European personal data can no longer end up in the United States

European personal data can no longer end up in the United States

The EU Court of Justice has canceled the "Privacy Shield", ie agreements that allow European companies to transfer their users' personal data to servers in the United States.

The Facebook, Twitter and Google apps (photo by Volkan Furuncu / Anadolu Agency / Getty Images) In the days when there is a lot of talk about the attacks on TikTok for the potential sharing of data with China and digital sovereignty in view of national cloud and data management in Europe, the case of the European Court of Justice on the transfer of data between Europe and the United States reminds us that we are already experiencing those problems, the risks have been documented by Edward Snowden's leak and that a solution already exists.

Today the Court published its judgment on case C-311/16 - Facebook Ireland and Max Schrems, pro bono president of the noyb.eu association. In fact, the Court canceled the validity of the Privacy Shield, i.e. those agreements that allow European companies to transfer their users' data to servers in the United States. The Court recognizes that U.S. surveillance laws do not offer guarantees for citizens of other states: in fact, there are no legal mechanisms for approving data collection and tools to appeal.

The case in question focuses on the complex mechanisms that allow the exchange of data between European and US companies. When we use Facebook we interface with the Irish division, Facebook Ireland, which then shares the data with the US parent company. That data transfer is no longer valid.

And the same Court reiterated that the cancellation of the Privacy Shield “ is not susceptible of creating a legal vacuum ” for the transfer of data. In a broader perspective, this decision involves not only Facebook, but also companies like Google, Apple, Microsoft, and Twitter . In total, more than 5,000 companies in the us . All data transfers are deemed necessary—take for example the mail sent to persons located in the United States or to services that allow you to book air or hotel—remain valid. And the same is true for all the data transfers that are not considered to be personal data.

“ I Am very happy for this decision, ” said Schrems in a press release immediately after the sentence, “ At first glance the Court seems to have followed us in all aspects. This is a blow to the irish competent Authority and Facebook ”. And he added: “ it Is clear that the United States will need change seriously the laws of their surveillance if us companies want to continue to have a role in the market of the Eu ”.

BREAKING: The EU's Court of Justice has just invalidated the "Privacy Shield" data sharing system between the EU and the US, because of overreaching US surveillance. All details available here: https://t.co/xN4HKhZaBT #PRISM #FISA702 #Privacy #PrivacyShield #SCCs #GDPR #CJEU

— Max Schrems 🇪🇺🇦🇹 (@maxschrems) July 16, 2020



How we got here

In 2015 Schrems has won the victory on the so-called Safe Harbor , the system that guaranteed the possibility of exchanging data with the United States. In that occasion, the european Court of Justice has confirmed that the surveillance of mass implemented by the United States violates the fundamental rights of the european . Instead of the Safe Harbor was born on the Privacy Shield , a sort of updated version of the previous agreements.

In a decision on the Privacy Shield , the european Commission had argued that the laws on monitoring us were compatible with the rights provided for in Europe. Today the european Court of Justice has basically denied this fact. After that decision, Facebook had stated that, with regard to the transfer of data outside of Europe, does not refer to new born Privacy Shield but is based on the Standard contractual clauses (Scc): these are contracts that regulate the exchange of data between european companies and foreign companies, in which the latter undertake to ensure respect for the privacy of european citizens.

At that point Schrems asked the Authorities for data protection in ireland the application of article 4 of the Scc: it is a tool that allows the Authority to stop a targeted exchange of data if there are no adequate measures of protection for the rights of the parties. Surveillance laws in the United States had not changed. The Authorities, however, decided not to act, and indeed to sue Facebook and Schrems to the Irish High Court, which, in turn, has sent the case to the european Court. In December 2019, the advocate general of the Court published an advisory opinion is not binding, which, in large part, supported the positions of Schrems. Today came the final decision of the Court.

Surveillance made in the Usa

In the United States, as revealed by the documents published by Snowden, the national security Agency ( Nsa ) has access to the data of different companies , without any kind of guarantees for the foreign citizens (as with the projects Prism and Upstream ) .

The law, Fisa 702 , introduced in 2007, allows the Nsa to submit requests to the providers of services of electronic communication to obtain data of the users, it is a law already widely criticised, which has been shown to be difficult to monitor and that essentially runs the risk of offering a carte blanche to collect information related to the activity of intelligence abroad . A dedicated court deals with evaluating the requests, but these would not be for the individual case, but consent to the collection of data up to a maximum period of one year, to be renewed subsequently.

There are also two further references to the law, an executive order (Eo 12333) that gives almost carte blanche to the president of the United States on the collection of information relating to non-us citizens and a new kind of protection (PPD-28) introduced by Obama in 2014 but would still permit the indiscriminate collection of information ( bulk collection ) and does not include specific rights for those suspected, and is the victim of a data collection. Given these factors, Schrems, it is impossible to accept that there are adequate protections for the exchange of data, and therefore the Guarantor, the irish would have had to stop this activity.

A victory for personal data protection, but a crushing defeat for @EU_Commission over legality of data transfer scheme.

I call on the Commission to stop stubbornly ignoring the expert advice and repeated calls from @Europarl_EN on #PrivacyShield #SchremsII https://t.co/OZV9Xqoqjt

— Sophie in 't Veld (@SophieintVeld) July 16, 2020



What happens now

“ The Court has made it clear for the second time that there is a clash between the privacy laws of european and those on surveillance in the u.s., ” he reiterated Schrems. One of the myths to dispel is that this decision to block any type of data exchange between the two continents. Data related to logistics services, banking, airlines may continue to flow without problems. The same is true for all of the information that does not relate to personal data of european citizens.

To be clear, there is no risk of the closure of the streaming services and certainly will not be the death of the internet. It is rather the victory of an internet model that places the rights of the citizens in the first place with respect to surveillance, indiscriminate on the part of the state.

In the general Regulation for the protection of personal data (Gdpr) are already there are specific derogations that allow for the exchange of data , such as those provided for by article 49 . If a company prefers to transfer data to the United States to save or to comfort must rethink their approach. The surveillance becomes an economic cost and a risk for organizations .

in Addition, the Court has recognized the validity of the Scc but has made it clear that the authority for the protection of personal data have an obligation to act when they receive a complaint . In this case, therefore, should stop the transfer of data by Facebook. “ The Court is not only saying to the irish competent Authority to do its job after seven years of inaction, but also that the Dpa have the duty to act and can not simply look the other way, ” he stressed Schrems. And he added: “under Eu law, there must be a quick handling and free of the complaint of a citizen. However, in this case, we have been in court for 7 years with over 45,000 pages of documents produced. The myth according to which a law student can do it alone is, unfortunately, wrong. ”



The judgment of the Court is clearly an opportunity to bet again on the magnifying glass on the problems related to the surveillance of the United States. In this case, however, the Court gave a clear indication.

Eva Nagle, Associate General Counsel of Facebook, you know: “ we Welcome the decision of the Court of justice of the european Union to confirm the validity of the standard contractual clauses for the transfer of data to non-Eu countries. These clauses are used by Facebook and by thousands of companies in Europe and provide important safeguards to protect the data of Eu citizens. Like many companies, we are carefully evaluating the results and the implications of the decision of the Court of Justice in relation to the use of the Privacy Shield, and await with confidence a guide to legislation in this regard. We will make sure that our advertisers, customers and partners can continue to use the services of Facebook, keeping their data safe”.









Powered by Blogger.