The Court of Justice of the European Union (CJEU) invalidated the “Privacy Shield” on July 16, 2020. The “Privacy Shield” was the legal mechanism put in place to govern transfers of personal data between Europe and the United States, and a key element for every company that operates on both continents and exchanges data. The decision is not surprising, however, given the earlier annulment of its predecessor, the “Safe Harbor”.
What were the key foundations of this judgment?
Before looking at the consequences of this judgment, it is important to understand where it comes from. First of all, as mentioned above, the shadow of an invalidation hung over the “Privacy Shield” from its birth, since the “Safe Harbor” it replaced had itself been struck down as incompatible with our GDPR (General Data Protection Regulation). But this annulment is also due to the persistence of one individual, Mr Schrems, an Austrian national and Facebook user, who objected to his data being transferred from Facebook Ireland to the company’s US servers.
The CJEU (Court of Justice of the European Union) holds that European law requires the GDPR to apply to all transfers of personal data outside the EU (Avis de la CJE – CNIL). The Court finds that the limitations US law places on access to that data by US public authorities, and the redress available to European citizens, do not guarantee a level of protection essentially equivalent to that required in the EU, and it therefore invalidates the Commission decision on which the “Privacy Shield” rested.
Nor is this decision surprising given that the same CJEU annulled the “Safe Harbor” agreement in 2015, and that Mr Schrems’s original complaint against Facebook was already at the origin of that ruling. The thirty-page judgment sets out the Court’s reasons in detail (LeMonde).
The judgment invalidating the “Privacy Shield” specifies that the standard contractual clauses (SCCs) authorising data transfers are not invalidated. As was the case when the “Safe Harbor” was annulled, companies that already frame their data exchanges with this type of contractual clause should therefore be unaffected, or only marginally so. The CNIL and its European counterparts will nevertheless carry out a detailed analysis of the judgment, and we should have more details and a clearer view of its impact in the coming days.
What are the expected effects of this judgment?
One of the very first effects, since the standard contractual clauses remain valid, is that companies that must transfer data outside the EU (European Union) will be able to do so by putting such clauses in place to govern their transfers. This is, however, a long and laborious process that will potentially slow down these exchanges (mydatacompany.fr). It is the responsibility of the company exporting the data to demonstrate that the protection mechanisms in the destination country are sufficient. In addition, like any clause in a contract between two companies, these clauses can be challenged before a data protection authority such as the CNIL, which adds a legal risk to data transfers outside the European Union.
What other impacts can already be outlined for companies that exchange data with the United States and that had not necessarily put standard contractual clauses in place, relying solely on the “Privacy Shield”?
The first impact is that, from the day of the CJEU decision, any company that relied only on the “Privacy Shield” will have to put standard contractual clauses in place for any exchange of data with the United States.
Which data is affected? All personal data of the employees, customers, suppliers or users of the companies concerned.
How to maintain GDPR compliance (TOOLinux)
For companies with subsidiaries in the United States, or conversely for American companies with subsidiaries in France, a real headache is emerging for Human Resources departments. For example: how do you carry out the appraisal of an employee on French soil when the manager is in the US? How is the HRIS (Human Resource Information System) structured to handle these data exchanges?
The same question arises for marketing and sales departments. How are their CRM (Customer Relationship Management) systems and their customer and prospect databases managed? Are the cloud solutions currently used in these areas able to properly track the origin of the data and where it is stored?
This judgment also calls into question certain government choices: for example the Health Data Hub, hosted on Microsoft® Azure, the Oracle® Cloud chosen by the CNAM (Caisse Nationale d’Assurance Maladie) and the AP-HP (L’usine Digitale), and finally Amazon AWS chosen by Bpifrance. The challenges to these choices, in particular through the mobilisation of the French digital sector (PlayFrance.Digital), should now accelerate.
The topic of digital sovereignty over the use of our data is back in the news. This was made possible in part by the stubbornness of one European citizen, and I must say we owe him a great debt.
It turns out that our GDPR is a genuine regulatory weapon that will allow Europe to rebalance its position against the American, and even Chinese, digital giants. Our decision-makers will come to understand that there are a number of European solutions that are as powerful as, or better than, their American counterparts, and that limit their exposure to the legal risks involved in transferring data.
A case to be followed…