On July 16, 2020, the European Court of Justice declared the Privacy Shield Agreement invalid. The ruling, which is also intended to set limits for social media such as Facebook, will have a massive impact on other companies, for example on medical device manufacturers who store patient data in US tech giants' clouds.
a) The GDPR
The General Data Protection Regulation (GDPR) establishes that personal data can only be transferred to a third country if the country in question guarantees an adequate level of data protection. Under the GDPR, the Commission can decide that a third country guarantees an appropriate level of protection based on its internal national legislation or on its international obligations.
If there is no such positive adequacy decision, as is the case with the USA, data may only be transferred if the exporter of the personal data located in the European Union provides appropriate safeguards. These guarantees can take the form, for example, of standard data protection clauses prepared by the European Commission.
b) Aim of the Privacy Shield Agreement
The Privacy Shield contains a mechanism to certify that the companies certified under it have a level of data protection comparable to the level in the EU, so that data can legitimately be transferred to the USA. The agreement was intended to guarantee that data processed in the USA was protected to an (adequate) level comparable to the level of data protection it would have in the EU.
The agreement was heavily criticized by privacy groups from the very start. Rightly so, as the ECJ ruling confirms. This makes the EU-US Privacy Shield the second agreement between the US and the EU, after the Safe Harbor Agreement, to be struck down by the ECJ.
Around 5,000 companies, including Amazon (including Amazon AWS), Microsoft (including Azure) and Google (including all services offered by Google LLC) are currently covered by the EU-US Privacy Shield.
As the European Court of Justice has declared the Privacy Shield invalid in its ruling of July 16, 2020, companies can no longer use it as the basis for data transfers to the USA.
a) Switching to Amazon's data center site in Frankfurt?
If, for example, you choose to use Amazon's data center in Germany/Frankfurt, you can check whether all health data is also stored and processed there. It must also be ensured that not just the server location but also the company's headquarters are in the EU.
Even storing email addresses, e.g., in connection with the use of a digital health application, can be considered as processing health data.
b) Use of standard clauses
As the ECJ ruling makes clear, medical device manufacturers still have the option of ensuring a level of protection for the processing of personal data comparable to that in the EU through standard contractual clauses.
c) Encrypted storage
The technical requirements that encryption must meet to effectively exclude the possibility of the encrypted data being identifiable are very high. Therefore, as a general rule, it can be assumed that personal data retain their connection to a person despite encryption.
This means that the requirements of the GDPR must be complied with even if the data is stored in encrypted form by the respective service provider. Therefore, it is generally not possible to circumvent the ECJ ruling in this way.
The ECJ ruling has deprived a lot of companies of the legal basis on which they store data with US tech giants.
Therefore, these companies should check whether the data stored with a service provider covered by the EU-US Privacy Shield is personal data. If it is, the data must be protected by standard contractual clauses.
The standard contractual clauses for processors can be found in the Annex of Commission Decision 2010/87.
Do you have any further questions or comments? Contact us in the comment box below or write directly to Sonia Seubert, a lawyer at Mazars Rechtsanwaltsgesellschaft mbH.