
What is Privacy Shield?

Privacy Shield was an informal agreement between the U.S. and the EU intended to ensure compliance with European data protection standards for data transfers to the U.S. The agreement was negotiated with the Obama administration and adopted by the EU Commission on July 12, 2016. Specifically, Privacy Shield consisted of a number of assurances from the U.S. government together with an adequacy decision by the EU Commission, which formed the legal basis for data transfers between Europe and the U.S. From its inception, Privacy Shield was criticized by data protectionists and civil rights organizations for leaving open the possibility of mass surveillance by U.S. authorities. In the summer of 2020, the European Court of Justice (ECJ) finally overturned the agreement, thus removing the legal basis for all data transfers that relied on it. In 2023, the EU Commission adopted a new adequacy decision, the Trans-Atlantic Data Privacy Framework, which has been controversial from the start.


01

A definition of Privacy Shield

The set of rules established by the EU and the U.S. under Privacy Shield in 2016 was intended to ensure adequate data protection for the European public as the successor to the Safe Harbor agreement, which had already been overturned in 2015. At the same time, the agreement, also known as the EU–US Privacy Shield, formed the legal basis for transatlantic data transfers. However, data protectionists and civil rights organizations criticized the agreement from the outset because it continued to leave room for mass surveillance and gave U.S. law priority over European jurisprudence. In its “Schrems II” judgment of July 16, 2020 (Case C-311/18), the ECJ declared the EU–US Privacy Shield invalid. From then on, companies could no longer rely on the adequacy of the level of data protection under Article 45 of the European General Data Protection Regulation (GDPR) when transferring sensitive data to partners or service providers in the USA for processing. As an alternative, companies still had the option of using the so-called standard contractual clauses (SCC) to contractually secure the legality of the data transfer; in most cases, however, this proved extremely difficult. It was not until 2023 that a new adequacy decision was adopted in the form of the Trans-Atlantic Data Privacy Framework.

02

Why is Privacy Shield incompatible with the GDPR?

Like its predecessor, the Safe Harbor agreement, Privacy Shield was essentially limited to voluntary commitments by companies to guarantee the protection of transferred data. To take part, companies had to be listed with the U.S. Department of Commerce. However, neither Safe Harbor nor Privacy Shield offered concrete protection of sensitive data against access by U.S. authorities. There was also a lack of effective legal remedies for data subjects against access by government authorities.

The GDPR, however, requires that an adequate level of protection be established for data transfers outside Europe. The exceptions are the so-called secure third countries (Andorra, Argentina, Canada (commercial organizations only), Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland, Uruguay, and Japan), to which data transfers are expressly permitted. For secure third countries, there is an adequacy decision by the EU Commission confirming that the national laws of those countries ensure a level of protection for personal data comparable to that provided by EU law. In the case of Privacy Shield, this adequacy decision of the EU Commission was declared invalid by the ECJ. Following the ECJ’s ruling, it is therefore clear that there is no substantially equivalent level of protection in the U.S. The following reasons were decisive for the ECJ:

U.S. law violates the EU Charter of Fundamental Rights

U.S. legislation (Section 702 of the FISA (Foreign Intelligence Surveillance Act) and E.O. 12333) entitles U.S. security services to access personal data during data transfers from the EU. This disproportionately restricts Article 7 and Article 8 of the EU Charter of Fundamental Rights and also violates Article 52(1), second sentence, of the EU Charter of Fundamental Rights (paras. 184 et seq.), since:

  • First, access to the personal data of non-Americans is not restricted;

  • Second, non-Americans have no enforceable rights against such access at their disposal.

Lack of legal protection

There is no legal protection against access by the U.S. security services that meets the standard of the EU Charter of Fundamental Rights. In particular, there is no legal protection at all against access based on E.O. 12333. Furthermore, the ombudsman mechanism provided for in Privacy Shield is ineffective against U.S. intelligence services, as it cannot produce binding decisions.


