The rocky road for sharing personal data between the European Union and the USA has suffered another blockage, although diversions are in place. Privacy Shield which was the agreement put in place to replace the discredited Safe Harbour scheme has itself been ruled invalid by the European Court of Justice. Privacy Shield was a framework for regulating transatlantic exchanges of personal data for commercial purposes between the European Union and the USA. At the current time the EU regards the USA again as a “non-adequate country” with no special arrangements for sharing personal data in place.
Future transfers of personal data, at least temporarily, between both parties requires organisations to agree standard Contractual Clauses with the organisations concerned taking responsibility that the data will be stored and treated to GDPR standards. Businesses will have to conduct legal assessments to ensure they can transfer data from the EU to the US and other countries. Organisations gearing up to replace Privacy Shield with Standard Contractual Clauses (SCCs) have "been told they can no longer rely on “tick-box” exercises to show they are compliant with EU data protection and human rights laws." 2
This 16 July ruling by the ECJ, known as the Shrems II Judgement, is one outcome of a long running battle between the Austrian lawyer Maximillian Shrems and Facebook Ireland involving the Irish Data Protection Agency. “As in the case of other users residing in the European Union, some or all of Mr Schrems’s personal data is transferred by Facebook Ireland to servers belonging to Facebook Inc. that are located in the United States, where it undergoes processing. MrSchrems lodged a complaint with the Irish supervisory authority seeking, in essence, to prohibit those transfers.“1
The original Shrems I judgement resulted in the Safe Harbour agreement being overturned in 2015 and the court has now found against it’s successor, not least as the GDPR is now in force and requires far reaching commitments from organisations before personal data trasnfer can take place.
The case is further complicated by the Irish Data Protection Agency requesting the ruling whether even SCCs are valid. “The ECJ has raised questions over the US Executive Order 12333, which has been used by the US National Security Agency as a legal basis for collecting data passing through the datacentres of big tech companies, including Google. It has raised further concerns about the US National Security Agency’s ability to extract emails and other private data by tapping underwater internet cables.” 2
Helen Dixon the Irish Data Commissioner has questioned whether data transfers from Europe to the US “under any mechanism” would comply with European human rights law. This issue is not final yet by any means.
Read more about the ECJ ruling at:
[1] https://curia.europa.eu/jcms/upload/docs/application/pdf/2020-07/cp200091en.pdf.