4 August 2020

Privacy Shield cancelled: how, why and what now?

written by Hidde Kamp

On 16 July 2020 the Court of Justice of the European Union declared the much-discussed EU-US Privacy Shield agreement invalid. This once again underlines what European experts have been saying for years: organisations that want the best possible privacy and data security would be wise to choose a European cloud provider.


The invalidation of the Privacy Shield is a setback for the Americans, who already saw the agreement's predecessor, Safe Harbor, declared invalid in 2015. The European Court's ruling means that organisations in the European Union can no longer rely on the Privacy Shield as a legal basis for transferring personal data to the United States.


Not GDPR-proof

The main reason for the court's decision is that the level of protection the GDPR requires for personal data could not be sufficiently guaranteed in the United States. Under US legislation, the US authorities have the right to access and use EU citizens' data, and that right goes well beyond what is strictly necessary. The European Data Protection Board (EDPB) is now looking into the practical implications of the ruling and what the next steps could be.


Doubts and Scepticism

The Privacy Shield has been under attack from day one, mostly because of the threat it posed to privacy. Some experts wondered to what extent certain parts of the treaty would actually be complied with in practice. There were also doubts about verifiability: how can you be sure that all parties will honour the agreements? The American promise not to apply 'large-scale surveillance' to the exchanged data met with scepticism as well. Taken together, the critics agreed that the Privacy Shield offered little more than the appearance of privacy.


What is Wisdom?

Now that the treaty has been definitively cancelled, one could say that no agreement is better than a bad agreement. In the meantime, however, the question remains whether it is wise to entrust privacy-sensitive data to parties with cloud servers in the US. What exactly happens to your information now that there is no international treaty with clear rules? The legal uncertainty remains significant.

It is also still important to know who owns the data centre when selecting a cloud provider. If a European data centre has an American owner, it formally falls under US legislation as well. That creates a difficult situation, because every European data centre also has to comply with the GDPR. Another scenario to consider: if a European data centre with an American owner fails, what happens to the data?

A further point: there are cloud providers from outside the European Union that offer the option of storing data in Europe. This is possible without additional measures, as long as no data is processed outside the EU. You would, however, need to be extra careful that no parties outside the EU are involved. Vigilance is therefore essential, including when data processors hire subcontractors.


Better safe than sorry

As long as there is no watertight treaty on the table in which every requirement of the GDPR is guaranteed, it would be wise to opt for European servers with local storage. That is the most effective way to keep privacy-sensitive data out of reach of the NSA and other American agencies. This is likely to remain the case for years to come, as the US and Europe differ so fundamentally in the privacy rights they grant their citizens.

The European court's decision certainly benefits Previder and our data centres, as the growth of our data centre and cloud services in recent years already shows. Legal considerations are not the only argument for choosing European data centres, however. Most organisations want to know who they are doing business with, where their data is stored and how we have arranged things. That kind of trust is probably just as important.

