
EU-U.S. Privacy Shield at the end: an overview for Atlassian customers

On July 16, 2020, the European Court of Justice declared the EU-U.S. Privacy Shield agreement, which was intended to ensure that data protection in the USA is equivalent to that in the EU, invalid. Against this background, we look at the topic and at the options for action and deployment available to Atlassian customers.

According to the European General Data Protection Regulation (GDPR), which has been in force since May 2018, personal data of natural persons may not be processed at will in third countries. If companies wish to process (view, transfer, process, store, etc.) personal data in third countries, they are responsible for doing so in accordance with the GDPR and for ensuring an equivalent level of data protection in the third country. In the event of violations, companies can be fined and their management may even be held personally liable under certain circumstances. Further information on the European General Data Protection Regulation can be found in our series of articles from 2017/2018.

The easiest way to ensure this in third countries is to rely on an equivalence decision by the EU Commission. For example, statutory data protection in Switzerland is considered equivalent to that of the EU. Since data protection laws in the USA do not ensure the same level of data protection, the EU and the USA have so far tried to ensure data protection by having US companies voluntarily submit to the higher European standards. Initially, the Safe Harbour Privacy Principles agreed between the EU and the USA served this purpose. However, this framework agreement was declared invalid by the European Court of Justice because it required only a declaration of compliance by US companies and did not provide for any control mechanisms. As a successor, the EU and the USA negotiated the EU-U.S. Privacy Shield Framework, which remedied this shortcoming and in turn attested equivalent data protection to the participating US companies.

In our series of articles on the introduction of data protection, we already predicted that the EU-U.S. Privacy Shield would also be short-lived. That has now happened. On July 16, 2020, the European Court of Justice declared this agreement invalid as well. This time, US legislation on mass surveillance by the state is responsible. According to Computerworld, this concerns on the one hand the Foreign Intelligence Surveillance Act (FISA) with its PRISM and UPSTREAM surveillance programs, and on the other hand Executive Order 12333. Specifically, PRISM requires Internet service providers to hand over to the NSA, the FBI and the CIA all communications relating to specific individuals. UPSTREAM requires telecommunications providers to allow Internet traffic to be copied and filtered. Executive Order 12333 allows the NSA access to submarine cables in the Atlantic in order to intercept data transfers there. The Swiss Data Protection Commissioner is now also examining the decision of the European Court of Justice and its effects on the analogous, still valid Swiss-US Privacy Shield.

As a result, processing in the USA can no longer be based on an equivalence decision by the EU Commission. The so-called standard contractual clauses are envisaged as the most important alternative, such as those offered by linkyard to its customers in addition to the reference to the equivalence decision. In the case of the USA, however, there is now the problem that private contracts cannot override the national legislation mentioned above either. Accordingly, no solution via standard contractual clauses should be possible with the US companies affected by these laws (operators of Internet services and telecommunications providers) unless the USA adapts its legislation beforehand. This probably leaves only the few exceptions under Art. 49 GDPR, in particular obtaining explicit consent (opt-in) from every data subject whose data is stored, as a way out.

At the time of this article, the decision is still very fresh, and the various specialized lawyers will now be thinking about how to address this problem with the lowest risk. We will then address the technical specifics that are relevant when considering the topic of data protection.

--

linkyard is a specialist in the secure operation of collaboration services. Around 100 customers — including many from industries with particularly high information security and data protection requirements such as banks, insurance companies, public administration, critical infrastructures or armaments — count on our services. linkyard's information security management system is certified in accordance with ISO 27001:2013.