Dapro Technologies – July 2020
Privacy Shield is Invalidated, What Now?
In a far-reaching decision for GDPR, the European Court of Justice today struck down the EU-US Privacy Shield (Case C-311/18, commonly referred to as Schrems II). An abbreviated text of the decision was circulated on Twitter (p3), while the official text published on curia.europa.eu addresses Privacy Shield from paragraph 163 onwards.
To summarize the key points: in the view of the European Court of Justice, the legal basis under which US law enforcement and intelligence agencies gather information on data subjects is too broad and is not limited to what is strictly necessary. The full text on the curia site specifically cites the PRISM and UPSTREAM mass surveillance programmes as examples of collection that goes too far.
The ruling essentially disputes the proportionality of this type of collection of personal data, particularly where non-US persons are concerned. It also highlights the lack of judicial redress for EU citizens; in other words, what complaint mechanism exists if I object to how my personal data is being used?
Privacy Shield introduced the role of an Ombudsman based in the US, a role the State Department website describes as
“a position dedicated to facilitating the processing of requests from EU and Swiss individuals relating to national security access to data transmitted from the European Union or Switzerland to the United States”
In today’s ruling, the ECJ calls the Ombudsman’s authority into question. Specifically, the Ombudsman can neither guarantee independence from the executive nor issue decisions that are legally binding on the intelligence agencies. This is in contrast to EU citizens, who are afforded legally binding protection by their national data protection authority and/or the ECJ when their rights have been shown to be violated by state surveillance agencies.
So what does Max Schrems make of the judgment? Unsurprisingly, he was critical of the establishment and issued the following statement via his organisation’s website, noyb.eu:
“I am very happy about the judgment. It seems the Court has followed us in all aspects. This is a total blow to the Irish DPC and Facebook. It is clear that the US will have to seriously change their surveillance laws, if US companies want to continue to play a major role on the EU market.”…
“The Court clarified for a second time now that there is a clash between EU privacy law and US surveillance law. As the EU will not change its fundamental rights to please the NSA, the only way to overcome this clash is for the US to introduce solid privacy rights for all people – including foreigners. Surveillance reform thereby becomes crucial for the business interests of Silicon Valley”
He goes on to criticize the Irish DPC for what he sees as unnecessary delays and a failure to enforce the standard contractual clauses (SCCs). Understandably he feels vindicated, although it might be a bit early for a victory lap, as we have yet to see what changes come of it all and, in particular, how the social media giants will respond.
What does this all mean?
The good news first: standard contractual clauses (SCCs) and binding corporate rules (BCRs) remain available for third-country transfers, so the world keeps spinning for multinationals and their legal departments. There is a catch, though: the Court made clear that an SCC is only a contract between exporter and importer and cannot bind a third country’s authorities, so the exporter must assess, transfer by transfer, whether the law of the destination country allows the importer to actually honour the clauses, and must suspend the transfer if it does not. Now the bad news: Safe Harbor and now Privacy Shield have both been thrown under the bus, and it seems more unlikely than ever that data protection needs will outweigh US national security needs to the extent required for a successor to Privacy Shield to survive scrutiny. The two concepts, data privacy and mass surveillance, are diametrically opposed and will remain so.
The options facing the EU and US authorities now appear to be the following:
- A derogation for national intelligence agencies is put in place
- The US Ombudsman is given additional enforcement powers that satisfy the ECJ
- The affected data is not transferred to the US at all, or is transferred only minimally, and is instead processed within the region, much like a data center region for Amazon AWS, for example
- Or we remain in limbo until somebody budges and yields to the ECJ
In any scenario, trust is called into question again, and hence the working relationship between the US and the EU remains under pressure from activists. Both sides put effort into trying to make Privacy Shield a substantive framework, but the ghosts of Edward Snowden’s revelations and Cambridge Analytica are still haunting the data privacy house.
I suspect, though, that the impasse will be broken, but it is going to need stronger language than what is in place now.
Read our related article 10 Steps to designing the right data protection program