In July 2020, the European Court of Justice (ECJ) overturned the EU-US Privacy Shield agreement. Now the European Union (EU) and the US have agreed on a new agreement that will regulate how personal data can be shared with US digital companies. EuroCloud board member Dr. Jens Eckhardt explains what cloud users should know.
eurocloud.de: Dr. Eckhardt, as a specialist attorney for IT law, how do you assess this development?
Dr. Jens Eckhardt: The European Union and the US have agreed in principle on a new agreement on the transfer of personal data from the EU to the US. Although details are not yet known. But the step already has an important signal effect: Data transfers in the digital economy are to become easier again in the future.
How quickly will the agreement be implemented?
A timetable for the adoption and effective date of new regulations is not yet known. However, in view of the case law of the ECJ, I consider the hurdles for such an agreement to be very high.
Why did the new agreement become necessary in the first place?
The ECJ had overturned the existing EU-US Privacy Shield agreement in July 2020. This meant that cloud providers and other companies were no longer allowed to transfer personal data to the US on this basis.
What was the problem?
In the so-called “Schrems I” decision, the ECJ first criticised the EU Commission for not (sufficiently) examining the access powers of US security authorities in its adequacy decision and therefore declared the so-called Safe Harbor Principles invalid. In the so-called “Schrems II” decision, the ECJ found, on the basis of the EU Commission’s findings in the decision on the EU-US Privacy Shield, that the powers of the US security authorities and the insufficient legal remedies of EU citizens after a data transfer do not ensure an adequate level of data protection and declared the EU-US Privacy Shield invalid. Since then, additional contractual and technical safeguards for a data transfer to the USA have to be examined and implemented.
What does this mean for the new agreement?
The new agreement must specifically take into account the requirements of the ECJ. European companies, for example, experience how difficult this is on a daily basis. A mere remake of the elements of the EU-US Privacy Shield would probably be doomed to failure.
How can it still succeed?
If the new agreement takes the ECJ’s criticism into account, it will provide relief. Otherwise, in my opinion, it would only be a matter of time before the ECJ also declares the new agreement invalid. My experience shows: There are a lot of plaintiffs already waiting in the wings.
Thank you for the interview!
About
Dr. Jens Eckhardt is a specialist attorney for information technology law as well as ECSA Legal Auditor, Data Protection Auditor (TÜV) and Compliance Officer (TÜV). He works for the Derra, Meyer & Partner law firm and has been advising national and international companies nationwide on data protection, information technology, telecommunications and marketing since 2001.