On July 16, 2020, the European Court of Justice (ECJ) invalidated the transatlantic data protection agreement between the European Union and the USA (the "Schrems II" ruling). The court found that the personal data of EU users is not sufficiently protected against access by US authorities once it has been transferred to the USA.
What Is the Privacy Shield Agreement and Why Was It Cancelled?
The EU–US Privacy Shield was introduced in 2016 to regulate the transfer of personal data from EU companies to the US. The aim of the agreement was to protect the data of EU users from misuse during export and processing in the USA. The problem: US companies could certify themselves under the Privacy Shield simply by declaring that they adhere to its principles; an independent control body that actually verified this protection was missing. Moreover, US surveillance law allows authorities to access the transferred data without the limits and judicial redress that EU law requires. The European Court of Justice therefore ruled that the EU–US Privacy Shield is not compatible with EU data protection law, and the agreement had to be declared invalid.
Shortly afterwards, on September 8, 2020, the Swiss Federal Data Protection and Information Commissioner (FDPIC) concluded that the CH–US Privacy Shield no longer provides an adequate level of protection either. Since then, the transfer of personal data from Switzerland to the US can no longer be based on the Privacy Shield.
The invalidations of the Privacy Shield agreements were accompanied by strong uncertainty among companies in the EU and in Switzerland. Many companies use US communication and collaboration solutions, such as WhatsApp, Microsoft Teams or Slack. Therefore, there is still a great deal of uncertainty as to whether user data stored on US servers is sufficiently protected.
In order to make your corporate communications secure and privacy-compliant, we offer you a clear overview of the current legal situation and recommend the following five measures:
- Identify US Communication Tools
- Focus on the Transfer of Personal Data
- Determine the Legal Basis of Data Transfers
- If Possible, Switch to Swiss or EU Servers
- Switch to Privacy-Compliant Communication Services
Table of Contents
1. The Invalidation of the Privacy Shield Agreements: Your Business Is Also Affected
2. Why You Cannot Rely on Standard Contractual Clauses
3. Privacy Shield 2021 – What Companies Need To Do Now
4. Conclusion: The Most Secure Messenger for Your Company
The Invalidation of the Privacy Shield Agreements: Your Business Is Also Affected
The invalidation of the EU–US Privacy Shield by the European Court of Justice and the finding of the Swiss Federal Data Protection and Information Commissioner (FDPIC) that the CH–US Privacy Shield is inadequate are of crucial importance for your company if at least one of the following conditions is met:
- Your company uses a US service (e.g., WhatsApp, Slack, Microsoft Teams) for internal communications.
- Your company stores data in a cloud operated by a company based in the USA (e.g., OneDrive, Dropbox).
- Your company uses a video conferencing system by a US provider (e.g., Zoom, Google Meet) that, for example, stores profile pictures as well as identifying information about the participants of video sessions.
What Is the Problem With US Data Protection?
The CLOUD Act, enacted in 2018, allows US law enforcement authorities such as the FBI to compel US companies to hand over data in their possession, custody or control – even if the data is physically stored in Europe. This also covers the personal data of citizens from the EU and Switzerland, such as their email addresses and phone numbers. In addition, US intelligence services can access transferred data under surveillance laws (FISA Section 702, Executive Order 12333) that the ECJ found to lack adequate limits and judicial redress. Such access has no basis in the Swiss Data Protection Act (DPA) or the GDPR; the GDPR (Art. 48) recognises foreign disclosure orders only if they rest on an international agreement such as a mutual legal assistance treaty. As a result, the CLOUD Act is not in line with either law.
[Image: quote from Anke Domscheit-Berg, spokesperson for internet policy of the parliamentary group DIE LINKE, on the ECJ's Privacy Shield ruling. Source: https://digitalisierungspraxis.de/privacy-shield-ist-geschichte/]
If your company uses tools that violate the General Data Protection Regulation, it could face heavy fines of up to 20 million euros or 4% of the previous year's global annual turnover, whichever is higher. The supervisory authority may also prohibit your company from transferring data to the US. Since many companies in the EU and Switzerland have no overview of their ongoing data traffic with US companies, they run the risk of incurring high penalties for data protection violations.
Why You Cannot Rely on Standard Contractual Clauses
Unlike the Privacy Shield, the standard contractual clauses (SCCs) remain, according to both the ECJ and the FDPIC, a valid contractual framework for data transfers from the EU and from Switzerland to the US. The challenge: such an agreement must be concluded individually with each US company. It is also important to note that the SCCs are only a valid basis if the US company can actually guarantee the protection of the data in practice; where US law prevents this, the exporting company must put additional safeguards in place or stop the transfer. In addition, the European business must continuously monitor whether the US company complies with the clauses.
