Transfer of personal data from Europe to the United States is no longer allowed?
The decision of the Court of the European Union on the claim against Facebook
The court of the European Union adopted a decision [1], which may lead to the fact that the transfer of personal data from Europe to the USA will be recognized as contrary to the requirements of EU legislation on the protection of personal data [2]. This decision was made on October 6, 2015 on the basis of an appeal by Austrian lawyer Maximilian Schrems, a graduate student at the University of Vienna, in an Irish court with a complaint against Facebook. He complained that Facebook stores his personal data in the United States, including those that he deleted from his page, and thus violates his rights to protect personal data. As an argument about the existence of the threat, Maximilian Schrems referred to the recognition of Edward Snowden that American intelligence services were receiving information about citizens from Google, Apple and Facebook.
The Irish court referred to the European Court of Justice the question of whether the rights of users are violated when transferring their personal data in the United States.
The European Union has a directive on the protection of personal data [3], which provides that personal data can be transferred to other countries, if at the same time a certain level of their protection is provided in the country where they are transferred. The question of whether personal data is protected in a specific country can be decided by the EU Commission. But the compliance with the requirements of the directive should be specifically authorized bodies of each EU member state.
In July 2000, the EU Commission decided that the United States provided the required level of personal data protection - the so-called Safe Harbor Decision [4]. Moreover, the Commission’s decision states that US companies that certify themselves on the basis of a safe harbor program provide the necessary protection for personal data.
In its decision, the Court of Justice of the European Union indicated that these findings of the Commission do not affect in any way the duties of specially authorized bodies in EU member states to monitor the protection of personal data. Moreover, the Commission’s decision is not binding on these bodies. But at the same time, the Court also considered the decision of the Commission itself and declared it invalid. The findings of the Court are based on the fact that, in fact, the Commission, in deciding Safe Harbor Decision, did not study the provisions of US law regarding the protection of personal data. In addition, the safe harbor program, which the company was obliged to comply with, does not affect the actions of the US government. In fact, the US authorities have the possibility of almost unlimited access to personal data. The second argument of the Court was the fact that US law does not provide for the possibility of user requests to change their data or delete them if they are not accurate or unreliable. All this goes against two requirements of the European Union legislation: on the protection of personal data and on access to justice.
')
The European IT community is very worried by this decision. Some commentators even said that about 4,400 European companies storing European users' data on American servers should urgently decide how to move all this data to another territory. Also indicated are large amounts of losses in connection with this: 1.3% of the European Union's GDP [5]. But in fact it is not so.
So far, the only thing that will follow the decision of the EU Court of Justice is that the question of whether Facebook can transmit personal data of European users in the United States will be considered by a specially authorized body in Ireland. And already on the basis of this administrative decision, companies that transfer personal data in the United States may begin to worry about the transfer of data. But formally, the decision of the Irish authorities will not threaten companies from other EU countries. Although in the long run, it is possible to imagine a gradual recognition by the European Union of the US insecurity for storing user personal data. But what will follow after this is practically impossible to predict: in the struggle between the interests of special services and the largest IT companies like Facebook, the outcome is not clear.
In general, the question of the storage and localization of personal data has recently become increasingly relevant in many countries. In Russia, from September 1, 2015, there is a requirement to store personal data on servers located in Russia. Although, as always, there are more questions than answers. For example, how to prove cross-border data transfer in violation of the localization requirement? Obviously, in the coming years, issues related to personal data will be highly relevant. It is not without reason that they say that “personal data is the new oil of the XXI century”.
[1] Judgment in Case C-362/14 Maximillian Schrems v Data Protection Commissioner.
[2] European Union Charter (2000 / C 364/01), article 8.
[3] Such data
[4] July 2000: Decision 2000/520 / EC of 2000 the US Department of Commerce.
