GDPR compliance after Privacy Shield

The end of the data protection agreement Privacy Shield between Europe and the USA affects how companies can store and process data. Learn how you will be able to act in accordance with GDPR in the future.

Data Agreement Privacy Shield overturned by ECJ – What does this mean for awareness training?

The judges of the European Court of Justice (ECJ), Europe’s highest court, have overturned the “Privacy Shield” data deal between Europe and the USA. In the so-called Schrems II ruling of July 16, 2020, the ECJ assumes that the security level required by the GDPR has not been achieved with the agreement. The issue at stake is how to handle the storage and processing of personal data of EU citizens in the USA. A look at the history of the US-EU data transfer agreements and a look into the future should help to understand: What is going to happen now that the Privacy Shield Deal has been annulled?

A look back: Patriot Act – Safe Harbor – Privacy Shield – CLOUD Act

Europe and the USA share a long history of data transfer agreements. The reason for this lies in European data protection law, which has stipulated since the 1995 Data Protection Directive that no personal data of EU citizens may be transferred to unsafe third countries. These countries include the USA in which an adequate level of protection is not guaranteed. In order to enable data to be transferred between the EU and the USA despite this, a series of special agreements have been negotiated to ensure an adequate level of protection – a very complicated undertaking for almost 20 years now, as a look at the previous agreements shows:

  • The Patriot Act, originally created as a means of combating international terrorism, facilitating the collection of surveillance data and improving the exchange of information between US federal authorities, poses a real problem for many US companies and their customers. For example, Microsoft’s prominent 2014 case showed that the U.S. government can force the release of data even if the data is located outside the U.S., in this case on Irish servers. The background to the dispute was a release order issued by a US court. The court ordered Microsoft to surrender emails that were located at a Microsoft subsidiary in a data center in Ireland. Microsoft refused to comply with the order and won the case in the US Supreme Court in the second instance.
  • The Safe Harbor Agreement was an agreement that existed from 2000 to 2015 and regulated compliance with data protection principles. If a U.S. company had made a public commitment to this, the level of protection was to be equivalent to that in Europe. In 2015, however, the European Court of Justice declared the agreement to be invalid. The reason for this were the PRISM revelations from June 2013 by Edward Snowden. The whistleblower revealed that PRISM, the top-secret surveillance program of the U.S. secret service NSA, was collecting massive amounts of information on all electronic communications. Companies, governments and citizens in over 100 countries were affected. This was not in keeping with the data protection principles of the Safe Harbor Agreement.
  • The EU-US Privacy Shield Agreement is the direct successor to the Safe Harbor Data Transfer Agreement and was in force from July 12, 2016 to July 16, 2020. It was a further attempt to protect the data of European citizens that is stored and processed by companies based in the USA. This only concerned personal data, which are collected in e-commerce, for example. The EU-US Privacy Shield still gives precedence to US law and even lists six cases in which mass surveillance is still permissible. This follow-up agreement thus continued to allow European data to be stored in the USA.
  • The CLOUD Act is, among other things, the result of years of litigation between Microsoft and the US government, which culminated in this agreement in March 2018. It allows access to personal data of US citizens stored in the EU and at the same time paves the way for access to data of EU citizens in the USA. In addition, the CLOUD Act does not make the release of data dependent on whether a mutual legal assistance agreement exists between the country concerned and the USA. US companies are thus obliged to comply with US law and, in an emergency, are faced with the decision to either violate the GDPR or the CLOUD Act.


In summary, the GDPR may collide with the Patriot Act, the CLOUD Act and the EU-US Privacy Shield if US companies or companies whose data servers are located in the USA are involved. Using the services of these companies puts you in a dangerous legal grey area. The motto ” no plaintiff, no judge” ends to apply when, for example, employees appeal to the regulatory authorities against this practice. In the worst-case scenario, this can lead to a fine of 20 million euros or 4% of the worldwide annual turnover.

Update: What happens after the end of the EU-US Privacy Shield?

In many European companies, all contracts with all service providers are currently under close scrutiny. Are services used that process data in the USA? Was the data protected under the Privacy Shield? If this is the case, new contracts will have to be drawn up, but it is still unclear what they should contain. The standard contract clauses, which were frequently used, are also under criticism. Here, companies can copy clauses directly from the corresponding decision of the EU Commission. Until now, the transfer was considered legal. But the ECJ would also cast doubt on its use because a mere clause will not prevent American intelligence services from accessing it.

Overall, the ECJ decision leaves little room for a legal data transfer between Europe and the USA in the future It also remains questionable whether and when there will be a new agreement. Looking at the history, the chances of success of such an undertaking are doubtful. Observers do not assume that the USA will move so far in this legislative period that its conduct will meet the strict rules of the EU. This means one thing above all: massive legal uncertainty for companies and the IT industry.

The solution – European servers are GDPR-compliant

So there are many reasons to actively seek a way out of this legal grey area. But how can a solution to this tricky situation be found? The solution is as simple as it is logical – choose a service provider from the EUwhose servers are also located in the EU. In one fell swoop, the legal pitfalls listed above and the associated considerable financial risks and potential damage to your image are eliminated. Maja Smoltczyk, the Berlin Commissioner for Data Protection and Freedom of Information, made a clear statement in this direction. The solution is only logical. Companies that transfer personal data to the USA should immediately switch to service providers in the EU or in a country with an appropriate level of data protection. Personal data is also processed in phishing simulations, so special data protection is required.

SoSafe stores and processes on EU servers only

SoSafe clearly opts for legal security and for data processing in compliance with the GDPR. According to article 25 of the GDPR, “data protection by design and default” (Privacy by Design) must be guaranteed. This follows the principle that data is protected by technical presettings. SoSafe lives Privacy by Design and therefore all places where data is processed by SoSafe are located within the EU.
Our website, the SoSafe learning pages, the e-learning system and the SoSafe Manager are hosted by a German ISO 27001 certified data center. The same applies to our mail servers. ISO 27001 is the leading international standard for information security management systems (ISMS) and thus the most important cyber security certification. It is a very important certification for many companies because it provides a systematic approach to protecting personal data and ensuring the integrity of operational data. All service providers with whom SoSafe works are also compliant with the EU GDPR and are certified according to ISO 27001.

About SoSafe

The SoSafe awareness platform sensitizes and trains employees in dealing with the topic of IT security. Phishing simulations and interactive e-learnings teach employees in an effective and sustainable way on what to pay particular attention to when using e.g. e-mails, passwords or social media. The employer receives differentiated reporting and can finally make awareness building measurable – of course completely GDPR-compliant.