Thursday, July 16, 2020

Privacy Shield No More

Under EU privacy law, personal data may only be transferred to a third country that ensures an adequate level of data protection. By mid-2020, the European Commission's adequacy decisions covered only Andorra, Argentina, Canada (for commercial organizations), the Faroe Islands, Guernsey, Israel, the Isle of Man, Jersey, Japan, New Zealand, Switzerland, and Uruguay. Recipients in countries without an adequacy decision must ensure that the data is sufficiently protected in other ways. The U.S. as a whole has never been deemed adequate. However, U.S. organizations were able to address this by self-certifying under the EU-U.S. and Swiss-U.S. Privacy Shield frameworks, which were designed by the European Commission, the Swiss Federal Administration, and the U.S. Department of Commerce. If an organization self-certified under the Privacy Shield and remained in compliance with its data protection requirements, it was deemed to provide adequate protection and could receive personal data from the EU and Switzerland. More than 5,000 U.S. organizations relied on the Privacy Shield to legitimize their international data transfers.

The Privacy Shield was heavily criticized by privacy advocates and groups for failing to protect personal data against collection and use for national security purposes and against surveillance in the U.S., a concern that has been heightened since whistleblower Edward Snowden's revelations about the extent of the NSA's collection and use of personal information. As of this morning, the EU-U.S. Privacy Shield is no longer a valid legal basis for transferring personal data. The Court of Justice of the European Union struck down the transfer mechanism in Data Protection Commissioner v. Facebook Ireland and Maximillian Schrems ("Schrems II"). The case stems from the long-running campaign by Max Schrems, a well-known Austrian data privacy advocate, against Facebook over its handling of users' personal data. The Court stated, "The limitations on the protection of personal data arising from the domestic law of the United States on the access and use by U.S. public authorities...are not circumscribed in a way that satisfies requirements that are essentially equivalent to those required under EU law."

Organizations in the U.S. that previously relied on the Privacy Shield will now need to turn to other transfer mechanisms to remain in compliance with the GDPR, such as the standard contractual clauses (SCCs) issued by the European Commission. Note that the Court upheld the SCCs themselves but made clear that they are not a rubber stamp: the data exporter and importer must assess whether the law of the destination country (for the U.S., the same surveillance laws that sank the Privacy Shield) allows the clauses to be honored in practice, and must suspend the transfer if it does not. Based on what we know now, there is no grace period to make this transition.
