In summer 2020, the Privacy Shield agreement was overturned by the European Court of Justice. With the Schrems II ruling, it was clear from then on: the GDPR is not compatible with the data deal between the EU and the USA.
But what does this mean?
The storage of personal data of German users on US servers is prohibited – that much is clear. But even if the servers of a US company are located in the EU, this does not make the situation any more relaxed: the US authorities still have the option of demanding access to this data. This almost happened in 2014, when Microsoft was supposed to hand over data to the US government that was located on Irish servers. The company fought back, however, and prevailed in the second instance before the US Supreme Court.
A new agreement to replace the Privacy Shield is not yet in sight. But what was actually regulated in the agreement?
EU-US Privacy Shield Agreement & CLOUD Act
The EU-US Privacy Shield agreement was in effect from July 12, 2016, until July 16, 2020. The idea behind it was to protect the personal data of European citizens that is stored and processed by companies based in the U.S. after a transfer to the U.S. The agreement still allowed European data to be stored in the U.S., but on the condition that the level of data protection was equivalent to that in the European Union.
Complicating matters was the CLOUD Act. The 2018 U.S. law provides for access to personal data of U.S. citizens stored in the EU. At the same time, access to data of EU citizens in the US is also permitted. In case of conflict, US companies are thus faced with the decision of violating either the GDPR or the CLOUD Act.
What is the right course of action now?
The GDPR can therefore collide with the CLOUD Act and the EU-US Privacy Shield agreement. Anyone who uses services from US companies – regardless of whether their servers are located in the EU – is operating in a risky gray area.
So what can be done? In fact, there is only one option left: European companies of all sizes should only use digital services from service providers whose companies and servers are located in the EU.
By the way: we at IT-Seal attach great importance to compliance with the GDPR. Our company is located in Germany. The storage and processing of personal data takes place exclusively on European servers.
Do you want to learn more? Get in touch with us.