Privacy Shield struck down: what you need to

Jul 24, 2020  - written by  in Security

On July 16, 2020, the Court of Justice of the European Union (CJUE) struck down the agreement between the US and the EU known as Privacy Shield. A ruling that, while bringing joy to those who value and defend personal data privacy, directly impacts data transfers between Europe and the United States.

Privacy Shield judged incompatible with GDPR

Privacy Shield was a framework for transferring personal data between European and US enterprises. Since Safe Harbor had been invalidated under Directive 95 (the predecessor of GDPR—the General Data Protection Regulation), Privacy Shield began in 2015 and 2016 in order to re-establish data transfer between Europe and the US.

Safe Harbor and then Privacy Shield were each respectively attacked in 2015 and 2018 by Maximilian Schrems, a lawyer and personal data privacy activist (NOYB – European Center for Digital Rights). For the second time, Schrems emerges victorious.

On July 16, 2020, CJUE rendered its judgement with essentially the same motivation as its previous decision in 2015: the encroachment of US authorities on digital privacy and the lack of any protection of the rights of European citizens in US law renders the transfer mechanism invalid.

What impact will the ruling having on businesses?

The 5,000-odd businesses, mostly small to medium sized, that operated under Privacy Shield can no longer use it. As such, they are preparing to renegotiate, case by case, the tens of thousands of contracts that have become null and void and return to Europe some processing of personal data covered by the court’s decision—a colossal financial and technical undertaking. However, other legal frameworks are still valid, most notably Standard Contractual Clauses and BCR (Binding Corporate Rules).

However, with the CJUE basing its decision on US law and the survelliance power of the authorities, it’s on those responsible for handling the export of personal data to ensure that they do not violate GDPR by continuing to send data to the United States.

What’s the impact on Gandi’s US office?

The invalidation of Privacy Shield doesn’t impact Gandi’s business activities since its US office was never Privacy Shield certified.

Gandi had instead opted, with the help of our DPO (Data Protection Officer) to implement Standard Contractual Clauses between its French and US offices.

Today, these transfers are not called into question by this ruling, but we will remain vigilant with respect to the position that the CNIL (the French regulatory body in charge of digital privacy) and the European Commission adopt in order to conform with their recommendations.

In any case, all our customer data, as well as all Gandi hosting servers, are located in Europe (France and Luxembourg).