Privacy Shield struck down – companies must act immediately

The "Privacy Shield" data protection agreement between the EU and the USA has been history since 16 July 2020. The level of data protection in the USA is not adequate by EU standards, according to the European Court of Justice (ECJ). The "Privacy Shield" served in most cases as the basis for data transfer to the USA as a so-called "third country". According to the GDPR, the processing of personal data outside the EU is prohibited if there is no adequate level of data protection in such "third countries" (Art. 44 to 49 GDPR).

"The ruling has significant implications for the exchange of data between companies and the USA," Dieter Kempf, President of the Federation of German Industries, told the dpa. "I regret the ruling of the European Court of Justice. The question to be clarified was actually about how private consumers deal with platforms." However, all companies that transfer personal data to the USA must now act urgently. This affects almost EVERY company – small and medium-sized enterprises are alarmed!

Data transfers to the USA on the basis of the Privacy Shield are now unlawful. The supervisory authorities have already announced that there will be no grace period (cf. decision of the DSB of 28.07.2020, https://www.datenschutzkonferenz-online.de/media/pm/20200616_pm_schrems2.pdf).

Our customers in Germany and Austria must act immediately to comply with data protection regulations. Companies that relied solely on the Privacy Shield agreement now have a problem. They must switch to another legal basis with their contractual partner, such as the EU Standard Contractual Clauses. In most cases, EU Standard Contractual Clauses will be suitable, although they offer no guarantee of permanent admissibility. The ECJ has not declared them invalid.

The court merely states that when EU Standard Contractual Clauses are used, it must also be checked whether enforceable rights and effective remedies actually exist in the third country concerned. Alternatively, those affected must adjust the data processing itself. This means, for example, changing the provider or encrypting or anonymising the data. As a first step, we recommend creating a list of all US services, software providers and service providers used and ascertaining whether personal data of users is transferred to them. Where it is, the provider or tool must be changed.

The services concerned are primarily:

Web design: Google Maps, Google reCAPTCHA, Google Web Fonts, Adobe Fonts

Advertisements: Google Ads, AdSense, Conversion & DoubleClick; Facebook Pixel

Email marketing: ActiveCampaign, Mailchimp

Video conferencing: Google Hangouts, Google Meet, GoToMeeting, Microsoft Teams, Skype, Zoom

Social media: Facebook Connect and Plugin, Twitter, Instagram, Tumblr, LinkedIn, Pinterest Plugin

Tracking: Google Analytics

Hosting: Shopify, Squarespace, Weebly, Wix

The use of WhatsApp Business is therefore also no longer permitted in B2B with immediate effect.

Fines and warnings are conceivable and possible, as are sanctions by data protection authorities. Unfortunately, the entire situation is open-ended, and for anyone who wants to be on the safe side, we recommend looking for alternatives as soon as possible.


Stefan Roggatz

CEO