ECJ overturns Privacy Shield: Consequences for companies

The judgement of the European Court of Justice (ECJ) of 16.7.2020 (File No. C-311/18) has caused a great stir: the ECJ has overturned the Privacy Shield. We summarize what entrepreneurs need to know.

After the judgement, the current situation is unclear. In the following, we try to provide clarity.

What is Privacy Shield?

Until now, there has been a decision between the European Union and the USA that personal data of EU customers may be shared with companies in the USA.

This decision, known as Privacy Shield, is based on the assumption that the data of European customers in the USA enjoy adequate protection – in line with EU standards.

Lawsuit against Privacy Shield successful

A plaintiff had applied for this regulation to be declared ineffective because the adequate protection of personal data in the USA was not ensured.

He argued that Facebook in the USA is obliged to make data available to US authorities such as the NSA and FBI without the person concerned having any possibility of taking action against it. The ECJ found in favour of the plaintiff and ruled that the Privacy Shield Decision was invalid.

ECJ overturns Privacy Shield: Consequences for companies

The judgement of the ECJ is certainly to be welcomed. It shows that the European Union takes the protection of its citizens' personal data very seriously and positions itself confidently in relation to the United States.

However, for European companies whose business model depends on the exchange of personal data between Europe and the USA, the ECJ judgement will initially have fatal consequences: In general, companies in Germany currently use declarations on data protection and refer to standard EU contractual clauses regarding data transfer to third countries. After the ECJ judgement, such a generalised approach is no longer possible.

ECJ overturns Privacy Shield: How companies should react now

Companies have to include at least an addendum stating that they will check on a case-by-case basis whether the level of data protection in the recipient country is also secured. Therefore, data protection agreements currently in use need to be amended.

Companies should consider data protection and retention rules in their procedural documentation

This might be a good opportunity to re-examine the data protection rules in use. When preparing procedural documentation for companies, we often find that they have not always implemented data protection regulations to a sufficient extent.

In addition, companies must take into account that, in accordance with provisions of the Tax Code (Section 146 (2) AO), they must keep their books and other necessary records in Germany, including the archiving of invoices. In practice, however, it often happens that companies store and archive accounting data and documents on servers abroad. This is only permitted under certain conditions, in particular only if a written application has been submitted to the tax authorities and the tax authorities have approved it (Section 146 (2) AO).

From a tax point of view, we strongly recommend that companies keep these regulations in mind and submit a corresponding application in accordance with Section 146 paragraph 2a AO.


Attorney in Düsseldorf and Krefeld, Marcus Büscher
Marcus Büscher
Tel.: +49 211 – 9 0867 677