In March 2022, the European Union and the United States unveiled the follow-up to the Privacy Shield agreement: the Trans-Atlantic Data Privacy Framework. The new agreement, also known as “Privacy Shield 2.0,” is intended to ensure the free and secure exchange of data between the EU and the United States.
For more than two years, data exchange across the Atlantic has been on uncertain footing, and lacking urgently needed legal framework for the transfer of data. U.S. President Joe Biden has taken a long-awaited step towards a new solution with the Executive Order that was signed on October 7, 2022.
Politicians and businesses, along with data protection activists, would like to see free and, most importantly, secure data transfer and the legal framework that goes with it. Nevertheless, Biden’s executive order is only one of many steps that will need to be taken, as based on this decree, the EU Commission must once again make a so-called adequacy decision.
This decision, based on Article 45 of the General Data Protection Regulation (GDPR), stipulates that a third country or international organization must ensure an adequate level of protection for personal data. However, the EU Commission may not make this decision alone, they must involve the European Data Protection Board (EDSA) and the European Union states.
The focus when examining the adequacy of the level of data protection is on the rule of law and the applications of the legal and data protection regulations in the respective third country. Herein lies the problem though, as it is questionable whether or not a meaningful data protection is possible with the U.S.
U.S. laws such as the Foreign Intelligence Surveillance Act (FISA) or the Cloud Act enable mass surveillance by security agencies such as the NSA, and the USA Patriot Act by allowing the FBI or CIA to access servers of U.S. companies and their affiliates.
Between the year 2000 and 2015 there was the Safe Harbor agreement, a decision of the EU Commission, which considered data protection in the U.S. under Safe Harbor conditions as adequate to the European regulations. However, at the same time, this agreement was often criticized due to its lack of legal basis and the previously mentioned U.S. laws. In addition, the Safe Harbor agreement was a voluntary commitment.
With Edward Snowden’s public revelations in 2013, it became very clear that the standard of data protection in the United States does not measure up to that of the EU. The lawsuit brought by Austrian data protection activist Max Schrems, and the following Schrems I judgment against Facebook paved the way for the end of the Safe Harbor agreement in October 2015.
The European Court of Justice (ECJ) ruled that personal data theoretically could not be transferred to the U.S. because there was insufficient protection for such data on U.S. servers, rendering the Safe Harbor agreement invalid.
To restore legal certainty for the lively exchange of data between the US and the EU, the EU-US Privacy Shield came into force in 2016. The hastily created successor to the Safe Harbor agreement by the EU Commission was also merely an agreement whereby US companies would enter a voluntary commitment that they will handle the data of EU citizens in compliance with the GDPR. Furthermore, an independent complaint or mediation office (ombudsman’s office) was established in the U.S. Department of State to handle complaints arising from Europe.
Like the Safe Harbor agreement, the Privacy Shield was heavily criticized by data privacy activists and NGOs at the outset. Although data protection requirements were tightened, U.S. authorities still had extensive access to the stored data of EU citizens, and mass surveillance measures were still permitted.
Again, it was Austrian lawyer and privacy activist, Max Schrems, who finally took down the Privacy Shield in the summer of 2020. In the so-called Schrems II judgment, the agreement on the transfer of personal data of Europeans to the U.S. was declared unlawful. In its decision, the ECJ referred to the surveillance programs of U.S. intelligence agencies. This clearly highlights that not only is the level of data protection in the U.S. not equivalent to that of the EU, but also that there is an urgent need for action.
Since the end of the Privacy Shield in July 2020, personal data of EU users may no longer be stored in the USA without further consideration. This has significant consequences, especially for the use of cloud services, as most servers are located in the USA. European data may only be stored there to a very limited extent.
The companies involved often invoke the so-called standard data protection clauses. While valid, they do not provide a level of data protection comparable to that in the EU as the information must be transmitted in encrypted form under these standard clauses.
However, since U.S. laws such as the Foreign Intelligence Surveillance Act (FISA), the Cloud Act or the USA Patriot Act continue to apply, the required level of data protection in the U.S. cannot be implemented to the necessary extent. The EU and the U.S. want to remedy this deficiency and lack of legal certainty with the Trans-Atlantic Data Privacy Framework, i.e., the Privacy Shield 2.0.
The initial core principles of the new agreement, the Trans-Atlantic Data Privacy Framework or Privacy Shield 2.0, published in March 2022, include the following:
– A new set of rules and binding protections that limit access by intelligence agencies
– A two-tiered redress system to ensure independent handling of complaints from EU citizens through a “data protection review court”
– Stricter obligations for U.S. companies that process data transferred from the EU
– Specific monitoring and review mechanisms.
While the U.S. speaks of “unprecedented obligations” in its associated official statement, Max Schrems and many data protection organizations have a very different opinion. In the first statement on Biden’s executive order, Schrems criticizes that the U.S. would continue to not limit its mass surveillance systems and the “Data Protection Review Court” is not a court in the true sense, but merely an administrative body.
Schrems further criticizes the fact that U.S. companies do not have to comply with the GDPR, since the EU Commission does not demand their compliance explicitly. He doubts that the US has a future as a global cloud provider if international customers would not have rights under US laws. Basically, Schrems sees little chance for the new agreement.
In contrast, the German IT industry association, Bitkom, commented positively on Biden’s implementing regulation, stating it was a clear step forward for securing international data transfers, and companies needed resilient legal frameworks and the associated legal certainty.
The Privacy Shield 2.0 would at least make things considerably easier for companies in this respect. However, it remains to be seen what the EU Commission’s adequacy decision will look like and whether more data protection-friendly adjustments will be made to the currently valid US laws.
In addition to the cloud services already mentioned, US providers of cyber security services such as DDoS protection or Web Application Firewall (WAF) could also be affected. Many of these companies use a Content Delivery Networks (CDN) as a kind of data highway for their protection solutions. CDNs are complex and difficult to adapt tactically to such far-reaching regulatory requirements as those described so far.
The data on this data highway finds its way to the user completely detached from data protection. In a matter of seconds, data traffic is on overseas cables or outside the EU data protection zone.
Companies that intend to play it safe should entrust their data, such as personal details and IT security, to a provider from Germany or Europe thereby excluding any unauthorized use of data in the USA at the outset. After all, every U.S. company is subject to the U.S. laws described above and is obligated to provide information. This also applies to the associated subsidiaries in Europe, even if the company is a German GmbH.
The strict requirements of the European and German legislators regarding data protection and data security provide the necessary security for a data transfer. There are several companies in Germany and Europe that offer very good IT security solutions. Technologically, these innovative solutions stand in no way inferior to U.S. products. Along with a high level of protection, the DSGVO conformity of the “Made in Germany” security solutions also simplifies compliance requirements. In addition, the purchase of a local IT security product promotes the German or European economy.
Would you like to know more about compliant IT security solutions? Please feel free to contact us: