A comment from Marc Schieder, CIO at DRACOON
Exactly one year ago, the European Court of Justice (ECJ) declared the so-called EU-US Privacy Shield invalid.
The agreement was negotiated in 2016 and served as the basis for the commercial exchange of personal information between the European Union and the United States. The judges of the ECJ based their decision on the fact that US intelligence services could access the data of EU citizens practically unhindered and that data protection was therefore not guaranteed. In essence, the European Court of Justice held that the level of data protection in the US was not equivalent to that in the EU and that the agreement was therefore void. The court also ruled that the exchange of data with non-EU countries as a whole was legal on the basis of the “standard contractual clauses”, but had to be examined on a case-by-case basis. Specifically, the ruling meant that US tech companies such as Facebook are no longer allowed to export personal data of EU citizens to the United States and store it there. The same applies, of course, the other way around.
But the reality is different. As a study by the think tank “Centrum für Europäische Politik” (cep) showed in January of this year, numerous companies continue to illegally transmit personal information to the United States, often citing the standard contractual clauses, the use of which remains permitted in principle. However, the cep argues that data transfers to the United States should not be based on these clauses or, for example, on company-internal data protection regulations if the data recipients there are subject to problematic US surveillance laws and have access to the data content in plaintext. The think tank notes that in such cases, additional data protection measures cannot in fact prevent access by US authorities. Transfers in the context of cloud services in particular are cited here as illegal. According to the cep, they should be stopped by the data exporter itself or by regulators. Just under a month ago, the EU Commission presented new standard contractual clauses to increase legal certainty for European companies that send data to the US. However, according to Justice Commissioner Didier Reynders, a new data protection agreement with the USA is planned as a long-term solution.
Although there is still legal uncertainty on some points, the judgment a year ago was an important step for data protection in Europe and a clear signal for the strengthening of European data sovereignty. Last but not least, it offers a further incentive for the US to refrain from anti-data protection laws and to anchor the issue in its legislation in the long term. Another reason why this is worthwhile is that companies and users are becoming more and more aware of the issue, and purchasing decisions often depend on how much customers trust a provider in terms of data protection. The current pandemic and the fact that the “New Normal” has long been a reality in the world of work once again illustrate the urgency of data protection and IT security. This applies to companies as well as private users. It is to be hoped that the new agreement will strengthen Europe’s pioneering role in the fight for greater transparency and data sovereignty for all users.