ECJ overturns the US Privacy Shield: Action needed?

Four years after the US Privacy Shield replaced "Safe Harbour", the ECJ has overturned it as well!

Although this was legally predictable, the news still hit like a bombshell: the IAPP, the International Association of Privacy Professionals, scheduled three online sessions on the ruling, all of them well attended.

What are the implications of removing the US privacy shield?

To cut a long story short: if you store and process personal data exclusively in the EU and Switzerland and do not pass it on to any US company, the ECJ ruling does not affect you at all. You are welcome to continue reading at your leisure.

If, on the other hand, you exchange personal data with a company in the USA or use the service of such a company, you are most likely affected, and you will find more detailed information and recommendations for action below.

Retrospect

Max Schrems filed a complaint in 2013 against the transfer of his data from Facebook Ireland to Facebook USA. The case is still pending:

Year        Action
2013        Complaint by Max Schrems against the transfer of his personal data from Facebook Ireland to Facebook USA
2014        Class action against Facebook in Austria
2015        Safe Harbour declared invalid by the ECJ
2016        EU agrees with the USA on the US Privacy Shield as a replacement
2018        Class action in Austria (25,000 plaintiffs!) rejected by the Austrian Supreme Court
2020-07-16  US Privacy Shield declared invalid by the ECJ

Safe Harbour was declared invalid by the ECJ in 2015; its successor, the US Privacy Shield, was declared invalid by the ECJ on July 16, 2020 (press release).

Purpose of the US-Privacy-Shield

Data protection does not only apply when you collect and process personal data:

Data protection also applies when you pass on personal data.

If you pass personal data on to another party outside your company and have it processed there in accordance with the GDPR, you therefore need a data processing agreement (DPA; see Art. 28 GDPR).

If you transfer personal data to a country outside the EU (a "third country"), you must additionally ensure that there is a valid legal basis for the transfer and that the destination country provides an adequate level of data protection (Art. 44 et seq. GDPR).

EU US Privacy Shield

The US Privacy Shield and its predecessor, Safe Harbour, allowed US companies that met certain requirements to self-certify and be entered on a public list.

European companies, and under the separate Swiss-US Privacy Shield also Swiss companies, could then exchange personal data with these listed companies in accordance with European data protection requirements without any further contractual arrangements.

The US Privacy Shield was declared invalid by the ECJ on July 16, 2020.

If you previously relied on the US Privacy Shield, you now need to act.

The EU-US Privacy Shield is history: if you have so far exchanged personal data with a US company on the basis of the Privacy Shield, you must switch to the so-called standard contractual clauses (SCC) to keep the data exchange with the USA legally compliant. Note that the ruling upheld the SCCs in principle, but the data exporter remains responsible for verifying that the clauses can actually be complied with in the destination country.

Swiss US-Privacy-Shield

As of July 16, 2020, the Swiss-US Privacy Shield formally remains in force. This is a legal paradox that is unlikely to last, but for the time being it still applies:

Currently and until further notice, data can be sent from the EU to the USA via Switzerland on this basis!

Standard Contractual Clauses (SCC)

The EU provides so-called standard contractual clauses, with separate sets of clauses for transfers to data controllers and to data processors.

  • You can use these standardized contract texts as they are.
  • The data protection authorities therefore know exactly what has been agreed and can supervise and verify it.
  • Data subjects are given a means of legal recourse if problems arise.

You must complete these standard contractual clauses (including their annexes) and have them signed by both parties. This is, of course, far more tedious than the US Privacy Shield, under which data could be exchanged with listed companies in compliance with the law without any further contractual work.

Since the legal weakness of the US Privacy Shield had been clear for a long time, it is tragic how much legal uncertainty the EU Commission has created at the expense of individual economic operators. One can certainly speak of a failure of European digital policy.

In addition, Art. 49 GDPR continues to apply; it provides derogations for specific situations in which data may be transferred to a third country, for example on the basis of the data subject's explicit consent.

What kind of action is required?

There is a fundamental political oversight here which will hopefully be corrected quickly.

  1. If you are located in Switzerland and have so far exchanged personal data with US companies on the basis of the Swiss-US Privacy Shield, there is no immediate need for action, but you should monitor the situation closely.
  2. If, on the other hand, you are located in the EU and have exchanged personal data with US companies on the basis of the EU-US Privacy Shield, the ECJ ruling leaves you with a legal gap that you must close: actively tackle the switch to standard contractual clauses.
  3. If you exchange personal data only with companies in the EU and have them process it, the general rules of the GDPR apply and a data processing agreement pursuant to Art. 28 GDPR remains sufficient.

Since politics has already failed in this respect on several occasions, it will, as I said, most certainly take some time before a more viable solution is available.

If you are affected, you are therefore well advised to start the switch to standard contractual clauses quickly rather than waiting for the worst case.


If you have any questions or require further support, please contact me at pe@peterebenhoch.com!