- EU-US Privacy Shield is no longer a valid basis for data transfers to the USA
- Small to medium-sized cloud providers should now amend privacy notices
- EuroCloud checklist for data protection in the absence of EU-US Privacy Shield
The European Court of Justice overturned the EU-US Privacy Shield Agreement in July 2020. This means that cloud providers and other companies are no longer allowed to transfer personal data to the USA on the basis of that agreement. There is to be no transition period. Cloud providers should therefore act now and immediately check their privacy notices under Articles 13 and 14 of the GDPR and amend them if necessary, advises Dr. Jens Eckhardt, Director of Legal & Compliance at EuroCloud Deutschland_eco e. V. Anyone who fails to do so risks a fine and claims for damages from data subjects.
But even the use of the common standard contractual clauses will not suffice, at least not when it comes to the transfer of personal data to the USA. “In its ‘Schrems II’ ruling, the ECJ didn’t declare these standard contractual clauses to be invalid, but at the same time made it clear that what must be examined is whether a sufficient level of data protection exists in the recipient country,” says Dr. Jens Eckhardt.
Not all third country transfers are ruled out, but the exceptions are limited.
According to the ECJ, anyone wishing to export data on the basis of standard contractual clauses must first determine whether the recipient country has an adequate level of data protection from the EU data protection law perspective.
However, small and medium-sized cloud service providers will find it difficult to check and prove that sufficient data protection is in place in the USA – or any other third country. Data transfer based on so-called binding corporate rules presents similar concerns. In other words, the simple standard instruments for data transfer to the US face sustained scrutiny.
Without these standing instruments, such data transmission is only possible in four exceptional cases under Article 49 of the GDPR, namely when ….
- …the data subject has explicitly consented to the data transfer after having been informed of the possible risks of such data transfers to the data subject due to the absence of an adequacy finding and appropriate safeguards;
- …the transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of pre-contractual measures at the data subject’s request;
- …the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and another natural or legal person; or
- …the transfer is necessary for the establishment, exercise or defence of legal claims.
However, in practice these exceptional cases are difficult to implement. If, in accordance with point 1 above, concrete consent is to be obtained from the data subjects, they must be informed that their data will be transferred to a corresponding third country – including notification of all risks and that the level of data protection there does not correspond to the European level. “The effectiveness of such consent depends on its transparency and completeness,” says Dr. Jens Eckhardt. “It therefore needs to be based on careful advice and must be meticulously constructed.” Even then, whether all users will agree to this is questionable.
Technical alternatives can offer a way out of the dilemma – such as encryption of personal data before transfer or trusteeship solutions. Both are suitable for preventing access to the data from the USA. However, these also require close examination. One way or another: companies should tackle the problem quickly and not sit it out.
Download the EuroCloud legal assessment of the overturned EU-US Privacy Shield including checklist.