The USA currently does not offer an adequate level of protection for data from the EU and Switzerland. In this article we analyze the legal situation and evaluate possible solutions.
European Court of Justice Rules “Privacy Shield” Agreement Invalid
The change in case law is the result of a ruling by the European Court of Justice (ECJ) in July, in which the judges declared the “Privacy Shield” agreement between the EU and the USA to be invalid.
The reasoning was quite clear: American surveillance practice is not limited to what is strictly necessary. Moreover, those affected cannot enforce their rights in court.
ECJ Ruling Also Applicable To Switzerland
The ruling initially only affected the EU. Following an in-depth analysis, the Swiss Federal Data Protection and Information Commissioner recently joined the EU judges in their verdict. Adrian Lobsiger sees no difference in interpretation between EU law and Swiss law in this regard (his detailed opinion is available as a PDF).
In order for companies from the EU or Switzerland to be allowed to continue transferring data to the USA, they need so-called standard contractual clauses (SCC). But even then, risks remain.
Standard Contract Clauses Fail To Safeguard
According to the ECJ, the standard contractual clauses are still lawful, but only if exporters and recipients of the data can guarantee a level of data protection as high as in the EU. The problem: data that ends up at suppliers in the USA is subject to the surveillance laws there.
The transfer of data to US companies under the standard contractual clauses therefore cannot, in practice, function in accordance with the ECJ decision, because US data protection laws are much more lax than European ones.
For this reason, Max Schrems’ NGO is currently suing 101 companies in the EU that continue to transfer data to the USA.
A) End-to-End Encryption
According to the current legal situation, one solution seems to be end-to-end encryption of sensitive data with a strong algorithm. This would ensure effective protection of the data even when it is transferred to the USA.
Of course, this requires increased technological competence on the part of the companies exporting data. And: it is only a matter of time before any given encryption scheme is broken by more powerful computers.
B) Local Hosting
The safest way is to transfer as little data as possible to the USA. This is why you should regularly check where services you use store their data.
For our tools at Friendly, we host all data exclusively on dedicated servers in Switzerland or in Germany / EU (your choice).
P.S. If you enjoyed this, you might like our newsletter. We share insights from our journey as a bootstrapped open startup, marketing best practices, and Friendly surprises!