Oops. Well, not unexpected, but Max Schrems’ case was upheld: the EU courts have supported his view that the Privacy Shield, the replacement for Safe Harbour, is not valid and does not provide the required protection of EU citizens’ data when it is transferred to the USA.
Given that the US Government never really took it seriously (they were supposed to have a permanent Ombudsman in place by 2016 to deal with issues relating to Privacy Shield, they were reprimanded in 2016, 2017, 2018, 2019 and 2020 for not complying with this key term for the validity of Privacy Shield) and FISA Courts, NSLs, the Patriot Act etc. make a mockery of any such agreement anyway - especially given that the US TLAs seem to think that they have jurisdiction in Europe anyway, just because a company happens to have an office in the USA, let alone be headquartered in the USA.
Microsoft is about the only company that has tried to stand up to the US Government over this, but they haven’t had any real success.
Interestingly, I signed up to the birthday offer from Strato last week, 1TB of cloud storage, hosted in Europe for 1€ in the first year (75€ or thereabouts thereafter). Looks like it is time to shift my data from OneDrive and I’ll be looking at setting up my own NextCloud + Email solution, instead of MS365 and Outlook.com…
Edit: for clarification, if an EU citizen’s data is held in the US, the data owner cannot pass that data on to a foreign entity (police, CIA, FBI, another company etc.) without the express written permission of the EU citizen. That means that either the data owner has to break EU law and face fines and imprisonment (up to 4% of global turnover) or has to refuse a US court subpoena, National Security Letter etc. and face fines and imprisonment in the USA.
And, if I am a company in Europe and I store my data in, say Google Cloud, Azure, AWS etc. and Google, Amazon or Microsoft hand over the data, I am liable under EU law for the data breach.
The US IT and Innovation Foundation (ITIF), meanwhile, complained the ruling was “irresponsible” and would treat the US with a “double standard”.
Well, no, the US Government was irresponsible for not taking Privacy Shield seriously. You can’t lay the blame at the EU court’s door if your own government has done everything it can to ensure that PS is sabotaged.
Chivot made the point that US laws on government access to personal data were not “unique”, seemingly calling on the EU to reject other countries’ data access laws in the same way.
Idiot. All countries are held to the same standards. The whole point of Privacy Shield was to give US companies a free pass to transfer data to the US, on the understanding that the US Government would ensure that the data was held to standards equivalent to those in the EU (GDPR etc.). Again, it is the US Government’s failure to follow through on its promises in Privacy Shield that is the problem.
The EU court couldn’t have come to any other conclusion, as long as the US refuses to keep its end of the bargain!
And, it looks like Vera Jourová didn’t tell the truth. SCCs are not valid where US gov by US law gets to see the traffic. So not Facebook etc. For bank transactions, fine.