On the 16th of July, the Court of Justice of the European Union decided to declare the EU-US Privacy Shield agreement invalid. With that it has once again become clear what European experts have claimed for years: organisations that choose optimal privacy and data security are wise to choose a European cloud provider.

The European invalidation of the Privacy Shield is a setback for the Americans, who, in 2015, already saw the predecessor of this agreement, Safe Harbor, declared invalid. The judgement of the European Court means that, for organisations in the European Union, the Privacy Shield can no longer serve as a basis for transferring personal data to the United States.

Not GDPR-proof

The primary reason for the court's decision is that the level of protection for personal data required by the GDPR could not be sufficiently guaranteed. Under American legislation, the authorities in the United States have the right to access and use the data of EU citizens, a right which goes a lot further than just looking at essential data. The European Data Protection Board (EDPB) is examining what the practical implications of the court's ruling are and what the eventual next steps can be.

Doubts and Scepticism

From day one, the Privacy Shield has been under attack, mostly because of the threat it poses to privacy. That is why some experts wondered to what extent certain provisions of the treaty would be complied with in practice. Alongside that, its verifiability was questioned: how do you know for sure that all parties will conform to the agreements? The promise of the Americans that they would not conduct ‘large-scale surveillance’ on the exchanged data also created scepticism. All in all, everyone agreed that the Privacy Shield mostly offered fake privacy.

What is Wisdom?

Now that the treaty is definitively cancelled, we could say: it is better to have no agreement than a bad agreement. But in the meantime the question remains whether it is wise to entrust privacy-sensitive data to parties whose cloud servers are located in the US. What precisely is happening with that information now that there is no international treaty with clearly dictated rules? The legal uncertainty remains large.

When selecting a cloud provider, it also remains important to know who owns the data centre. If a European data centre has an American owner, it formally falls under American supervisory legislation. This can create a difficult situation, because every European data centre is also subject to the GDPR. Another scenario: if a European data centre and its American owner part ways, where does the data go?

Another point that deserves attention is cloud providers from outside the European Union who offer the possibility of storing data in Europe. This can be done without additional measures, as long as no data processing takes place outside the EU. However, you then need to be extra careful that no party outside the EU is involved. Vigilance is therefore very important, also when data processors hire subcontractors.

© 1998 - 2020 Previder. Previder is part of the Odin Groep.