Privacy Shield 2.0: Doing Without Holey Shields

The European General Data Protection Regulation (GDPR) has been in force since May 25, 2020. Even though it cost those responsible a lot of nerves when it was introduced, it can be considered a success story. For example, it has had an extremely positive effect: namely, it has raised general awareness of data protection issues. This has been ensured not least by the many headlines about the hefty fines imposed for violations of the GDPR. Even powerful US players have to tremble before it. This was recently felt by the Meta Group, which was ordered to pay a record fine of 1.2 billion euros for passing on European Facebook user data to the USA.

Many imitators found

The fact that the GDPR is a success story is also shown by the fact that it has found many imitators worldwide. Australia, Brazil, South Korea, Thailand and even U.S. states such as California have taken it as a model for their data protection laws. And on September 1, 2023, the new Data Protection Act (nDSG) will come into force in Switzerland (cf. here). It will strengthen the rights of Swiss citizens in the digital age and raise data protection in the Swiss Confederation to a level comparable to that of EU countries - by also being based on the GDPR.

It practically goes without saying that companies should comply with the requirements of the European General Data Protection Regulation. Now, after five years, another good reason has been added to the many good moral, legal and financial reasons: in the future, companies will also have to be prepared for claims for compensation for non-material damage in the event of violations. In a landmark ruling at the beginning of May 2023, the European Court of Justice confirmed that victims of infringements can claim damages for immaterial harm such as exposure, similar to damages for pain and suffering in cases of bodily injury. It is therefore more important than ever for companies to implement clean processes to fulfill their obligations.

Demanded: a "No Spy" Agreement

For the European Commission, the fifth anniversary would actually be the ideal occasion to do some soul-searching. It is currently about to make the same mistake a third time. In recent years, the European Court of Justice has already overturned two agreements between the Commission and the United States. First "Safe Harbor" and then "Privacy Shield"The European judges pulled the emergency brake on both occasions. Because of the extensive access rights of the American intelligence services, they argued, the personal data of European citizens held by U.S. companies was not sufficiently protected in the sense of the GDPR.

Recently, the EU Commission and the U.S. government agreed on a new regulation that threatens the same fate. Indeed, there is nothing to suggest that anything will change in the U.S. surveillance laws - and thus in the fundamental problem. Data protection experts therefore assume that the European Court of Justice will also annul this "Privacy Shield 2.0" agreement. Companies will then be threatened with further years of legal uncertainty when using U.S. cloud solutions. To prevent this, the European Commission should use the occasion of the DSGVO anniversary to reflect on what it really needs: a "No Spy" agreement with the USA that guarantees the renunciation of intelligence activities. Until such an agreement is reached, it is true that the clouds of US providers cannot be used for personal data in a legally secure manner. It's good that there are digitally sovereign solutions as alternatives.

Author: Holger Dyroff, Co-Founder and COO of ownCloud