Some companies that have chosen us

Privacy Officer and Privacy Consultant
CDP Scheme according to ISO/IEC 17024:2012
European Privacy Auditor
ISDP©10003 Certification Scheme according to ISO/IEC 17065:2012
According to standard UNI 11697:2017
Lead Auditor ISO/IEC 27001:2022
According to standard ISO/IEC 17024:2012
Data Protection Officer
According to standard ISO/IEC 17024:2012
Anti-Bribery Lead Auditor Expert
According to standard ISO/IEC 17024:2012
ICT Security Manager
According to standard UNI 11506:2017
IT Service Management (ITSM)
According to the ITIL Foundation
Ethical Hacker (CEH)
According to the EC-Council
Network Defender (CND)
According to the EC-Council
Computer Hacking Forensics Investigator (CHFI)
According to the EC-Council
Penetration Testing Professional (CPENT)
According to the EC-Council

Professional qualifications

Stay up-to-date with world news!

Select your topics of interest:


Home / News
Privacy Shield: has gone up in smoke, and today millions of companies and operators are in a dead end.

Privacy Shield: has gone up in smoke, and today millions of companies and operators are in a dead end.

The “Privacy Shield” suffered like “Safe Harbor” – The decision of the European Court of Justice was affected by the supremacy of the requirement of national security, public interest and administration of justice, in order to allow interference by the government into fundamental right of natural person which data are transferred to USA companies.
– It was added also the control of the lack of indepencence’s guarantees, compared to the State Dep USA, of the figure of the mediatio of the “Privacy Shield”, in contrast with the article 47 of the Charter of Fundamental Rights of the European Union.

Even if the idea that the prudence usually suggests to take into account any development (especially in a insidious discipline like data protection), the decision of the European Court of Justice into the cause C-311/18 of the 16 of July 2020 is like a guillotine in a dramatic way – also for its inevitable directness – on billion personal data transfer and on the daily operability of million of companies, bodies, economic operators, out or inside of the Atlantic.

We remember the decision of the 12 July 2016, n. 2016/1250 (the so called “Privacy Shield”), adopted by the Commission for personal data transfer from the member State to other organization into the USA, about companies insert into the Shield list: it was kept and published by the Commercial Dep. of the USA, from which US companies were required to auto certificate on a yearly base the respect of determined duties, to public a privacy policy on their websites, to answer in a tempestive way to claims, to cooperate with the European Data Protection Authorities. According to the instructions into the task force article 29, the controller/processor established into the UE, before transfers personal data to a US companies, needed to ensure that it was certificate into the “Privacy Shield” and that this certification covered different typology of data (human resource’s data like data not related to human resources).

With a sentecen pronounced the 6 October 2015, the European Court of Justice responsible for a prejudicial question submitted bu the High Court (Ireland), declared invalid the decision 2000/520 (known as “Safe Harbor”) the Commission. It can be also called – like the same Court did into the Statement 91-20 – “Sentence Schrems I”. The Statement goes on : “after the Schrems I and the following cancellation, by the Irealand Judge, the rejecting decision of the claim of the Sir. Schrems, Ireland Supervisory Authority invited him to reformulate the claim by keeping in mind the declaration of invalidity from the Court, into the decision 2000/520”. It its reformulated claim Sir. Schrems underlined that USA did not offer a sufficient protection for data transferred and asked to suspend or ban, for the future, personal data transfers from UE to USA, that Facebook Ireland was making based on the terms of protection included into the annex of the Sentence 2010/87.

So, with its request for a preliminary ruling, the dereferal judge has interviewed the Court on the applicability of the Regulation for persona data transfer based on clauses of protection included into the Sentence 2010/87, on the protection level requests by this Regulation in a framework of a transfer and the obligations to the supervisory authorities in this context.

