What is Privacy Shield?

Privacy Shield was an informal agreement between the U.S. and the EU intended to ensure compliance with European data protection standards for data transfers to the U.S. The agreement was negotiated with the Obama administration and adopted by the EU Commission on July 12, 2016. Specifically, Privacy Shield included a number of assurances from the U.S. government and an adequacy decision from the EU Commission that formed the legal basis for data transfers between Europe and the U.S. From its inception, Privacy Shield was criticized by data protectionists and civil rights organizations for keeping open the possibility of mass surveillance by U.S. authorities. In the summer of 2020, the European Court of Justice (ECJ) finally overturned the agreement, thus removing the legal basis for all data transfers based on it.

Privacy Shield agreement between EU and USA weighting

01

A definition of Privacy Shield

The set of rules based on Privacy Shield established by the EU and the U.S. in 2016 was intended to ensure adequate data protection for the European public as the successor to the Safe Harbor agreement, which had already been overturned in 2015. At the same time, the agreement, also known as the EU–US Privacy Shield, formed the legal basis for transatlantic data transfers. However, data protectionists and civil rights organizations criticized the agreement from the outset because it continued to provide leeway for mass surveillance and gave U.S. law a greater priority over European jurisprudence. In its decision of July 16, 2020, the ECJ declared the EU–US Privacy Shield invalid (“Schrems II” judgment of July 16, 2020 (Case C-311/18)). Since then, companies can no longer rely on the adequacy of the level of data protection pursuant to Article 45 of the European Data Protection Regulation (GDPR) when transferring sensitive data for processing to partners or service providers in the U.S. As an alternative, companies still have the option of using so-called standard contractual clauses (SCC) to agree on the legal security of data transfers, but this is extremely difficult in most cases.


02

Why is Privacy Shield incompatible with the GDPR?

Like its predecessor, the Safe Harbor agreement, Privacy Shield was essentially limited to voluntary commitments on the part of companies to guarantee the protection of transferred data. To do so, the companies had to be listed with the U.S. Department of Commerce. However, neither Safe Harbor nor Privacy Shield offered concrete protection of sensitive data from access by U.S. authorities. There was also a lack of effective legal remedies for data subjects against access by government authorities.

However, the GDPR requires the establishment of an adequate level of protection for non-European data transfers. The exceptions are the so-called secure third countries (Andorra, Argentina, Canada (only commercial organizations), Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland, Uruguay, and Japan), to which data transfers are expressly permitted. For secure third countries, there is an adequacy decision by the EU Commission confirming that the national laws of the countries ensure an adequate level of protection for personal data comparable to that provided by EU law. In the case of Privacy Shield, this adequacy decision of the EU Commission was declared invalid by the ECJ. Following the ECJ’s ruling, it is therefore clear that there is no substantially equivalent level of protection in the U.S. The following reasons were decisive for the ECJ:

U.S. law violates the EU Charter of Fundamental Rights

U.S. legislation (Section 702 FISA (Foreign Intelligence Surveillance Act) /E.O. 12333) entitles U.S. security services to access personal data during data transfers from the EU. This situation disproportionately restricts Article 7 and Article 8 of the EU Charter of Fundamental Rights and also violates Article 52 (1) p. 2 of the EU Charter of Fundamental Rights (marginal no. 184 f.), since:

  • First, access to personal data by non-Americans is not restricted;

  • Second, because non-Americans have no enforceable rights against such access at their disposal.

Lack of legal protection

There is no legal protection against access by the U.S. security services under the provisions of the EU Charter of Fundamental Rights. Thus, there is no legal protection against access based on E.O. 12333. Furthermore, the ombudsman mechanism stipulated in Privacy Shield is ineffective against U.S. intelligence services, as no binding decisions can result from it.

/

03

What penalties do companies face if they fail to comply with the new legal situation?

