The Rusty Privacy Shield
On July 16, the Court of Justice of the European Union (CJEU) invalidated the European Commission’s (EC) decision on the adequacy of protection provided by the EU-US Privacy Shield. In its judgment in case C-311/18, the CJEU indirectly concluded that the US does not ensure a European level of privacy for personal data belonging to European Union citizens. The Court stated that the European Commission’s decision on the Privacy Shield is invalid because “the transfer of personal data of website users to a third country is permissible provided that the legal arrangements ensure that their privacy is effectively protected, including against surveillance by the US intelligence services.”
Until now, on the basis of the EC’s decision of July 2016, entities in the United States included in the Privacy Shield could process data belonging to EU citizens under the same conditions as companies located in the EU. Previously, the legal aspects of data flow were determined by the Safe Harbor regulations, the implementation of which was declared invalid on October 6, 2015. On that occasion the CJEU for the first time took the position that the flow of personal data should be stopped, because it had not been examined whether the United States provides an adequate level of protection of personal rights, guaranteed in European countries by the EU Charter of Fundamental Rights. The judgment was supported, among other things, by EC announcements, which showed that the US authorities, having access to the personal data of citizens of EU countries, used it in a way that extended beyond the purposes of ensuring national security.
The Safe Harbor mechanisms were invalidated as a result of a lawsuit brought to the Irish court by the activist Max Schrems. He argued that Facebook was illegally transferring his personal data to the US. The case was brought to the CJEU, which admitted he was right. The Safe Harbor regulations were therefore invalidated, which contributed to short-term legal chaos.
A new legal act, the Privacy Shield, was quickly prepared and became effective as of 2017. Max Schrems, having already worked out the methods of action, once again brought the case to court, this time challenging the newly introduced regulations. It is worth emphasizing that experts in the field of privacy have regarded the mechanisms of the Privacy Shield as provisional and full of loopholes since the very beginning of its existence. Despite this, the Privacy Shield allowed international companies to operate on the basis of its regulations and enabled data transfer across the ocean, providing a kind of “legal certainty.” The companies kept operating while experts unanimously doubted whether the adopted agreement sufficiently protected the privacy of Europeans.
“Sadly, for both privacy and for business, this agreement helps nobody at all. We now have to wait until the Court again rules that the deal is illegal and then, maybe, the EU and US can negotiate a credible arrangement that actually respects the law, engenders trust and protects our fundamental rights,” said Joe McNamee, Executive Director of European Digital Rights in July 2016.
Although the CJEU judgment concerned the Schrems dispute with Facebook, the invalidation of the Privacy Shield decision affects all transoceanic businesses.
The Shield lasted for four years. Once again, the intercontinental flow of data does not have a secure legal basis, which significantly impedes business conducted by many companies, especially those operating in the IT market. This, of course, does not mean that the transfer of data from the EU to the US is halted. Data could still be sent if the data subject:
- is informed of the risks that data transfer may entail;
- explicitly consents to such transfer.
Data may also continue to be transferred if the handover is necessary to perform a contract or to determine or ensure the protection of claims. However, the transfer after the fall of the Privacy Shield requires the introduction of further forms and information clauses, the avalanche of which is likely to occur as soon as the Safe Harbor provisions are rejected.
The fall of the Privacy Shield opens the way for the preparation of other legal solutions, ones which this time will actually guarantee safe processing of the personal data of EU citizens. Experts associated with the Access Now organization (specializing in the area of security and privacy) suggest that the EU should, as soon as possible, negotiate a new type of legislation that would force the US to:
- adopt a comprehensive privacy and data protection framework that puts users at the center and provides significant opportunities for pursuing claims and having control over their data;
- grant EU citizens a greater right of pursuing claims in case of rights violation due to unlawful data processing in the US;
- reform surveillance practices and take action to protect the human rights of all people, regardless of where they come from.
This article was originally published in “Polish Daily News”.