What did the ECJ decide?

ritu2000
Posts: 249
Joined: Sun Dec 22, 2024 5:05 am

Post by ritu2000 »

The ECJ has declared the EU-US Privacy Shield Agreement invalid. The reason is the extensive rights of US security authorities, which cannot be reconciled with the GDPR. In particular, there is a lack of enforceable rights and effective legal remedies for EU citizens to defend themselves against data processing by authorities and secret services. For example, Section 702 of the Foreign Intelligence Surveillance Act (FISA 702) allows access to electronic communication data of non-US citizens without a court order and without legal protection.

The ECJ has also declared that the EU standard contractual clauses (“SCCs”) remain valid.

However, the ECJ makes a significant restriction: EU companies may not blindly trust the SCCs, but must check and ensure (if necessary together with the data importer in the third country) that the contractual agreements from the SCCs can also be complied with in the third country. Only then can an appropriate level of protection be guaranteed.

Such an examination is carried out:

- based on the contractual provisions of the SCCs,
- based on the specific circumstances of the data transfer, and
- based on the legal system applicable in the third country.

And this is where a big problem lies, because due to the Privacy Shield decision, we must assume in many cases that US companies cannot comply with the EU standard contractual clauses either. It must therefore be examined on a case-by-case basis and from service to service whether US security laws allow the contractual clauses to be implemented effectively.

Options for action
The ECJ ruling leaves a vacuum. So how should companies react and what measures can be taken now to reduce risks?

We currently see the following options for action:

- Some providers offer their EU customers the option of choosing and bindingly specifying server locations in the EU. These include Google Cloud, Microsoft and Amazon Web Services (AWS). Even with this option, you have to live with legal uncertainty due to US legislation. However, the ECJ has not dealt with the relevant "risk laws" (in particular the CLOUD Act), which is why we currently believe it is a reasonable solution. However, it remains critical if the data can be accessed from the USA, e.g. by the provider's US staff. Particular attention must therefore be paid to the service's authorization concept.
- An effective solution is to refrain from processing data in the USA. To do this, you must say goodbye to services that do not offer data storage in the EU. Depending on the purpose of the service, it may be possible to only refrain from processing personal data. Completely anonymized data or aggregated data sets are not subject to the GDPR.
- You can rely on existing standard contractual clauses or negotiate that the standard contractual clauses are included. Due to the ruling, there is also hope that US service providers will increasingly proactively integrate the standard contractual clauses into their terms and conditions. If you choose this option, please note the special requirements for standard contractual clauses below.
- Theoretically, you can obtain consent from any data subject to transfer their data to the USA. However, as already described above, the requirements are very high (particularly because of the transparency requirement), which is why consent is only appropriate in very limited exceptional cases.
- For the sake of completeness, we would also like to mention doing nothing and waiting, although this option carries the greatest risk (we will come to the risks later) and we must strongly advise against it.