Following a ruling by the EU Court of Justice (the "Schrems II" judgment of 16 July 2020), the EU-US ‘Privacy Shield’ has been declared invalid for not adequately protecting the personal data of EU citizens once transferred to the US.
This is the latest instalment in a longstanding legal dispute. In 2015 privacy activist Max Schrems lodged a complaint that Ireland’s Data Protection Commissioner was failing to stop Facebook from transferring his data to the US. The basis of Schrems’ argument was that once the data was in the US, it could no longer be protected by EU privacy rules, because there was no means of enforcing them there.
The ‘Privacy Shield’ was a set of data protection arrangements agreed between the EU and the US, intended to clarify these responsibilities and protect the data privacy rights of EU citizens. However, the court found that US surveillance law (in particular Section 702 of the Foreign Intelligence Surveillance Act and Executive Order 12333) allows US authorities to access transferred data in ways that are not limited to what is strictly necessary, and that EU citizens have no effective judicial recourse in the US to challenge that access. Because the Privacy Shield did not remedy this, it was found to fall short of the level of protection that EU data protection law requires.
Though this may be a big win for data privacy activists, its immediate effect may be limited, as Standard Contractual Clauses (SCCs) – model contract terms approved by the European Commission that companies incorporate into their contracts to govern EEA-US data flows – remain valid and can still be employed. The court did, however, add a caveat: the exporting organisation must assess, case by case, whether the laws of the destination country undermine the protection the clauses promise, and must add supplementary measures or suspend the transfer if they do.
As regulations continue to shift, it’s important to know that your organisation is on top of any changes needed to maintain compliance. CyDesk monitors not only your own compliance status but also that of your third-party ecosystem, automatically giving you the time and information needed to stay within the letter of the law.
Ultimately, GDPR and SCCs will continue to be relied upon to protect EU data for the foreseeable future. However, now that the Privacy Shield has been declared invalid, it is likely that a new overarching framework will have to be put in place for EU-US data flows.