Transfer of personal data from Europe to the USA is no longer permitted?
Decision of the European Union Court in a lawsuit against Facebook
The Court of Justice of the European Union adopted a decision [1], which could lead to the fact that the transfer of personal data from Europe to the USA would be deemed contrary to the requirements of EU legislation on the protection of personal data [2]. This decision was made on October 6, 2015 on the basis of an appeal from Austrian lawyer Maximilian Schrems, a graduate student at the University of Vienna, to the Irish court with a complaint against Facebook. He complained that Facebook stores his personal data in the United States, including those that he deleted from his page, and thereby violates his rights to protect personal data. As an argument about the existence of the threat, Maximilian Shrems referred to Edward Snowden's confession that the American intelligence services received information about citizens from Google, Apple and Facebook.
An Irish court submitted to the Court of Justice of the European Union the question of whether the rights of users are violated when transferring their personal data to the United States.
The European Union has a directive on the protection of personal data [3], which stipulates that personal data can be transferred to other countries, if at the same time a certain level of protection is provided in the country where they are transferred. The question of whether personal data is protected in a particular country can be decided by the EU Commission. But to monitor compliance with the requirements of the directive must be specially authorized bodies of each EU member state.
In July 2000, the EU Commission decided that the United States provides the required level of protection for personal data - the so-called Safe Harbor Decision [4]. Moreover, this decision of the Commission states that American companies that certify themselves based on the safe harbor program provide the necessary protection for personal data.
In its decision, the EU Court indicated that the Commission's findings did not in any way affect the obligations of specially authorized bodies in the EU Member States to monitor the protection of personal data. Moreover, the decision of the Commission is not binding on these bodies. But at the same time, the Court also considered the decision of the Commission itself and declared it invalid. The Court's findings are based on the fact that, in fact, the Commission, in making the Safe Harbor Decision, did not study the provisions of US law regarding the protection of personal data. In addition, the safe harbor program, which companies pledged to comply with, does not affect the actions of US government bodies. In fact, US authorities have the ability to have almost unlimited access to personal data. The second argument of the Court was the fact that US law does not provide for the possibility of user requests to change their data or delete them if they are not accurate or inaccurate. All this goes against the two requirements of the legislation of the European Union: on the protection of personal data and on ensuring access to justice.
The European IT community is very alarmed by this decision. Some commentators even stated that about 4,400 European companies that store European users' data on American servers must urgently decide how to move all this data to another territory. Large losses are also indicated in connection with this: 1.3% of the GDP of the European Union [5]. But in fact, this is not entirely true.
So far, the only thing that follows the decision of the EU Court of Justice is that the question of whether Facebook can transfer personal data of European users to the United States will be considered by a specially authorized body in Ireland. And already on the basis of this administrative decision, companies transmitting personal data in the United States may begin to worry about data transfer. But formally, the decision of the Irish authorities will not threaten companies from other EU countries. Although in the long term, one can imagine the gradual recognition by the European Union of the US insecurity for storing users' personal data. But what follows after this is almost impossible to predict: in the conflict of interests of special services and major IT companies like Facebook, the outcome is not clear.
In general, the issue of storage and localization of personal data has recently become increasingly relevant in many countries. Starting September 1, 2015, Russia has a requirement to store personal data on servers located in Russia. Although, as always, there are more questions than answers. For example, how to prove cross-border data transfer in violation of the localization requirement? Obviously, in the coming years, issues related to personal data will be extremely relevant. It is not without reason that they say that “personal data is the new oil of XXI century”.
[1] Judgment in Case C-362/14 Maximillian Schrems v Data Protection Commissioner.
[2] Charter of fundamental rights of the European Union (2000 / C 364/01), article 8.
[3] Directive 95/46 / EC of the European Parliament and of the Council of October 24, 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.
[4] Commission Decision 2000/520 / EC of 26 July 2000 pursuant to Directive 95/46 / EC of the European Parliament and of the Council on the adequacy of the protection provided by the safe harbor privacy principles and related frequently asked questions issued by the US Department of Commerce.
