Privacy shield is riddled with holes

It’s official: The Privacy Shield is a mess of gaping holes and was officially declared invalid in mid-July. Although the report itself has already been buried in the media, companies and organizations will struggle with the impact for a long time to come. In a nutshell: Companies who used the services of an American provider that collected personal data of users relied on the Privacy Shield agreement. This successor to the Safe Harbor agreement that expired in 2015 assured European individuals comparable data protection in the USA as within Europe. This is no longer the case, as the European Court of Justice has now officially ruled that the level of data protection in the USA is not comparable to Europe. This rebuttal arose from an initiative by Max Schrems, who originally filed a claim against Facebook for not providing adequate protection of his personal data. And now the efforts of a single person have succeeded in revealing the ugliness under the thin veil of the entire transatlantic privacy agreement and paved the way to its formal invalidation. Well done Max!

Now, everyone involved in IT and data protection needs to take a good look and hang their heads in shame. Of course, it is clear to everyone that the US has a approach to data protection that might be compared to a shark with an open sardine can. This begins with the completely unnecessary exploitation of the more or less voluntarily given data on Facebook and other social platforms, continues with the telemetry data sent to the USA via cloud services operated by Microsoft, Amazon and others and ends - presumably – with all-encompassing access by the secret court FISA on request, in the interest of national security, of course. Anyone who purchases US services and gives in to the illusion that they receive them according to European data protection standards is so naive that you should probably call them something else instead.

This is unlikely to new for most readers and yet for the sake of completeness: Neither the Chinese, nor the Russians, nor any other state with developing IT surveillance capabilities, do it any differently. But historically, Germany is heavily dependent on the US as a technology partner and a decision against Privacy Shield has a massive impact on German organizations. This is because data transfers to the USA now breach data protection if they are made (exclusively) on the basis of a Privacy Shield certification. This includes data transferred not only to processors, but also within a group or to business partners. This potentially means that the German HR department of a large corporation could be breaking data protection laws when it transfers a German personnel file to its American HR department. For example, if an employee has applied internally for a position in the American office. This is at least the case if the data is transferred on the basis of the Privacy Shield agreement. Fortunately, this is often not the case. What the ECJ has explicitly not overturned are the standard contractual clauses. These are also often agreed between the partners and what is defined there is not invalid per se.

However, it is too early for a sigh of relief just yet. The ECJ also states that the contracting parties have a duty to ensure that what has been defined in the standard contractual clauses is actually implemented. Let’s just imagine how a small or medium-sized enterprise could turn up on the doorstep of its American business partner, a much larger company, to check that its data is being processed in compliance with the GDPR. Only in a world of make-believe. But what can companies do to protect themselves? Recommendations for action such as obtaining the consent of stakeholders and using alternative providers in the EU are only possible in a minute number of cases. That is why, first of all, we must hope. Hope that the data protection authorities will not penalize the vast numbers of violations that are likely to be reported. And then you should do what always needs to be done in a situation like this. Know your part of the obligations and know your assets. It is imperative to know: What data is being transferred to the US Which applications at your company are using US servers What contractual agreements exist governing the exchange of data. Once this has been clarified, there is still not much that can be done at the moment, but at least you will be prepared for the next round between the ECJ and the USA. Discussions are currently being held on a new regulation, and it will not be long before the next version of the Privacy Shield, whatever it is called, comes into force.