The EU-US Privacy Shield has been struck down. For companies in Europe that use US cloud services, the decision of July 16, 2020 will have significant consequences. They can no longer rely on the guarantee of an adequate level of data protection under the Privacy Shield when using US services.
What is the alternative? Use tools that don't make you dependent on the Privacy Shield.
Background: Key facts about the Privacy Shield in simple words
What is the Privacy Shield and what has it regulated?
The EU-US Privacy Shield is an informal agreement between the US and the EU, which was intended to regulate transatlantic data exchanges in accordance with an adequate level of data protection. US providers who committed themselves to the Privacy Shield have also committed themselves to respecting established restrictions and principles to protect the data of EU citizens.
The Privacy Shield therefore served as a basic requirement for the use of US tools and the transfer of data to America in accordance with the General Data Protection Regulation (GDPR).
DSGVO vs. Cloud Act (Patriot Act): Criticism of the Privacy Shield
The problem with the Privacy Shield? American law stands in stark contrast to the EU DSGVO (the German name for the GDPR), which lays down strict rules for the protection of personal data within the European Union.
However, the assurances given by the Privacy Shield are not in line with the Cloud Act of 2018 and the Patriot Act of 2001. These guarantee the American authorities extensive rights in connection with all data stored on American servers and by American companies. In plain language: authorities can oblige US providers to hand over all data (including personal data). The situation is similarly critical with regard to secret internal company information: according to Christian Schmitz, Chief Strategy & Innovation Officer at ownCloud, the US Cloud Act is not only diametrically opposed to European data protection laws such as the DSGVO; it also opens the door to economic and other espionage.
Well, I guess you can see: the Privacy Shield and the Cloud Act or the Patriot Act don't quite fit together. Which statement counts in case of doubt? Now, that's our big question mark.
The ECJ judgment - Privacy Shield declared void
The Austrian lawyer and data protection activist Maximilian Schrems therefore went to court, first bringing down Safe Harbour (the predecessor of the Privacy Shield) in 2015 and ultimately the previously valid Privacy Shield. Safe Harbour and the Privacy Shield were set up on the same legal basis. "It says just the same thing, US law takes precedence and if US law says that data may be intercepted, then data may be intercepted," says Schrems.
So the Privacy Shield has now been struck down. As a result, there is no longer any basis for legitimate use of American services.
After the Privacy Shield ECJ decision - consequences for the companies
US tools are widely used in German companies. In EU companies, which have relied on the Privacy Shield up until now and continue to use American cloud services, there is legal uncertainty. The verdict has consequences. So now what?
What companies need to know now
Maja Smoltczyk, Berlin's data protection commissioner, is very clear in her statements: from the side of the supervisory authorities, appropriate prohibitions on data transfer must follow, and those affected have a right to "compensation", the monetary reward to be set at a "deterrent level".
Standard contractual clauses? Yes? No?
The use of so-called standard contractual clauses is still open to companies. However,…
These clauses need to be questioned and examined by European companies to determine whether data protection can be adequately guaranteed by the provider, including whether there is a risk of federal access. Yet, considering the circumstances of the current situation, i.e. why a Privacy Shield was needed and why it was declared void, it seems more than likely that US companies will not be able to comply with the standard contractual clauses either.
Privacy professionals nevertheless advise all companies to make an effort to do so and to contact US providers:
"If stopping the transfer of data is not an option for you, in our opinion, you simply have no other choice to at least reduce the risk." (Sebastian Herting, lawyer and certified data protection officer)
Now, this doesn't really sound like legal certainty either. What is the alternative?
Smoltczyk demands that all personal data stored in the USA be transferred to Europe.
"The time has come for digital independence for Europe", says Smoltczyk.
The alternative to the Privacy Shield? Tools, which can also be used without Privacy Shield!
As Smoltczyk pointed out, Europe must achieve digital sovereignty. This is also the way to achieve the eagerly awaited legal certainty with regard to data protection.
For companies, this means using providers from Germany (or Europe). A German provider whose servers are located in Germany is under German jurisdiction. Such a provider is not affected by the Cloud Act and MUST be able to guarantee sufficient data protection. In this case the Privacy Shield is not required anyway.
What companies should do now: Examine all US tools and services
- what tools you have in use,
- where the company office (and headquarters) is located,
- and where the servers are located or where the data is stored/hosted.
[Assessment table: one row per tool, with a column for the headquarters location (if different) and a verdict of either "To be questioned!" or "Urgent need for action!"; the individual tool rows did not survive extraction.]
The best thing to do is to make a list of all the tools that are in use and get an overview of the tools that could be potentially dangerous. In this situation it is of course advisable to switch to GDPR-compliant providers from Germany or other European countries that are not affected by the Cloud Act. In this way, your company will ultimately be on the safe side, even in similar situations in the future, while the issue of data protection is probably still far from 'off the table'.
Made & hosted in Germany: Play it safe with Stackfield
Stackfield combines project management and communication into a comprehensive cloud collaboration solution: team chats, audio and video (conference) calls, screen sharing, task management and scheduling, project management and collaborative document and file management. The tools are functionally linked to each other to keep team communication traceable.
Provider/headquarter: Munich, Germany
Server location: Karlsruhe, Germany
Data protection standards at the highest level:
Client-side end-to-end encryption ensures that all data is encrypted during the upload process, stored encrypted on the servers and retrieved while still encrypted. The key required for access never leaves the user's possession. Therefore, even Stackfield has no access to the end-to-end encrypted data of users.
Further data protection measures by Stackfield and everything about security and privacy: https://www.stackfield.com/security