Invalidation of the Privacy Shield for non-lawyers
Last July 16 the Court of Justice of the EU, adopted a decision that can have a very high impact on the day-to-day management of many businesses: the invalidation of the Privacy Shield.
In essence, this decision raises doubts on the use of platforms or technological tools that host personal data of Europeans in the United States. Let’s see why.
What is (or was) the Privacy Shield?
From the beginning of the development of the right to data protection in Europe (in the early 80s), a very Eurocentric view of the issue was imposed, which in summary implies that the transfer of data between EU countries did not represent a bigger problem, but on the contrary, when these data left the EU, additional requirements were required considering that the laws outside the EU in this area, did not meet European standards.
Thus, in the 1995 Directive (already repealed), a system was established so that countries outside the EU were “homologated” in order to transfer data there with the same guarantees. Here you have the list of countries that are considered suitable. Transferring data to countries on this list has the same requirements as transfers within the EU.
The United States entered the list but with one particularity: companies that wanted to host data from Europeans had to “enroll” in a protocol agreed between the US and the EU. This protocol was first called Safe Harbor, being canceled in 2015, and as of 2016, it receives the name, of the also canceled, Privacy Shield.
The reasons for both invalidations are essentially the same: it cannot be guaranteed that data from Europeans, once hosted in the US, will not be accessed by US investigative agencies without minimal guarantees. In both cases the decisions were the result of lawsuits against Facebook from an Austrian citizen named Max Schrems (@maxschrems).
Many companies, very large and widely used by very different profiles (from freelancers to large corporations), are registered in the Privacy Shield: Google, Mailchimp, Zoho … (here you have the complete list of companies). It is necessary to say that to be in the Privacy Shield it is enough with a process of self-certification of the company. Nobody verifies that they effectively comply with the protocol.
What does its cancellation imply?
Well, on July 16, 2020, the Court of Justice of the EU has invalidated the Privacy Shield (although the USA continues to consider it valid …) and this has direct effects on European companies that host data from third parties (customers, workers, leads, etc …) in one of the companies included in the list. Once the Privacy Shield is canceled, European companies must find one of the other options that the GDPR gives to transfer personal data outside the EU:
- In 2010 the EU published a standardized contract model for transferring data outside the EU. The judgment of July 16, considers that this model is still valid (although it is not adapted to the GDPR). Well, if we are a European company and we want to transfer data to a US company, we must verify that its terms of service include the terms of the standardized contract model.
- Another option is to ask for the consent of the data subject (data owner) to transfer your data outside the EU. To comply with the GDPR, this consent must be explicit. Beware of consents that are not 100% free, for example when the data is from workers.
We are facing a sentence of high impact and that can really affect many digital or traditional businesses with a high use of Information Technologies, so keep in mind the following recommendations:
- Have inventoried the applications you use where you host personal data (emails, names, phone numbers, work data, etc …).
- Find out the location of these applications (where they host the data).
- If they are in the EU, ok (note that this does not mean that you do not have to control their conditions of service to comply with the GDPR).
- If they are outside the EU, evaluate what allows the transfer of data to that country: list of “homologated” countries, EU standard contract or consent of the affected party.
- If they are in the US, as we have said, the options are limited to the EU standard contract or the consent of the affected party.
Any questions or comments, I will be happy to help you. Feel free to contact me.