Privacy Shield Judgment - Privacy vs. mass surveillance
This month the Austrian lawyer Max Schrems was successful in court: the European Court of Justice (ECJ) ruled the Privacy Shield invalid. The reason: our European data protection laws cannot be upheld in the USA. The USA places its national security above the protection of personal data and the right to effective judicial protection. Laws like the Foreign Intelligence Surveillance Act (FISA) have resulted in mass surveillance without a legal basis, which is incompatible with European law.
Privacy Shield: the legal framework for transatlantic data traffic, which deemed US data protection law sufficient for the transfer of personal data by companies like Facebook and Google. In return, the USA gave limited guarantees that it would restrict its mass surveillance of European users.
Until now, European data on American servers was exposed to surveillance by US authorities without protection. US companies such as Facebook or Google, which have little interest in strong data protection, also bear joint responsibility; after all, strong data protection stands in the way of business models built on personalized advertising. At the latest since the revelations of the whistleblower Edward Snowden, it is also clear that the NSA is collecting data from Apple, Facebook, Google and others on a large scale and making it available to other US authorities. Since there is no way to find out whether you are being monitored, people also have no way to go to court. In this context, the ECJ even spoke of a violation of the "essence" of EU fundamental rights.
What now follows the judgment is massive legal uncertainty: although international data traffic is still possible, the fundamental rights of EU citizens must be observed, which is a complex task. Data protection officers in Germany and Europe must quickly agree on how to deal with institutions that continue to rely on the Privacy Shield in an impermissible manner. The frequently used standard contractual clauses (SCC; SVK in German) can in principle still be concluded; however, before the first data transfer, it must now be checked whether state authorities abroad have access to the data.
"The Court of Justice has now made it clear for the second time that there is a conflict between EU data protection law and US surveillance law. Since the EU will not change its fundamental rights to satisfy the NSA, the only way to overcome this conflict is for the US to introduce solid data protection rights for all people, including foreigners. Surveillance reform will be critical to Silicon Valley's business interests."
One thing is certain: until the legal situation changes, according to the judgment, personal data should no longer be transmitted to the USA as before. Only when the NSA and other (American) intelligence services are stopped can we speak of a comparable level of data protection between the EU and the USA. Until then, companies, public administration and European supervisory authorities have the task of applying the ruling. Despite the declaration of invalidity in the judgment, strictly "necessary" data transfers can still take place in accordance with Article 49 GDPR. If users want their data to flow abroad legally, there are still options. The data transfer can be based on the informed consent of the user, which can be revoked at any time. The GDPR also allows data transfers that are "necessary" to fulfill a contract. We therefore continue to advise against using centralized American service providers such as Facebook. We published a statement on Facebook a few years ago.