Berlin. Leading representatives of the digital economy in Germany have expressed concern that German companies could face fines now that the EU-US data protection agreement “Privacy Shield” has been overturned.
“The quasi-ban on many data transfers has an impact on numerous established business models and misunderstands the reality of a global data economy,” Susanne Dehmel, member of the management of the IT association Bitkom, told Handelsblatt. “The companies affected cannot change their processes overnight, and at the same time there is a threat of fines from the supervisory authorities – all of this leads to great uncertainty.”
The Association of the Internet Industry Eco was also alarmed. For all companies that depend on the free movement and exchange of personal data, the ruling of the European Court of Justice (ECJ) in mid-July, which annulled the “Privacy Shield”, carries “enormous risks,” Eco Managing Director Alexander Rabe told Handelsblatt.
The EU-US agreement stipulated that companies may transfer personal data from EU countries to the USA under certain protection measures. Data is often stored in the USA, even when it belongs to companies from Europe. These often fall back on US cloud services such as Amazon AWS, Microsoft Azure or Google Cloud.
The Luxembourg judges based their verdict on the fact that the US authorities’ supervisory powers were too extensive. For similar reasons, in 2015 the ECJ had already overturned the previous regulation “Safe Harbor”.
Associations see the onus on the EU
The Baden-Württemberg data protection officer Stefan Brink considers fines against German companies to be possible following the new ECJ ruling. The supervisory authorities are currently trying to find a way out of an “almost unsolvable situation”, Brink told Handelsblatt. Otherwise, every German company would have to be checked and fined if it built its infrastructure on US data processors.
Eco Managing Director Rabe sees an urgent need for action. “The EU must therefore present practicable and sustainable, reliable solutions for data transfer to the USA as quickly as possible and thus restore legal certainty for companies,” he said. This is in the interests of the entire economy in Germany and Europe.
Bitkom expert Dehmel also appealed to the EU “to ensure legal security quickly and to enable long-term data processing in third countries such as the USA”. She asked the supervisory authorities to advise the companies concerned and give them practical advice.
According to Dehmel, the ECJ ruling has “massive” effects on European companies with data processing in the USA. “Anyone who has previously processed data solely on the basis of the Privacy Shield must at least switch to the standard contractual clauses,” she explained. “But even that does not offer sufficient legal security for all processes,” added Dehmel. “General solutions are hardly in sight so far.”
Only individual transfers based on consent are possible
The EU Commission had emphasized that the flow of data between Europe and the USA is not fundamentally impossible after the ECJ ruling – because there are still the so-called standard contractual clauses for data transfer between EU countries and third countries.
The data protection advocate Brink objects, however, that according to the ECJ the “standard data protection clauses” alone “could not be a sufficient basis, but would have to be supported by additional guarantees”. That means it must be ensured that US authorities do not access Europeans' data held by US companies within the scope of their legal powers.
Brink considers such a contractual assurance to be hardly conceivable. “Since when has a company been able to contractually guarantee its customers that it will break the law of its country?” he asked. “So the standard contracts are no longer more than a fig leaf.”
Thus, under the rules of the EU General Data Protection Regulation (GDPR), only individual transfers on the basis of consent or for the fulfillment of individual contracts would be possible, as Brink explains, i.e. no more regular cooperation with US providers.