The Privacy Shield is currently the most important legal ground for the exchange of personal data between EU Member States and the USA. The legal significance is particularly high for all companies involved in data transfer and storage. Currently, intensive discussions are taking place in both the USA and the EU on the future of transatlantic data protection. In interview, Oliver Süme, Chair of eco, gives us an insight into the thinking behind the dialogues.
Mr. Süme, what exactly is the EU-US Privacy Shield?
The EU-US Privacy Shield is a data protection legal agreement between the European Union and the USA. It offers European companies the required legal basis for transferring personal data to companies based in the USA. The background to this is that, in accordance with the General Data Protection Regulation, the personal data of EU citizens can only be transferred to third countries if one of several legal grounds exists. Given that the USA – as a result of a considerably different legal framework – does not offer an appropriate level of data protection from the EU perspective, the EU Commission and the US government negotiated the Privacy Shield. This was also necessary because the predecessor to the Privacy Shield, the Safe Harbour agreement, had been declared invalid by the European Union Court of Justice. Under the Privacy Shield, US companies can get themselves certified if they fulfill certain data protection requirements and can therefore demonstrate an appropriate level of data protection. The certification takes place through the US Department of Commerce, which also publishes a list of the certified companies.
Why is the agreement so important?
The secure and legally compliant exchange of data between the EU and the USA is an important component of business processes for many European companies. Many important IT service providers, cloud and ERP providers, and also the plethora of Software-as-a-Service offers of different shapes and sizes, are services coming from the USA that are used in the EU. As soon as personal data is processed as part of these, the Privacy Shield provides a very important legal ground for the European economy.
So transatlantic data exchange is now in safe waters?
Yes and no. On the one hand, it does in practice guarantee an appropriate level of data protection, and the second annual examination by the EU Commission also attested to this. At the same time, the Privacy Shield is under fire: It is receiving some criticism from the European Parliament. The EU Commission has also found fault with the fact that the Ombudsperson – who, according to the agreement, the US Administration is required to appoint – has not yet been formally appointed and it is therefore not possible for affected EU citizens to have any complaints handled appropriately. In addition, the European Court of Justice is currently reviewing a further important legal ground for international data transfer: the Standard Contractual Clauses approved by the EU Commission, which represent an important alternative to Privacy Shield.
Against this backdrop, and as part of our transatlantic round table discussions together with our US American partner association, the i2Coalition, we want to encourage the dialogue between political actors and companies on both sides of the Atlantic and strengthen the Privacy Shield, in order to retain this important legal ground. The previous events in this series in Brussels and Berlin were very successful and they showed, among other things, that there’s currently quite a lot happening in the US in the area of data protection. A whole series of legislative initiatives are getting off the ground to strengthen the overall level of data protection. There has also finally been some movement on the Ombudsperson, so that we are now on the right track. Now we want to round the series off with a further event in Washington.