On 16th July 2020, the Court of Justice of the European Union invalidated the “Privacy Shield” agreement in an important ruling.
Implemented in 2016, this text provided a framework for the exchange of personal data between Europe and the United States.
The reason for invalidation? The incompatibility between current US surveillance laws and European standards for personal data protection (GDPR).
This court decision will have an impact on players in the digital world.
A major decision for digital companies
On 16th July 2020, within the context of a 7-year dispute between Facebook and the Austrian lawyer and privacy activist, Max Schrems, the European judges decided to invalidate and thus cancel the Privacy Shield.
The “Privacy Shield” was an agreement put in place in 2016 that provided a framework for the transfer of personal data between EU member states and the United States of America. The “Privacy Shield” replaced the “Safe Harbor” framework, which was invalidated in 2015 for similar reasons.
US players in the digital industry (including GAFAM) relied on the Privacy Shield to process European residents’ personal data. Below, we will measure the impact of the European Court of Justice’s decision.
Why put an end to the “Privacy Shield”?
The “Privacy Shield” agreement has drawn criticism from privacy associations and several European ICOs ever since it was created. Why? According to those opposing it, the Privacy Shield does not provide sufficient guarantees for the privacy of European residents.
There is no equivalent in the United States to the European standards of data protection (GDPR). US surveillance laws grant public authorities and other independent agencies significant surveillance powers. One example is the Electronic Communications Privacy Act, which grants the NSA the power to intrude into the private lives of Americans.
The European Court of Justice ruled that US surveillance laws were incompatible with the data protection standards imposed by the European GDPR.
How this decision impacts the digital ecosystem
Does the end of the Privacy Shield mean that European residents’ personal data can no longer be stored and processed on servers in the United States?
A legal mechanism exists for data exchange between European and US companies: the so-called “Standard Contractual Clauses”. These are contracts that enable two companies to exchange personal data provided that the laws of the country receiving the data guarantee the same level of protection. But in light of the CJEU’s decision, these mechanisms will not be applicable much longer between European and US companies.
Although it is difficult to imagine the end of personal data exchange between the USA and Europe, it is fair to say that the CJEU’s decision reinforces the protection of privacy and personal data in Europe.
MyFeelBack servers are hosted in Europe, so they are not affected by the Privacy Shield
While waiting for a change in US law, and in the event of invalidated standard contractual clauses, US digital companies will have to choose between two costly solutions:
- Repatriating personal data relating to European residents to Europe.
- Doing nothing and risking the sanctions in place for non-compliance with the GDPR. These sanctions can reach up to 20 million euros or 4% of annual worldwide turnover, so they are particularly dissuasive.
At MyFeelBack, we are not faced with this dilemma because all our servers are based in Europe. We offer a 100% GDPR-compliant solution.