Är slutet nära för Privacy Shield? - En analys av huruvida Privacy Shield-beslutet är förenligt med det europeiska dataskyddet

Sammanfattning: With the fast development in information technology, personal data is increasingly being processed and interchanged cross-border. Processing and transfer of personal data is associated with a risk that the individual's privacy protection is disregarded. The EU has strong data protection legislations and a strong protection of the personal data of EU citizens. The U.S. does not have as strong data protection legislation. The U.S. is at the same time an important trading partner and both the EU and the U.S. have an interest in a system which enables transferral of personal data from the EU to the U.S. Transfers of personal data to a third country may take place after the European Commission finds that the third country ensures an adequate level of protection. This was done by the Commission and it decided, together with the Department of Commerce (DoC), on a framework called the EU-US Safe Harbor. The Safe Harbor allowed transfers from the EU to U.S. organizations, provided that the organizations joined the framework and thus ensured that they adhered to the Safe Harbor Principles. In a case in the Court of Justice of the European Union, Maximilian Schrems got the Safe Harbor decision void. The Court declared that the Commission did not provide sufficient reasons that the U.S. ensured an adequate level of protection, which meant a level of protection of fundamental rights essentially equivalent to what is guaranteed in the EU legal order. The Commission, together with the DoC, implemented a new decision — the Privacy Shield. The decision is an updated version of the Safe Harbor and it is presently valid. It consists of a number of principles about how personal data transferred from the EU to the U.S. should be treated and different oversight and enforcement mechanisms to ensure compliance with the principles. Although the Privacy Shield is an updated version of the Safe Harbor, it is not certain that the decision is compatible with European data protection. It is a complex decision and it is difficult for both companies and individuals to apply the decision. The lack of clarity has a negative impact on the data subjects’ rights. The Privacy Shield was adopted when the Data Protection Directive was in force. The General Data Protection Regulation (GDPR) came into force in May 25, 2018, and is applicable in all EU countries. However, companies established outside the Union, which inter alia offer goods and services to registered persons in the EU, are covered by the regulation. The GDPR is more detailed and complex than the Data Protection Directive, and the Privacy Shield Principles need to be updated, in order to comply with the GDPR. Schrems has once again attempted to have the decision on the transfer of personal data between the EU and the United States annulled, this time the Privacy Shield decision. Schrems means it does not maintain sufficient protection for the rights of EU citizens. The case has not yet been decided, but it shows that the question is highly relevant.