The end of the Privacy Shield: thousands of companies will have to reinvent the approach European-US on data privacy matters

SÉRVULO PUBLICATIONS 17 Jul 2020

This Thursday, the European Court of Justice (“ECJ”) ruled on Decision 2016/1250  concerning the protection provided by the EU-US agreement for the transfer of personal data considering it to be invalid in a decision handed down in the case brought by the Austrian Maximiliam Schrems as a user from Facebook.

The transfer of personal data between Europe and the United States has taken a difficult path over the years. While European data protection legislation has been standardized on the fundamental principles of data protection since 1995, with Directive 46/95 /EC and focused on protecting the European citizen's right to privacy as a fundamental right, US law is, in turn, dispersed in this matter, with deep divergences between federal states and a strong tendency towards protectionism of the technology sector.

This difference in perspectives has resulted, over the years, in a refusal by the European Union and to accept the United States as a country with an adequate level of protection in terms of personal data.

Furthermore, the value attributed to personal databases considered today more important than reserves of precious metals and one of the main assets of several economic groups, boosted the differences.

In this wake and seeking to find a bridge that makes data transfers between the two continents relatively efficient while also being guided by European legal principles and protection of the fundamental right to privacy, the United States and the European Union initially signed the Safe Harbor Agreement for data protection, basically allowing a mechanism in which North American companies could self-adhere to the European data protection principles, forcing themselves to comply with these same principles and thus enabling legal transfers from EU based controllers/ processors  and reception of  personal data from citizens of the EU Member States.

The Safe Harbor decision was ultimately invalidated in 2015 by the CJEU after a complaint lodged by an Irish citizen and based on the fact that the US federal investigating authorities can access personal data with barely no limits and companies are required to comply with federal law.

Europe and the United States were then dependent on (i) authorization from the personal data subjects or (ii) signature by the companies involved in the data transfer process, either as controllers or as processors of the set of model agreements approved by the European Commission and which allow compliance with European legislation on personal data.

The difficulty of practical execution and speed of world trade and technology changes, led to the search for a new agreement, and the Privacy Shield was born.

Since the beginning of its implementation, there have been several voices that indicated that the basic situation remained the same and that North American companies would always be subject to compliance with federal anti-terrorism legislation, the extent of which is very wide compared to what is allowed in European legislation, among other issues.

he ECJ has now considered that Privacy Shield does not guarantee an adequate level of protection, which invalidates all data transfers carried out under that agreement.

In limbo are around 5300 North American companies that had the Privacy Shield to legitimize the data transfers made with the European Union and will now have to fully review their policies on the level of personal data, seeking to sign agreements based on the EU model contractual clauses.

On the European side, the concern should focus on the economic groups that outsource most of their information technology and data hosting services and that may now be dealing with invalid contracts with many of these service providers, and should know proceed. It should be remembered that the fines under the GDPR are very heavy and that the situation today is much more difficult than that created with the end of the Safe Harbor under the then current Directive 95/46/EC.

Ana Rita Paínho | arp@servulo.com