What Are the New Standard Contractual Clauses Good For?
The new standard contractual clauses, revised by the EU Commission, have been in force since June 27, 2021. They do ensure more legal certainty by obliging the data importer, among other things, to inform the exporting company from the EU or Switzerland as soon as US authorities request access to the data. However, it remains problematic that the revised clauses cannot prohibit the access to personal data by US authorities permitted by the CLOUD Act: a private contract cannot override a statute.
The Standard Contractual Clauses Do Not Guarantee a Secure Data Transfer
Therefore, the use of standard contractual clauses alone does not offer sufficient protection of personal data on servers of US companies.
Learn more about the measures that help you towards privacy-compliant and secure corporate communications in the next section.
Privacy Shield 2021 – What Companies Need To Do Now
1. Identify US Communication Tools
In Swiss and European companies, popular communication tools such as WhatsApp, Slack, Wire or Threema Work have become indispensable for internal communications. However, many of the well-known messenger services do not offer a sufficient level of data protection in terms of the GDPR. The location of the provider's headquarters alone is not decisive: the messenger Wire (Wire Swiss Ltd.), for example, is based in Switzerland but stores its data on servers of the US company Amazon, which is subject to the CLOUD Act.
With that in mind, the following questions must be answered:
- Which messengers are used for internal communications in your company?
- Where are their headquarters located?
- Where are their servers located, and which company operates them?
If US-based messenger services are used in your company, be sure to consider the following recommendations.
2. Focus on the Transfer of Personal Data
The transfer of personal data to the US is affected by the decisions of the ECJ and the FDPIC. Personal data is transferred in particular when using instant messaging services in corporate communication: phone numbers and email addresses, contact lists, profile pictures, message contents and metadata about who communicates with whom and when. Therefore, you should explicitly consider this type of data transfer when taking the following measures.
3. Determine the Legal Basis of Data Transfers
If your company does use US-based messenger services, you need to check for each individual service on which legal basis the service provider processes and stores the personal data. Normally, only the following come into consideration:
- the now invalid Privacy Shield agreements
- the standard contractual clauses (if applicable, supplemented by additional agreements)
However, neither the invalidated Privacy Shield agreements nor the standard contractual clauses on their own guarantee appropriate protection for your company data on servers of US companies.
4. If Possible, Switch to Swiss or EU Servers
Some US communication companies offer the possibility to store personal data exclusively on EU servers to avoid the transfer to the US.
Do EU Servers Offer Legal Compliance?
Based on the CLOUD Act of 2018, US authorities can compel US communication services to hand over data records even when they are stored on servers in the EU. Hence, the storage of data on EU servers operated by a US provider does not guarantee legal compliance. The decisive question is not only where the servers are located, but who controls them.
Switzerland Guarantees Full Legal Security
All Swiss companies are subject to Switzerland's strict Federal Act on Data Protection, which is comparable to the GDPR in terms of privacy protection. The European Commission has therefore recognised Switzerland, unlike the US, as a country with an adequate level of data protection (adequacy decision), so a high level of data protection is maintained when transferring data between the EU and Switzerland. This applies provided the data is actually stored and processed by Swiss operators; a Swiss provider that hosts on a US cloud remains exposed to the CLOUD Act.
5. Switch to Privacy-Compliant Communication Services
Due to the deficient data protection level in the US, it is generally not possible to transfer personal data to US providers in compliance with the GDPR without additional safeguards. To avoid legal violations, it is recommended to use privacy-compliant communication services that do not store data on US servers or with US providers and are therefore not subject to the CLOUD Act.
Conclusion: The Most Secure Messenger for Your Company
A data transfer that complies with the GDPR’s strict regulations is no guarantee for a full protection of personal data. Besides the legal compliance of a communication tool, you have to consider whether the company’s business model and application programming can ensure an appropriate data protection level.
This includes public access to the source code (open source), which ensures transparency and makes it possible to verify how the application handles data. It is also important to have independent security experts regularly audit the software. Data security and privacy should also be prioritised in the development phase of the communication tool (Privacy by Design), so that only the least amount of user data possible is stored: data that was never collected cannot be misused or handed over in the first place.
When taking a closer look at the most popular communication tools, it becomes clear that the Swiss messenger Threema and its business solution Threema Work are the safest alternatives to popular US messengers. Save yourself time-consuming reviews and contract negotiations with US providers or providers that host your data on US servers. Such providers cannot assure adequate protection for your company’s data and expose your company to unpredictable risks. With Threema Work, you communicate securely and in compliance with data protection laws!