27.08.2020 | Author: Dr. Stefan Riedl
After first the Safe Harbor and then the Privacy Shield agreement were overturned in court, contractual relationships involving data transfers between the EU and the USA are now based on so-called standard contractual clauses. But even these clauses could be toppled at some point.
The abolition of the privacy shield agreement (see box) brought a lot of momentum into the legal assessment of cooperation with cloud providers from outside the EU, i.e. mainly the USA. "We at gridscale noticed this in the demand for our solutions, which are now ISO-27001 and ISO-27018 certified, but also in the number of downloads of a 24-page paper on the subject, which we provide free of charge," reports Henrik Hasenkamp, CEO, gridscale.
The whitepaper "Legal Risks when Using International Cloud Providers" was prepared together with the law firm "Heuking Kühn Lüer Wojtek" and addresses legal problems with personal data that may arise, for example, with the tax office, the works council, the law on general terms and conditions and other areas. "In order to understand the problem, you actually have to start with the safe harbor agreement, which ceased to exist in 2015," Hasenkamp says. "The ECJ judges presented a long list of shortcomings at the time and decided that the agreement could not be valid against this background. A core criticism was that a personally affected person has no practical way to enforce the rights that he or she is entitled to in connection with personal data. In addition, the transfer of data to secret services and authorities is considered a problem."
As a result, the EU came under pressure and pulled the "privacy shield" out of the hat.
"It came as it had to come."
However, it was already clear when the Privacy Shield was introduced that the central points of criticism regarding the enforceability of rights had not been resolved, as Hasenkamp sees it. "Now it came as it had to come: After a renewed examination, it was determined that personally affected persons from the EU in the US judicial system are practically unable to enforce these rights, and the secret services still have very liberal access to data, so that the privacy shield has now also been removed," says the gridscale CEO. An Irish court had previously expressed doubts to the ECJ about the effectiveness of the Privacy Shield. The ECJ has now overturned this agreement because it believes that the rights of EU citizens have been violated by measures taken by the US security authorities. These authorities have far-reaching powers to access data, including that of EU citizens.
The EU standard contract clauses
As of now, cooperation with companies abroad that process personal data, for example in the USA, can be based on the EU standard contractual clauses. In this case, it is not intergovernmental agreements such as Safe Harbor or Privacy Shield that are meant to protect the rights of users, but agreements between the contractual partners. Hasenkamp points out an important aspect of this: "Since this is not an intergovernmental agreement, but contractual relationships between individual companies, it is much more difficult to declare them invalid."
Data protection officer is a sticking point
However, in Hasenkamp's view, the EU standard contractual clauses are also up for discussion in the longer term: "I assume that sooner or later complaints about the handling of personal data will be reported and that the issue of the lack of enforceability of rights regarding personal data will then come back to the table via the institution of data protection officers. Corresponding voices of individual data protection commissioners are already audible."
The issue also has geopolitical dimensions. With Gaia-X, a "European cloud" is to be promoted, but parallel work is being done on follow-up agreements with the USA.
The original article in German can be found here.