The Court of Justice of the European Union has overturned the EU-US Privacy Shield. It overturned the EU Commission’s adequacy decision of 2016, which established that the United States guaranteed “adequate” protection of personal data in accordance with its own laws and international agreements. The court does not consider this protection to be guaranteed.
Instead, the Court concludes that “priority must be given to the needs of national security, the public interest, and compliance with American law.” This would interfere with the fundamental rights of those whose data would be transferred to the United States. In the USA, the requirements for official data access are lower and do not correspond to the principle of proportionality applicable in the EU. In particular, the “surveillance programs based on American legislation” are not limited to what is necessary.
The Court also criticizes the ombudsman mechanism agreed with the United States. It is designed to help EU citizens assert their rights against US authorities in the event of a dispute. However, the ombudsperson was not empowered to “make binding decisions towards American intelligence services”.
However, the court considered the 2010 decision on the so-called standard contractual clauses, which can be agreed between a data exporter and a data recipient in a third country, to be valid. Among other things, it stipulates that the exporter and recipient must “check whether the required level of protection in the third country in question is observed.” In addition, the recipient is obliged to inform the exporter if it cannot comply with the standard protection clauses of the EU, whereupon the exporter must stop the transmission.
This was triggered by the complaint against the Austrian activist Max Schrems in 2008Ireland. In 2015, it resulted in the Safe Harbor Agreement, which had been in effect until then, being repealed. Subsequently, data transfers were based on the standard contractual clauses, and Schrems directed his complaint against this set of rules at the instigation of the Irish data protection authority. The Irish High Court, finally entrusted with the matter, then brought the case to the Court of Justice of the European Union.
Schrems now assumes that the standard contractual clauses cannot be used for data exchange with US companies that are subject to US surveillance laws. Competent data protection authorities would now even have to act on their own initiative against companies, “if US surveillance laws violate the principles of EU data protection law but the companies have not acted,” said Schrems’ data protection initiative NOYB.
“The judgment makes it clear that companies must not simply sign the SCCs, but also have to check whether they can be complied with in practice. In cases such as Facebook, where Facebook remained inactive, the DPC had the solution to this case in its own hands all the time. She could have instructed Facebook to stop data transfers years ago. In our lawsuit, we demanded that she issue an injunction with a reasonable implementation period so that Facebook can take all necessary steps. Instead, the DPC turned to the CJEU to have the SCCs, which were now found to be valid, be set aside. It’s like calling the European fire brigade because you don’t feel like blowing out a candle yourself,” said Schrems.
The Nuremberg cloud provider OwnCloud also rated the judgment positively. “Today’s ECJ ruling poses a major problem for American cloud storage services such as OneDrive, Drive or Dropbox. In the end it means that the storage of personal data of EU citizens in these clouds violates EU law, i.e. the GDPR, and thus faces severe penalties. This severely limits the usability of these services for European companies and authorities from today on,” commented Tobias Gerlinger, CEO and Managing Director of .
“With the judgment of the European Court of Justice, it is now official that the certifications of the major American cloud providers Microsoft, Google, and Co. are not even worth the paper they are on under the EU-US Privacy Shield Agreement. The transfer of personal data from EU citizens to the USA through these cloud services violates EU law. Since such a transfer cannot be ruled out due to the US Cloud Act even when data is stored in the EU, the usability of American cloud services for European companies and authorities is de facto severely restricted.”
EU Commission Vice-President Věra Jourová said that data protection is a fundamental right of European citizens. “We firmly believe that in today’s globalized world, it is essential to have a wide range of tools for international data transfers while ensuring a high level of protection for personal data.”
The EU is now working with the data protection authorities of the Member States to modernize the standard contractual clauses. In addition, the further procedure will be discussed with the US partners. However, the EU Commissioner did not agree with Schrems that data exchange was only possible after a fundamental reform of the US surveillance laws.