In July 2020, the European Court of Justice invalidated an exchange of the personal data between the European Union and the United States. The times of the Safe Harbor and the Privacy Shield are over. Now what?
This is the second time in almost 5 years that a European Commission decision concerning the United States is invalidated by the Court. In its judgement, the court confirmed the criticisms of the transatlantic privacy repeatedly expressed by the European Data Protection Supervisor and the European Data Protection Board.
Safe Harbor
The Safe Harbor Privacy Principles issued by the US Department of Commerce in July 2000 was the first framework for regulating transatlantic exchanges of personal data for commercial purposes between the European Union and the United States. Before personal data may be exported, the European entity must ensure that the receiving data controller provides adequate protection such data.
In October 2015, the European Court of Justice invalidated the Safe Harbor Privacy Principles:
legislation permitting the public authorities to have access on a generalized basis to the content of electronic communications must be regarded as compromising the essence of the fundamental right to respect for private life.
Privacy Shield
The Privacy Shield was the second framework for regulating transatlantic exchanges of personal data for commercial purposes between the European Union and the United States. Since August 2016, the framework amends the Safe Harbor aiming to enable US companies to receive personal data from European entities under EU privacy laws meant to protect European Union citizens.
In January 2017, US president signed the Enhancing Public Safety order which states that US privacy protections will not be extended beyond US citizens or residents. Thus, the US Privacy Act has violated the fundamental rights of the Europeans in the US.
In July 2020, the European Court of Justice invalidated the decision on the adequacy of the protection provided by the Privacy Shield:
limitations on the protection of personal data arising from the domestic law of the United States on the access and use by US public authorities are not circumscribed in a way that satisfies requirements that are essentially equivalent to those required under EU law, by the principle of proportionality, in so far as the surveillance programmes based on those provisions are not limited to what is strictly necessary.
Impact
In general, the personal data protection in the US must be equivalent to that guaranteed by the General Data Protection Regulation in the EU. Personal data is any information relating to an identifiable person, who can be identified by reference to location data or online identifier. Therefore,
- transatlantic companies in the US shall review and update Privacy Policies to add the relevant Standard Contractual Clauses as a transfer mechanism for personal data of Europeans. Processing of the personal data is lawful only if the person has given prior consent which is clear affirmative action.
- webmasters in the US shall review and update Consent Banners on the Web-sites according to the Guidelines 05/2020 on Consent under Regulation 2016/679 version 1.0. Correct and valid consent gives the data controller lawful right collect and process personal data from the EU.
- webmasters in the US shall disable tracking on the Web-sites without prior consent. Webmasters need this in order to make processing of the personal data lawful.
- companies in the EU shall assess and mitigate the risks processing personal data abroad. Domestic services and facilities shall take priority.
- webmasters in the EU shall review and minimize usage of external resources and services, involved in processing of the personal data. For now, continuous monitoring demonstrates that 71% of tracking traffic in the EU national domain zones is terminating in the US.
European supervisory authorities have the duty to diligently enforce the applicable data protection legislation and, where appropriate, to suspend or prohibit transfers of data to a third country. Segmentation process in Internet goes by.