Data sharing pact between the EU and the US has been invalidated by the European Court of Justice. The ruling was based on the inadequate protection of European citizens’ data under the Privacy Sheild data-sharing. This is a major blow to companies that rely on data transfer between the EU-US.
Why was the Privacy Sheild data-sharing pact invalidated?
In the past few years, the European Commission has worked towards protecting the privacy and data of European Citizens. They introduced the General Data Protection Regulation GDPR mid-2018, which promised heavy fines against all who violate the privacy and security standards laid out by the regulation. On the other hand, the EU-US Privacy Shield was put into effect 2 years earlier in 2016 and was introduced as an improvement to the previous Safe Harbor Decisions. Today, The European Commission has invalidated the pact. It ruled that there was no guarantee that people’s data were protected to the same standard in the US as in the EU.
Short History Recap on Data
- 1960s – US Government creates a centralized database of citizen’s information
- 1991 – Previously a military project – the internet now goes public
- 1995 – Companies like Amazon and eBay launch – some call it the start of the dot com bubble
- 2000s – The Patriot Act is passed to broaden the surveillance power of the NSA (National Security Agency) post 9/11. Google Adwords launches. Safe Harbour Privacy Principles put in effect (an agreement that allowed Data sharing between the EU-US for companies that complied).
- 2004 – Facebook launches out of Harvard, and triggers quickly privacy violations.
- 2010 – Instagram Launches
- 2013 – Edward Snowdon exposes the extent of US surveillance activities and Lawyer and activist Max Schrems files a data complaint against Facebook.
- 2015 – Safe Harbor Agreement Invalid
- 2016 – EU-US Privacy Shield replaces the Safe Harbor Agreement
- 2018 – General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA)
- 2020 – EU-US Privacy Shield invalidated
How are Data and Big Data companies effected?
When the terms data transfer and sharing are used, it does not mean sending an email, or booking a hotel room in the US while you’re still in the EU. Here we are talking about mostly big Data, processing, and storing. There are many companies that transfer their data to the US for processing (mostly to reduce costs or ease of management). Most of these will now have to rely on regional solution providers, i.e. process European data within the EU.
However, there is always something between the lines. Large companies like Facebook, process data in the US using Standard Contractual Clauses (SCCs). This mechanism has not been invalidated, as long as it upholds the same standard outline in the GDPR. Hence companies that previously relied on the Privacy Shelied can still operate as long as they switch to the SCCs.
The Court of Justice declared the Privacy Shield decision invalid, but also confirmed that the standard contractual clauses remain a valid tool for the transfer of personal data to processors established in third countriesVice-President Jourová
What this means for EU citizens
Under Article 49 of GDPR, Data can still be transferred to the US from the EU, as long as it fulfils the minimum requirements. You as a user can also give your consent to transfer your data, and can also withdraw this consent at any time.
Some might even call this a win for privacy rights, and data protection. As an EU citizen, you have the right that your data is processed fairly with your consent and for defined purposes. When an American company chooses to process your Data in the US, you risk that the US National Security Agency (NSA) will gain access to that data. Now the EU Commission has taken an extra step in ensuring your data rights.
- Read more about how your online privacy while browsing the internet here.
The data battle, if we can call it that, is far from over. Reforms will soon follow, and new issues will be set in focus; who controls the data, who owns them, and how to ensure they don’t fall in the hands of a third party.
Miklagard operates under the guidelines and regulations of the EU, where Data protection and privacy is important. If you want to learn more about this topic or require assistance leave a comment below, or simply contact us here.