Europe’s highest court has banned the mass transfer of personal data of EU citizens to US companies, due to mass surveillance carried out by the US government. The court struck down an arrangement known as the EU-US Privacy Shield …
Europe has much tougher privacy standards than the US when it comes to processing personal data. One protection says that personal data may only be sent to a country outside the EU if arrangements are in place to ensure that GDPR-standard privacy protections will be applied within that country.
The EU-US Privacy Shield was an agreement designed to ensure that this requirement was met. It set out standards US companies agreed to follow, which EU companies believed would then allow them to legally send personal data to those companies. Literally thousands of companies have relied on the Privacy Shield to transfer data, including tech giants like Facebook.
However, the Court of Justice of the European Union has now ruled that the Privacy Shield does not offer sufficient protection. In particular, it says that mass data surveillance programs by the US government makes it impossible to guarantee the privacy of personal data processed and stored in the USA.
In the view of the Court, the limitations on the protection of personal data arising from the domestic law of the United States on the access and use by US public authorities of such data transferred from the European Union to that third country, which the Commission assessed in Decision 2016/1250, are not circumscribed in a way that satisfies requirements that are essentially equivalent to those required under EU law, by the principle of proportionality, in so far as the surveillance programmes based on those provisions are not limited to what is strictly necessary.
Yes, that was all one sentence … It went on:
On the basis of the findings made in that decision, the Court pointed out that, in respect of certain surveillance programmes, those provisions do not indicate any limitations on the power they confer to implement those programmes, or the existence of guarantees for potentially targeted non-US persons. The Court adds that, although those provisions lay down requirements with which the US authorities must comply when implementing the surveillance programmes in question, the provisions do not grant data subjects actionable rights before the courts against the US authorities.
In other words, even if US companies do everything they are supposed to, there is no way for them to prevent the US government accessing the data – and in that situation, EU citizens have no rights.
The ruling doesn’t prevent all transfer of personal data of EU citizens to the US. Companies are still allowed to do it more selectively, when they can show that this is necessary – for example to process a hotel booking in the US by an EU citizen. But it is no longer legal to transfer data en-masse for processing or storage.
The issue is a complex one. If you’d like to understand more about it, Wired has an excellent in-depth piece.
Image: Microsoft
FTC: We use income earning auto affiliate links. More.
Comments