Yeah, the title is very drastic: after Privacy Shield is dead, what is still possible? I think none other than Europe's highest court has killed the Privacy Shield, the so-called framework for data exchange of personal data from the EU to the US and other countries. And this of course caused uncertainty on all sides and it raises a lot of questions, Carsten. So I'm glad you are here and I can welcome you to help us understand the implications of this decision of the Court of Justice of the European Union.
Perhaps I briefly introduce you. Carsten is a lawyer with exclusive focus on data protection law and IT law, and therefore perfectly suited to help us understand the implications. So Carsten, can you shed some light on the background of the judgment?
Well, first of all, thank you for having invited me. I'm happy to be here and speak about this decision. It's already been a while; July 16th, it was issued. And it wasn't really a surprise, I guess, to receive that judgment. Maybe for some, it was interesting to understand how far this has gotten. However, it's for the mere importance of this decision that we are still talking about it.
Now it's October, it's three months ago, and I guess it will keep us busy three months longer. In order to maybe give a little background, as you just asked me, for those who maybe haven't been heavily involved in this issue, let me give you a short sketch of the DMA respective international data flow. From a European perspective, the European standards shall be maintained everywhere. We have a little selfish, maybe even a little arrogant understanding of how privacy should work globally in Europe.
So our understanding in Europe would be that we have really the answer, how things should go, and the rest of the world should adhere to that. That's the major idea. And we've had this for the longest time, even before, long time, decades before the GDPR. That was the idea. So I always like to call this a bit arrogant, however, maintain European understanding of privacy everywhere. That's the idea. So how to overcome this? Because if we are saying in Europe that all the other countries maybe aren't suited, or most of them aren't suited perfectly. So how to actually do business?
That question, that's actually the question that we now have to re-ask, and it had always to be asked in the past. In the past, there were some clear-cut solutions to that situation: we either had an adequate level decision by the EU Commission saying that particular countries that are not members of the European Union would be able to receive data from the European member states without any additional activity to take.
So that kind of did a clearance, saying between Andorra and J why, including Argentina, Canada, some other countries, they were fine to receive the information out of Europe without any additional activities to take. If you weren't part of that list, that recently was joined by Japan, just, I think, last year, you could always do some additional activity, such as, if you were an American company, join the Safe Harbor, which was the Schrems I decision to be killing this, or Privacy Shield, which now was subject of this ECJ discussion jurisdiction and the ECJ case.
So with the Privacy Shield, there was one solution amongst more. There were also the standard contractual clauses, individual contracts that required certain technical organizational measures, or so-called binding corporate rules. And all of these three, remember, I'm sure we will discuss this because now we really have to look at each of them on a case by case basis. So either you are happy, a country with an adequate level decision, you are fine, you don't have to do anything, but of course that's not true for the US.
Or you could be able to use the Privacy Shield and the standard contractual clauses or the binding corporate rules. So now this has been shaken by this decision. Those solutions are not true anymore.
Yeah. Very interesting.
I mean, you mentioned that Europe was a little bit arrogant to say, okay, we know how to do it. And all the others have to adhere to it. How is this adequate level of protection actually defined?
Well, actually, this adequate level was just looking very generically at whether you would, as a country with your jurisdiction, follow European standards. So you would either follow pretty much what's in the GDPR or formerly the pre-GDPR settings. And also you would have to live up to the Charter of Fundamental Rights of the European Union. And even before the Schrems case, this had been shaken already. So it was the adequate level that you had, but for the US, that was difficult. They weren't only not on the list. They also had some local rules that were clearly not adequate.
So they had e-discovery rules, for those who haven't heard of that, legal evidence rules that ask US companies to give certain evidence if they were a part of a court case, and this could include European data. So that was a difficulty, that was a hurdle before becoming an adequate level of data protection country.
So e-discovery was against it. The Patriot Act was against it in the US, the FISA orders that would allow the FBI to obtain certain information, also going into the cloud, seeing things there. Section 215 of the Patriot Act also included a gag provision.
So the companies that had to bring up information to the FBI couldn't even tell their customers. So all of those, including also an executive order that allowed agencies, the FBI, for example, to monitor unencrypted data in the transatlantic cables, all of those rules we have known for so long, they were really in the way for the US to become adequate level of data protection. So all of this was surely not helping, but the countries. So the US was not on the list.
It's just living up to the GDPR. And of course the GDPR asked countries not to have any kind of surveillance laws like I have just listed, and we found them in the US. So that's the adequate level of data protection. And that's what hindered some countries, especially the US, to be part of that list, of that positive list.
So the world was, I think, well, let's say, regulated before July. Even this of course raises the question: why has the Privacy Shield agreement been declared invalid by the court? And does this also affect the EU standard contractual clauses, short abbreviation SCC?
Yeah. That's a good question.
I, and you are right. You are thinking in terms of, okay, if we don't have the Privacy Shield, will the standard clauses help us. And so that's a two-part answer. The Privacy Shield was declared invalid because simply there were too many of those very crucial surveillance laws in the US.
