The Verge reports on a new ruling from the EU that will change how, or even whether, personal data from Europe can enter the United States. As we know, GDPR sets out very specific rules on how data is handled and what can and cannot be shared. In addition, GDPR mandates security of the data: employees, thieves, and even governmental organizations shouldn’t have easy access to it. Many companies like Facebook share data across national borders, and their servers sit in more than one country. They do this using the “Privacy Shield” framework, under which US companies agree to follow EU laws regarding privacy and protection of personal data. Since 2016 this has allowed data sharing across borders. With this new ruling, however, the Privacy Shield framework is no longer valid. Even the stronger Standard Contractual Clauses (SCCs) have limitations, which depend on whether that data is safe from mass surveillance. Here’s a quote from the ruling:
“The limitations on the protection of personal data arising from the domestic law of the United States […] are not circumscribed in a way that satisfies requirements that are essentially equivalent to those required under EU law,” they wrote. In other words: US law is designed to facilitate mass surveillance while EU law enshrines individual privacy.
Reacting to the ruling, Schrems said it showed that the only way forward for American companies was widespread “surveillance reform.”
The healthcare world already has very specific rules on how, when, and to whom data may be shared. Other personal information has been catching up with Europe’s GDPR and California’s CCPA laws. The need to share data won’t go away, but the constraints on where that data resides, how it is protected, and how individuals exercise their right to privacy over their data continue to evolve. SCCs still allow sharing of data, but only with countries that have similar levels of individual data privacy rights. Many of our clients are probably only minimally affected, but everyone who shares data between Europe and the United States needs to take a close look and understand what is now allowed. If you process European personal data in the US, you may need to take steps to move that data. Eventually, the standard operating procedures will become clear after a settling-in period and after court cases like this wend their way through the system.
Of course, any changes in the United States at the Federal level will start the process over again.