Privacy Shield: The end of transatlantic data exchange?

+++ INFORMATION +++

Currently, it is recommended that affected data flows be identified and switched to alternatives that meet the required level of protection under GDPR. We would therefore like to assure you that Hornetsecurity’s cloud email security services are not affected by the invalidation of Privacy Shield and can continue to be used as usual.

+++

On 16.07.20 the European Court of Justice (ECJ) overturned the data protection framework between the USA and Europe. Although this does not immediately mean the end of data transfer between the two continents, it does have far-reaching consequences. Let’s take a quick look at it.

The Data Agreement came into force at the beginning of 2016 as the successor to the Safe Harbour Agreement. The aim of the Privacy Shield, according to its creators, was to provide legal certainty not only for a higher level of protection for citizens, but also for European companies that exchange data with the USA. US companies would thus be obliged to store the data of EU citizens for only as long as it was used for the original purpose. Data protection experts criticised this agreement from the very beginning, as they suspected that it would not offer any significant changes compared to the previous safe harbour agreement.

For example, the Privacy Shield offered approaches for better data protection, but this was still far from reaching the European standard. In particular, US secret services were able to access data of EU citizens without any restrictions. This fact prompted the ECJ to declare the Privacy Shield invalid.

Can data still flow between the USA and Europe? It is clear that the removal of the Privacy Shield agreement creates confusion. First of all, it is important to realize that a distinction must be made between private individuals and companies. Private individuals can still send private emails to the US or make a booking on a US website. The situation is different for companies.

Around 5,000 companies are directly affected by the ECJ’s decision, as they invoke the Privacy Shield when transferring data to the USA. These include companies such as Facebook, Microsoft and Amazon. In order to initially continue to ensure legal data exchange to the USA, companies can alternatively invoke the standard contract clauses that have been practicable to date. But here, too, the question is: Can these still be valid, even if they cannot exclude access by secret services?

German data protection experts, in particular, are beginning to talk about Europe’s digital independence. The Berlin data protection expert Maja Smoltczyk, for example, calls on those responsible for transferring personal data to the USA to switch to service providers in the EU in order to ensure an adequate level of data protection.

It can therefore be assumed that there will be no ‘go ahead’ in the data protection debate to overcome legal uncertainty.

In principle, Hornetsecurity provides its core service in Germany within secure data centers there. There is no data exchange with the USA and Hornetsecurity is therefore not directly affected by this decision.

All subcontractors in a third country commissioned by Hornetsecurity, who have named the Privacy Shield as the basis for data transmission, also have alternative legal bases, so that if one legal basis is no longer applicable, one of the other possibilities will take over. The two other variants for the transfer of data from the European Economic Area to other countries, especially the USA, are Binding Corporate Rules / binding internal data protection regulations and EU standard contractual clauses/EU standard contractual clauses. Our customers will find the exact information about our subcontractors in the Order Processing Agreement in Annex 3.