Want to learn more about our solutions, use cases and best practices for attack defense? In our download area you will find product sheets, fact sheets, white papers and case studies.
Like its predecessor, the Safe Harbor agreement, Privacy Shield was essentially limited to voluntary commitments on the part of companies to guarantee the protection of transferred data. To do so, the companies had to be listed with the U.S. Department of Commerce. However, neither Safe Harbor nor Privacy Shield offered concrete protection of sensitive data from access by U.S. authorities. There was also a lack of effective legal remedies for data subjects against access by government authorities.
However, the GDPR requires an adequate level of protection for any transfer of personal data outside the EU. The exceptions are the so-called secure third countries (Andorra, Argentina, Canada (commercial organizations only), the Faroe Islands, Guernsey, Israel, the Isle of Man, Jersey, New Zealand, Switzerland, Uruguay, and Japan), to which data transfers are expressly permitted. For each of these countries there is an adequacy decision by the EU Commission confirming that its national law ensures a level of protection for personal data essentially equivalent to that provided by EU law. Privacy Shield rested on such an adequacy decision for the U.S., and it is this decision that the ECJ declared invalid. Following the ECJ's ruling, it is therefore established that the U.S. does not provide an essentially equivalent level of protection. The following reasons were decisive for the ECJ:
U.S. legislation (Section 702 FISA (Foreign Intelligence Surveillance Act) and Executive Order 12333) entitles U.S. intelligence services to access personal data transferred from the EU. This disproportionately restricts Articles 7 and 8 of the EU Charter of Fundamental Rights and also violates Article 52(1), second sentence, of the Charter (paras. 184 et seq.), since:
First, access to the personal data of non-U.S. persons is not limited to what is strictly necessary;
Second, non-U.S. persons have no enforceable rights against such access.
The legal protection available against access by the U.S. intelligence services does not meet the standard required by the EU Charter of Fundamental Rights; against access based on E.O. 12333 there is no legal remedy at all. Furthermore, the ombudsperson mechanism provided for in Privacy Shield is ineffective against the U.S. intelligence services, as it cannot issue decisions that bind them.
How can data transfers to the U.S. take place in a legally secure manner after the end of Privacy Shield?
After the invalidation of Privacy Shield, a legally compliant exchange of sensitive data between Europe and the U.S. remains possible in principle via standard contractual clauses (SCCs) or binding corporate rules (BCR). However, there are some challenges to be overcome in implementation. The ECJ emphasizes in its ruling that the data exporter bears responsibility for verifying the level of protection in the destination country: personal data must enjoy protection in the third country that is essentially equivalent to that under the GDPR. Where that is not the case, the exporter must add supplementary measures (contractual, organizational or technical, for example encryption with keys held exclusively in the EU) on top of the appropriate safeguards under Article 46 of the GDPR. However, according to Stefan Brink, the data protection commissioner of the state of Baden-Württemberg, the current options for legally secure data transfers are extremely limited:
“Although a transfer based on standard contractual clauses may be conceivable, it will only rarely meet the requirements that the ECJ has set for an effective level of protection.”
One particular impediment to GDPR-compliant standard contractual clauses with U.S. companies is the CLOUD Act (Clarifying Lawful Overseas Use of Data Act), signed into law in March 2018. The U.S. law requires American internet companies and IT service providers to hand over data in their possession, custody or control to U.S. authorities on lawful request, even if that data is stored outside the U.S. This means that internationally operating American companies are de facto compelled to disclose data when U.S. authorities demand it, regardless of where their data centers are located.