03

What penalties do companies face if they fail to comply with the new legal situation?

Whichever route companies take, the strict requirements of the GDPR must be implemented in any case. The more sensitive the information processed, the more comprehensive the IT protection mechanisms must be. There is also a strict obligation to report breaches and technical problems. Violations of these requirements can result in heavy fines of up to 20 million euros or up to 4 percent of annual global turnover, whichever is greater. That the European data protection authorities are quite prepared to make companies pay for serious violations has been demonstrated several times in recent years: British Airways, the Marriott hotel chain, and the housing company Deutsche Wohnen have each been fined millions of euros.

04

How can data transfers to the U.S. take place in a legally secure manner after the end of Privacy Shield?

After the discontinuation of Privacy Shield, a legally compliant exchange of sensitive data between Europe and the USA was in principle still possible via the standard contractual clauses or Binding Corporate Rules (BCR). However, some challenges had to be overcome during implementation. For example, the ECJ emphasized in its ruling that the data exporter bears the responsibility for verifying the level of protection. Accordingly, personal data in a third country must enjoy a level of protection essentially equivalent to that under the GDPR. Otherwise, guarantees would have to be implemented via additional security mechanisms in accordance with Art. 46 GDPR.

A particular obstacle to GDPR-compliant standard contractual clauses with U.S. companies is the CLOUD Act (Clarifying Lawful Overseas Use of Data Act), signed in March 2018. This U.S. law obliges U.S. Internet companies and IT service providers to grant U.S. authorities access to stored data even if the data is not stored in the United States. In effect, this means that internationally operating U.S. companies are obliged to hand over data when requested to do so by U.S. authorities.

Since July 10, 2023, the Trans-Atlantic Data Privacy Framework has provided a new adequacy decision that enables the legally secure transfer of data between the EU and the USA.


05

How does the new legal situation affect cloud service providers?

As long as there is no adequacy decision, the following applies: the stricter the compliance guidelines that apply in a company, the more difficult it is to contractually stipulate a legally secure data transfer to the U.S. This applies in particular to highly regulated industries such as finance, insurance, healthcare, and operators of critical infrastructure. In practice, for example, IT outsourcing by banks and financial service providers in critical core areas can often only be done with local providers, since contractually defined rights of instruction must also be agreed upon to secure data sovereignty. Furthermore, the responsible supervisory authority must be able to monitor the cloud service provider in the same way as it could here in Germany. These monitoring rights include unrestricted access to information and data as well as access to the business premises of the service provider itself. Only very few providers from the U.S. and other third countries are likely to agree to such concessions; after all, it is much easier for them to generate revenue in less regulated areas.

Since July 10, 2023, a new adequacy decision exists in the form of the Trans-Atlantic Data Privacy Framework, which enables the legally secure transfer of data between the EU and the USA.


06

What alternatives to Privacy Shield is the EU Commission working on?

After the EU Commission had initially made legally secure data transfers possible via adapted standard contractual clauses, a new adequacy decision finally followed in 2023 in the form of the Trans-Atlantic Data Privacy Framework. This data pact between the USA and the EU is intended to enable companies to transfer data in a legally secure manner from now on.


07

What you need to know about Privacy Shield

The Privacy Shield agreement was intended to provide the legal basis for the exchange of sensitive data between the EU and the U.S. and to ensure compliance with European data protection standards for these transfers. In mid-2020, the adequacy decision adopted by the EU Commission under Privacy Shield was declared invalid by the ECJ because, under applicable U.S. law, there was no level of protection substantially equivalent to that required by the GDPR. In 2023, the Trans-Atlantic Data Privacy Framework created a new legal basis for data transfers between the EU and the U.S. Among experts, the successor to Privacy Shield remains controversial. The data protection activist Max Schrems has already announced that he will take legal action against the Trans-Atlantic Data Privacy Framework, as it offers “no substantial change to US surveillance law”.