Trouble for Global Data Exchange: EU Court Strikes Down "Privacy Shield"

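On July 16, 2020, the Court of Justice of the European Union (CJEU) issued its highly anticipated ruling in Data Protection Commissioner v. Facebook Ireland and Maximillian Schrems (Schrems II). The case focused on the validity of two key data transfer mechanisms: standard contractual clauses (SCCs) and the EU-U.S. Privacy Shield. Both are widely used by U.S. businesses to comply with the EU's laws on transferring personal data to countries outside the EU. In considering the effectiveness of data protection in cross-border data transfers, the decision dealt a decisive blow to U.S. companies that rely on Privacy Shield by invalidating that mechanism. The Court upheld the validity of SCCs but imposed new obligations on organizations around the world that engage in data transfers with the EU.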

In the Beginning: Schrems' Complaint Against Facebook
The EU General Data Protection Regulation (GDPR) prohibits the transfer of personal data to non-EU countries that do not provide an adequate level of protection for personal data under applicable national law. Data exporters, therefore, must identify and use transmission methods that are compliant with GDPR. Two of these methods for U.S. companies are SCCs and Privacy Shield.

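Austrian privacy advocate Max Schrems filed a complaint against the U.S. social media company Facebook with the Data Protection Commissioner (DPC) of Ireland, where Facebook is established. The complaint challenged Facebook's transfer of data from servers in Ireland to servers in the United States. Schrems maintained that U.S. law fails to adequately protect the data privacy of EU consumers, arguing that once EU data is transferred, there is a risk that the U.S. government will access and process it. Schrems also claimed that there is no legal remedy to ensure that EU data is protected once it has been transferred to the United States.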

The DPC brought proceedings against Facebook in the Irish High Court, which, in turn, referred questions to the CJEU for a preliminary ruling, including questions regarding the validity of the EU-U.S. Privacy Shield and SCCs.

Although the original complaint was directed at Facebook, the Schrems II decision affects businesses around the world.

The Decision
The focus of the CJEU's decision in Schrems II was whether the data transfer mechanisms used to establish "adequate protection" of personal data transferred from EU data exporters were successful. The decision considered two major mechanisms: the EU-U.S. Privacy Shield, which the CJEU found to be invalid, and SCCs, which were upheld, but face major hurdles.

Privacy Shield
In October 2015, the CJEU, in Schrems v. Data Protection Commissioner (Schrems I), invalidated the commercial data transfer agreement between the EU and the U.S. known as the "Safe Harbor" arrangement. In Schrems I, the Court held that the Safe Harbor arrangement was inadequate to protect the data privacy of EU consumers. In February 2016, a political agreement known as the EU-U.S. "Privacy Shield" was jointly proposed by the European Commission and the Obama Administration. The Privacy Shield agreement was created to replace Safe Harbor and to serve as the basis for the European Commission's decision that the U.S. has an adequate system regarding data protection, government surveillance, and consumer privacy. Privacy Shield allows for the transfer of personal data from the EU to U.S. companies who self-certify compliance with certain privacy standards.

The CJEU found that, because U.S. national security, public interest, and law enforcement have "primacy" over the data protection principles of the EU-U.S. Privacy Shield, the level of protection afforded to EU users does not meet the level of privacy protection guaranteed in the EU by the GDPR.

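The Court held that U.S. law does not take the principle of proportionality into account and does not limit data collection to what is necessary. In addition, the Court found that EU users have no actionable rights in U.S. courts. Although the U.S. launched an "ombudsperson" program as an additional way for all EU data subjects to address the transfer of their data from the EU, the CJEU rejected the argument that the ombudsperson program satisfies the GDPR right to judicial protection. The Court found that the program does not provide EU users with a cause of action substantially equivalent to those offered by European law and that the ombudsperson "cannot be regarded as a tribunal."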

With the invalidation of the Privacy Shield, over 5300 U.S.-based companies who rely on the Privacy Shield for compliance are no longer permitted to transfer personal data from organizations located in the EU.

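Standard Contractual Clauses
SCCs are a set of template contract terms that have been approved by the European Commission and are agreed to by the data exporter and the data importer. SCCs require the parties to make certain commitments to protect the privacy rights of the individuals whose data is transferred.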

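The CJEU held that SCCs for the transfer of personal data remain valid. However, the Court added a step, finding that the context of each transfer must be assessed before the transfer may take place. This includes assessing: the laws of the recipient's country; the nature of the data transferred; the privacy risks to the data; and any additional safeguards the parties have adopted to ensure that the data will be adequately protected under EU law.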

The Court also held that data importers must inform exporters of any inability to comply with the standard data protection clauses.

Implications of the Decision
The impact of the Schrems II decision will be far-reaching and, in the short term, the ruling stands to significantly disrupt EU-U.S. personal data transfers and the businesses that rely on them. Companies that rely on the Privacy Shield need to identify an alternative data transfer mechanism, like SCCs, to continue business as usual. While a grace period for enforcement may be granted, the need for such organizations to implement alternative mechanisms is urgent. The GDPR allows for fines in the amount of 4% of a company's global revenue. Although these fines have not yet been imposed, companies face considerable risk if they fail to address the Schrems II decision.

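It is important to remember that SCCs remain valid, although companies that rely on them bear a heightened responsibility to ensure an "adequate level of protection" for personal data as required by EU law. These organizations will have to monitor the relevant policies of countries' legal systems to comply with the ruling on SCCs and, where necessary, suspend data transfers.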

While Schrems II struck a blow to one data privacy compliance mechanism, the U.S. and the EU have a proven history of working together to resolve data protection issues. As with the invalidation of the Safe Harbor agreement in 2015, both the U.S. and EU have a strong interest in finding a successor agreement to Privacy Shield. Whether the CJEU's objections to the protection that Privacy Shield provides for EU users' data can be sufficiently addressed remains to be seen.
