Privacy Shield inadequate for the protection of data transferred to the USA: what consequences for companies?
EU Regulation 679/2016, the "GDPR", applies only within the European Union. It does, however, contain specific provisions (in particular in Chapter V, Articles 44 et seq., GDPR) intended to ensure that the principles of personal data protection are respected even when data are transferred from the European Union to non-EU countries.
It is in this context that the Privacy Shield came into play: approved in 2016 by a decision of the European Commission, it was deemed an appropriate tool to guarantee an adequate level of protection for data transfers from the European Union to the United States.
On July 16, however, the Court of Justice invalidated that decision of the European Commission (Decision 2016/1250), finding the Privacy Shield mechanism inadequate to protect the privacy of European citizens' data.
We must therefore ask ourselves: what consequences does the declaration of invalidity of the Privacy Shield entail? And how can the transfer of data from the EU to the US be handled at present?
What was the Privacy Shield and how did it work?
The Privacy Shield provided for a self-certification mechanism to which US-based companies wishing to receive personal data from the European Union were subjected. In particular, through this system, US companies undertook to guarantee compliance with the principles in force in the EU and, of course, with the principles laid down by the GDPR, providing data subjects with adequate means of protection. Thus, many American companies (such as Google, Mailchimp, Facebook, Microsoft and many others) relied on the "EU-US shield" to receive personal data from the European Union.
If these principles were not respected, the company faced consequences such as removal from the list of certified companies (the "Privacy Shield List") and specific sanctions imposed by the Federal Trade Commission (the US federal trade authority).
It was, therefore, a system designed to ensure the protection of personal data originating in the European Union even in a country not covered by the GDPR, where data subjects are consequently not guaranteed the same rights.
With Decision 2016/1250, the European Commission found that the Privacy Shield offered an adequate level of protection for personal data transferred from the Union to a company established in the United States and registered on the Privacy Shield List by means of the self-certification described above. According to the European Commission, therefore, the Privacy Shield provided legal safeguards appropriate to the transfer of data to the USA.
The Judgment of the Court of Justice and the consequences of the declaration of invalidity
As anticipated, however, the Court of Justice of the European Union has determined that the system provided by the Privacy Shield is not suitable to ensure adequate protection of personal data transferred to the USA, for a number of reasons. In the first place, the Court observes, US law enshrines the primacy of certain public-interest requirements, relating for example to national security or law enforcement, which allow access to the personal data transferred to the USA with far fewer restrictions than are permitted in Europe. This is in itself substantially incompatible with the principles of proportionality and necessity laid down by the GDPR, according to which the data used must be limited to those strictly necessary in relation to the objectives pursued, and the processing may be considered lawful only when it is the only reasonable means of achieving that purpose.
In the second place, according to the Court, such a system does not ensure adequate judicial protection for data subjects, who would not have the appropriate tools available to defend their rights.
The impact of this ruling is, obviously, strong and far from negligible.
In fact, all companies residing in the USA that based the legitimacy of their transfers of personal data on the Privacy Shield will now have to review their internal policy on the processing of data from the European Union and establish the lawfulness of the transfer on another of the legal bases provided for by Chapter V of the GDPR.
Absent such an adjustment, the processing activity will be considered unlawful.
The legal bases for the transfer of data to countries outside the EU
The Privacy Shield was not, however, the only way to make lawful the transfer of personal data from the EU to the United States. In this regard, it is necessary to bear in mind the whole of Chapter V of the GDPR, which regulates transfers of data to "third countries", i.e. all states outside the EU to which the GDPR does not apply. In particular, Article 44 GDPR provides that any transfer of personal data to a third country or an international organisation may take place only if at least one of the conditions set out in Article 45 and the following articles is met, namely:
In the presence of an adequacy decision by the European Commission. In particular, according to Article 45 GDPR, the transfer is allowed "if the Commission has decided that the third country ensures an adequate level of protection". This was the case of the Privacy Shield, which, as seen earlier, the European Commission had found, with Decision 2016/1250, to be appropriate to ensure an adequate level of protection.
Where the third country has provided appropriate safeguards, but only on condition that data subjects have enforceable rights and effective legal remedies (Article 46 GDPR). In this regard, the so-called Standard Contractual Clauses (SCCs) adopted by the European Commission constitute "appropriate safeguards" and are therefore suitable to ensure the lawfulness of the transfer; their aim is to bind the party to which the data are transferred to adopt appropriate safeguards for the data that are the subject of the transfer. It should be noted that the European Commission's decision on Standard Contractual Clauses was also brought before the Court of Justice, which, however, did not invalidate it. Therefore, they may still constitute an appropriate legal basis for the transfer.
In the presence of binding corporate rules, i.e. clauses that set out the principles and rules of conduct to be observed between companies belonging to the same corporate group (Binding Corporate Rules) with offices both in Europe and elsewhere.
In addition to the cases mentioned above, Article 49 GDPR also provides residual cases in which the data transfer may nonetheless be considered lawful. In particular, reference is made to the case where the data subject has given free and explicit consent. In this case, however, for the consent to be valid, the data subject must be properly informed in advance of the risks of the transfer and of the absence of guarantees that the rights recognised by the GDPR will be observed.
Operational solutions in the current situation
As we have seen, the scope of the Court of Justice's judgment is very wide, as it involves a large number of American companies that originally based data transfers from the EU on the Privacy Shield. In view of this, the competent authorities must grant the companies involved a reasonable period of time to regularise their position.
In the meantime, all Italian and European companies that relied on the Privacy Shield to ensure the lawfulness of data transfers to the USA will have to face the consequences of that decision.
In this regard, the first step will be to evaluate the service providers in use that act as data processors under Article 28 GDPR, in order to verify whether they carry out transfers of data to the United States on the basis of the Privacy Shield.
If so, it is also important to check whether such transfers can be based on other tools, such as standard contractual clauses or binding corporate rules. In their absence, it will be necessary to put in place an additional safeguard, possibly also one of those provided for in Article 49 GDPR.