But Sir. Shrems has also asked to ban o suspend the data transfer by Facebook Ireland, for its personal data to Facebook Inc., established in USA, because this third country will not guarantee an adequate protection level. The court seised, In the light of the evidence produced and the adversarial nature of it, he questioned the validity of Sir. Schrems doubts on the adequacy of the level of protection insured in that third country, despite what the Commission has since found in the “Privacy Shield” decision.

The High Court has underlined the question of the validity both of the Sentence 2010/87 both of the Sentence 2016/1250.

As is already evident from this excursus, the ruling of the ECJ has a wider object/perimeter than the “Privacy Shield”, also covering the type clauses of data protection under Art. 46.2, letter c of the EU Regulation 2016/679, for which, however, point 4 of the device establishes, in conclusion, their enduring validity (“… 2010/87/EU Commission decision on 5 February 2010 In the case of standard contractual clauses for the transfer of personal data to those in charge of treatment established in third countries under Directive 95/46/EC of the European Parliament and the Council, as amended by the Commission’s 2016/2297 Enforcement Decision on 16 December 2016, in the light of Articles 7, 8 and 47 of the Charter of Fundamental Rights, there was no evidence to support its validity.”)

And even if only a superficial look – that is, not well thought out – would suggest that, for this very reason, the use of standard clauses can therefore be considered peaceful and peaceful, Nevertheless, the key to this contribution is the decision on the “Privacy Shield”, which, according to paragraph 5 of the device, “the Commission’s 2016/1250 enforcement decision, of 12 July 2016, under Directive 95/46/EC of the European Parliament and the Council, on the adequacy of the protection offered by the EU-US Privacy Shield scheme, is invalid.”

It reads in the judgment that “the Commission has found, in Article 1, paragraph 1, of the “Privacy Shield” decision, that the United States ensures an adequate level of protection of personal data transferred from the Union to organisations established in the United States under the European Union-United States Privacy Shield, Which, under Article 1, paragraph 2, of that decision, consists in particular of the principles issued by the US Department of Commerce on 7 July 2016, which are contained in Annex II of the same decision, and the official statements and commitments contained in the documents referred to in Annexes I and III to VII.” But it is also true that “the shield for privacy decision, in paragraph I.5. Annex II ‘Principles of the [European Union-United States] Privacy Shield Scheme’, it also states that adherence to these principles may be limited ‘if and as necessary to meet national security, public interest or administration of justice’ needs’. Therefore, that decision, like the 2000/520 decision, enshrines the primacy of those requirements in relation to these principles, a primacy under which self-certified US organisations receiving personal data from the Union are required to disapply, without limits, those principles when the latter interfere with these requirements and are therefore incompatible with them.”

This waiver is contained in paragraph I.5. Annex II of the “Privacy Shield” therefore makes possible interference based on national security and public interest needs or internal U.S. legislation in the fundamental rights of persons whose personal data is or could be transferred from the Union to the United States: “more specifically,” reads a later passage. Such interference may result from the access by US public authorities to personal data transferred from the Union to the United States, and the use of such data under the PRISM and UPSTREAM surveillance programmes based on Article 702 of the FISA, as well as on the basis of E. O. 12333.” The Court still observes, as in the opinion of the remilient judge, “the establishment of the Ombudsman of the Privacy Shield cannot, …, remedy these shortcomings as that Ombudsman would not be comparable to a judge, under Article 47 of the Charter.”

The reference to art. 7 (respect for private and family life) and 8 (personal data protection) of the Charter of Fundamental Rights of the European Union and the verification of their compliance remain an essential basis for the adequacy decisions that the Commission takes under Art. It is not the first time that the European Parliament has been involved in this debate. And it is precisely in the light of art. 7 and 8 that the decision on the “Privacy Shield” was put on the grid: “in particular, on the basis of the relief that the interference resulting from the surveillance programs based on Article 702 of FISA and the E. O. 12333 would not be subject to requirements that, in accordance with the principle of proportionality, a level of protection substantially equivalent to that guaranteed by Article 52, paragraph 1, second sentence, of the Charter (where “in accordance with the principle of proportionality, restrictions may be made only where necessary and actually respond to the general interest of the Union or the need to protect the rights and freedoms of others”). Leaving aside here the details of the extensive reconstruction (for which the reader is deferred to the full text of the ruling), it is in summary to the Court that neither Article 702 of FISA nor the E. O. 12333, in combination with PPD 28, “corresponds to the minimum requirements associated, in EU law, with the principle of proportionality, so that surveillance programmes based on these provisions cannot be considered to be limited to the bare minimum requirements.”

