protection requirements of the EU contradict each other. Either the EU weakens its fundamental rights or the USA relaxes its surveillance laws.
Several approaches that are commonly suggested do not work:
Is the storage of data on servers in the EU a sufficient alternative to the Privacy Shield?
No. FISA has no geographical limitation. Even if the data is stored on servers in the EU, the US company still has to make it available to the US authorities.
Does it help if the data is processed exclusively by a subsidiary of the US company?
No. The US parent company can be required to instruct its subsidiaries to hand over the data.
Privacy Shield: Does it help to encrypt the data?
Yes and no; it depends on who holds the key. Encrypted personal data is still personal data, and somebody holds a key that decrypts it. If that key is in the hands of the US service provider, the key must also be handed over to the authorities on request. If, on the other hand, the data is encrypted before it is transferred to the US service provider and the key never leaves the EU company, this is a conceivable technical measure. In most cases, however, this approach is impractical, because the whole point of using the provider is to have the data processed on its servers. For that, the US service provider has to decrypt the data, at which point the key is within the provider's reach and thus within the reach of the US authorities.
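To make the "key stays in the EU" case concrete, here is an added example in Go (not code from the original article). It encrypts the personal field of a customer record with AES-256-GCM under a key held only by the EU controller before the record is handed to the provider, and shows what the other side can and cannot do with the stored blob. The customer record, the key handling and the field layout are assumptions made for the illustration; a real deployment would keep the key in an EU-controlled key management system.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// Record is a constructed sample customer record that an EU company wants
// to keep in the cloud of a US provider. CustomerID is an internal
// reference sent in the clear (assumption); Email is personal data.
type Record struct {
	CustomerID string
	Email      string
}

// EncryptedRecord is what actually leaves the EU controller: the ID and
// nonce || AES-256-GCM ciphertext of the e-mail address.
type EncryptedRecord struct {
	CustomerID string
	Email      []byte
}

// newGCM builds an AES-256-GCM AEAD from a 32-byte key held only in the EU.
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// aad binds the ciphertext to its record, so a blob moved to another
// customer's row fails authentication on decryption.
func aad(customerID string) []byte { return []byte("email/" + customerID) }

// EncryptRecord runs inside the EU before anything is uploaded. A fresh
// random nonce is used per encryption and prefixed to the ciphertext.
func EncryptRecord(key []byte, r Record) (EncryptedRecord, error) {
	aead, err := newGCM(key)
	if err != nil {
		return EncryptedRecord{}, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return EncryptedRecord{}, err
	}
	blob := aead.Seal(nonce, nonce, []byte(r.Email), aad(r.CustomerID))
	return EncryptedRecord{CustomerID: r.CustomerID, Email: blob}, nil
}

// DecryptRecord runs inside the EU when the data is fetched back. Whoever
// holds only the blob (the provider, or an authority compelling it) gets
// an authentication error here instead of the plaintext.
func DecryptRecord(key []byte, e EncryptedRecord) (Record, error) {
	aead, err := newGCM(key)
	if err != nil {
		return Record{}, err
	}
	ns := aead.NonceSize()
	if len(e.Email) < ns {
		return Record{}, errors.New("ciphertext too short")
	}
	plain, err := aead.Open(nil, e.Email[:ns], e.Email[ns:], aad(e.CustomerID))
	if err != nil {
		return Record{}, err
	}
	return Record{CustomerID: e.CustomerID, Email: string(plain)}, nil
}

// ProviderCanMatchEmail is all the provider can do with ciphertext alone:
// compare bytes. With a fresh nonce per encryption, two records holding the
// same address do not even compare equal, so search, deduplication or any
// other processing on the provider's side needs the key.
func ProviderCanMatchEmail(a, b EncryptedRecord) bool {
	return string(a.Email) == string(b.Email)
}

func main() {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	enc, err := EncryptRecord(key, Record{CustomerID: "c-1001", Email: "anna@example.eu"})
	if err != nil {
		panic(err)
	}
	fmt.Println("at the provider:", enc.CustomerID, hex.EncodeToString(enc.Email))
	_, err = DecryptRecord(make([]byte, 32), enc) // provider has no key
	fmt.Println("without key:", err)
	dec, _ := DecryptRecord(key, enc)
	fmt.Println("with key:", dec.Email)
}
```

The design choice worth noting is the one the paragraph above makes: the provider only ever receives the output of EncryptRecord, and DecryptRecord is never deployed on the provider's side. The moment the provider needs to run DecryptRecord itself, for example to search or analyse the data, the key is within its reach and the measure no longer helps.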
Will the update of the standard contractual clauses (SCC) help?
No. They do not resolve the conflict between US surveillance laws and EU data protection requirements in any way.