Privacy Shield Agreement: What Its End Means

The Privacy Shield contains a mechanism to certify that the companies certified under it have a level of data protection comparable to the level in the EU, so that data can legitimately be transferred to the USA. The agreement was intended to guarantee that data processed in the USA was protected to an (adequate) level comparable to the level of data protection it would have in the EU.

The agreement was heavily criticized by privacy groups from the very start. Rightly so, as the ECJ ruling confirms. This makes the EU-US Privacy Shield the second agreement between the US and the EU, after the Safe Harbor Agreement, to be struck down by the ECJ.

2. Hosting in Amazon, Google & Co. clouds?

Around 5,000 companies, including Amazon (including Amazon AWS), Microsoft (including Azure) and Google (including all services offered by Google LLC) are currently covered by the EU-US Privacy Shield.

As the European Court of Justice has declared the Privacy Shield invalid in its ruling of July 16, 2020, companies can no longer use it as the basis for data transfers to the USA.

3. Possible workarounds

a) Switching to Amazon's data center site in Frankfurt?

If, for example, you choose to use Amazon's data center in Germany/Frankfurt, you can check whether all health data is also stored and processed there. It must also ensured that not just the server location but also the company's headquarters are in the EU.

Even storing email addresses, e.g., in connection with the use of a digital health application, can be considered as processing health data.

b) Use of standard clauses

As the ECJ ruling makes clear, medical device manufacturers still have the option of ensuring a level of protection for the processing of personal data comparable to that in the EU through standard contractual clauses.

c) Encrypted storage

The technical requirements that encryption must meet to effectively exclude the possibility of the encrypted data being identifiable are very high. Therefore, as a general rule, it can be assumed that personal data retain their connection to a person despite encryption.

This means that the requirements of the GDPR must be complied with even if the data is stored in encrypted form by the respective service provider. Therefore, it is generally not possible to circumvent the ECJ ruling in this way.

4. Conclusion and recommendation

The ECJ ruling has deprived a lot of companies of the legal basis on which they store data with US tech giants.

Therefore, these companies should check whether the data stored with a service provider covered by the EU-US Privacy Shield is personal data. If it is, the data must be protected by standard contractual clauses.

The standard contractual clauses for processors can be found in the Annex of Commission Decision 2010/87.

Do you have any further questions or comments? Contact us in the comment box below or write directly to Sonia Seubert, a lawyer at Mazars Rechtsanwaltsgesellschaft mbH.