The EU’s highest court, the European Court of Justice (ECJ), has declared the EU-US Privacy Shield agreement invalid. This is a considerable development in the field of data privacy and will impact thousands of companies that participated in the arrangement. The Privacy Shield lets companies sign up to more detailed privacy protections before transferring EU citizens’ data to the US. The EU is governed by stricter privacy laws than the US, and EU citizens must have their data processed under the regulations of the GDPR no matter where in the world it is being processed.
The agreement was challenged by Austrian privacy expert Max Schrems, who argued that, despite the shield, the security laws in the US did not go far enough to protect EU citizens from government surveillance.
It is clear that the US will have to seriously change its surveillance laws if US companies want to continue to play a role in the EU market.
Schrems’s case was in part prompted by previous leaks on the extent of US surveillance from ex-CIA contractor Edward Snowden.
The EU-US Privacy Shield arrangement aided digital trade for over 5,000 companies. According to UCL, approximately 65% of them are small and medium-sized companies or startups.
Instead of the Shield, companies will now have to sign “standard contractual clauses”, already in use by large corporations such as Microsoft. Previously, organisations have been given a ‘grace period’ following major changes in data privacy.
The GDPR, which governs how EU citizens’ data must be processed, was introduced in May 2018 and has had a major impact on many companies worldwide.
The European Court of Justice said regarding the Shield:
“The requirements of US national security, public interest and law enforcement have primacy, thus condoning interference with the fundamental rights of persons whose data are transferred. The limitations on the protection of personal data arising from the domestic law of the United States… are not circumscribed in a way that satisfies requirements.”
Jonathan Kewley, a Head of Technology at law company Clifford Chance, added, “What we are seeing here looks suspiciously like a privacy trade war, where Europe is saying their data standards can be trusted but those in the US cannot”.
So what does this all mean for your business?
The ICO has released a statement saying they are reviewing their guidance in light of the case.
- In the meantime, you should continue using Privacy Shield if you already are, but you should not start using it if you haven’t yet.
- If you’re using alternative methods such as SCCs (Standard Contractual Clauses), then you should carry out a privacy audit to ensure you’re following the legislation.