As regards the relationship with art. 47 of the Charter, on the right to an effective appeal and to an impartial judge, given that, according to the constant jurisprudence, “the very existence of effective judicial control, intended to ensure compliance with the provisions of EU law, is intrinsic to the existence of a rule of law”, does not respect art. 47 that legislation which does not provide for any possibility for the individual to use legal remedies in order to access personal data concerning him, or to obtain the correction or suppression of that data.

The Court is well aware that in points 115 and 116 of the Privacy Shield decision, the Commission found that as a result of the existence of the mediation mechanism established by the US authorities – as described in the letter sent on 7 July 2016 by the US Secretary of State to the European Commissioner for Justice, Consumers and Gender Equality, contained in Annex III of that decision – and the nature of the mission entrusted to the Ombudsman. , that is, the ‘First Coordinator of International Diplomacy for Information Technology’, the United States could ensure a level of protection substantially equivalent to that guaranteed in Article 47 of the Charter. However, from the examination of the letter above, it is clear that the Privacy Shield Ombudsman, although described as “independent of the US intelligence community”, “reports directly to the Secretary of State, who ensures that he does his function objectively and without undue interference that could affect the response made.”

This Ombudsman is appointed by the Secretary of State and is an integral part of the United States State Department: there is no indication that his dismissal or annulment of his appointment is accompanied by special guarantees. All this seems to show that the Ombudsman’s independence from the executive power is far from assured and that the internal mediation mechanism of the Privacy Shield does not provide means of recourse before a body that is sufficient to provide persons with guarantees equivalent to those required by Article 47 of the Charter.

It is for these reasons that the Commission has disregarded the requirements of Article 45, paragraph 1 of the Regulation, which was read in the light of Articles 7, 8 and 47 of the Charter, stating that Article 1 of the ‘Privacy Shield’ decision is incompatible with Article 45, paragraph 1, which is read in the light of Articles 7, 8 and 47 of the Charter, and that it is for that reason invalid.

Moreover, “since Article 1 of the ‘Privacy Shield’ decision is inseparable from articles 2 to 6, as well as its attachments, its disability has the effect of affecting the validity of that decision as a whole.”

In short, according to the Court, the “Privacy Shield” enshrines the primacy of the requirements related to national security, the public interest and compliance with US law, thus making possible interference in the fundamental rights of people whose data is transferred to that third country.

One last notation cannot fail to relate to paragraph 202 of the judgment, where the Court seems to be concerned about the legal loophole that the ruling immediately inaugurates and opens, and then basically… deny it. The Court argues in money that, in view of Article 49 of the Regulation, the annulment of the Privacy Shield would not be suitable to create such a legal loophole, since art. 49 establishes, precisely, under what conditions personal data transfers may take place to third countries in the absence of a decision on adequacy ex 45.3 or appropriate guarantees ex art. 46 of the Rules.

Now, reserving ourselves to sift through the possible remedies to what is (and remains, with good peace of the Court of Justice) a dramatic chasm, do we really think that we can bridge/overcome it with the lifesaver of the insegas? After all, what is the physiological limit of the use of exemptions? And how can we reconcile it with the likely characteristics/types of the vast majority of personal data treatments involved in transfers to companies already members of the Shield?

Now the hunt for interim solutions will open up and the fear is that – until new decisions of adequacy that, however, are far from coming – millions of companies/operators risk being stuffed into a pitiful cul de sac.


Recommended to you

Advanced Research