Privacy-Shield framework: to do all over again
The Court of Justice of the EU calls into question the agreements between EU and USA on privacy, considering the guarantees offered to European citizens insufficient: a decision ripe with consequences on the use of public clouds
With judgement of 16 July 2020 in Case C-311/18 (Data Protection Commissioner v Facebook Ireland Ltd and Maximillian Schrems) the Court of Justice of the European Union invalidated the agreement between the UE and USA known as “Privacy-Shield Framework”, adopted in 2016, on account that it does not provide enough guarantees to European citizens against the US laws on surveillance and privacy.
The Court considered that the requirements of U.S. domestic law, and in particular certain programmes enabling access by U.S. public authorities to personal data transferred from the EU to the U.S. for national security purposes, result in limitations on the protection of personal data which are not in line with those in EU law, and that this legislation does not grant data subjects actionable rights before the courts against the U.S. authorities.
There is no grace period, meaning that all personal information transfers performed on the basis of this legal framework, and potentially others which are equivalent, are illegal. This won’t automatically invalidate all personal data transfers between the EU and USA, but it requires that those who transfer such data on a regular basis perform an assessment to understand if they offer enough guarantees.
The European Data Protection Board (EDPB) published a FAQ document to provide initial clarification and give preliminary guidance to stakeholders, which will be developed and complemented, along with further guidance, as the EDPB continues to assess the judgment of the Court.
This decision promises to have serious consequences on the use of GAFAM (Google, Amazon, Facebook, Apple, and Microsoft), platforms and particularly calls into question their indiscriminate usage by Public Administrations and in schools and universities, especially public ones. It is not the first time that the question is raised in Europe on where the data acquired by the “Big 5” go and how they are used. However, the fact that this time it is the Cour of Justice of the European Union to express these concerns makes much more urgent a debate on the real costs of the “free” platforms that everybody are using these days.
Much needs to be done to reverse the trend, but this judgement calls for re-thinking the tools we use, especially within the research and education community, in view of solutions that can ensure the privacy and protection of our data, but also our sovereignty on them, and the competences needed to manage them.
- European Data Protection Board website
- Schrems II: what’s new for EU-US data transfers? - on Connect
- Frequently Asked Questionson the judgment of the Court of Justice of the European Union in Case C-311/18 - pdf file