Whichever way companies go, the strict requirements of the GDPR must be implemented in any case. The more sensitive the information processed, the more comprehensive the IT protection mechanisms must be. There is also a strict requirement to report breaches and technical problems. Violations of the requirements can result in heavy fines of up to 20 million euros or up to 4 percent of annual global turnover, whichever is greater. The fact that the European data protection commissioners are quite prepared to make companies pay for serious violations has been demonstrated several times in recent years: British Airways, the Marriott hotel chain, and the housing company Deutsche Wohnen have been fined millions of euros.


04

How can data transfers to the U.S. take place in a legally secure manner after the end of Privacy Shield?

With the discontinuation of Privacy Shield, a legally compliant exchange of sensitive data between Europe and the U.S. is in principle possible via standard contractual clauses or binding corporate rules (BCR). However, there are some challenges to be overcome in terms of implementation. Thus, the ECJ emphasizes in its ruling that the data exporter bears responsibility for verifying the level of protection. Personal data must essentially enjoy equivalent protection in a third country as under the GDPR. Otherwise, guarantees must be implemented via additional security mechanisms in accordance with Article 46 of the GDPR. However, according to Stefan Brink, the data protection commissioner of the state of Baden-Württemberg, the current options for legally secure data transfers are extremely limited:

“Although a transfer based on standard contractual clauses may be conceivable, it will only rarely meet the requirements that the ECJ has set for an effective level of protection.”

One particular impediment to GDPR-compliant standard contractual clauses with U.S. companies is the CLOUD Act (Clarifying Lawful Overseas Use of Data Act) signed into law in March 2018. The U.S. law requires American internet companies and IT service providers to permit U.S. authorities to access stored data even if the data is not stored in the U.S. This means that internationally operating American companies are de facto compelled to hand over data if requested to do so by U.S. authorities.

/

05

How does the new legal situation affect cloud service providers?

The stricter the applicable compliance guidelines in each company, the more difficult it is to contractually stipulate a legally secure data transfer to the U.S. This applies in particular to highly regulated industries such as finance, insurance, healthcare, and operators of critical infrastructure. For example, in practice, IT outsourcing by banks and financial service providers in critical core areas can often only be done by local providers since contractually defined rights of instruction must also be agreed upon to secure data sovereignty. Furthermore, the responsible supervisory authority must be able to monitor the cloud service provider in the same way as would be the case here in Germany. These monitoring options also include unrestricted access to information and data as well as access to the business premises of the service provider itself. Only very few providers from the U.S. and other third countries are likely to agree to such concessions. After all, it would be much easier for them to generate revenue in less regulated areas.

/

06

What alternatives to Privacy Shield is the EU Commission working on?

Meanwhile, the search for a stable legal basis is entering a new round: Since the end of 2020, the Commission has been working on an adapted draft for standard contractual clauses that takes into account the points criticized by the ECJ in the Schrems II judgment and also follows the recommendations of the European Data Protection Board (EDPB). This includes newly introduced safeguards to ensure compliance with the clauses in third countries with different legal jurisdictions. In addition, a requirement to notify the data subjects will apply in the future when authorities in a third country request personal data in a legally binding manner. Data importers should also provide information on how they keep the amount of personal data as small as possible and protect it from unauthorized access through technological measures such as pseudonymization and encryption.

/

07

What you need to know about Privacy Shield

The Privacy Shield agreement was intended to provide the legal basis for the exchange of sensitive data between the EU and the U.S. and to ensure compliance with European data protection standards for these transfers. In mid-2020, the adequacy decision made by the EU Commission under Privacy Shield was declared invalid by the ECJ, as there was no substantially equivalent level of protection as required by the GDPR due to applicable U.S. law. Since then, data transfers based on Privacy Shield have lacked a legal foundation. Therefore, companies must resort to standard contractual clauses or binding corporate rules (BCR) to make data transfers legally sound. In many cases, this will be difficult to achieve in practice, as U.S. law is at odds with the GDPR in a number of respects. The greatest impediments arise from Section 702 FISA, E.O. 12333, and the CLOUD Act.