Privacy Shield, where do we stand?

On July 16, 2020, the Court of Justice of the European Union (CJEU), in the ruling commonly referred to as "Schrems II", invalidated EU Commission Decision 2016/1250 on the adequacy of the protection provided by the EU-US Data Protection Shield, commonly known as Privacy Shield.

As mentioned in our previous article, in its decision, the CJEU affirmed the validity of the standard contractual protection clauses while invalidating the Safe Harbour scheme. The rationale for this invalidation is that surveillance programs based on US domestic regulations are not limited to what is strictly necessary.
The consequence of this decision is that transfers of personal data are now sanctionable if they are not carried out using the mechanisms provided for by the GDPR: the use of standard contractual clauses, an approved code of conduct, or a certification mechanism.

 

Security of personal data not guaranteed

In practice, and to this day, these mechanisms, even though they are legal and recognized as legitimate by the supervisory authorities, do not guarantee the security of European citizens' personal data, since the national security imperatives put forward by the United States to justify mass surveillance will not bend before personal data protection rules.

Thus, the responsibility for a data transfer to the United States is left in the hands of the European-based data controllers alone.

 

A new limited agreement

It would seem that a new agreement can do nothing to change the current insecurity of personal data transferred to the United States, except in appearance. This is what the European Commissioner for Justice, Didier Reynders, logically stated in September 2020: "There will be no quick fix [...] What we need are lasting solutions that ensure legal certainty, in full respect of the court ruling." The need he invoked is reinforced by the 110 complaints similar to the one that led to the invalidation of the Privacy Shield.

 

Towards stronger data protection

In mid-January 2021, the European Data Protection Board and the European Data Protection Supervisor issued a joint opinion on a revision of the standard contractual clauses to take into account the Schrems II judgment. This opinion calls for a strengthening of protections, while recognizing that shortcomings will inevitably remain concerning the surveillance carried out by third countries, including the United States, on data transiting their territories or via companies located there.

As for the European Commission, it has been engaged since the last quarter of 2020 in negotiations with the American authorities aimed at having them review the American surveillance program. The positive outcome of these talks is naturally more than uncertain.

The thunderclap of the Schrems II ruling should be seen as a useful event. Indeed, it highlights the real limits of the GDPR, to be set against its original claims. No bilateral agreement on personal data, and no protective measure taken by a data controller, will be able to guarantee that a state will not intrude, in the context of its intelligence activities, into a database or data flow containing personal data.

The exponential digitalization of data and the globalization of data transfers make it illusory to control their confidentiality. States have never before been able to access so easily such a mass of information on their citizens and on those of other countries; the GDPR will certainly not limit them in the optimized exploitation of this data, for whatever purposes they choose.