European Court of Justice Strikes Down Privacy Shield: Immediate Actions & Recommendations

Privacy Shield toppled. What now?

The news that the European Court of Justice (ECJ) declared the Privacy Shield Agreement invalid spread like wildfire in the media. But then there was radio silence for the time being – because even the data protection experts had and still have no satisfactory answers to the questions that the judgment inevitably raises. The only thing that is certain is that companies must take action immediately. In this article we give you tips and recommendations for action on how to deal with the changed data protection situation.

Evaluate data flows

Even though the judgment of the ECJ is effective immediately, no one expects you to change your data processing operations overnight. In any case, it remains to be seen how exactly the national supervisory authorities will implement the recommendations of the ECJ in the respective country. However, that is by no means a reason to put the topic on the back burner. Start evaluating your data flows today. Pay particular attention to data transfers to the USA. This gives you a good overview of the effort involved in an emergency.

Obtain user consent

“Play it safe”: By far the safest way to legally transfer personal data to the USA – and in principle any other country – is to obtain user consent. This sounds easy in theory, but in practice it means a lot of extra work. You have to be able to prove, for example in your customer database or your CRM system, that each user has been informed and has given their express consent. This is the only way to be on the safe side during audits or official controls. However, one crucial question remains unanswered with this model: What happens to users who do not give their consent? In any case, you need a plan B.

Encrypt data

Another option for processing data in the USA in a legally secure manner is to encrypt or anonymize the master data. But: Not every organization and not every business model is suitable for this. So check in detail beforehand whether your company can also work with data with no or only limited personal reference.

Switch to another provider

Many of the above options are compromise solutions or only suitable for certain types of businesses. If you really want to be independent and also prepared for the future, you should think about processing your data exclusively in the EU. Because if Safe Harbor and Privacy Shield have taught us anything, it’s that data processing in the USA will remain an explosive issue in the future.

Many experts, such as the Berlin data protection officer Maja Smoltczyk, are therefore calling for “personal data stored in the USA to be relocated to Europe.” Companies and institutions that transmit personal data to the USA, especially when using cloud services, “are now urged to immediately switch to service providers in the European Union or in a country with an appropriate level of data protection.”

In Europe, Germany is considered to be the server location with a particularly high level of data protection. As an experienced data center operator, we ourselves know very well how important data protection is – because for many of our customers this is not just the mere fulfillment of requirements, but an integral part of their business concept. Therefore, we do everything we can to protect the data of our customers and their customers as well as possible. For example, we store data exclusively in Germany in our centron data center in Hallstadt. Our information security management is also ISO 27001 certified by the Federal Office for Information Security (BSI) – and even exceeds the strict German data protection requirements.

Further information on data protection in our centron data center and our managed server offers can be found here:

Our ISO 27001 data center
Managed Server Dedicated by centron
Managed Server Virtual from centron

Keep an eye on the legal situation

On the basis of the ECJ ruling, the state governments will also publish recommendations for action in the coming weeks and months. So be sure to keep your eyes open. Reliable sources of information are:

Website of the European Court of Justice
Website of the Federal Court of Justice
Principles of the data protection conference

Background: why is Privacy Shield prohibited?

Privacy Shield was created as a successor to the Safe Harbor Agreement, which was overturned in 2015. It was intended to form the basis for a legal data transfer of user and customer data to the USA. But as soon as it was introduced, Privacy Shield was massively criticized and described as a sham. In July 2020, the European Court of Justice finally withdrew the legal basis for the agreement. The main reason: In the USA, secret services can legally access company and customer data. This means that there is no level of data protection comparable to the standards of the EU – according to the Luxembourg judges, this is the basic requirement for data transfer from the EU to the USA. Particularly problematic: As a result of this judgment, many standard contractual clauses that are considered an alternative to Privacy Shield are on the brink – because it seems utopian that the USA should change its secret service policy in the medium or long term.