The European Court of Justice has overturned the EU-US Data Privacy Shield. What are the implications for businesses?
ECJ: EU-US Data Privacy Shield is Ineffective
The ECJ (European Court of Justice) ruling breaks up an agreement between the EU and the US on the transfer, storage and processing of EU user data. The so-called EU-US Data Privacy Shield grew out of the toppled Safe Harbour Agreement five years ago and governed data transfers between EU countries and the US. More than 4,000 US companies have been certified under this Privacy Shield. This certification allowed EU companies to transfer personal data to US companies.
ECJ finds Personal Data Protection at Risk
The ECJ considers the protection of these data to be at risk due to the US legislation that allows US intelligence services to access US servers (and therefore EU data stored on them) at any time without a court order. The ECJ held that although US authorities have to meet certain requirements for access to personal data, their surveillance programmes are not limited to “what is strictly necessary”. For EU citizens, it also means that they have virtually no means of combating these practices and protecting their data from such access.
Standard Contractual Clauses are of limited Help
An alternative to the Privacy Shield is the so-called standard contractual clauses. These are contracts specified by the EU Commission, in which the contracting parties agree to comply with appropriate data protection standards for data transfers. In fact, these are the most commonly used contracts between EU companies and US companies.
EU companies can, in case of doubt, suspend data transfers and contact the relevant supervisory authority. This authority will decide whether to prohibit the transfer of the data to the US. Standard contractual clauses are an effective tool, but cannot protect against a complete stop of data transfers. This is especially true when the parties to the contract are companies such as Google, Amazon or Facebook, whose level of protection is contrary to EU law.
What Happens if the ECJ Judgement is Not Respected?
If data is to be transferred from the EU to the US, data protection must be guaranteed. Failure to comply can result in substantial fines. Fines of up to €20 million or up to four percent of the company’s or group’s worldwide annual turnover can be imposed.
What Can be Done to Ensure Data Protection Compliance?
Standard contractual clauses can of course be concluded between EU and US companies, as they will continue to be recognised by the ECJ. However, a certain risk remains for the future: data transfers may, but need not, be suspended entirely. In particular, US companies in the Internet and telecommunications sector, e.g. Amazon, Google and Facebook, are likely to continue to access user data, even beyond the limited extent permitted.
Framework for Action by EU Companies
Dr. Stefan Brink, Baden-Württemberg’s State Commissioner for Data Protection and Freedom of Information (LfDI), has drawn up a framework for action for companies working with US services (only available in German). Companies should proceed as follows:
- Identify and document all data transfers to third countries (USA) and inquire about the security laws prevailing there
- Ask US service providers for standard contractual clauses and check them for data protection compliance
- Enquire from US providers whether they offer EU servers and switch to them
- Move data from US servers to EU servers
- Where possible, obtain users’ consent; however, users must be transparently informed about the use of US suppliers and the risks involved
- Adapt existing contracts and privacy statements and remove the EU-US Data Privacy Shield notice
- Include encryption where only the data exporter has the key and which cannot be circumvented even by US services
- Anonymise or pseudonymise data, so that only the data exporter can re-identify it
- Include additional obligations in the standard contractual clauses
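As an added illustration of the last two technical measures (a key held only by the data exporter, and pseudonymisation that only the exporter can reverse), here is a small Python example. It is not part of the LfDI framework or this article; the field names, the sample record and the key are constructed for the demonstration.

```python
import hashlib
import hmac
import json

# Direct identifiers that must not reach a third-country processor in clear text
# (constructed list for this example).
DIRECT_IDENTIFIERS = ("name", "email")


def pseudonymise_record(record, exporter_key, lookup):
    """Replace direct identifiers with keyed pseudonyms before export.

    exporter_key: secret that stays with the data exporter and is never shipped.
    lookup: the exporter's private pseudonym -> original mapping, updated in place.
    Returns the record that may be handed to the US service provider.
    """
    exported = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS:
            # HMAC-SHA256 under the exporter key: the same person maps to the same
            # pseudonym (records stay linkable), but without the key or the
            # lookup table the provider cannot recover the original value.
            msg = f"{field}:{value}".encode()
            tag = hmac.new(exporter_key, msg, hashlib.sha256).hexdigest()
            pseudonym = f"{field}_{tag[:16]}"
            lookup[pseudonym] = value
            exported[field] = pseudonym
        else:
            exported[field] = value
    return exported


def reidentify(exported, lookup):
    """Only the exporter, holding the lookup table, can restore the originals."""
    return {field: lookup.get(value, value) for field, value in exported.items()}


def leaks_direct_identifier(exported, record):
    """Pre-transfer check: no original identifier value survives in the export."""
    blob = json.dumps(exported)
    return any(str(record[f]) in blob for f in DIRECT_IDENTIFIERS if f in record)
```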
Sample for US service provider letters
On the None of Your Business (noyb) website there are sample templates which contain questions relevant to data protection. You can use these to ask your US service provider(s) for information.
What does AppYourself do?