Snowden, Schrems and Facebook – Privacy: Shield yourself?
When Edward Snowden delivered his message about the USA’s (and other countries’) intelligence-gathering actions and methods in 2013, he started a series of events which spread across the world. There are too many effects to list here, but in the field of EU data protection there was a very specific result: the collapse of the self-certified ‘Safe Harbour’ scheme, which gave the USA something approaching equivalency status for the purpose of the Data Protection Directive of 1995. Safe Harbour was really important for the USA because, without it, Europe-based data-controller companies that wanted to send personal data of EU citizens to their US partners would be at risk of breaching EU data law.
A quick bit of history: at the time of the Snowden leak Max Schrems – an Austrian lawyer and privacy campaigner who had already taken Facebook to court in Ireland (Facebook’s EU headquarters) for data protection law breaches in 2011 – was keeping close watch. Reviewing the papers on Wikileaks, he quickly realised the extent of US surveillance on social media such as Facebook, and he accused Facebook in Ireland of being in breach of EU law as a result of sending data to the USA, because that data was at risk of being intercepted by intelligence agencies.
The Irish court played it safe and referred the question to the European Court of Justice, the judicial HQ of the EU, and after the European Commission’s own lawyer confirmed that Safe Harbour was unable to guarantee adequate safeguards for personal data, the ECJ declared it was not an adequate safeguard for international data transfers.
The result – after a brief grace period, EU data protection authorities would have been able to prosecute any EU-based company which transferred personal data to the USA, unless that company put alternative protections in place (model clauses or binding corporate rules). That was not a very comfortable position – no-one ever believed it would be possible to get all the necessary arrangements in place before the end of the grace period.
And so, as the deadline grew closer, the EU and USA pulled together to build the Privacy Shield, a series of international promises which confirm, on the USA’s part, that they are not going to spy on the data of individuals. Really, they mean it this time.
But there are still some who believe that the USA shouldn’t hold equivalency status. Last week, the EU General Court rejected an application to invalidate the Privacy Shield made by Digital Rights Ireland, an Irish data protection campaign group. But the basis for the rejection was largely administrative, and it appears that the door has been left open to permit a challenge with a different approach when GDPR becomes enforceable on 25 May 2018.
For now, consider yourselves Shielded, but expect a challenge against the Privacy Shield to be one of the first tests of GDPR.
Is your company ready for GDPR? If you have no base in Europe, have you appointed a Data Protection Representative in the EU? Contact DPR Group at firstname.lastname@example.org for more information, or visit our website at www.dpr.eu.com.