For companies that use cloud computing solutions from US providers, this means that they have been deprived of the legal basis for this use. Those who hoped that there would at least be a transitional period until the ruling was implemented were disabused of that hope just one week after the ruling was published.
As early as 24.7.2020, heise.de reported that the "European Data Protection Board (EDSA) [...] has found answers to the main questions on the consequences of the European Court of Justice (ECJ) ruling on data transfers outside the EU ("Schrems II"). According to the supervisory authorities in the EU, there is no "grace period" for data processing based on the "Privacy Shield" declared invalid by the ECJ."
According to heise.de, companies still transferring personal information from the EU to the US under the transatlantic data protection shield must change their practices "without delay", explained Federal Data Protection Commissioner Ulrich Kelber. Otherwise, they could face hefty sanctions under the General Data Protection Regulation (GDPR).
The EDSA FAQs on the standard contractual clauses announced in the heise.de article are now available for download on the EDSA website.
Companies that use cloud computing solutions should therefore definitely act immediately and check where the data they process with their cloud-based solutions ends up. Otherwise, they risk the sanctions outlined above. This check is particularly important for cloud solutions that are offered by a German or European provider but are operated on the cloud platform of an American cloud service provider (Amazon Web Services, Google Cloud, Microsoft Cloud, etc.). In these cases in particular, it must be ensured that the data of German or European users is not transferred to the USA by the platform operator, e.g. in the course of archiving or nightly backups. It is precisely this transfer that has no longer been permitted since the ECJ decision of 16 July 2020.
Of course, it is best to rely on a cloud service provider that is not affected by the ECJ ruling at all. This is the case with ZEP, for example.
The ZEP provider, provantis IT Solutions GmbH, is a German company that does not have to comply with any requirements from US authorities and/or other official bodies in the USA.
The data collected and processed in ZEP is hosted exclusively in German high-performance data centres, which in turn are operated by German companies. This means that there is no data transfer to the USA and/or a third country at any time. The data centre operators are also subject exclusively to German law and the requirements of the GDPR.
Thus, neither the Privacy Shield Regulation nor its repeal by the ECJ plays a role for ZEP users.
Further information on the topic of data security and data protection when using ZEP in the cloud computing model is available on the ZEP website.