Just over half a year ago, the agreement on the transfer of personal data between the EU and the USA, known as the “Privacy Shield”, was overturned by the ECJ. But do all of us have to panic now? Who needs to take action at all? We clarify what the end of “Privacy Shield” means for companies.
In July 2020, the moment had finally come. After a long dispute, the European Court of Justice declared the agreement between the EU and the United States of America that allowed data protected by the GDPR to be transferred to American servers invalid. While privacy advocates are celebrating the Court's decision as a great victory, many companies now face a period of uncertainty. After all, many companies in Europe have long relied on (often U.S.) cloud services with data centers in the U.S., on CRM systems from the States, or on Zoom & Co. to organize home office work during the pandemic.
No reason to panic
As is so often the case after court decisions of this magnitude, there is widespread unease. For the time being, however, the order of the day is to keep calm. The responsible supervisory authorities at national level must first derive concrete recommendations from the ruling. In the meantime, companies can ask themselves to what extent they are actually affected by the end of the Privacy Shield. Companies that already host their data in European data centers or on their own servers, work with open source software, encrypt data end-to-end, and do not otherwise process personal data in the U.S. may be largely untouched by the ECJ's decision. For companies that have outsourced their entire IT infrastructure to the US cloud, the situation is quite different. So before companies start to panic, they should first analyze their situation: which personal data leaves the EU, to which providers, and on what legal basis. Only then can the necessary steps be identified. There are essentially three options for action:
1. Standard contractual clauses
The ECJ has, in principle, confirmed the validity of the standard contractual clauses with which companies regulate data transfers to US partners. In theory, it is therefore still possible to transfer data to US companies. The Court attached a condition, however: before transferring, the data exporter must verify that the law of the recipient country does not undermine the protection promised in the clauses, and must add supplementary measures where it does. In practice, things are therefore more difficult than they sound: the clauses have to be concluded individually with each contract partner, and each transfer has to be assessed. Depending on the size of the company, this can quickly degenerate into legal and logistical chaos, especially in light of the high fines that can be imposed for violations.
We'll be honest: As tempting as the solution with standard contractual clauses may sound, anyone who seriously wants to make their data storage compliant with the GDPR would be better off not relying on them alone.
2. Data storage in the EU
Data processing within the EU, on the other hand, offers more legal certainty. European data centers are bound by the requirements of the GDPR and can thus guarantee companies the necessary data protection standards. In some cases, US service providers also offer the option of processing data on EU servers. It is important to ensure that data is not transferred to the USA at any time. Note that a transfer does not only mean physically moving data: remote access to EU-hosted data from the US, for example for support or administration, counts as a transfer as well.
3. Encryption of data
Contrary to popular opinion, encrypting data is unfortunately not by itself sufficient to meet the requirements of the GDPR. As long as a key exists with which the data can be decrypted, the persons concerned remain identifiable, so encrypted data is pseudonymized personal data, not anonymous data, and retains its personal reference. It is therefore not advisable to base one's data protection efforts solely on data encryption. But: effective encryption, in particular where the keys never leave the company's or the EU's control, greatly increases data security and can thus perfectly complement standard contractual clauses as well as data processing in the EU, so that companies are on the safe side.
As we can see, there is no single measure, no panacea, for GDPR-compliant data management. The steps mentioned above do bring companies closer to the legally required standards. However, they are no substitute for an individual strategy.
To everyone who is waiting for the right moment: Here it is
Of course, the end of the Privacy Shield initially causes uncertainty, irritation and concern on the part of companies. Ultimately, however, companies should see the end of the agreement as an opportunity to finally question long-standing data retention practices and to treat not only the data of customers and business partners, but also their own data, with maximum security and care, something that many companies have unfortunately done far too little of in the past. Sure, relying on cloud solutions from large providers in the US is convenient. However, the concerns expressed by privacy advocates in this regard are anything but new. Some may view the ECJ's impulse positively, others negatively; either way, it is here. So it's time to take back control of your own data.
Another piece of good news: you don't have to do all this alone. Get help from experts, from us! We at epiKshare are happy to advise you on all aspects of the GDPR and data storage. Whether you're interested in hosting in our German data center or simply want to host yourself right away, our experts are there for you. We are also happy to support you at any time with questions about protected file sharing and particularly secure end-to-end encryption. Just send us a message.