Privacy Shield ' Data Protection Bites Again
Published date | 12 August 2020 |
Subject Matter | Privacy, Data Protection, Privacy Protection |
Law Firm | Gilson Gray |
Author | Derek Hamill |
If you do business with companies in the USA - and potentially even anywhere outside Europe - you might find that you have a new problem. New rules on data protection, which came into effect last week, effectively make it harder to transfer data outside of Europe.
Privacy Shield - Not Strong Enough
On 16 July 2020, the ECJ ruled in the "Schrems 2" case. This involved a complaint about Facebook's use of data when it could ultimately be accessed by the US government. The court decided that you could no longer rely on "Privacy Shield" to allow the transfer of personal data from Europe to the USA.
Privacy Shield was a system whereby a US business could register with the US government to confirm that it would hold personal data with certain protections. It was thought, until last week, that if a US company held this registration then the prohibition on transferring data outside Europe would not apply to that company. This was because the view was that Privacy Shield gave protections to EU citizens' data in the US similar to that offered by GDPR in Europe.
Except, that was wrong.
The ECJ decided last week that Privacy Shield is invalid because it gave US national security and law enforcement agencies priority over the rights of EU citizens. The ruling says that this is not proportionate and goes beyond what is strictly necessary, and that US laws do not give EU citizens appropriate rights of redress through the courts if their data is misused by US authorities.
Privacy Shield rules allow for an Ombudsperson to provide this redress to EU citizens. This was thought enough until this case. Now, the ECJ says that the Ombudsman doesn't provide "guarantees substantially equivalent to those required by EU law" because it's not independent and cannot impose its will on US intelligence services.
EU-US trade
The Business Software Alliance, one of the parties to the case, said that the CJEU decision to invalidate Privacy Shield would create a barrier for electronic commerce between the US and the EU.
"Today's Privacy Shield decision just removed from the table one of the few, and most trusted, ways to transfer data across the Atlantic. The impacts will be felt by large and small enterprises on both side of the Atlantic, when businesses are focused on recovering from the economic impacts of Covid-19 and are increasingly relying on data-driven tools and services to do so," said Thomas Boué, director general of...
To continue reading
Request your trial