The Privacy Shield would basically, and it was something only between the EU and the US, Privacy Shield would basically require the free flow of information and the secret flow of information to a service provider in the US, and with all the Patriot Acts of this world and the FISA orders and the executive orders, that was just too much. It wasn't secret information anymore. It was too clearly visible, and that's probably post Snowden, very evident that the US, at least that's the European perspective.
I tried to quote that the US wasn't just obeying Privacy Shield, even though it had signed it.
And in Privacy Shield, it was suggested that there wasn't surveillance to that extent. And that wasn't just true. After we have seen that all of those surveillance laws had really been used heavily and European data wasn't excluded. That was the issue for the Privacy Shield. So you couldn't be sure that this information wouldn't be handed on to third parties.
And if your service provider would hand this on to an authority, to the FBI or to anyone, then you would, as a European company, simply break European law and you would be responsible for that. So the Privacy Shield wasn't a solution. I think a lot of people would say, well, we knew that from the beginning. And maybe that's the core idea of your question. Yeah. That's nothing new to it. But now the ECJ was asked about it, and now we have it written, I would say, so that's the whole story.
I mean, it was an open secret, let's say. And now it's really sealed by the ECJ ruling. Second part of your question, would this affect standard contractual clauses? Finally, after Schrems I went against Safe Harbor, and Schrems I was successful some years ago in killing Safe Harbor, which is the precedent regulation to Privacy Shield. And now it was Schrems II going against Privacy Shield, even though it was aiming at Privacy Shield.
And that's why I mentioned the standard contractual clauses and the binding corporate rules as alternatives to the Privacy Shield. In a way, it was always called upon Privacy Shield, but there was a lot of doubt whether the ECJ would stick to that. And of course they didn't stick to it, because if you have three bridges to go over the ocean and you are a European court, you can't just find your ruling on the Privacy Shield.
And if the two other bridges are built on the same kind of stones, and these stones were trust in non-surveillance in the US, or at least not heavy surveillance in the US. And so, you know, then contractual clauses, they wouldn't find a way around those surveillance laws. Also binding corporate rules, just because you had private corporate binding corporate rules, which are simply fine by private corporations. They can't guarantee that the US government or governmental bodies wouldn't check on the data being transferred to the US.
So yes, it wasn't even said in a small sentence or between the lines, it was explicitly explained that standard contractual clauses are at stake too, but it's interesting. Whereas the Privacy Shield itself was declared really illegal, the standard contractual clauses weren't revoked. It was just that they are not safe, which is something different.
So it was said that maybe, you know, you should assess your standard contractual clauses. And that's where this ruling wasn't very clear for many people.
Is this now something a company has to clarify, is this something the court will clarify, or the authorities? So this is the phase we are in now, to really understand how can we make standard contractual clauses an alternative again, because what we have now is a big exclamation mark. We know it's affected because it's the same kind of stone those bridges are built of. So standard contractual clauses aren't free of question and doubt.
However, it's not invalid. It's just a different risk now to use them.
So it's a necessity to assess those standard contractual clauses now by those parties who have them in use. So it's the company's issue for this point of time. And I'm sure it will be authorities in the future to say some words on that.
Yeah. I think this seems to be exactly the situation.
I mean, the Privacy Shield agreement is invalid, as you said, and SCCs still remain, but companies are puzzled by the situation. And what is your recommendation? What should they now do as immediate next steps?
Well, actually I think if I, you know, would be here as a lawyer right now, I would say in an ideal world, and an ideal world for a lawyer is everything is a hundred percent secured and you don't do anything which is gray or anything like that. You would be in a black and white world. I would say, well, stop transferring any kind of personal information out of the European Union to the US or any third country, maybe on the basis of Privacy Shield to the US, because that's invalid. You can't go that way anymore.
That bridge is destroyed. Or using standard contractual clauses; standard contractual clauses, as I just said, they're not invalid. They have a question mark. So I would say to your question, what companies can do with that seriously.
I mean, it's not a way to just stop all the transfer to the US. If you are an international group, maybe even headquartered in the US, that's really not the answer.
So in the black and white world, yes. Stop and cease anything that has to do with European data in the US or anywhere else out of Europe. But as a realistic choice, and I understand companies to be puzzled, it's, you need to ensure alternatives. And we haven't had this perfect recipe. What I really tell any clients is you have to first check what's the receiving country. And the ECJ has stated the US as being a country.
It has talked about China and some other countries, and it's a short list of four or five countries, which are supposed to be difficult or not possible at this point of time without further activities. So if you're in other countries, that's a good thing to start with. Then you may be checking whether the safeguards that in the standard contractual clauses are taken for granted really in those countries are maintained.
So you really have to check. And that's what actually authorities say, and the ECJ has laid out as necessary. You need to check how is the local situation in the country?
That's receiving the information. So if you send this to Israel, you would have to check what's the policy in Israel for comparable rules, as I was pointing out, the Patriot Act and things like that. Do they have any secret services that with few hurdles can access that information? And this is not even declared to us here in Europe, if we are kind of victim on this, you know. So check where your data goes. In a lot of cases, the answer will be, wow, that's a short question.
