The Court of Justice of the EU has just sounded the death knell for the Privacy Shield agreement which previously governed the exchange of transatlantic personal data, mainly from Europe to the United States.
Thunderbolt in Brussels. The European Court of Justice has just announced that the so-called Privacy Shield agreement between the EU and the United States is no longer valid. Validated on July 12, 2016 by the European Commission to ensure the protection of personal data and the security of industrial IoT equipment, this legal framework, which was a new version of Safe Harbor, governed the transfer of data between Europe and the United States. During the negotiation of the Privacy Shield, which notably allows companies like Apple, Google, Facebook or Microsoft to transfer the personal information of European citizens to the United States, the European Union required the United States to guarantee a right to privacy for foreigners' data processed on American soil. These transfers are prohibited by European privacy legislation unless the destination country ensures a level of privacy protection at least equal to that required by EU legislation under the GDPR.
The Privacy Shield was far from winning unanimous support, however. The European Parliament as a whole, the CNIL and several associations pointed to the shortcomings of this agreement, in particular regarding access by public authorities to data transferred to the United States. Indeed, according to national data protection authorities (such as the CNIL in France), the guarantees are not strict enough regarding the independence and powers of the American mediator (will he really be independent of the intelligence services?) and there is a lack of concrete assurances on the mass and systematic collection of personal data. Finally, on the commercial aspects, the associations regret the lack of specific rules on decisions based on automated processing of data and the absence of a general right of opposition.
Multiple remedies against the Privacy Shield
In its decision following the Facebook Ireland and Schrems appeal, the European Court stresses that “the general data protection regulations state that the transfer of such data to a third country can, in principle, only take place if the third country in question provides an adequate level of protection for these data. […] As for the requirement of judicial protection, the Court held that, contrary to what the Commission considered in Decision 2016/1250, the mediation mechanism referred to in this decision did not provide these persons with a remedy before a body offering guarantees substantially equivalent to those required in Union law, such as to ensure both the independence of the mediator provided for by this mechanism and the existence of standards empowering the said mediator to adopt binding decisions with regard to American intelligence. For all these reasons, the Court declares Decision 2016/1250 invalid”.
The European Commission will therefore have to renegotiate an agreement for transatlantic data exchange, ensuring that the rights of European citizens are respected, in particular within the framework of the GDPR. The latest decisions of the American government, and in particular the decree limiting the protection of the privacy of foreigners signed by Donald Trump, complicate the negotiations. The general surveillance of foreigners is therefore this time at the heart of the problem of data collected massively by the GAFAM and insidiously made available to the American authorities if they request it for national security reasons.