[5] The Guardian: www.theguardian.com/world/2015/oct/06/us-digital-data-storage-systems-enable-state-interference-eu-court-rules
The Court of Justice of the European Union adopted a decision [1], which could lead to the fact that the transfer of personal data from Europe to the USA would be deemed contrary to the requirements of EU legislation on the protection of personal data [2]. This decision was made on October 6, 2015 on the basis of an appeal from Austrian lawyer Maximilian Schrems, a graduate student at the University of Vienna, to the Irish court with a complaint against Facebook. He complained that Facebook stores his personal data in the United States, including those that he deleted from his page, and thereby violates his rights to protect personal data. As an argument about the existence of the threat, Maximilian Shrems referred to Edward Snowden's confession that the American intelligence services received information about citizens from Google, Apple and Facebook.
An Irish court submitted to the Court of Justice of the European Union the question of whether the rights of users are violated when transferring their personal data to the United States.
The European Union has a directive on the protection of personal data [3], which stipulates that personal data can be transferred to other countries, if at the same time a certain level of protection is provided in the country where they are transferred. The question of whether personal data is protected in a particular country can be decided by the EU Commission. But to monitor compliance with the requirements of the directive must be specially authorized bodies of each EU member state.
In July 2000, the EU Commission decided that the United States provides the required level of protection for personal data - the so-called Safe Harbor Decision [4]. Moreover, this decision of the Commission states that American companies that certify themselves based on the safe harbor program provide the necessary protection for personal data.
In its decision, the EU Court indicated that the Commission's findings did not in any way affect the obligations of specially authorized bodies in the EU Member States to monitor the protection of personal data. Moreover, the decision of the Commission is not binding on these bodies. But at the same time, the Court also considered the decision of the Commission itself and declared it invalid. The Court's findings are based on the fact that, in fact, the Commission, in making the Safe Harbor Decision, did not study the provisions of US law regarding the protection of personal data. In addition, the safe harbor program, which companies pledged to comply with, does not affect the actions of US government bodies. In fact, US authorities have the ability to have almost unlimited access to personal data. The second argument of the Court was the fact that US law does not provide for the possibility of user requests to change their data or delete them if they are not accurate or inaccurate. All this goes against the two requirements of the legislation of the European Union: on the protection of personal data and on ensuring access to justice.
The European IT community is very alarmed by this decision. Some commentators even stated that about 4,400 European companies that store European users' data on American servers must urgently decide how to move all this data to another territory. Large losses are also indicated in connection with this: 1.3% of the GDP of the European Union [5]. But in fact, this is not entirely true.
So far, the only thing that follows the decision of the EU Court of Justice is that the question of whether Facebook can transfer personal data of European users to the United States will be considered by a specially authorized body in Ireland. And already on the basis of this administrative decision, companies transmitting personal data in the United States may begin to worry about data transfer. But formally, the decision of the Irish authorities will not threaten companies from other EU countries. Although in the long term, one can imagine the gradual recognition by the European Union of the US insecurity for storing users' personal data. But what follows after this is almost impossible to predict: in the conflict of interests of special services and major IT companies like Facebook, the outcome is not clear.
In general, the issue of storage and localization of personal data has recently become increasingly relevant in many countries. Starting September 1, 2015, Russia has a requirement to store personal data on servers located in Russia. Although, as always, there are more questions than answers. For example, how to prove cross-border data transfer in violation of the localization requirement? Obviously, in the coming years, issues related to personal data will be extremely relevant. It is not without reason that they say that “personal data is the new oil of XXI century”.
[1] Judgment in Case C-362/14 Maximillian Schrems v Data Protection Commissioner.
[2] Charter of fundamental rights of the European Union (2000 / C 364/01), article 8.
[3] Directive 95/46 / EC of the European Parliament and of the Council of October 24, 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.
[4] Commission Decision 2000/520 / EC of 26 July 2000 pursuant to Directive 95/46 / EC of the European Parliament and of the Council on the adequacy of the protection provided by the safe harbor privacy principles and related frequently asked questions issued by the US Department of Commerce.
[5] The Guardian: www.theguardian.com/world/2015/oct/06/us-digital-data-storage-systems-enable-state-interference-eu-court-rules