The European Court of Justice has invalidated the EU- U.S. Privacy Shield, that allowed the transfer of personal data between the two regions, stating that personal data protection and its judicial protection in the U.S. is not as per requirements of EU law.
While determining whether the Privacy Shield offers adequate protection to the personal data of EU citizens that is transferred to the U.S. for processing or storage, the European Court of Justice held that since the requirements of U.S. national security, public interest, and law enforcement have primacy, the Privacy Shield does not protect personal data from being accessed by U.S. public authorities for various reasons.
The court noted that the personal data of EU citizens can be processed outside the European Union only if a country has data protection rules and regulations that are essentially equivalent to those required under EU law. However, in the case of the United States, there is no such equivalence as the scope of surveillance programmes are not limited to what is strictly necessary.
It added that the limitations on the protection of personal data from the access and use by U.S. public authorities do not place any limitations on the power they confer to implement surveillance programmes and also do not offer any guarantees to potentially targeted non-U.S. persons.
Even though some of the provisions laid down requirements with which the US authorities must comply when implementing the surveillance programmes, the provisions do not grant data subjects actionable rights before the courts against the US authorities.
Visibility over data, access controls, and data security a key to ensure compliance
Commenting on the implications of the European Court of Justice's verdict, Peter Margaris, Head of Product Marketing at Skybox Security, said that the decision by the ECJ to strike down the EU-US Privacy Shield signals a new era in terms of data protection, one marked by the overriding principles of GDPR on one side and a patchwork of contractual clauses on the other. But the fact of the matter remains the same: For the enterprise, complete understanding of where data resides has never been more paramount.
“Trillions of dollars are at stake in transatlantic trade; in order to reap those profits, the ECJ has made clear organisations will need to protect the data they collect not just from cyberattackers but the prying eyes of the US government.
“This means a great deal more resource will have to be invested in gaining the awareness of where data resides and how it’s protected — and demonstrating that to regulators. While this process will add to an already heavy burden, regulation is a good thing for security programmes; for the CISO, having a legal requirement to maintain tight security around this data gets the attention — and budget — of the boardroom.
“Visibility is key to meeting these compliance requirements. Organisations need to ask themselves how reliable their visibility is of network infrastructure is — especially as it changes — and how are they monitoring the access controls in place. Also, how’s their cyber hygiene being handled, that is, the fundamentals of reducing the risk of unauthorised access. Decisions like the one by the ECJ should bring up a time for reflection and action to ensure your company doesn’t fall foul of regulators — or in the sights of attackers,” he added.
EU Commission felt the Privacy Shield needed improvements to better protect consumer data
This isn't the first time that the effectiveness of the EU-U.S. Privacy Shield has been called into question. As far back as in 2017, the European Commission said that even though it 'continues to ensure an adequate level of protection for the personal data transferred from the EU to participating companies in the U.S.', the Privacy Shield still needed some improvement to better protect consumer data and to get rid of existing loopholes.
This observation was made at the conclusion of the European Commission's first annual review of the Privacy Shield. To strengthen the Privacy Shield, the Commission published a list of recommendations that included the appointment of a permanent Privacy Shield Ombudsperson, and filling up of vacant positions at the Privacy and Civil Liberties Oversight Board (PCLOB).
The Commission has also called for more awareness-raising for EU individuals about how to exercise their rights under the Privacy Shield, closer cooperation between U.S. and European privacy enforcement agencies, more proactive monitoring of U.S. companies that handle data belonging to anyone in the EU, and ensuring the protection of non-Americans from fresh changes made in the Foreign Intelligence Surveillance Act.