July 16, 2020. In 2016, the U.S. and the E.U. negotiated a “safe harbor” arrangement, called the EU-US Privacy Shield, to protect in the U.S. the personal data of E.U. consumers. The E.U. Commission decided that the Privacy Shield arrangement was sufficient, so that export of E.U. consumer data to U.S.-based servers met the requirements of E.U. data privacy law, the General Data Protection Regulation (GDPR). That decision, the Privacy Shield Decision, was challenged by an Austrian data privacy activist by means of a lawsuit against Facebook’s Irish affiliate.

The Court of Justice of the European Union (‘CJEU’) (the highest court in the EU) found that the Privacy Shield does not meet the GDPR requirements on the basis that U.S. companies may be required to permit the NSA and FBI to secretly monitor or access such data and that U.S. law “does not grant data subjects actionable rights before the courts against the US authorities. Therefore, the Privacy Shield Decision cannot ensure a level of protection essentially equivalent to… the GDPR.” The Court’s reasoning was that “the introduction of a Privacy Shield Ombudsperson [in the U.S. to monitor the authority of the U.S. to access E.U. data] cannot remedy the deficiencies which the Commission itself found in connection with the judicial protection of persons whose personal data is transferred to [the U.S.]”

This turmoil over U.S. data privacy law may require U.S. companies to sever customer data links between U.S. servers and E.U. customers, because the E.U. Commission has already determined that, absent the Privacy Shield arrangement, U.S. law does not comply with the GDPR. Many of those links have already been designed in based on the safe harbor, so this new ruling is potentially disruptive to cross-Atlantic trade. For this reason we expect the E.U. and U.S. trade regulators to step in quickly to attempt to negotiate around this ruling. But this may be difficult given that the Court’s decision relied on U.S. foreign intelligence activities that are authorized by statute and managed by secretive Executive branch agencies like the NSA.
#EU #Dataprivacy #safeharbor #Privacyshield #IPlaw