EU-U.S. Privacy Shield at the end: an overview for Atlassian customers

On 16 July 2020, the European Court of Justice declared the EU-U.S. Privacy Shield Agreement, which was intended to ensure the equivalence of EU data protection in the USA, invalid. Against this background, we examine the issue and the options for action and deployment for Atlassian customers.

In accordance with the European Data Protection Basic Regulation DSGVO, which has been in force since May 2018, personal data of natural persons may not be processed in third countries at will. If companies wish to process (access, transfer, edit, store, etc.) personal data in third countries, they are responsible for doing so in accordance with the DSGVO and for ensuring equivalent data protection in the third country. In the event of infringements, fines may be imposed on the companies and their management may even be held personally liable. Further information on the European Data Protection Basic Regulation can be found in our series of articles from 2017/2018.

The easiest way to ensure this in third countries is to rely on an equivalence decision by the EU Commission. For example, legal data protection in Switzerland is considered equivalent to that in the EU. Since data protection laws in the USA do not ensure the same level of data protection, the EU and the USA have so far tried to ensure data protection in such a way that US companies voluntarily submit to higher European standards. The first step was to agree the Safe Harbour Privacy Principles between the EU and the US. However, this framework agreement was declared invalid by the European Court of Justice, as it required a mere compliance declaration by US companies and did not provide for any control mechanisms. As a follow-up solution, the EU negotiated the EU-U.S. Privacy Shield Framework with the U.S., which remedies this shortcoming and certifies that the participating U.S. companies in turn provide equivalent data protection.

Already in our series of articles on the introduction of data protection, we predicted that the EU-U.S. Privacy Shield would also be short-lived. This has now come true. On 16 July 2020, the European Court of Justice also declared this agreement invalid. This time the US legislation on mass surveillance by the state is responsible for this. According to Computerworld, these are, on the one hand, the Foreign Intelligence Surveillance Act (FISA) with its surveillance programs PRISM and UPSTREAM, as well as Executive Order 12333. Specifically, PRISM instructs the providers of Internet services, the NSA, the FBI and the CIA, to make available all communications concerning specific persons. UPSTREAM instructs telecommunications providers to allow copying and filtering of Internet traffic. Executive Order 12333 allows the NSA to access the submarine cables in the Atlantic Ocean to intercept data transfers there. The Swiss Data Protection Commissioner is now also examining the decision of the EU Court of Justice and the implications for the analogue Swiss-US Privacy Shield, which is still in force.

For processing operations in the USA, this means that an equivalence decision of the EU Commission can no longer be used as a basis. The most important alternative is the so-called standard contractual clauses, which linkyard, for example, also provides to its customers in addition to the reference to the equivalence decision. In the case of the USA, however, there is now the problem that private contracts cannot override the aforementioned national legislation either. Accordingly, it is unlikely that it will be possible to reach a solution with the US companies affected by the legislation (Internet service providers and telecommunications providers) by means of standard contract clauses without the USA first adapting its legislation. The few exceptions under Art. 49 DSGVO, in particular the obtaining of explicit consent (opt-in) from every person concerned for whom data is stored, thus remain the main way out.

At the time of this article, the decision is still very fresh and the various specialist lawyers will now be considering how to tackle this problem with the deepest risks. We will also look at the technical specifics that are relevant to the issue of data protection.

--

linkyard is a specialist for the secure operation of collaboration services. About 100 customers - among them many from industries with particularly high information security and data protection requirements such as banking, insurance, public administration, critical infrastructures or armaments - count on our services. The information security management system of linkyard is certified according to ISO 27001:2013.