“Privacy Shield” for Europeans’ Data Use in US Dissolves
July 16, 2020
On July 16, 2020, the Court of Justice of the European Union ruled that the EU-U.S. Privacy Shield, the framework governing the protection of personal data transferred from the EU to the United States, was invalid. As a result, U.S. businesses can no longer rely on the Privacy Shield framework to legitimize their collection, use, retention and transfer of personally identifying information about EU residents and citizens.
The framework was meant to ensure that personal data was collected in a manner lawful under the GDPR and then protected from misuse and exploitation, while respecting the rights of the data subject, that is, the individual identified by the data.
For any business that relied on the Privacy Shield to validate its use of personal data under the GDPR, that shield has now dissolved, and a replacement transfer mechanism needs to be put in place rapidly. For all others, a prompt review of their policies is advised, to ensure that they comply with the guidance on “necessary” transfers and retention and, where viable, rest on Standard Contractual Clauses.
Part of the ruling invalidating the Privacy Shield turns on the Court of Justice’s judgment that FISA, the U.S. Foreign Intelligence Surveillance Act, is overbroad: it allows the federal government to access the data of persons who are not U.S. citizens, for law enforcement and national security purposes, without closely tailoring that collection to specific topics, individuals or issues. Congress may this autumn consider legislation to address some of the specific issues raised by the EU ruling. Until then, the concern voiced since at least 2017 that the U.S. National Security Agency can surveil EU residents and citizens regardless of whether they are suspected of connections to terrorism will remain, as the Court of Justice now views unlimited and unchecked surveillance of EU residents and citizens as violating the rights protected by EU law, including the GDPR.
As a result of this ruling, individual businesses cannot themselves claim reliance on or compliance with the Privacy Shield and the provisions it set forth, because the Court of Justice said the principal issue with the Privacy Shield stemmed from the “limitations on the protection of personal data arising from” FISA. The Court said those limitations were “not circumscribed in a way” that is “essentially equivalent to those required under EU law.” Because U.S. national security requests for data had “primacy” over European citizens’ “respect for private and family life, personal data protection and the right to effective judicial protection,” FISA “condoned” what the Court considered interference with EU citizens’ “fundamental” rights whenever their data was transferred into or moved through the United States.