The Privacy Shield decision: What does the Schrems II ruling mean for your organization?

No time to read? Listen instead:

On July 16, 2020, the European Court of Justice declared the “Privacy Shield” data protection agreement invalid with the Schrems II ruling. This caused a lot of legal uncertainty for thousands of European companies, because the repeal of the agreement meant that there was no legal means for cross-border transfer of personal data from the EU to the US based on the fact that the Privacy Shield agreement was not GDPR-compliant. As a result, it became more challenging for companies that relied on data transfer to work with US service providers.  

Let’s rewind the rescindment and first understand what the EU-US Privacy Shield was all about the premise for its introduction and the series of events that raised data privacy concerns, ultimately leading to its defragmentation. What exactly went behind assembling a framework that took more than two years to reach an agreement? The fundamental aspect was to protect citizens and enable companies for a more accommodating transatlantic trade. So, why did the agreement fail to do so?  

The EU-US Privacy Shield

The Privacy Shield was created to replace the International Safe Harbor Privacy Principles and came into effect on July 12, 2016. This data protection agreement was supposed to provide a framework for securely transmitting personal data from the European Union to the United States. Essentially, it was created to protect Europeans’ rights and ensure a level of security in the processing of their data in agreement with European data protection law, as well as enable seamless data exchange and facilitate commerce between the EU and the US. However, in 2020, the European Court of Justice (ECJ) declared the Privacy Shield invalid with the Schrems II ruling. 

Schrems II ruling: Why was the Privacy Shield invalidated?

Lawyer Maximilian Schrems, whose lawsuit against Facebook was taken to the Irish Data Protection Commissioner and resulted in the repealing of the International Safe Harbor Privacy Principles, believed that the transfer of his personal data from Facebook Ireland to the parent company in the US was not compliant with the EU data protection law. He appealed to the Irish Data Protection Commissioner until the Irish High Court forwarded the case to the ECJ, which then issued the Schrems II ruling, declaring that the Privacy Shield does not meet EU’s data protection requirements. 

According to the ECJ, the transmission of European Citizens’ data to the US cannot meet the level of security required by the European General Data Protection Regulation (EU-GDPR 2016/679), and hence, it is not GDPR-compliant. 

United States legislation allows authorities to monitor and release data that is considered necessary for collection by companies. This does not sufficiently protect European citizens’ data on US servers against access by these authorities, according to the ECJ. The Privacy Shield prioritized United States law, and even listed six cases in which mass monitoring was allowed. This monitoring of data was not limited to instances in which it was absolutely necessary, and restricted European consumers’ ability to legally defend themselves. 

What are the implications of the Privacy Shield ruling for businesses?

The Schrems II ruling directly affects compliance with the GDPR: Companies must actively learn about the level of data protection offered by service providers in third countries, evaluate them for GDPR compliance, and adjust their contracts accordingly. If they fail to do so, and if the data is processed in the US without any reasonable guarantee of security, employees can file a complaint with the supervisory authorities for data protection. In the worst-case scenario, this could lead to a fine of €20 million, or 4 percent of global annual profits, whichever amount is higher. 

Although the ECJ confirmed the legal security of the standard data protection clauses that many companies use, it must still be determined in each case whether these guarantees are sufficient or if they must be supplemented with other measures – especially since it may still not be possible for data subjects to obtain reasonable legal defense if their personal data are obtained by US authorities. 

The Schrems II ruling affects all American software providers who transmit EU citizens’ personal data to the US. Special care must be taken when working with service providers who handle highly sensitive information that can be used against employees, such as behavioral data obtained from phishing simulations. Paul Voigt, partner and IT specialist at Taylor Wessing, explains how complicated it is to transmit data to the US while complying with the GDPR:  

Outlook: What’s next for the exchange of data?

The ECJ’s ruling doesn’t offer much leeway for legal data transfers between Europe and the US. Two years after the Schrems II ruling was passed, it remains unclear whether there will be a new framework agreement – or when. 

Following the two Schrems rulings, an appraisal by American lawyer Stephen Vladeck published early 2022 casts doubt on whether American companies and their EU subsidiaries are processing data in accordance with the GDPR. It describes the current state of US monitoring laws, and whether American companies are capable of adhering to European data protection standards. Vladeck says that processing data on EU servers is not sufficient to prevent access by authorities or intelligence services from outside of the EU. 

In the spring of 2022, the EU and the US agreed that new regulations and guarantees must be defined within a new instrument, but there has yet to be a concrete suggestion or clear schedule – and the chances of a new data protection agreement remain uncertain. This makes for a foggy legal situation for companies and the IT industry as a whole. 

Make phishing attacks miss the mark

Sign up now

Discover how our phishing simulations turn your employees into active defenders of your organization.

The solution: Choosing service providers with servers in the EU who take additional technical precautions

There are many reasons to proactively look for a way out of this quagmire, but what would the way out even look like? Choose a service provider with servers in the EU taking necessary precautions to ensure GDPR-compliant data processing. This means that companies will have a safer, legal environment that values privacy and protects confidential data. Former Berlin Commissioner for Data Protection and Freedom of Information Maja Smoltczyk said this during a press conference in 2020: 

This means that companies that forward personal data to the US should immediately:  

• Switch to service providers with servers in the EU, and  
• protect personal data against unauthorized access with additional technical measures.  

One of the most secure technical measures is strong encryption of sensitive employee data with a key. If the key is managed by the selected provider itself within EU, the server provider cannot decrypt the collected data, which prevents them from accessing the data unauthorized. 

Additionally, for consistent application of GDPR, the collaboration of all stakeholders along with data protection supervisory authorities (DPA) to ensure and enforce regulations regarding personal information and data privacy, is required. The data protection supervisory authority is the center point of financial regulation, to resolve conflicts, address queries or violations that can arise between the parties involved. Every EU member state has at least one dedicated supervisory authority.  

In short: What you need to know

The ECJ invalidated the Privacy Shield two years ago, and as a result, the security standards of the GDPR can only be met with additional security measures if US companies or companies with data servers or legal entities in the US are involved. When these companies’ services are used, their implementation of additional technical measures must be thoroughly evaluated, which often results in legal uncertainty. 

In order to comprehensively protect sensitive employee data and safeguard oneself against fines from the supervisory authorities for data protection and complaints or lawsuits from employees, organizations should choose providers who meet the criteria specified above (servers are located in the EU and data are protected by additional technical measures). 

GDPR compliance is important to SoSafe. We follow a privacy-by-design approach with our Cyber Security Awareness Training. Our services are designed so that only the most necessary data is obtained and protected with default settings. We exclusively process data within the EU and take the most stringent security measures to prevent access to data.