It happened. Finally, the European Union has taken the protection of its citizens' personal data seriously. The Privacy Shield has been invalidated, which means the end of the uncontrolled, legally sanctioned outflow of EU citizens' personal data, not only to the US but outside the EU in general. All thanks to an Austrian activist who has for years disliked what Facebook does with his and your personal data, and to the judgment of the EU Court of Justice (CJEU) issued on 16 July 2020 in case C-311/18. Now, what does this judgment actually mean in practice?
THE PRIVACY SHIELD INVALIDATED: THIS IS FACEBOOK’S “FAULT”
To begin with, the CJEU judgment is the result of a dispute between Facebook and an Austrian activist fighting for the protection of EU citizens' personal data, Maximilian Schrems.
Maximilian particularly dislikes Facebook's policy in this regard, and it is safe to say that he has been arguing with the American giant for years now.
On June 25, 2013 (seven years ago), our brave activist demanded that the Irish data protection authority prohibit Facebook Ireland from transferring his personal data to the US. I wrote about how Facebook works in Europe in my post about how, after installing just one small Facebook plugin, you can become an inadvertent co-controller of your website visitors' personal data.
In any case, the personal data of European Facebook users is transferred, in whole or in part, to the servers of Facebook, Inc., located in the United States of America.
According to Mr. Schrems, US law and practice do not provide sufficient protection for his personal data against activities carried out by US public authorities. In case C-311/18, the CJEU shared Mr. Schrems' opinion and invalidated the EU Commission's decision on the US Privacy Shield.
The verdict is 78 pages long. It is available in all official EU languages and I do recommend you read it yourself, although it is not exactly light reading.
In addition, the position and guidelines on this judgment issued by the European Data Protection Board (EDPB) are also very important.
So what, then, is the Privacy Shield?
WHAT IS THE PRIVACY SHIELD?
The Privacy Shield is an agreement between the European Union and the United States. In it, both parties specified the conditions that US companies and other economic operators had to meet in order to be allowed to process EU citizens' personal data. However, the whole Privacy Shield framework was based on self-certification. That is, a US company simply notified the relevant US public administration body (the US Department of Commerce) that it met the data protection requirements of the EU-US Privacy Shield agreement.
And that’s it.
The Privacy Shield agreement was approved by the EU Commission in Commission Implementing Decision (EU) 2016/1250.
The idea of the Privacy Shield was that these self-certified US data operators would provide "adequate" protection for EU citizens' personal data once it was transmitted to the US. "Adequate" here is a legal term of art: it means a level of protection essentially equivalent to that guaranteed within the EU, not merely a reasonable effort.
THE PRIVACY SHIELD INVALIDATED: WHAT EXACTLY DO US AUTHORITIES HAVE ACCESS TO?
Unfortunately, according to the CJEU, self-certification of US companies under the Privacy Shield programme does not guarantee adequate protection of EU citizens' personal data.
In a nutshell, once personal data is transferred to the US, it is subject to US law from then on, and these laws, according to the EU Court, do not guarantee adequate protection of EU citizens' personal data.
The Privacy Shield agreement itself states that compliance with the data protection principles may be limited "to the extent necessary to meet national security, public interest, or law enforcement requirements".
After examining the current US legislation in this regard (in particular the surveillance programmes based on Section 702 of FISA and on Executive Order 12333), the CJEU concluded that US public authorities have too great a possibility to access and process EU citizens' personal data once it has been transferred to the US, that this access is not limited to what is strictly necessary, and that EU citizens have no effective judicial remedy against it; the Privacy Shield Ombudsperson does not change that. Therefore, the requirements set out in Article 45 of the GDPR are not met, and the Privacy Shield programme does not guarantee personal data transferred from the EU to the US a level of protection essentially equivalent to the one it enjoys in the EU.
In this case, invalidating the Privacy Shield was the only logical outcome.
This means that it no longer matters whether an American company is in the Privacy Shield programme; such certification is legally irrelevant at the moment. Privacy Shield self-certification is no longer sufficient for a transfer of EU citizens' personal data to the US to be considered lawful under EU law.
THE CJEU JUDGEMENT ON HAVING THE PRIVACY SHIELD INVALIDATED HAS BROADER CONSEQUENCES
The judgment in case C-311/18 has consequences not only for the transfer of EU citizens' personal data to the United States. More generally, the Court set out the minimum principles that must be satisfied before one can speak of a lawful transfer of personal data from the EU to a country outside the Union.
Most importantly, under the rules stated by the Court, even the EU-approved Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs) do not, by themselves, protect data exporters and importers from breaching the GDPR. The exporter must verify, case by case, that the law and practice of the destination country do not prevent the importer from honouring those clauses, and must suspend the transfer if that protection cannot be ensured.
Which raises a question: what to do now?
I shall get back to this in my next post.