End of the "Privacy Shield": Data protection authorities go on the offensive

Jan Tissler

European companies that continue to use US internet services without further verification or modification are exposed to an increased risk of fines. This is particularly true in Germany, as data protection authorities in the Federal Republic have now announced that they are launching their own investigations.

Anyone who previously thought they could sit out the end of the Privacy Shield should take note of this news: German data protection authorities have announced that they will take action themselves. Companies must therefore be prepared to receive a list of questions. In their answers, they are expected to explain which US services they use and, above all, on what data protection basis they do so. If the answers are not satisfactory, the authorities have various sanction options - from formal orders to fines.

Previously, these offices had only reacted if they received a corresponding complaint. However, the legal situation is clear in this case, Hamburg data protection officer Johannes Caspar told Handelsblatt.

Background: July marks the first anniversary of the end of the "Privacy Shield" between the European Union and the USA. The European Court of Justice (ECJ) declared it invalid. This means that for almost a year now, there has been no generally applicable basis for EU companies to use US internet services to store and process personal data. This affects services of all kinds - from cloud storage to video conferencing services. The situation is similar in Switzerland (more on this below).

What can companies do now?

Affected companies should consider how to react to this situation now at the latest. The data protection officer of the state of Baden-Württemberg has published recommendations on this (PDF).

The best and safest option is therefore to look for alternatives in countries that are considered safe under data protection law. These could be EU offerings or those from Switzerland, for example. If you don't find what you're looking for, you should at least document your research well. If the worst comes to the worst, this can prove that the problem has been taken seriously.

Some US services also offer the option of storing and processing data only on European servers. However, some observers believe that this is not enough, as the provider would still have to hand over information to US authorities if the worst came to the worst. The situation is currently different when American services enter into a joint venture with a European partner.

Standard data protection clauses are sometimes recommended as another way out. Unlike the Privacy Shield, these have not become fundamentally invalid. However, they are only an effective measure if care is taken to ensure that the data is actually secure. In case of doubt, this requires additional protection, such as encryption, to which the US service provider has no access. However, if data is to be processed, this will not be possible. In this case, companies generally have to do their own research and document the extent to which the provider's data protection is adequate.

The EU Commission is currently working on new clauses. Data protection advocates have welcomed the drafts, but have also criticized them for not being far-reaching enough.

What happens now?

Ultimately, it is not surprising that a new solution has been a long time coming. After all, the Privacy Shield was already the second attempt at a data protection agreement: its predecessor "Safe Harbor" also failed before the ECJ. The reason is easy to understand in both cases: The USA has different ideas and priorities when it comes to data protection and privacy than many European nations.

Observers of the issue therefore see it as imperative that the USA fundamentally changes how the personal data of EU citizens is handled there. Under the previous US president, this seemed more than unlikely. The new government, however, has signaled its willingness to negotiate. The US Secretary of Commerce, Gina Raimondo, is particularly concerned about the reputation and business of American internet services. At least "more intensive negotiations" have been announced. But nothing more.

In Switzerland, the situation is somewhat different, but not much clearer. In a statement, the Federal Data Protection and Information Commissioner (FDPIC) found that the Swiss version of the Privacy Shield does not meet the necessary data protection standards either. Although this does not make the agreement invalid, it is no longer a reliable basis. The official website therefore recommends contacting the FDPIC or seeking legal advice if in doubt.

Closing words

It doesn't exactly seem fair that companies now have to pay for what is actually the responsibility of politicians. Hamburg data protection officer Johannes Caspar agrees in an interview with Golem.de. According to him, "it should not be the case that responsible bodies in one place end up being fined heavily because they transfer their data to the USA, while no one elsewhere remedies this abuse."