As reported on last Thursday, the European Court of Justice (ECJ) in Luxembourg has declared the so-called EU-US Privacy Shield - a highly controversial agreement among data protectors - invalid. The pact, negotiated in 2016, regulated the transatlantic exchange of personal data for commercial purposes between the European Union and the United States. The decision also means that companies such as Facebook will no longer be allowed to export personal information of EU citizens to the US and store it there. The basis of the legal dispute was a lawsuit brought against Facebook by Austrian data protection activist Max Schrems. With reference to the revelations of whistleblower Edward Snowden, which appeared in 2013, he complained to the Irish data protection authority that the Irish branch of the US group, Facebook Ireland, was passing on its data to the American company headquarters - and this despite the fact that there is no adequate protection of this data from US surveillance programmes. Schrems was specifically concerned in this connection with Snowden's discovery that Facebook in the USA was obliged to give the NSA and the FBI access to user data without users having a say in the matter. Finally, Ireland's highest civil and criminal court, the High Court, referred the question to the European Court of Justice as to whether the procedure decided upon in the context of the Privacy Shield was compatible with the European level of data protection. The answer now followed clearly and unequivocally. Specifically, according to Schrems, around 5,000 US companies are affected by the decision, which, thanks to the agreement, have so far been able to export personal data of EU citizens to the USA.
The decision from Luxembourg is in any case to be welcomed, because the issue of data sovereignty is playing an increasingly important role, especially in times of advancing digitalisation. Like the CLOUD Act, which explicitly allows the release of personal data of EU citizens to US authorities if they use American services, the Privacy Shield put users at a disadvantage when it comes to data protection. As is well known, the CLOUD Act and the EU-DSGVO are in conflict with each other and now the Privacy Shield has also been stripped of its legal basis.
The awareness of companies and individual users of the importance of the issue of data sovereignty is increasing more and more and data protection has long since ceased to be an issue that is ignored and underestimated. Companies and users, on the other hand, clearly demand it and it often plays a role in the decision to use certain services or to purchase company software. For us as a company that is proud to be a driving force behind the digital change in Germany and Europe, the issue of data sovereignty is inextricably linked to digitization and has been one of our principles from day one. It is gratifying that the EU is clearly standing up for usage rights and the sovereignty of European citizens in the exchange of information. Another positive development is that US corporations now also recognise this desire for transparency and control - on both the corporate and private side. It is equally gratifying that they are cooperating with German and European cloud providers to enable users to store and exchange data in compliance with the DSGVO despite the current CLOUD Act. All in all, such cooperation and clear verdicts such as the one against the Privacy Shield can make a lasting contribution to ensuring that Germany and Europe are and remain a safe place to protect the privacy of individuals and secure commercial data exchange.