Data protection authorities become active

Anyone who previously thought they could sit out the end of the Privacy Shield should take note of this news: German data protection authorities have announced that they will take action themselves. Companies must therefore be prepared to receive a questionnaire. In it, they should explain which US services they use and, above all, on what data protection basis they do so. If the answers are not satisfactory, the authorities have various sanction options - from formal orders to fines.

Background

July marks the first anniversary of the end of the "Privacy Shield" between the European Union and the USA. The European Court of Justice (ECJ) declared it invalid. This means that for almost a year now, there has been no generally applicable basis for EU companies to use US internet services for the storage and processing of personal data. This affects services of all kinds - from cloud storage to video conferencing services. The situation is similar in Switzerland.

What can companies do now?

Affected companies should consider how to react to this situation now at the latest. The data protection officer of the state of Baden-Württemberg has published recommendations in this regard.

• The best option is to look for alternatives in countries that are considered safe under data protection law.
• Some US services offer the option of storing data only on European servers, but this is often not enough.
• Standard data protection clauses are a possible solution, but require additional protective measures such as encryption.

What happens next?

The EU Commission is currently working on new clauses, but data protectionists criticize these as not being far-reaching enough. One fundamental problem remains: The USA has different ideas about data protection than many European nations. Although the new US government has signaled its willingness to negotiate, there is still no concrete solution.

The situation in Switzerland

The Federal Data Protection and Information Commissioner (FDPIC) found that the Swiss version of the Privacy Shield does not meet the necessary data protection standards either. Companies are therefore advised to contact the FDPIC or seek legal advice if in doubt.

Closing words

It does not seem fair that companies now have to pay for what is actually the responsibility of politicians. Data protection experts are therefore calling for clearer regulation at international level to eliminate the uncertainties for companies.