EU Court of Justice Strikes Down the EU-US Privacy Shield
by Chris Bowen
Chief Privacy & Security Officer and Founder
Last week you may have seen or heard the news that Europe’s highest court - the Court of Justice for the European Union (CJEU) - invalidated the EU-US Privacy Shield as an approved mechanism for transferring personal data from the European Union to the United States.
In the ruling, the Court found the EU-US Privacy Shield failed to adequately protect Europeans' privacy rights when their data is being transferred or shared with the US.
As reported by NPR, the Court stated that surveillance laws in the US “are not circumscribed in a way that satisfies requirements that are essentially equivalent to those required” under EU law.
I am not surprised by this ruling. Privacy professionals knew the Privacy Shield's days were numbered as soon as the US passed the CLOUD Act in 2018. This law compels US-based technology companies to provide requested data stored on servers, regardless of whether they are stored in the US or on foreign soil. The Court of Justice’s ruling highlights the growing chasm between European beliefs that privacy is a human right and the US government's prioritization of surveillance and secrecy.
Understandably, other privacy professionals and I are getting questions from concerned companies that share data across the pond. The good news is that, for those companies whose guiding principles are rooted in the highest standards of privacy, security, and compliance, this should have little impact. The bad news is that while some U.S. states have attempted to instill privacy principles similar to the EU's, the US has struggled with its privacy priorities at the national level, choosing instead to embrace surveillance - even on its allies - over privacy.
COVID-19 has added an additional layer of complexity, as I wrote about here regarding the balance of data sharing, contact tracing, testing, and speed while maintaining and supporting privacy principles.
Never before has there been a greater need to get privacy and technology right because there is so much at stake.
At ClearDATA, we are uncompromising in our commitment to privacy principles, with or without the EU-US Privacy Shield. Long before this ruling, we architected our software products to comply with data locality and privacy requirements of the EU, the US, Canada, and the Asia Pacific. We also chose to engage our EU client workloads with Standard Contractual Clauses (SCC), a model composed by the European Commission which the court upheld as valid in the Privacy Shield ruling.
As a healthcare cloud privacy, security and compliance leader, our mantra has always been that a health record represents a human life. We will continue to focus on privacy by design and sound privacy principles, and our actions will continue to support the fact that people have a right to have their sensitive personal data protected.