You know, I send everything to the US. My mother company is there. So I don't really need to go further. What should I do in the EU if I have this, you know, go into the US.
And I would say, you should really continue with a really particular check on the situation. So who is my service provider? Are they declaring they are following the privacy act. Are they declaring that? Don't do that.
You have, you know, some of you may have heard that during the past years, some companies have declared, they will not follow the gag provision. For example, saying that the customers will not know if there is a transfer of data. That would be good thing to understand if a service provider wouldn't do that.
You know, there really the individual question on how are these standard contractual clauses, if you have them in place, how they live. If you don't have them in place, I would try to have them in place and maybe check for an additional contract next to the standard contractual clauses, assuring that the information will not be shared with third parties, including governmental bodies.
And let's be honest again, I mean, this is probably for most companies a mere theoretical approach.
We have realized this for some of our customers, but you know, some of them have just said, well, we could try, but it will take forever. And, you know, we will not be able to, to do this. Maybe they're even a small company and they're talking to tech giants here, how should we realize this?
You know, have them a contractual sign. That's one thing have additional legal checks and maybe an additional contract where we don't have anything approved by authorities.
How would this work? Yeah. For those who, you know, who feel trapped in this situation, I would say, listen closely to what authorities are about to say very soon, because we will have more authorities' information and insight and guidance on this in the future. I guess it will happen this year. And as there is confusion between authorities' responsibilities, there's local authorities taking already certain statements. And there is international authorities like the European Data Protection Board, for example, that are taking action.
You know, they haven't really said anything clear now, but they're expected to say something. So I would say,
Sorry,
Let me briefly summarize whether I correctly understood that. So obviously lots of clients, lots of corporates are using cloud services in these days. And of course all the big cloud providers are on that list of the Privacy Shield of the US Department of Commerce. I just checked it out: still 5,100 companies that are listed there. Right? Yeah.
So when I understood you correctly, you're not suggesting to stop maybe data transfers to the US, pertains to uncertainty. How long do you expect that uncertainty to be in place? So when do we get more clarity on that topic?
You're right. Even though I should, as the lawyer say, stop now to transfer that information. I don't tell my clients.
I tell them, you do have a risk because it's a clear-cut case with this ECJ. You shouldn't be doing this. Okay. What I have been doing for years, I've been advising all my clients to have standard contractual clauses signed, because I was sure there's gonna be a problem with Privacy Shield. After Safe Harbor was killed some years ago, you didn't need to be looking Mily into the future to understand there would be an issue with Privacy Shield.
So what I did ever since Safe Harbor was killed was to tell companies, please talk to your service providers and make it clear that they have to sign standard contractual clauses. A lot of the folks out there will not have done that. If you haven't done that, I would suggest either to do that now, or to wait a bit longer.
And that's your question, how long will this uncertainty take. I think we must for a minute go away from the legal issue. I think we have a general difficulty here between the EU and the US. And I think this is a part of commercial war ongoing.
I'm not saying that the ECJ ruling is somewhat political also, but it just fits into these times. I think what we really need as an answer is local European solutions that are not dependent on the us. It's a big, like the pandemic question.
It's like, when will we be getting out of this? We all don't know. We really hope that things in maybe some years, or maybe a year's time or whatever will be okay, because we will have a vaccine and all the other things. Same thing for Privacy Shield and all the international data flows.
I'm not sure whether, whether we will go back to a regular understanding that we had before. I think we will have to find solutions that are in business models and then need to be European solutions.
We need to have joint ventures between the US and the EU that make clear that we don't have access from the US, or we will have a clear ruling, not ruling, that's wrong, wrong term. Or we will have a clear answer by the European Data Protection Supervisor, the EDPS, and/or the EDPB. And they have stated, the European Data Protection Board, which is European national authorities and data protection gathering in a circle and discussing this case here now. And they've said they will issue something this year. So we really strongly believe there will be something.
And from what I hear, it's nothing officially announced, that they are really aiming at a data trustee center, saying that you need to have a data trustee in Europe.
And, you know, if you look at T-Mobile, for example, you know, from a German perspective now, which is originally a German company, I mean, they are also regulated in the US. How can they assure that they are trust in that sense, that there's no Patriot Act, you know, towards them? And they will have to cooperate with American authorities.
I don't think that will be that easy. So I don't know what they can come up with, but they have said they bring something this year. And if I was Schrems, I would aim for a Schrems III.
And, you know, question that again. That's what I mean by don't expect that there will be a legal solution. I think we need new business cases here and we need to have new technical solutions, pseudonymization, minimization, and all of this.
Okay. So I think that was a good, so to say, closing remark, at least for this session. And the discussion shows that there's a lot more to talk about. And therefore I would like to invite everyone who is interested in that topic to join us just right after this session in the coffee lounge.
But for the time being, thank you very much for being with us and having that knowledgeable, but also entertaining discussion around a topic like this, which is not so easy, I believe. But again, we can follow up in a couple of minutes, and for the time being, I hand back to Annie.