I had not really heard about the Digital Shields prior to last week, but on July 12th 2006 the EU and US Privacy Shield framework was designed by the US Department of Commerce and the European Commission Administration to provide companies on both sides of the Atlantic with a mechanism to comply with data protection requirements when transferring personal data from the European Union to the United States in support of commerce. On July 16th 2020 the Court of Justice of the European Union issued a judgement declaring this invalid. So what does this mean?
The Privacy Shield programme was used by US-based organisations. It required them to self-certify with the Department of Commerce and publicly commit to comply with the scheme’s framework requirements for data security. Although the scheme is voluntary, once an organisation makes the public commitment to comply with the requirements, they become legally enforceable. This is important to us today as huge companies like Google, Facebook and Amazon now rely on it.
The Shield has been pronounced invalid after a case between the Data Protection Commissioner, Facebook Ireland and Maximilian Schrems, who was an Austrian privacy advocate. He has tried to take on Facebook multiple times, arguing that his data was vulnerable to government surveillance when it was transferred to Facebook’s American servers.
This is an incredibly complicated case, but it sounds like it might apply to any US company doing business with EU citizens: they will not only need to comply with GDPR, but it also looks like European user data currently cannot even be transferred to US servers.
Companies are hopeful there is a technical solution that uses Standard Contractual Clauses (SCCs), but this will only work if the European Court and US Commerce Department agree a plan. In the short term, martech companies are going to have to ensure that all the vendors are compliant.