Privacy Shield Chaos – How to act correctly nonetheless

When the GDPR came into force in 2016, the world turned upside down for many entrepreneurs. What rules applied and still apply today? No sooner had calm returned to the GDPR than the Privacy Shield data deal between Europe and the USA caused headaches. What is the situation today?

Privacy Shield Chaos – How to act correctly nonetheless

...

Privacy Shield Chaos – How to act correctly nonetheless

When the GDPR came into force in 2016, the world turned upside down for many entrepreneurs. What rules applied and still apply today? No sooner had calm returned to the GDPR than the Privacy Shield data deal between Europe and the USA caused headaches. What is the situation today?

In summer 2020, the Privacy Shield agreement was overturned by the European Court of Justice. With the Schrems II ruling, it was clear from then on: the GDPR is not compatible with the data deal between the EU and the USA.

But what does this mean?

The storage of personal data of German users on US servers is prohibited – that is clear. But even if the servers of a US company are located in the EU, this does not make the situation any more relaxed. The US authorities still have the option of demanding access to this data. This almost happened in 2014, when Microsoft was supposed to hand over data to the US government that was located on Irish servers. The company fought back, however, and was ruled right in the second instance by the US Surpreme Court.

A new agreement to replace the Privacy Shield is not yet in sight. But what was actually regulated in the agreement?

EU-US Privacy Shield Agreement & CLOUD Act

The EU-US Privacy Shield agreement was in effect from July 12, 2016, until July 16, 2020, with the idea behind it being to protect the personal data of European citizens that is stored and processed by companies based in the U.S. after a transfer to the U.S. The Privacy Shield agreement was not in effect until July 16, 2020. The agreement still allowed European data to be stored in the U.S., but on the condition that the level of data protection was equivalent to that in the European Union.

Complicating matters was the CLOUD Act. The 2018 U.S. law provides for access to personal data of U.S. citizens stored in the EU. At the same time, access to data of EU citizens in the US is also permitted. In an emergency, US companies are thus faced with the decision of violating either the GDPR or the CLOUD Act.

How do you behave correctly now?

The GDPR can therefore collide with the CLOUD Act and the EU-US Privacy Shield agreement. Anyone who uses services from US companies – regardless of whether their servers are located in the EU – is operating in a dangerous gray area.

So what can be done? In fact, there is only one option left: European companies of all sizes should only use digital services from service providers whose companies and servers are located in the EU.

By the way: we at IT-Seal attach great importance to compliance with the GDPR. Our company is located in Germany. The storage and processing of personal data takes place exclusively on European servers.

Do you want to learn more? Get in touch with us.

Hilpertstr. 31 | 64295 Darmstadt | Phone: +49 511 515464-200
Made with ♥ in Security Valley Darmstadt

MicrosoftTeams-image (11)
IT-Seal GmbH Phishing Simulation, Security Awareness Programm, Social Engineering Prävention hat 4,65 von 5 Sternen 78 Bewertungen auf ProvenExpert.com
Erfahrungen & Bewertungen zu IT-Seal GmbH
IT-Seal bietet IT-Security made in Germany.