Like its predecessor, the Safe Harbor agreement, Privacy Shield was essentially limited to voluntary commitments on the part of companies to guarantee the protection of transferred data. To do so, the companies had to be listed with the U.S. Department of Commerce. However, neither Safe Harbor nor Privacy Shield offered concrete protection of sensitive data from access by U.S. authorities. There was also a lack of effective legal remedies for data subjects against access by government authorities.
However, the GDPR requires the establishment of an adequate level of protection for non-European data transfers. The exceptions are the so-called secure third countries (Andorra, Argentina, Canada (only commercial organizations), Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland, Uruguay, and Japan), to which data transfers are expressly permitted. For secure third countries, there is an adequacy decision by the EU Commission confirming that the national laws of the countries ensure an adequate level of protection for personal data comparable to that provided by EU law. In the case of Privacy Shield, this adequacy decision of the EU Commission was declared invalid by the ECJ. Following the ECJ’s ruling, it is therefore clear that there is no substantially equivalent level of protection in the U.S. The following reasons were decisive for the ECJ:
U.S. legislation (Section 702 FISA (Foreign Intelligence Surveillance Act) /E.O. 12333) entitles U.S. security services to access personal data during data transfers from the EU. This situation disproportionately restricts Article 7 and Article 8 of the EU Charter of Fundamental Rights and also violates Article 52 (1) p. 2 of the EU Charter of Fundamental Rights (marginal no. 184 f.), since:
First, access to the personal data of non-Americans is not restricted;
Second, non-Americans have no enforceable rights against such access.
The EU Charter of Fundamental Rights provides no legal protection against access by the U.S. security services; in particular, there is no legal protection against access based on E.O. 12333. Furthermore, the ombudsman mechanism stipulated in Privacy Shield is ineffective against U.S. intelligence services, as no binding decisions can result from it.
After the invalidation of Privacy Shield, a legally compliant exchange of sensitive data between Europe and the USA remained possible in principle via the standard contractual clauses or Binding Corporate Rules (BCR). However, some challenges had to be overcome during implementation. For example, the ECJ emphasized in its ruling that the data exporter bears the responsibility for verifying the level of protection. Accordingly, personal data in a third country must essentially enjoy a level of protection equivalent to that under the GDPR. Otherwise, the guarantees required by Art. 46 GDPR would have to be implemented via additional security mechanisms.
A particular barrier to GDPR-compliant standard contractual clauses with U.S. companies is the CLOUD Act (Clarifying Lawful Overseas Use of Data Act), signed in March 2018. The U.S. law obliges U.S. Internet companies and IT service providers to grant U.S. authorities access to stored data even if the storage does not take place in the United States. In effect, this means that internationally operating U.S. companies are obliged to hand over data if requested to do so by U.S. authorities.
Since 10 July 2023, the Trans-Atlantic Data Privacy Framework has provided a new adequacy decision that enables the legally secure transfer of data between the EU and the USA.