Privacy Shield, towards the ban on transfers to the United States?

What if Privacy Shield wasn't as unchangeable as one might think? This Privacy Shield, a transatlantic agreement that came into force on August 1, 2016, was intended to fill the legal limbo concerning the flow of personal data from European residents to the United States.

Remember...

Until 2015, Safe Harbor authorized transfers of personal data to the United States provided that they could benefit from an adequate level of protection.

”As long as no one says no to you, you can continue to use their data.”

It all starts with Max Schrems, an Austrian lawyer, who came to attend a conference given by a Facebook representative. During this conference, he realized the great freedom granted by the social network to the personal data of European residents.

The phrases”As long as no one says no to you, you can continue to use their data.” or “You can do what you want, nothing will ever happen to you” are undoubtedly two of those who motivated Max Schrems to file no less than 22 complaints against Facebook with the Irish Privacy Authority (Facebook's head office for European activities being in Dublin).

The case went all the way back to the Court of Justice of the European Union, which ruled, in 2015, the invalidity of the text on which Facebook was based to transfer Europeans' personal data to the United States: The Safe Harbor.

The lawyer has since been joined by several associations but his objective has remained the same: to stop the transfers of personal data of Europeans from Facebook to the US, as long as mass surveillance is routine on American soil.

Today, both the Privacy Shield (a transatlantic agreement that replaced the Safe Harbor) but also the Standard Contractual Clauses (SCCs), a legal alternative to justify transfers of personal data from Europeans to countries not members of the EU, are therefore being called into question.

Privacy Shield, guarantor of the protection of personal data or simply pass the law?

It is a self-certification mechanism for companies established in the United States. This mechanism has been recognized by the European Commission as offering an adequate level of protection for personal data from European residents to companies established in the US.

But what differences with Safe Harbor will you tell me? Great question!

The only significant difference with Safe Harbor is the creation of remedies for European citizens. They can now assert their rights and file a complaint either with the national supervisory authorities or directly with the companies themselves.

The Privacy Shield should then be the solid response to the abuses revealed in broad daylight by the action of Max Schrems.

However, and even the European Commission recognizes it, Privacy Shield does not prevent abusive measures such as mass surveillance. This is the reason why many actors oppose the maintenance of the Shield. Among them, the Quadrature du Net.

In the process for many years, the association is not giving up: the Privacy Shield is not a Shield, and the level of protection for American companies is not “adequate” to that required by the EU. And for good reason, to have this agreement invalidated would be for her.”a way to reinforce European case law opposing mass surveillance.”

The hearing originally scheduled for July 2 has been postponed, as the Court of Justice of the European Union decided to first open the so-called “SCHREMS II” case before examining this case. Since the two cases were linked, it was preferable for the Court not to conduct the two cases jointly.

Is “Shrems II” coming back?

While Privacy Shield may be unsatisfactory in many respects, there are alternative solutions for authorizing cross-border flows: Standard Contractual Clauses (SCCs), Binding Corporate Rules (BCR), or even binding corporate rules (BCR), or even binding corporate rules.

(See Patrick Tiev's video on the subject).

The Irish Data Protection Authority (the DCP), following complaints from Max Schrems, is questioning one of these alternative solutions: CCTs.

For Schrems, instead of ordering Facebook to stop the transfers of Europeans' personal data, the Irish authority turned to the CJEU to invalidate the entire system. For Max Schrems it's like “call the European firefighters for help, because you don't know how to blow out a candle yourself.“

Thus, on 9 July, a hearing on the case now called “Schrems II” (case C-311/18) took place at the Court of Justice of the European Union (CJEU) in Luxembourg.

The final judgment of the CJEU is not expected before the start of this year 2020.

However, the Advocate General delivered a favourable opinion on the CLA procedure on 19 December last.

Max Schrems agreed with this opinion. According to him, it is necessary for the Irish supervisory authority to “do its job” with respect to Facebook without calling into question the entire legal system set up for the transfer of personal data.

“No foreign customer will trust American industry if there is no strong privacy protection in the United States.”

For the time being, these mechanisms remain valid, but be careful to anticipate these court decisions which could cause some syncopation on the part of your legal department if you have transfers of personal data to the United States, by determining whether other data transfer mechanisms are available. Simply put, more and more French companies are turning to European solutions, to avoid flawed legal frameworks to adequately protect EU-US personal data flows.

Schrems' mindset at this point in the fight for privacy says a lot:”In the long run, I hope that the American legislator realizes that no foreign customer will trust the American industry if there is no solid privacy protection in the United States. You can't say “trust us with all of your data,” but you actually have no rights ”

While waiting for the final verdict of the Schrems II case and the hearing of La Quadrature du net expected at the beginning of 2020, Adequacy wishes you a very happy new year and will be at your side to face these crucial challenges!