On July 16, 2020, the European Court of Justice (ECJ) declared the Privacy Shield Agreement invalid (ECJ, ruling of July 16, 2020; Az. C‑311/18). The verdict, which should set limits on social media like Facebook, has massive implications. For example, medical device manufacturers who store patient data in the clouds of the US tech giants are also affected.

1. Privacy Shield: what is it about? a) The GDPR

The General Data Protection Regulation (GDPR) stipulates that personal data may only be transferred to a third country if the country concerned guarantees an appropriate level of protection for the data. The Commission can determine under the GDPR that a third country ensures an adequate level of protection by virtue of its national legislation or its international obligations.

In the absence of such an adequacy decision, as in the case of the US, such a transfer may only take place if the EU-based exporter of the personal data provides appropriate safeguards. Such guarantees can, inter alia, result from standard data protection clauses drawn up by the Commission.

b) Purpose of the Privacy Shield Agreement

The Privacy Shield contains a mechanism that certifies the companies certified under it a level of data protection comparable to that in the EU in order to legitimize data transfers to the USA. The agreement should guarantee a comparable (adequate) level of protection when processing data in the USA as in the EU.

The agreement was heavily criticized by privacy advocates from the start. Rightly so, as the ECJ ruling confirms. This makes the EU-US Privacy Shield the second agreement between the US and the EU after the Safe Harbor Agreement that has not withstood the review of the ECJ.

2. Hosting in the clouds of Amazon, Google & Co.

Around 5000 companies, including Amazon (including Amazon AWS), Microsoft (including Azure) and Google (including all services offered by Google LLC) are currently covered by the EU-US Privacy Shield.

Since the European Court of Justice declared the Privacy Shield invalid with its judgment of June 16, 2020, companies can no longer rely on it for data transmissions to the USA.

3. Possible ways out a) Switching to data centers in Germany

For example, if you select the data center location Germany/Frankfurt at Amazon, you should check whether all health data is also stored and processed there. In addition, it must be ensured that not only the server location, but also the company's headquarters are in the EU.

Even the storage of an e-mail address (e.g. in connection with the use of a DiGA) can represent the processing of health data.

b) Use of Standard Clauses and Binding Corporate Rules (BCR)

According to the express judgment of the ECJ, manufacturers of medical devices still have the option of using standard contractual clauses to guarantee a level of protection comparable to that of the EU when processing personal data.

However, it must be assumed that the use of protection clauses and BCRs alone does not guarantee an adequate level of protection and that this will be criticized by the responsible data protection supervisory authorities. Rather, additional protective measures (e.g. technical solutions) will become necessary.

c) Encrypted storage

The technical requirements that encryption must meet are very high in order to effectively rule out the identifiability of the encrypted data. Therefore, it can usually be assumed that personal data will retain their personal reference despite encryption.

This means that you have to comply with the requirements of the GDPR even if the data


To the original article