«Privacy Shield» invalid: what happens now?
27-07-2020, Author: Jan Tissler
Any company that processes EU citizens' personal data and at the same time falls back on US providers is now faced with a dilemma, following the end of the “Privacy Shield”: there is currently almost no legally secure way of doing this. In this post we explain the current situation.
For the second time, the European Court of Justice (ECJ) has declared a data protection agreement between the European Union and the United States to be invalid: after "Safe Harbor" in 2015, its successor "Privacy Shield" is now history too. This affects all organizations and companies that process EU citizens' personal data and use US providers to do so. Likewise, several international groups with registered locations in Europe and the United States will have to find a new footing for their internal data exchange.
The parallel Privacy Shield between Switzerland and the US is not directly affected by the ruling. However, as lawyer Martin Steiger explains: “That which applies to the Privacy Shield between the EU and the USA according to the ECJ ruling, also applies to the American-Swiss Privacy Shield in the same way. One can therefore no longer assume that this will ensure the legality of data transmission from people in Switzerland to the United States.”
How the ECJ ruling came about
The starting point for the ECJ decision was a legal dispute between the Austrian lawyer and data protection activist Max Schrems on one hand, and Facebook on the other. Max Schrems doubted that EU citizens' data transmitted to the US was actually protected as required by European law. In fact, Edward Snowden's revelations about the extensive surveillance of Internet traffic in the US were precisely what led to the end of the first Safe Harbor agreement. Another key problem was that EU citizens could not adequately defend themselves against such data queries by US authorities. And this is still the case today.
The successor, “Privacy Shield”, which was quickly introduced, was criticized from the outset because the new agreement had similar weaknesses. As can now be seen, the skeptics were right.
Ray of hope in the Privacy Shield ruling
A ray of hope in the new ruling by the ECJ: It concerns personal data and not any other type. In addition, companies could possibly refer to the exceptions provided for by Article 49 of the General Data Protection Regulation (GDPR). The conditions under which this is possible, however, currently don't seem to be very clear.
Alternatively, companies could use standard contractual clauses, although these aren't necessarily a free ticket either: as the judges explained, in this case the companies themselves need to determine whether or not the foreign country's mandatory data protection rules have been complied with. Attorney Dr. Thomas Schwenke recommends sending a questionnaire to the US service providers. "If the questions are answered positively, then you can at least demonstrate an active reaction to the ineffectiveness of the Privacy Shield," he writes in his assessment.
The lack of clarity in the current situation
In this context, however, the essential question arises as to whether data protection according to EU standards is even possible in the US. If not, the contractual clauses are no help either. "If the agreement has already been declared invalid, checking compliance with contractual clauses would ultimately lead to a ban," states Christian Schmidt, specialist lawyer for internet law and data protection and partner of the law firm Schmidt & Schmidt, in a press release.
Some experts believe that those relying on the clauses should obtain the necessary consent from users, given that Article 49 of the aforementioned GDPR considers this to be an option. It is currently unclear whether this is possible, for example, within the framework of the existing cookie banners. Dr. Thomas Schwenke sees this as a potential opportunity, despite pointing out that it may prove ineffective.
Data protection authorities could also prohibit data transfers if, in their opinion, such clauses are not or cannot be complied with due to the legal situation in the US. This might also lead to fines.
In a press release, the Berlin commissioner for data protection and freedom of information made it very clear that companies should look for alternative providers: “Responsible persons who – especially when using cloud services – transfer personal data to the US now have an obligation to immediately switch to service providers in the European Union or else a country having an adequate level of data protection.”
In her article, however, lawyer Ulrike Berger explains that “there is no reason for anybody to expect a knock on their door by the data protection authority next week, and that all data transfers to the US will be prohibited.” At the same time, she also makes clear that there could be cases of "data transfers to the US where the required level of protection, in particular the right to effective legal protection for non-US citizens, does not exist, for example when transferring data to US telecommunications companies". In such cases, US authorities can sometimes gain access to personal data without a court order.
The situation would be much simpler if the United States were to cut back its surveillance accordingly. Experts consider this unlikely given the current political situation in the US. As such, a successor to the “Privacy Shield” is not expected any time soon.