The Court of Justice of the European Union “CJEU” on July 16 invalidated the EU–U.S. Privacy Shield. The use of data transfer methods, in particular between the European Union and the United States is questioned. In 2000, the EC put in place an adequacy mechanism known as the “Safe Harbour” for personal data transfers to […]
The Court of Justice of the European Union "CJEU" on July 16 invalidated the EU–U.S. Privacy Shield. The use of data transfer methods, in particular between the European Union and the United States is questioned. In 2000, the EC put in place an adequacy mechanism known as the “Safe Harbour” for personal data transfers to the U.S. It was invalidated by the CJEU in 2015 due in large part to U.S. surveillance practices that arose in the wake of 9/11. It was replaced in 2016 by the Privacy Shield, which aimed to address the concerns that the CJEU outlined in its Schrems I judgment. The Court also looked at SCCs. While the CJEU did not invalidate this mechanism, it did underline that it is up to the exporting and importing organizations to verify that the legal system of the country where the recipient organization resides provides sufficient safeguards.
Under Privacy Shield, U.S. companies guaranteed that they would meet seven principles when handling EU-governed personal data, which included:
Privacy Shield framework governing the transfer of personal data from Europe to the United States is no longer valid. This ruling is very similar to a ruling five years ago that similarly undid the predecessor to the Privacy Shield framework, the Safe Harbor. The thinking in both of these decisions (nicknamed Schrems I and Schrems II after the plaintiff) is that, because surveillance is such a consistent part of American life, and because the government has such easy access to data from large companies and their affiliates, the likelihood that European personal data would be protected and/or only utilized in ways that were understood was fairly low.
Although Privacy Shield was invalidated, SCCs are still permitted for the transfer of EU personal data outside of the EU. However, these clauses are merely a data transfer tool, so organizations must ensure, prior to any data transfers, that there is an adequate level of protection against U.S. government surveillance. The CJEU also emphasized three stakeholder obligations:
The first and most important thing to do is, if you were a company previously certified under Privacy Shield, to identify every contract and every relationship that involves the transfer of personal data from the European Union to the United States. If all the data that you’re transferring is transactional, for instance, and doesn’t touch on anything that could be considered personal data, Schrems II isn’t really going to have much of an effect on you. But most businesses do collect some form of personal data, even if it’s only the business address and contact information of their partners. In that case, once you’ve identified which relationships are a source of data from European citizens, you have to review your agreements and determine whether you want to continue to receive that data and, if so, how the SCCs could be implemented. Because many data relationships are bilateral both in benefit and cost, partners may be willing to work with you to rapidly ensure that no interruption in business occurs. But there will always be some instances where this opportunity for leverage to renegotiate a deal won’t be missed.
With FileCloud Online you have the option to host in secure, world-class data centers. Data storage is available in the region of your choice: US, EU, Canada, Australia, APAC, and SE Asia to meet data residency requirements. Also, with FileCloud On-Premise you can use your existing infrastructure to store and share data abiding by EU data protection laws.