Israel’s Privacy Protection Authority declared on September 29 that cross-border data transfers between Israel and the US can no longer rely on the EU-US Privacy Shield, a cross-border data transfer agreement between the EU and the US that was struck down by the European Court of Justice in July.
How Israel used Privacy Shield: Israel’s privacy laws allow for the transfer of data from Israel to countries that are party to a European Convention, or countries that receive data from other EU countries. Since the Privacy Shield basically allowed the US to receive Europeans’ data, by extension Israel’s privacy laws allowed for the transfer of data to the US.
What is Privacy Shield, and why it was struck down: To understand why Privacy Shield was adopted, and later struck down, one has to go back two decades to the beginning of how the transfer of data between the EU and the US has been governed. Here’s a timeline of how the Privacy Shield was formed and later struck down:
- Between 2000 and 2015, companies sending data from the EU to the US had to adhere to a set of principles known as “Safe Harbor”, meaning that US companies could transfer Europeans’ data to their country as long as they ensured adequate levels of data protection. However, “Safe Harbor” was challenged in 2013 after whistleblower Edward Snowden’s revelations that the US was involved in large-scale surveillance of its citizens.
- In October 2013, Maximilian Schrems, an Austrian, filed a complaint against Facebook with Ireland’s data protection authority, claiming that his data with Facebook was not safe since the US did not offer adequate levels of protection against access by public authorities. Following this, in 2015, the European Court of Justice declared Safe Harbor invalid (Schrems I judgement).
- After Safe Harbor was invalidated, the two regions came up with the “Privacy Shield” arrangement, which had additional protections compared to Safe Harbor. However, in July this year, in continuation of Schrems I, the CJEU ruled that Privacy Shield too was invalid, again due to the same concerns — that the data of European users was possibly being exposed to US government surveillance (Schrems II judgement).
Switzerland’s Privacy Shield agreement with the US also fell through: Like the EU, Switzerland also had a separate Privacy Shield agreement with the US. However, in the aftermath of the Schrems II judgement, Switzerland concluded that the Swiss-U.S. Privacy Shield Framework did not provide an adequate level of protection for data transfers from Switzerland to the United States.
Facebook warns of pulling services in the EU if regulators suspend data transfers: After the Privacy Shield was struck down, Ireland’s data protection authority issued a preliminary order to Facebook to suspend data transfers to the US. However, Facebook retaliated by saying that it cannot see how it can continue operating in the European Union if the regulators’ proposal to suspend overseas data transfers between the EU and the United States is implemented.