The European Union’s Data Protection Board has ordered data transfers between the EU and the US under the ‘Privacy Shield’ protocol to cease immediately after the instrument was found incompatible with EU law by a court.
In a landmark ruling last week, the EU Court of Justice ruled that an EU-US data flow agreement named ‘Privacy Shield’ is not private enough to pass muster with European law. The case was taken against Facebook by an Austrian activist after National Security Agency contractor Edward Snowden revealed that the US government was sifting through people’s online communications and data, including data transferred under ‘Privacy Shield’ and its predecessor, ‘Safe Harbor’.
Tech firms will have no grace period to switch their privacy protocols, and must comply immediately, the European Data Protection Board (EDPB) said in a statement on Friday. Furthermore, the onus is on these firms to ensure that whatever protocol they switch to is legally sound.
Two such protocols exist: Standard Contractual Clauses (SCCs) and Binding Corporate Rules (BCRs). However, not all variants of them are compliant with European privacy law, and companies using them must carry out a privacy assessment, and stop sending data if this assessment fails.
The EDPB stated that the US government’s data protection policies allow intelligence agencies and law enforcement to interfere “with the fundamental rights” of Europeans.
For US companies, it remains to be seen whether data transfers can be arranged under SCC and BCR rules. If not, Max Schrems, the activist who brought the case in the first place, said last week that “the US will have to seriously change their surveillance laws, if US companies want to continue to play a major role on the EU market.”