Invalidation of the Privacy Shield for non-lawyers
On 16 July, the EU Court of Justice adopted a decision that could have a very significant impact on the everyday management of many businesses: the invalidation of the Privacy Shield.
In essence, this decision casts doubt on the use of platforms or technological tools that host the personal data of Europeans in the United States. Let’s see why.
What is (or was) the Privacy Shield?
When the right to data protection was implemented in Europe (in the early 80s), a very Eurocentric view of the issue prevailed. In short, transfers of data between EU countries did not pose a particular problem, but when data left the EU additional requirements applied, because the laws outside the EU in this field did not meet European standards.
Therefore, the 1995 Directive (already repealed) established a system under which countries outside the EU were “approved” so that data could be transferred to them with the same guarantees.
Here is the list of countries considered suitable. Transferring data to countries on this list has the same requirements as for transfers within the EU.
The United States entered the list but with one particularity: companies that wanted to host data from Europeans had to “enrol” into a protocol agreed between the US and the EU.
This protocol was first called Safe Harbor, which was cancelled in 2015; as of 2016 it was replaced by the Privacy Shield, which has now been cancelled as well.
The reasons for both invalidations are essentially the same: it cannot be guaranteed that data from Europeans, once hosted in the US, will not be accessed by US investigative agencies without minimum guarantees.
In both cases the decisions were the result of lawsuits against Facebook from an Austrian citizen named Max Schrems (@maxschrems).
Many companies, very large and used by very different profiles (from freelancers to large corporations), are registered in the Privacy Shield: Google, Mailchimp, Zoho, etc. (here is the full list of companies).
It must be said that, in order to be included in the Privacy Shield, all that is required of a company is a self-certification process. Nobody checks that it actually complies with the protocol.
What does its cancellation imply?
Well, on 16 July 2020, the EU Court of Justice invalidated the Privacy Shield (although the USA continues to consider it valid …), and this has direct effects on European companies that host data from third parties (customers, employees, leads, etc.) in the United States, a country that was on the list only by virtue of the Privacy Shield.
Once the Privacy Shield is cancelled, European companies must find one of the other options that the GDPR provides to transfer personal data outside the EU:
- In 2010 the EU published a standard contract model for transferring data outside the EU. The judgment of 16 July considers that this model is still valid (although it has not been adapted to the GDPR). So, a European company wanting to transfer data to a US company must verify that the US company’s terms of service include the terms of the standard contract model.
- Another option is to ask for the consent of the data subject (the data owner) to transfer their data outside the EU. To comply with the GDPR, this consent must be explicit. Beware of consent that is not entirely freely given, for example when the data belongs to employees.
Recommendations
We are facing a judgment with significant impact that could really affect many digital or traditional businesses that rely heavily on information technology, so bear in mind the following recommendations:
- Keep an inventory of the applications you use in which you host personal data (emails, names, phone numbers, work data, etc.).
- Find out the location of these applications (where they host the data).
- If they are in the EU, OK (note that this does not mean you are exempt from reviewing their terms of service to comply with the GDPR).
- If they are outside the EU, assess what is involved in the transfer of data to that country: list of “approved” countries, EU standard contract or consent of the data subject involved.
- If they are in the US, as we have said, the options are limited to the EU standard contract or the consent of the data subject involved.
If you have any questions or comments, I will be happy to help you. Feel free to contact me.