US Privacy Shield Invalid
The EC is keen to protect its citizens’ right to privacy, and that includes protecting them from unwarranted government snooping. The European Court of Justice has just ruled that the US Privacy Shield does not adequately protect its citizens when their data is stored in the USA.
Readers may remember that the same fate befell the US’s Safe Harbour agreement, an earlier attempt to reassure the EC that its citizens’ data was safe when stored in the US. Its successor, the Privacy Shield, was hastily concocted so that EC companies were not breaking the law when storing data in the US.
Now the EC has ruled that Privacy Shield is not good enough. The fundamental problem with both the Safe Harbour agreement and the Privacy Shield is that while US companies may commit to strong safeguards over personal information, they are subject to the US authorities’ ability to override them and conduct mass surveillance that the EC deems unjustified. GDPR reinforced EC citizens’ right to privacy, a concept that doesn’t exist in the US for its own citizens, let alone foreigners.
Technically, this now means that any EC citizen can sue a business that stores their data in the US. In practice, at least in the short term, officials on both sides of the Atlantic are saying that the problem can be fixed. The EC will want the US to commit never to perform mass surveillance on EC citizens’ data, in effect making the US subject to EC law. The US won’t like that: it is used to forcing the rest of the world to abide by its own laws, such as FACTA, but avoids committing itself to any external legal authority such as the International Court of Justice.
Watch this space as the EC forces the US to play by EC data protection rules.