[5] The Guardian: www.theguardian.com/world/2015/oct/06/us-digital-data-storage-systems-enable-state-interference-eu-court-rules
The court of the European Union adopted a decision [1], which may lead to the fact that the transfer of personal data from Europe to the USA will be recognized as contrary to the requirements of EU legislation on the protection of personal data [2]. This decision was made on October 6, 2015 on the basis of an appeal by Austrian lawyer Maximilian Schrems, a graduate student at the University of Vienna, in an Irish court with a complaint against Facebook. He complained that Facebook stores his personal data in the United States, including those that he deleted from his page, and thus violates his rights to protect personal data. As an argument about the existence of the threat, Maximilian Schrems referred to the recognition of Edward Snowden that American intelligence services were receiving information about citizens from Google, Apple and Facebook.
The Irish court referred to the European Court of Justice the question of whether the rights of users are violated when transferring their personal data in the United States.
The European Union has a directive on the protection of personal data [3], which provides that personal data can be transferred to other countries, if at the same time a certain level of their protection is provided in the country where they are transferred. The question of whether personal data is protected in a specific country can be decided by the EU Commission. But the compliance with the requirements of the directive should be specifically authorized bodies of each EU member state.
In July 2000, the EU Commission decided that the United States provided the required level of personal data protection - the so-called Safe Harbor Decision [4]. Moreover, the Commission’s decision states that US companies that certify themselves on the basis of a safe harbor program provide the necessary protection for personal data.
In its decision, the Court of Justice of the European Union indicated that these findings of the Commission do not affect in any way the duties of specially authorized bodies in EU member states to monitor the protection of personal data. Moreover, the Commission’s decision is not binding on these bodies. But at the same time, the Court also considered the decision of the Commission itself and declared it invalid. The findings of the Court are based on the fact that, in fact, the Commission, in deciding Safe Harbor Decision, did not study the provisions of US law regarding the protection of personal data. In addition, the safe harbor program, which the company was obliged to comply with, does not affect the actions of the US government. In fact, the US authorities have the possibility of almost unlimited access to personal data. The second argument of the Court was the fact that US law does not provide for the possibility of user requests to change their data or delete them if they are not accurate or unreliable. All this goes against two requirements of the European Union legislation: on the protection of personal data and on access to justice.
')
The European IT community is very worried by this decision. Some commentators even said that about 4,400 European companies storing European users' data on American servers should urgently decide how to move all this data to another territory. Also indicated are large amounts of losses in connection with this: 1.3% of the European Union's GDP [5]. But in fact it is not so.
So far, the only thing that will follow the decision of the EU Court of Justice is that the question of whether Facebook can transmit personal data of European users in the United States will be considered by a specially authorized body in Ireland. And already on the basis of this administrative decision, companies that transfer personal data in the United States may begin to worry about the transfer of data. But formally, the decision of the Irish authorities will not threaten companies from other EU countries. Although in the long run, it is possible to imagine a gradual recognition by the European Union of the US insecurity for storing user personal data. But what will follow after this is practically impossible to predict: in the struggle between the interests of special services and the largest IT companies like Facebook, the outcome is not clear.
In general, the question of the storage and localization of personal data has recently become increasingly relevant in many countries. In Russia, from September 1, 2015, there is a requirement to store personal data on servers located in Russia. Although, as always, there are more questions than answers. For example, how to prove cross-border data transfer in violation of the localization requirement? Obviously, in the coming years, issues related to personal data will be highly relevant. It is not without reason that they say that “personal data is the new oil of the XXI century”.
[1] Judgment in Case C-362/14 Maximillian Schrems v Data Protection Commissioner.
[2] European Union Charter (2000 / C 364/01), article 8.
[3] Such data
[4] July 2000: Decision 2000/520 / EC of 2000 the US Department of Commerce.
[5] The Guardian: www.theguardian.com/world/2015/oct/06/us-digital-data-storage-systems-enable-state-interference-eu-court-rules
Source: https://habr.com/ru/post/295214/
All Articles