The successor to the EU-US Privacy Shield agreement seems to be within reach. In a corresponding declaration, the EU Commission and the U.S. government have set out the cornerstones for international data exchange in a Trans-Atlantic Data Privacy Framework.
Background history:
In the past, both partners had already tried to reach an agreement under the “Safe Harbor Agreement” and “Privacy Shield”: an agreement that would enable European citizens to handle personal data fairly and in compliance with the law. Both agreements were declared illegal by the ECJ and were therefore invalid.
One of the key points that the ECJ criticized about the agreements was that access to the personal data of European citizens by U.S. security agencies, especially on the basis of FISA Sec. 702, was nearly unrestricted and without significant legal recourse.
In future:
Access should now only be possible within fixed limits.
EU citizens will have the opportunity to file complaints, which would then be neutrally reviewed, with a “Data Protection Review Court,” a kind of arbitration body.
The certification mechanisms already known from the two previous attempts, under which companies have to adapt their own internal data protection principles to the European level, have been retained.
Current state:
Currently, all European companies that use U.S. cloud providers find themselves in legal uncertainty. Increasingly, regulators are reviewing and sanctioning the use of such services. The Gaia X project, which seeks to provide an open European alternative, cannot yet offer companies the same service as established U.S. providers.
The Federal Commissioner for Data Protection and Freedom of Information provides a detailed description of the effects and necessary measures: LINK
When using U.S. cloud providers, a transfer impact assessment must always be conducted to evaluate the risks for those affected.
Transfer Impact Assessment
We have ready-to-use TIAs for the well-known American cloud providers such as Atlassian, Microsoft, AWS, Salesforce and others, which only need to be slightly adapted to the specific company's use.
Outlook for the economy
The announcement creates the hope that legal certainty will emerge for data transfers with the USA and the still unrivaled American cloud providers.