End of the Privacy Shield: Data protection authorities go on the offensive

European companies still using US internet services without further verification or modification are exposed to an increased risk of fines. This is especially true in Germany, as data protection authorities in the Federal Republic have now announced that they will initiate their own investigations.

Anyone who thought they could sit out the end of the Privacy Shield should sit up and take notice: German data protection authorities have announced that they are about to take independent action. Companies must be prepared to receive a questionnaire. In it, they are to explain which US services they rely on and, above all, on which data protection law basis they do so. If the answers are not satisfactory, the authorities have various sanction options – from formal orders to fines.

Until now, these mechanisms were only triggered in response to a corresponding complaint. In this case, however, the legal situation is clear, explained Johannes Caspar, data protection officer in Hamburg, to Handelsblatt.

Background: July marks the first anniversary of the end of the "Privacy Shield" between the European Union and the USA, declared invalid by the European Court of Justice (ECJ). This means: For almost a year, there has been no generally valid basis for EU companies to use US internet services to store and process personal data. Services of all kinds are affected – from cloud storage to video conferencing services. This similarly applies to Switzerland (more on this below).

What can companies do now?

Affected companies now need to evaluate how to deal with this situation. Recommendations have been published in this regard (PDF) by the data protection commissioner of the state of Baden-Württemberg.

The best and safest option is therefore to look for alternatives in countries considered safe in terms of data protection. This might include, for example, offers from the EU or even Switzerland. Those who do not find what they are looking for should at least document their research well. If worst comes to worst, this can at least prove that the problem was taken seriously.

Some US services also offer the option of storing and processing data only on European servers. However, this isn't enough according to some observers, as in the worst case scenario, the provider would still have to hand over information to US authorities. At the moment however, the situation is quite different when American services enter into a joint venture with a European partner.

Standard data protection clauses are sometimes recommended as another way out. These have not become fundamentally invalid like the Privacy Shield but are an effective measure only if sufficient care is taken to ensure that the data is actually secure. In case of doubt, additional protection is required such as encryption, to which the US service provider does not have access. If data is to be processed, however, this will not be possible. In this case, companies will generally need to do their own research and document the extent to which the provider's data protection is sufficient.

The EU Commission is currently working on new clauses. Data protectionists have welcomed the drafts on one hand, but have also criticised them for not being sufficiently far-reaching.

Where do we go from here?

The fact that a new solution has been a long time coming is ultimately not surprising. After all, the Privacy Shield was already the second attempt at a data protection agreement: its predecessor "Safe Harbor" had also failed before the ECJ. The reason in both cases is easy to understand: When it comes to data protection and privacy, the USA has different ideas and priorities than many European nations.

Observers of the issue therefore see it as imperative that the US fundamentally change how EU citizens' personal data is handled in their country. Under the previous US president, this seemed more than unlikely. The new administration, on the other hand, has signalled a willingness to negotiate. US Commerce Secretary Gina Raimondo is particularly concerned about the reputation and business of US internet services. Hence why "more intensive negotiations" have been announced, but that's all for the moment.

In Switzerland, the situation is somewhat different to all this, but nonetheless not much clearer. The Federal Data Protection and Information Commissioner (FDPIC) had announced in a statement that the Swiss version of the Privacy Shield does not meet the necessary data protection standards either. While this doesn't render the agreement invalid, it does mean that it can no longer be considered a reliable basis. The official website therefore recommends contacting the FDPIC or seeking legal advice in case of doubt.

Closing words

It doesn't seem very fair that companies now have to pay for what politicians are actually responsible for. Johannes Caspar, Hamburg data protection officer, expressed a similar opinion in an interview with Golem.de. According to Caspar, it should not be the case that "in the end, responsible bodies in one place are fined heavily because they transfer their data to the USA, while in another place no one remedies this deplorable state of affairs.”