On July 16th, 2020, the European Commission (EC) invalidated the data privacy shield (DPS). The DPS was a framework that allowed European data transfers to the US. The data privacy shield was meant to have additional privacy protection and to have limited US surveillance.
Moreover, a Data protection Ombudsman was assigned to make sure that the Privacy safeguards weren’t violated. It was later found that even though it’s the position of the Ombudsman to enforce the privacy safeguards, within the US system, he does not have the power to do so, consequently, rendering him useless.
Before the DPS, there was another framework that allowed the transfer of EU data, called safe harbor. The case of Max Schrems and Irish Data protection commissioner made the court of Justice of the EU (CJEU) question the adequacy and validity of the safe harbor agreement, and the role of the Privacy shield. GDPR, forbids transfers of EU data. However, the safe harbor and the DPS act as a middle ground to keep business operations afloat. There are more than 5000 US businesses that depend on transatlantic trade of data.
Why did the court invalidate the privacy shield?
The CJEU discovered that US violated the privacy standards set by the EU. Therefore, all EU data transfers to non-EU businesses were paused. They may only occur if appropriate safeguards and measures are in place, such safeguards are called standard contractual clauses. Companies must now verify on a case-by-case basis whether the recipient country has adequate privacy standards and measures in place. If one country does not meet the privacy standards set by the EU then all data transfers must stop.
Overall, this is a small victory for European residents and privacy activists. It means your data will remain on European servers unless the US government introduces stricter privacy laws. To whom do we owe such as a victory? To Max Schrems a law student who became a privacy activist. Max filed a lawsuit against Facebook Ireland & Google and the way they handle user data and force consumers to accept their data collection policies. The Schrems II decision is what made the CJEU invalidate the DPS.
What is going to happen next?
Nobody knows for sure, but what needs to happen is for the US to finally adopt stricter privacy regulations. Despite Snowden’s revelations, mass surveillance and data collection is still active. Seven years have passed but little has changed, the invalidation of the data privacy shield should be a wake-up call for the US. Facebook and other big tech companies continue to hide their data collection practices. The US must take an example from the EU and start enforcing more concrete privacy regulations.
The EU will probably create a 3rd framework like safe harbor and DPS to meet the US in the middle in the hope that the US adopts more strict privacy laws. Updates on this matter are slow as this takes time and a lot of negotiations. We will closely follow this topic and we will continue to update you as more details arise.
Privacy is a right, not a feature
Mailfence is a secure and private email-suite, based in Europe. At Mailfence, we firmly believe that “Privacy is a right, not a feature”. We do everything we can to protect and promote data privacy. That’s why we support GDPR, ePrivacy and other legislative efforts in this direction. We also support organizations like EDRI and EFF to contribute in their fight of data privacy.
Follow us on twitter/reddit and keep yourself posted at all times.