21 August 2020

ECJ Privacy Shield ruling: No reprieve by EU data protection authorities

On 16 July 2020, the time had come: the European Court of Justice (ECJ) declared the agreement previously applicable to data traffic between Europe and the USA, the so-called EU-US Privacy Shield, invalid. The reason given by the ECJ: in the USA, companies can be obliged to make user data, including data generated in Europe, available to US authorities such as the NSA or the FBI. This is not compatible with current EU data protection law, especially within the framework of the EU General Data Protection Regulation (GDPR). The legal protection of European users could not be guaranteed.

For companies that use cloud computing solutions from US providers, this means that they have been deprived of the legal basis for this use. Those who hoped that there would at least be a transitional period until the ruling was implemented were disabused of that hope just one week after the ruling was published.

No reprieve from EU data protectors

As early as 24 July 2020, heise.de reported that the "European Data Protection Board (EDSA) [...] has found answers to the main questions on the consequences of the European Court of Justice (ECJ) ruling on data transfers outside the EU ("Schrems II")". According to the supervisory authorities in the EU, there is no "grace period" for data processing based on the "Privacy Shield" declared invalid by the ECJ.

According to heise.de, companies still transferring personal information from the EU to the US under the transatlantic data protection shield must change their practices "without delay", explained Federal Data Protection Commissioner Ulrich Kelber. Otherwise, they could face hefty sanctions under the General Data Protection Regulation (GDPR).

The EDSA FAQs on the standard contractual clauses announced in the heise.de article are now available for download on the EDSA website.

Deploy cloud computing solutions: Act immediately

Companies that use cloud computing solutions should therefore definitely act immediately and check where the data they process with their cloud-based solutions ends up. Otherwise, they risk the sanctions outlined above. This check is particularly important for cloud solutions that are offered by a German or European provider but are operated on the cloud platform of an American cloud service provider (Amazon Web Services, Google Cloud, Microsoft Cloud, etc.). In these cases in particular, it must be ensured that the data of German or European users is not transferred to the USA by the platform operator, e.g. in the course of archiving or nightly backups. It is precisely this transfer that has no longer been permitted since the ECJ decision of 16 July 2020.

Cloud Service Made in Germany: Example ZEP - time recording for projects

Of course, it is best to rely on a cloud service provider that is not affected by the ECJ ruling at all. This is the case with ZEP, for example.

  • The ZEP provider, provantis IT Solutions GmbH, is a German company that does not have to comply with any requirements from US authorities and/or other official bodies in the USA.

  • The data collected and processed in ZEP is hosted exclusively in German high-performance data centres, which in turn are operated by German companies. This means that there is no data transfer to the USA and/or a third country at any time. The data centre operators are also subject exclusively to German law and the requirements of the GDPR.

Thus, neither the Privacy Shield Regulation nor its repeal by the ECJ plays a role for ZEP users.

Further information on the topic of data security and data protection when using ZEP in the cloud computing model is available on the ZEP website.