Privacy Shield withers and dies in the heat of yesterday’s European Court judgement.
17th July 2020
American companies may now find themselves immediately unable, legally, to serve users in Europe.
Many well-known businesses, such as Facebook, Amazon and Apple, rely on Privacy Shield and will need to find an alternative legal basis for transferring personal data from the EU, or stop doing it. In order to understand the magnitude of what happened in the European Court yesterday, let’s go back a step and explain what the Privacy Shield was.
What was the Privacy Shield?
The Privacy Shield was a major agreement governing the transfer of personal data of EU citizens to the United States.
Under EU law, personal data can only be transferred to countries that ensure an equivalent level of data protection. Each country was assessed on its own merits, and those that ‘passed’ were granted an ‘Adequacy Decision’: as the name suggests, the EU deemed their data protection laws to be adequate and allowed the personal data of EU citizens to be transferred there.
The US does not have an Adequacy Decision, i.e. it doesn’t ‘pass this test’.
Another option for a business transferring personal data from the EU is to put in place certain safeguards to ensure protection, commonly known as Standard Contractual Clauses or SCCs, which have been pre-approved by the European Commission. (SCCs were also under scrutiny during the recent court case, but they came out intact.)
Privacy Shield, however, was a framework designed by the US Department of Commerce, the European Commission and the Swiss Administration to, in their own words:
‘…provide companies on both sides of the Atlantic with a mechanism to comply with data protection requirements when transferring data from the European Union and Switzerland to the United States in support of transatlantic commerce.’ (www.privacyshield.gov)
The reason the Privacy Shield was required was that the US is not deemed to have adequate privacy or data protection laws in place to protect EU citizens. However, in order to allow trade between these two huge economic areas, a framework was devised that responsible companies could sign up to and adhere to, enabling them to legally transfer personal data from the EU to the US. It was easier, faster and less expensive than using SCCs.
Initially, the framework developed for this was Safe Harbor. However, Mr Max Schrems, the data protection activist, challenged the robustness of the protection offered by Safe Harbor; it was abolished by the European Court in 2015 and later replaced by Privacy Shield.
Back in 2016, when Privacy Shield was first presented as the replacement for Safe Harbor, Mr Schrems stated that:
“Privacy Shield is Safe Harbor with flowers on it – it will probably be killed by the European Court”.
Yesterday it was.
Why did the European Court say Privacy Shield was no longer valid?
Put simply, the Court decided that US national security law does not protect the personal data of EU citizens. Much of the breach of rights was deemed to come from the US’s own surveillance laws, which allow government snooping and are not limited ‘to what is strictly necessary’, as European law dictates.
So, what now?
The biggest impact is on US companies that transfer the personal data of EU citizens to the US and have been relying on Privacy Shield.
Facebook is one such company but according to University College London’s European Institute there are more than 5,300 companies affected, about 65% of them SMEs.
What these companies need to do now is use the ‘Standard Contractual Clauses’ or SCCs. The reason SCCs have not been used by all US companies up to now is that they are much more time-consuming and expensive to prepare than using Safe Harbor.
Some American companies, such as Microsoft, were already relying on SCCs, but these are likely to be very closely scrutinised now. Can they remain valid if US surveillance law remains as it is? Perhaps not.
The victorious activist, Schrems, said yesterday:
“It is clear that the US will have to seriously change their surveillance laws, if US companies want to play a major role in the EU market”.
What this means for everyone transferring data from Europe to a country outside the EU is that even more care than usual needs to be taken. Data controllers must take their obligations very seriously and ensure that the utmost due diligence has taken place, and that all necessary procedures and protocols are being adhered to in the receiving country, before any data is transferred. If there is any doubt about whether the receiving country can guarantee the level of data privacy required under EU law, do not transfer the data. To quote directly from the ruling, paragraph 142 sums it up nicely:
“It follows that a controller established in the European Union and the recipient of personal data are required to verify, prior to any transfer, whether the level of protection required by EU law is respected in the third country concerned. The recipient is, where appropriate, under an obligation, under Clause 5(b), to inform the controller of any inability to comply with those clauses, the latter then being, in turn, obliged to suspend the transfer of data and/or to terminate the contract.”
If you would like any help or advice in relation to this, or any other data protection issues, please do get in touch with one of the specialists here at The Griffin House Consultancy.
We provide training, advice and project management on all matters relating to the GDPR and data protection, for corporates, businesses, the civil service and the third sector.