News, Press relation

Everything is on track even without a data protection agreement with the USA

Björn Lorenz08/25/2020

Following the end of the Privacy Shield agreement, the European Court of Justice (ECJ) is requiring companies to take on more responsibility. In the future, companies themselves will have to ensure that the processing and storage of data in the USA is done in accordance with the EU’s General Data Protection Regulation (GDPR). However, since in practice this can hardly be guaranteed, the COSMO CONSULT Group has taken the following precautions: In contracts with Microsoft it is ensured that customer data is stored and processed exclusively on servers in the European Union (EU). Customers of the COSMO CONSULT Group, which specializes in digital transformation will therefore continue to fulfill all legal requirements in terms of data protection.

In July, the European Court of Justice invalidated the Privacy Shield agreement between the EU and the USA, which until then had provided the legal guarantee protecting data transfers between the two regions. The court found that European’s data was not being adequately protected in the USA. In principle, the EU expects a level of security that corresponds to that of the General Data Protection Regulation. With the end of Privacy Shield, the legal framework for data transfers between the USA and the EU no longer applies. This means that companies can no longer assume that data transfers automatically comply with EU regulations.

Data protection becomes a problem

This affects cloud services, social media and online storage, for example, if US servers are used. That includes not only US providers, but also companies that use the  services of US providers for their own products. With the end of the Privacy Shield Agreement, all companies must now ensure that their business models comply with EU data protection regulations. There will not be a long grace period. Companies that ignore the ruling will risk fines and claims for damages.

The ruling does not leave much room for manoeuvre. Companies will be unlikely to be able to find a provider that stores data in the USA in compliance with the GDPR due to different legal frameworks. The alternative of obtaining a declaration of consent from users for data storage under US law does not seem very promising, at least in the B2B field.


Because it foresaw this development, the COSMO CONSULT Group was prepared for the end of the Privacy Shield agreement, explains Michael Makowski, Senior System Engineer & Global Privacy Coordinator: "Our contracts with Microsoft stipulate that data processing is only to be carried out on servers within the EU. In addition, there are standard contractual clauses for the case of an unexpected but necessary transfer of data to the USA. We do not think that any changes to the agreed protective measures and contractual regulations are necessary." He also said that the company would naturally continue to monitor current developments and the statements of the supervisory authorities. "If it becomes necessary, we will reassess the situation and react quickly if there are consequences for our customers," he added.


In terms of exchanging data with the USA, all companies are now responsible for storing sensitive data in accordance with the GDPR. In the future relying on specialized providers will no longer be sufficient, because it is often unclear where the data is being transferred to and where it is being physically stored. Together with Microsoft, the COSMO CONSULT Group ensures that all data is processed in the EU. COSMO CONSULT customers can therefore rest assured that their data is protected and that legal requirements are met.

Share post