Privacy Shield
The Court of Justice of the European Union recently delivered its judgment (Judgment of the Court of Justice in Case C-311/18) in the “Facebook and Schrems” case, by which Decision 2016/1250, otherwise known as Privacy Shield, was declared invalid.
What is the reason behind this and what does it mean?
When personal data is transferred outside the EU, the GDPR requires that certain mechanisms be in place. Those mechanisms may be transfers on the basis of an Adequacy Decision adopted by the European Commission, BCR (rules in compliance with the regulation, governed independently by a group) or standard contractual clauses, SCC (a set of rules stated and declared in advance by a Decision of the European Commission).
First and foremost, it is important to point out that there are prescribed exceptions for special situations in which a data transfer is possible even without the defined protection measures: for example, when the person has given consent to that kind of transfer, when the transfer is necessary for the performance of a contract concluded in the data subject's interest, when the transfer is necessary for the public interest, for the exercise of legal claims or to protect vital interests, or when the requirements for a transfer from publicly available records are fulfilled.
Specifically, this implies that the US company receiving data from EU citizens must guarantee that the data is used and handled in compliance with the GDPR.
However, we can discuss any of the above-mentioned mechanisms only when the basic principle of data transfer is complied with, that is, when the controller and the data processor, during but also after the data transfer, implement and operate in accordance with the GDPR.
What about the Privacy Shield?
Firstly, we need to understand what Privacy Shield is. It is an Adequacy Decision relating to the European-American system of privacy measures, which was adopted on the basis of that decision. In other words, it is a framework, a protective mechanism that safeguards the fundamental rights of everyone in the EU whose personal data is transferred to the USA for commercial purposes, and that provides legal clarity to companies that rely on transatlantic data transfers in their business activities.
For example, when someone shops on the internet or uses social media in the EU, their personal data may be collected by a branch or business partner of an American company and then transferred to the USA. For instance, a travel agency from the EU may send names, contact information and credit card numbers to a hotel in the USA which has been registered in the system of privacy measures.
Privacy Shield previously provided a very high level of protection that was entirely in compliance with Directive 95/46/EC, which was valid at the time. However, the GDPR introduced certain changes to all the rules valid up to then; in Article 44 it lays down a general principle for transfers of personal data to third countries, and it is not entirely in compliance with the Privacy Shield.

In his 2016 Opinion on the Adequacy Decision concerning the privacy protection framework between the EU and the USA, the European Data Protection Supervisor pointed out that adequacy does not require the US to adopt a legal framework identical to the one already existing in the EU, but that, in general, the “Privacy protection” measures and the American legal system should cover all the relevant elements of the European data protection framework. He also pointed out that the Privacy Shield proposal does not adequately include all appropriate protection measures for individuals' European rights to privacy and data protection, with regard to judicial protection. Four years later, Privacy Shield was declared invalid for the previously mentioned reasons pointed out by the European supervisor.
To put it simply, when it comes to a transfer on the basis of the Appropriation Act, as is the case with Privacy Shield, a supervisory body has a duty to suspend or disallow the data transfer to the third country if it assumes that the clauses on data protection measures are not applied or cannot be applied in that country, and that the protection of the transferred data required by the GDPR cannot be provided by any other means. Therefore, we may say that the Privacy Shield has been declared invalid because the USA does not ensure that bodies governed by public law apply the GDPR, and it does not provide judicial protection for European citizens in compliance with the GDPR.
Consequently, the validity of the Privacy Shield was called into question not because of the nature of the concluded clauses, but because of mechanisms that do not ensure the adequacy of the level of protection required by European Union law (GDPR), or the suspension or disallowance of transfers of personal data based on such clauses, or in case of a breach of those clauses or the inability to comply with them.
Ines Bolkovac, DPO