Oops! Privacy Shield, bye-bye
Antonio Ieranò
Security, Data Protection, Privacy. Comments are my own sole responsibility :-)
I was not in the mood to write again on GDPR; there are so many experts here that my voice would be useless (and I know my fellow accomplices of #quellidelfascicoloP would agree), but I could not refrain from this.
Max Schrems did it again, and Privacy Shield is gone like its predecessor (Safe Harbor).
This should not come as a surprise, well, at least not on this side of the pond. I understand the USA does not have a clue about what we're talking about; privacy is also a cultural matter and we have a profoundly different approach here, but my European fellows should not be surprised at all.
Basically, what happened is that the ECJ agreed with the basic principle that if the processor is in a country where European data will not be treated fairly, then it is neither safe nor sound to send data there.
But this was the main idea behind Privacy Shield: the USA has a privacy and data protection framework that is not aligned with European rights and laws, but, in order not to stop business, we Europeans accepted to jeopardize our rights with a framework that is far less effective and strict than what is imposed in Europe.
Mr. Schrems is not new to having a problem with this approach, and he moved from court to court up to the ECJ to force a ruling on the subject, as he did for the infamous Safe Harbor.
So we were all expecting this, and it should not come as a surprise. In the end, we should remember that in the USA, under several arbitrary conditions (such as an investigation initiated by the NSA), the authorities do not need a judge to come and look at data stored in the USA (they do not care even if the data are stored outside the country, but that is another story), they do not care whether those data relate to a European citizen, they do not feel any need to inform European authorities or European citizens, and, under their framework, they have no problem performing mass surveillance and data gathering (remember PRISM?).
That Privacy Shield was doomed as soon as this matter reached the ECJ was something many of us were expecting, but Privacy Shield is not the only way to allow data exchange between us and them.
There is also something called SCCs, Standard Contractual Clauses: a set of rules agreed between the parties that determines how to deal with data coming from the old world to the new one.
The European Court of Justice on this (Case C-311/18) told us those clauses are effective and valid, so only Privacy Shield has been struck down. But if we read things a little deeper and closer, we realize that the ECJ provides us with an interesting point of view on SCCs.
The European Court says (in paragraphs 134 & 135) that:
“[…] as the Advocate General stated in point 126 of his Opinion, the contractual mechanism provided for in Article 46(2)(c) of the GDPR is based on the responsibility of the controller or his or her subcontractor established in the European Union and, in the alternative, of the competent supervisory authority. It is, therefore, above all, for that controller or processor to verify, on a case-by-case basis and, where appropriate, in collaboration with the recipient of the data, whether the law of the third country of destination ensures adequate protection, under EU law, of personal data transferred pursuant to standard data protection clauses, by providing, where necessary, additional safeguards to those offered by those clauses.
Where the controller or a processor established in the European Union is not able to take adequate additional measures to guarantee such protection, the controller or processor or, failing that, the competent supervisory authority, are required to suspend or end the transfer of personal data to the third country concerned. That is the case, in particular, where the law of that third country imposes on the recipient of personal data from the European Union obligations which are contrary to those clauses and are, therefore, capable of impinging on the contractual guarantee of an adequate level of protection against access by the public authorities of that third country to that data.”
The upshot of this is that it is not enough to simply have SCCs in place: due diligence also has to be undertaken, and possibly additional protections added. That due diligence will need to be done not only on the other party to the agreement but also on the legal regime of the country where it is based.
Data protection authorities across the EU will also be expected to step up their enforcement of the data transfer requirements of GDPR, including looking at how organizations are using SCCs. This comes at a time when investigations in most EU countries are on the rise.
In one sense, because the European Court has ruled that SCCs are valid, it's business as usual concerning SCCs. However, as the European Court has indicated, even where a business relies on SCCs, additional data protection due diligence may still be required. Additionally, it is expected that under GDPR the European Commission will be revising the SCCs, so businesses may at some point in the future need to adapt or update their existing SCCs.
“It is, therefore, above all, for that controller or processor to verify, on a case-by-case basis and, where appropriate, in collaboration with the recipient of the data, whether the law of the third country of destination ensures adequate protection […]”
This means that even if the agreement between two parties relies on SCCs, that is not a free pass to heaven: the data controller is not released from his/her/its duty to verify that the data are processed fairly and correctly, and the legal framework of the country where the data are moved or stored has to be taken into account.
OK, OK, I'll stop.
ciao :-)
#quellidelfascicolop #vaccatadellasera #pensieriinlibertà #datasecurity #dataprivacy #deliridelvenerdì
SENIOR ICT CONSULTANT
Good grief! So now we can tell clients that they can't continue to use "free" US processors pretending nothing happened, as before?
40+ years in Information and IT Security & ISO compliance
The title is wrong. No "bye-bye" Privacy Shield. To say "bye-bye" to something or somebody, its/his existence is a prerequisite... Allen, ain't I "poetically correct"?