16th July 2020
Max Schrems, an Austrian activist known for campaigns against Facebook for privacy violations, has done it again.
The EU-US Privacy Shield has been deemed invalid by the European Court of Justice. It allowed US companies to register with PrivacyShield.gov so that their processing of Europeans' data was deemed adequate for data protection purposes under EU GDPR.
Do you feel safer?
Schrems has been going after Facebook since 2011.
In 2012, the DPC said his complaint was "frivolous and vexatious".
That complaint went to the Irish High Court, then the European Commission, then the European Court of Justice (CJEU).
In October 2015, the CJEU deemed Safe Harbor (the predecessor to Privacy Shield) invalid.
Privacy Shield was adopted as the replacement in July 2016.
Schrems still didn't like Facebook processing his data on US servers, as he didn't believe their data protection to be adequate and in accordance with GDPR. US surveillance laws are a particular gripe here.
Where most people would just shrug or stop using Facebook, Schrems kept going.
In July 2020, the European Court of Justice overturned a previous decision made by the European Commission, deeming Privacy Shield to be invalid.
Standard Contractual Clauses (SCCs), the easiest alternative mechanism for transferring data to the US, remain valid, for now.
We assume companies will either continue using the invalid Privacy Shield, at their own risk, until a replacement is found, or transition to EU Standard Contractual Clauses.
SCCs are also being used more in the UK as we get closer to a potential hard Brexit without an agreement with the EU about data protection. UK data protection legislation, such as the Data Protection Act 2018, may not be deemed adequate, even though it probably mentions GDPR more than this Data GRC Ltd website!