In July 2020, in a decision as controversial as it was surprising, the Court of Justice of the European Union invalidated a key agreement with the United States called Privacy Shield. This agreement allowed members of the European Union, among other things, the transfer of personal data of users to thousands of US companies.
This decision generated a series of uncertainties regarding the treatment –and of course, the protection– of data between Europe and America protected by Privacy Shield, particularly for companies that deal with user information from the European Union. Furthermore, the protection that these users already enjoy thanks to the GDPR pressures US legislators to comply with those regulations. This in order to ensure the protection of privacy in cases where the now contested rule was appropriate.
To analyze and clearly visualize the dispute, it is necessary to recount how the legislation that regulates American organizations with users in the European Union came to be, and why it is being disputed.
GDPR And The European Union
Since May 25, 2018 the General Data Protection Regulation of the European Union was in effect. Although in the eyes of the consumer the change could be imperceptible, the way in which the web is designed, and how the personal data of the users was being treated, changed forever.
In short, the GDPR came to overwrite the legislation on personal data in all member states of the European Union with the highest privacy standard that has ever existed. A series of rights in favor of users were enshrined and deepened, such as those of access, rectification, and elimination of personal data from any registry where they are found. In addition, the GDPR deepens the transparency and information with which the user must be informed about data being collected, and also as how, for what, and where it is being sent.
In addition to the transparency and rights standard established by the GDPR, perhaps the most novel and relevant aspect is that the mandatory nature of its regulations extends not only to the member states of the European Union, but also to all those who receive personal data from organizations or companies that are within the European Union. Thus, these international transfers must be authorized through the so-called "adequacy decisions" of the European Commission. This decision does not seek to declare that the legislation of the recipient country is the same as the European regulation, but is in practical terms substantially equivalent, so that the essential basic requirements can be met.
The EU-US Privacy Shield Framework
In the case of the United States, the current adequacy decision was the “Privacy Shield”, which in 2016 replaced the previous treaty in force, called "Safe Harbor". Through the Privacy Shield, companies that processed data received from the European Union could go through a certification process before arbitrators authorized by the Federal Trade Commission (FTC), which operated as a supervisory body in charge of supervising that these companies effectively processed said data. personal in the above manner.
In the event that they did not comply or a problem arose, the affected party could resort to one of the authorized arbitration bodies to resolve the dispute. That could eventually lead to the imposition of fines by the FTC to those companies that did not comply with the regulations.
The innovations of the Privacy Shield regarding Safe Harbor expanded the rights and guarantees of users in the treatment of their data in a way that is more in line with the new rights guaranteed by the GDPR. In addition, the figure of an "Ombudsperson" or "Ombudsman" was created to whom the protection authorities can make requests on behalf of European citizens regarding the surveillance that the United States could carry out for intelligence purposes.
In addition to this, the members of the Privacy Shield had to ensure that the contracts they entered into with third parties complied with the same principles and protections that they offered to their users. This with the aim of equalizing the protection or guarantee "reflects" or mirror that the GDPR requires regarding transfers to third parties.
In principle, these adequacy decisions are the best guarantee for making international transfers to the United States outside the European Union. However, it is only a presumption, since these decisions may be challenged by the European Court of Justice (CJEU) in the event that it is found that said state is not guaranteeing a sufficient level of security.
Privacy Protection Against the U.S. Government
In principle, these adequacy decisions seek companies and institutions of the European Union that they can transfer data with confidence to third parties in other States outside of it. Thus, for example, a company in France can safely host the data of its users on a server in the United States, since it can guarantee that this company gives its users guarantees equivalent to those they have within the European Union.
But these adequacy decisions are not just related to private organizations, but also against the acts of the States themselves, since it may be the State itself that decides to carry out surveillance of electronic communications for intelligence or national security purposes.
In these cases, it is required as a guarantee that this treatment by the State has a clear and precise legal basis (as to when and how it will interfere), that it is carried out in a proportionate way (that is necessary and seeking a legitimate objective), that said treatment is subject to independent supervision and, finally, that those affected with such treatment have access to effective actions to enforce their rights.
Breakthrough: Schrems II And Data Protection
As we said, these adequacy decisions can be challenged. That was precisely what happened in the so-called “Schrems II” case, whereby means of a challenge that privacy activist Max Schrems raised regarding the processing of personal data carried out by Facebook Ireland –mainly the transfer that Facebook makes to its simile in the United States– the adequacy decision regarding Privacy Shield was revoked, determining that it does not provide adequate guarantees to data protection.
What led to this? Mainly, the Court's decision is related to article 702 of the FISA law (Foreign Intelligence Surveillance Act). This article allows surveillance programs such as PRISM or UPSTREAM, through which the United States government can request information from users of social networks such as Facebook, whether they are American or European citizens.
Although these programs are not contrary to the GDPR, the protection mechanism for taxpayers in the face of such data requirements was found insufficient. The analysis carried out by the Court determined that a level of protection substantially equivalent to that which they would have within the European Union is not guaranteed, since said programs lack the necessary proportionality by not defining the scope or limitation in the exercise of such activities.
In addition, not all intelligence acts that allow the collection of personal data from the European Union may be subject to judicial remedies by those affected. In addition to this, many of these challenges would only be presented to the Ombudsperson –contemplated in the Privacy Shield– who, as an administrative authority, does not grant the same guarantees or have the same powers as a court of law.
The Consequences: Updating Data Protection Standards in the U.S.
In the long term, the decision must necessarily cause the United States to update its personaldata protection regime to current times. The opposite would imply putting more obstacles to the lucrative business of personal data on the Internet. According to figures from the FTC, the court's decision puts operations of up to $7 trillion at risk, a severe blow to technology economies around the world.
In the immediate term, given that from now on the Privacy Shield was invalidated as a sufficient guarantee, it is necessary for those who carry out transfers of personal data to third parties located in the United States to analyze the basis and conditions of said transfers, the type of data that is sent and the existence or not of complementary protection measures, such as anonymization or pseudonymization thereof. If from this analysis it is concluded that there are no adequate guarantees, the transfers may still be continued, but this decision must be notified to the corresponding control authority.
Although at first instance it would seem convenient to opt for Binding Corporate Rules, Data Protection Agreements, or the use of Standard Contractual Clauses, it should be in mind that these instruments, although formally maintain their value and have not been declared invalid by the ruling, are not totally sufficient. This occurs because US law will always have primacy over these agreements. In general, these instruments will serve to the extent that, based on the aforementioned analysis, it can be concluded that there are adequate guarantees for the protection of the personal data sent.
Finally, it should be taken in consideration that article 49 of the General Data Protection Regulation leaves open certain exceptions to maintain data transfers. Within the hypothesis of transfers between private parties, this will occur when the consent of the owner is obtained, if he has been informed of the possible risks of said transfers or in those cases in which the transfer is necessary for the execution of a contract between the owner of the data or in your interest.
In particular, when said transfers are occasional, limited to a group of interested parties and all the concurrent circumstances of said transfer and the interests of the owner have been analyzed, in such a way as to allow the conclusion that there are appropriate guarantees for the protection of said personal data.