Europe finally stands up for privacy and rebukes US for its mass surveillance
US surveillance is in need of complete reform and until this happens there will be a massive opportunity for service providers in Europe
In a landmark ruling on 16th July the CJEU handed down a final ruling in a long-running case between privacy activist Max Schrems and Facebook – a ruling that has massive ramifications for us all.
Privacy Shield, the data sharing treaty between the EU and US, was overturned, and Standard Contractual Clauses (SCCs), the other main legal mechanism for transatlantic data sharing, had their use restricted. Key takeaways are:
1) Without Privacy Shield OR SCCs US telcos, cloud and social media firms no longer have any legal basis for EU/US data transfers
As all US IT firms (such as Microsoft, Apple, Google or Facebook) fall under FISA 702, they cannot prevent data that they hold from being seized by the NSA, CIA, etc. This means that they are unable to provide any assurance that they can protect their clients’ data from mass surveillance, and consequently they are not allowed to use SCCs. With Privacy Shield no longer available, these firms no longer have any legal basis for transatlantic data sharing.
2) Companies MUST reassess their use of US data processors (including cloud firms)
Other companies can continue to use SCCs as a legal basis for transatlantic data sharing as long as they are able to provide assurances that they can protect their clients’ data from mass surveillance. They will need to reassess their data management and plan to migrate any personal data away from US cloud firms (such as AWS, Azure and GCP) if they are to maintain this assurance.
3) DPAs MUST enforce GDPR
To date local regulators, and in particular the Irish DPC, which is responsible for overseeing most of the tech giants as they have their European headquarters in Ireland, have all been hesitant about taking action. Indeed, while the Irish regulator has over a dozen major ongoing actions against the tech giants, it has not made any real progress on a single one. Part of the ruling was that the Irish regulator and its EU peers have an obligation to enforce the regulation in a timely and effective manner.
For more detail see the graphics below, as well as the two videos beneath them (a short one on RT and a longer one with Johannes Drooghaag):