EuGH dumps US-Privacy-Shield: Action needed?

Four years after “Safe Harbour” the EUGH has dumped the US privacy shield!

Though this was legally predictable, the news still hit like a rocket: The International Association of Privacy Professionals (IAPP), scheduled three online sessions, all well attended.

What are the implications of removing the US privacy shield?

To cut a long story short: If you store personal data exclusively in the EU and Switzerland, the ECJ ruling does not affect you at all. You are then welcome to continue reading at your leisure.

Retrospect

Max Schrems has filed a lawsuit in 2013 against the transfer of his data from Facebook Ireland to Facebook USA. The case is still pending:

Year Action
2013 Lawsuit by Max Schrems for not forwarding personal data from Facebook Ireland to Facebook USA
2014 Class action lawsuit against Facebook in Austria
2015 Safe Harbour was rejected by the ECJ as unlawful
2016 EU agrees with the USA on US Privacy Shield as replacement
2018 class action in Austria rejected by the Austrian Supreme Court: 25,000 plaintiffs!
16.07.2020 US-Privacy-Shield was annulled by the ECJ as unlawful

Both the safe harbour and the successor regulation on US privacy shields were annulled by the ECJ as illegal on July 16, 2020.

Purpose of the US-Privacy-Shield

Data protection does not only apply when you collect and process personal data:

Data protection also applies when you pass on personal data.

If you want to pass on personal data outside your company and have it processed by another party in accordance with the GDPR, you therefore need a data processing agreement (also: Data Processing Agreement – DPA; see Art 28 GDPR).

If you transfer data to another country outside the EU, it must be ensured that there is a qualified legal reason for doing so and that the target country also has an appropriate level of data protection.

EU US Privacy Shield

The US Privacy Shield and its predecessor, the Safe Harbour, provided that US companies meeting certain requirements could be registered in a list.

European and – for the US Swiss Privacy Shield – Swiss companies could exchange data with these companies in accordance with European data protection requirements.

The US Privacy Shield was repealed by the ECJ on July 16, 2020.

If you were previously dependent on the US Privacy Shield, there is a need for legal action.

The EU Privacy Shield is thus history: You must use the so-called standard contract clauses (SCC) to ensure a legally compliant data exchange with the USA.

You must legally switch to standard contractual clauses if you have previously exchanged personal data with a company that used the US Privacy Shield.

Swiss US-Privacy-Shield

Originally the Swiss Privacy-Shield is still valid as of July 16, 2020. Although this is a legal and rather unsustainable paradox, it still applies:

Currently and until further notice, you can legally send data via Switzerland from the EU to the USA!

Standard Contractual Clauses (SCC)

The EU provides for so-called standard contractual clauses, distinguishing between data controllers and data processors.

  • You can use these standardized contracts.
  • The data protection authorities thus know what is at stake and are able to control and verify it.
  • And the data subjects are to be given the possibility of legal verification in the event of problems.

You must fill in and activate these standard contract clauses as required. Of course, this is much more tedious than using the US Privacy Shield, where data could be automatically exchanged with listed companies in compliance with the law.

Since the legal dubiousness of the US Privacy Shield was clear for a long time, it is tragic how much legal uncertainty the EU Commission has created at the expense of individual economic operators. One can certainly speak of a failure of European digital policy.

In addition, Art 49 GDPR continues to apply, which provides for certain exceptions for the transfer of data to third countries.

What kind of action is required?

There is a fundamental political oversight here which will hopefully be corrected quickly.

  1. If you are located in Switzerland and have previously exchanged personal data with companies based on the Swiss US Privacy Shield, there is no need for action. You should carefully monitor the situation.
  2. If you are, on the other hand, located in the EU you have exchanged personal data with companies based on the EU US Privacy Shield, you have legal debts as a result of the ECJ ruling and should actively tackle the switch to standard contractual clauses.
  3. If you exchange personal data anyway only with companies in the EU and have them process it, the general rules of the GDPR apply and a contract processing agreement pursuant to Art 28 GDPR is still sufficient.

Since politics has failed in this area on several occasions, it will therefore almost certainly take some time before a more viable solution is found.

You are therefore well advised to start quickly with the changeover to standard contract clauses if necessary.


For further support you can reach me at pe@peterebenhoch.com!