The United States does not offer adequate protection for the personal data of European citizens that is transferred there; therefore the Privacy Shield, the agreement concluded in 2016 that allowed the transfer of data between Europe and the United States, is invalidated. This is, in summary, the content of the recent ruling of the Court of Justice of the European Union, which now risks adversely affecting companies that base a large part of their business on the management and transfer of user data.
The Court starts from the premise that, under the General Data Protection Regulation (GDPR), the transfer of data is allowed provided that the third country (outside the Union) ensures an adequate level of protection. According to the European Authority, that condition is not met in the case of the United States. The result is summarized in two lines:
Court declares Commission decision 2016/1250 on the adequacy of protection offered by the EU-US Privacy Shield regime invalid
The Court emphasizes that U.S. regulations that allow local authorities to access and use the transferred data do not meet the requirements of the GDPR. Under scrutiny are the surveillance programs legitimated by the United States authorities, for which there are no limits on authorization or specific guarantees for foreigners; the people subjected to these programs also have no specific rights that they can assert before a judge.
To put the story in context, it is useful to remember that transfers of European citizens' data overseas have been governed by two important agreements: the "Safe Harbor" and the "Privacy Shield". The latter replaced the former, which had been annulled in 2015 by another ruling of the European Court of Justice. Those were the years when the echo of the Edward Snowden case, which in 2013 unveiled the mass surveillance system created by the American National Security Agency, was still very much alive.
Europe's reversal stems from the case raised by Maximillian Schrems, an Austrian citizen residing in Austria who has been registered with Facebook since 2008. His data, like those of other European citizens, are transferred in whole or in part from Facebook Ireland to the Facebook servers located in the United States, where they are processed.
Under Safe Harbor, Schrems filed a first complaint with the Irish supervisory authority, asking it to ban these data transfers. The request is not accepted; in the meantime the Privacy Shield is approved, and the judges invite Schrems to resubmit the request and then bring the case to the attention of the European Court of Justice.
The ruling of the Court of Justice divides opinion in two. On the one hand, activists who fight for the protection of privacy, and who have long accused the United States of implementing surveillance programs that are inadmissible when applied to European citizens, rejoice.
On the other hand, there are companies that need to transfer European user data to the United States. Giants such as Apple, Facebook and Google had already moved to create datacenters in Europe after the cancellation of Safe Harbor, but the problem could arise for companies of more modest size, which could be forced to rethink their activities and bear the huge costs of building data processing infrastructure on our continent. Meanwhile, the United States expresses its disappointment through Secretary of Commerce Wilbur Ross, who hopes to limit the negative consequences for transatlantic economic relations by collaborating with the European authorities.
The Court of Justice has invalidated the Privacy Shield, but has confirmed the validity of alternative instruments, starting with the standard contractual clauses. These require both the data exporter and the data importer to adopt adequate protections for the data transmitted, and they impose a preliminary assessment of the level of protection offered by the third country (outside the Union). In theory, a company could legitimately continue to transfer user data to a third country under standard contractual clauses; in practice, however, at least for the moment, Europe believes that the US does not offer sufficient guarantees.