The EU’s Court of Justice has just invalidated the “Privacy Shield” data sharing system between the EU and the US, because of overreaching US surveillance. Privacy Shield ruled invalid after hearing.
News this morning from the European Court of Justice. The agreement between the EU and the US for data transfers, known as Privacy Shield, has now been ruled invalid. This followed a complaint by Austrian privacy activist Max Schrems against Facebook. His complaint was that Facebook was transferring his data from Ireland to the United States and processing the data there. Schrems argued that there were insufficient safeguards in place and today, the ECJ agreed.
What does this mean?
We will have to wait to fully understand the impact of this decision. Clearly, Facebook must stop the processing raised in the case but what does that mean for the rest of us? Privacy Shield was accepted by the EU because the United States offered an adequate level of data protection. What today tells us is that the EU no longer accepts this provision of Article 45, GDPR.
Normally we would look to our own regulator for guidance, but so far they have not issued anything concrete, only the following:
“The ICO is considering the judgment from the European Court of Justice in the Schrems II case and its impact on international data transfers, which are vital for the global economy.
“We stand ready to support UK organisations and will be working with UK Government and international agencies to ensure that global data flows may continue and that people’s personal data is protected.”
Quite what they will do next is anyone’s guess. It has long been felt by many commentators, including this one, that Privacy Shield was inadequate.
Clearly, we all need to think about where our data is stored and processed. Do you know where your data is? The common answer is "in the cloud". But where is your cloud?
Most businesses, particularly small ones, have no idea where their data is physically located. The cloud can literally mean anywhere. Most cloud service companies will generally move your data to a European server, but this may not be enough if it can be accessed by a third party from overseas.
Businesses should now think about what data should be transferred overseas and whether it is actually necessary. Data Flow maps and Data Asset Registers will need to be dusted off and amended to take into account the changes that will need to be made. If you need help with this you can contact us here or call us on 03333 22 1011.
We will need to wait and see what the fallout is from this but clearly the EU has decided that America isn’t adequate. It will need to prove itself to be so before simple transfers can take place again. Just when you thought 2020 couldn’t surprise you again, it just has.