When Safe Harbor was overturned by the European Court of Justice in October 2015, there was initially great uncertainty about the future transmission of personal data to the USA. The follow-up agreement Privacy Shield, which came into force in 2016, has brought greater clarity, but what exactly is behind the new agreement?
This article provides more information on the following topics:
- Provisions of the agreement
- Implications of the new data protection agreement for businesses
- Criticism of Privacy Shield
- The role of the German cloud
EU-US Privacy Shield – data protection agreements between the USA and the EU
The EU-US Privacy Shield agreement regulates data protection between the European Union (EU) and the USA. The agreement clarifies which data protection provisions the USA grants to European citizens and companies, and specifies the aspects European companies need to take into account when sending data to the USA. The agreement focuses on the protection of personal data transferred from EU countries to the United States.
Data protection and data security in connection with storing data in the cloud play an important role for companies, especially when using IT services provided by American companies. When operating services in Microsoft Azure, for example, companies need to pay special attention to the transfer and storage of personal data. In order to meet individual compliance guidelines, a combination of the Microsoft Cloud EU/Global and the Microsoft Cloud Germany is also possible.
How the EU-US Privacy Shield protects data
Companies may only transfer the data of EU citizens to the USA under certain conditions. Up until the fall of 2015, these provisions were governed by the Safe Harbor Agreement. In October 2015, however, the European Court of Justice overturned this agreement, criticizing the fact that data originating in Europe could not be adequately protected from US authorities when sent to the USA. A new agreement was needed – and was finally arrived at with the EU-US Privacy Shield.
Since July 2016, the new agreement has provided a high level of data protection for data subjects and legal certainty for companies transmitting data to the USA. It is now much clearer how companies can handle personal data and how data processing is controlled and enforced.
Controls aim to ensure compliance with regulations
The US commitment to enforce restrictions on the use of EU citizens’ data by its own authorities is particularly important. As this also applies to intelligence services, mass surveillance can be ruled out and personal data is sufficiently protected. In contrast to the Safe Harbor Agreement, the new standards comply with the current European data protection requirements. The enforcement of controls also ensures that the regulations are complied with. In addition, the US Department of Commerce intends to take much stricter action against data protection violations by American companies.
In addition, there is a Privacy Shield Ombudsperson in the US to whom EU citizens can turn with complaints. The ombudsperson acts as an intermediary between European and US authorities who can prosecute data protection violations and informs plaintiffs of the progress of the investigation.
How Privacy Shield is enforced
US companies or companies with branches in the USA can conduct a self-certification process that requires the company to comply with the requirements of Privacy Shield and to ensure the protection of personal information. This serves to significantly improve the company’s level of data protection when working with European companies. The data protection provisions of EU-US Privacy Shield comply with the European standards, and compliance with Privacy Shield certifies that companies have an adequate level of data protection based on Article 25 of the European General Data Protection Directive. This provides the basis for EU companies to transmit data to the USA.
Privacy Shield still leaves ample room for criticism
The benefits of EU-US Privacy Shield are clear: individuals can be sure that their personal data will not be used without permission. Companies, on the other hand, can now work with the data of EU citizens in a legally secure manner – even in the USA.
But just like Safe Harbor, Privacy Shield is also subject to criticism. For example, it is claimed that the agreement is still far from adequate as far as the protection of personal data is concerned, and that the entry of Privacy Shield into force does not dispel the general uncertainty associated with the Safe Harbor ruling. There are a number of basic aspects you should consider when it comes to data protection.
German Cloud solutions remain unrivaled for maximum data protection
If you want to protect personal data in the best possible way, there is no alternative to German cloud solutions. Data is only truly protected from being accessed by the US authorities if it is stored in German data centers and managed by a German company. This is the case with the Open Telekom Cloud, but Microsoft Cloud Germany also guarantees companies the highest level of data protection and data security. The reason for this is that the Telekom subsidiary T-Systems acts as a data trustee and ensures that data is not passed on to third parties without authorization.