Europe’s highest court has banned the mass transfer of personal data of EU citizens to US companies, due to mass surveillance carried out by the US government. The court struck down an arrangement known as the EU-US Privacy Shield …
Europe has much tougher privacy standards than the US when it comes to processing personal data. One protection says that personal data may only be sent to a country outside the EU if arrangements are in place to ensure that GDPR-standard privacy protections will be applied within that country.
The EU-US Privacy Shield was an agreement designed to ensure that this requirement was met. It set out standards US companies agreed to follow, which EU companies believed would then allow them to legally send personal data to those companies. Literally thousands of companies have relied on the Privacy Shield to transfer data, including tech giants like Facebook.
However, the Court of Justice of the European Union has now ruled that the Privacy Shield does not offer sufficient protection. In particular, it says that mass data surveillance programs by the US government makes it impossible to guarantee the privacy of personal data processed and stored in the USA.
Yes, that was all one sentence … It went on:
In other words, even if US companies do everything they are supposed to, there is no way for them to prevent the US government accessing the data – and in that situation, EU citizens have no rights.
The ruling doesn’t prevent all transfer of personal data of EU citizens to the US. Companies are still allowed to do it more selectively, when they can show that this is necessary – for example to process a hotel booking in the US by an EU citizen. But it is no longer legal to transfer data en-masse for processing or storage.
The issue is a complex one. If you’d like to understand more about it, Wired has an excellent in-depth piece.
Image: Microsoft