Background of the case
The young Austrian Maximilian Schrems, a law student resident in Ireland, made a complaint in 2011 to the Irish Commissioner for Data Protection against the social network Facebook, over the transfer of his data from the servers of Facebook in Ireland to the servers of Facebook Inc. located in the United States for further processing.
In his claim, Schrems relied on the facts and evidence provided by Edward Snowden, through which the former agent revealed how the United States carried out global surveillance. He alleged that the United States did not offer adequate protection to the personal data it received from users in EU member countries, and did not even have a process for selecting and handling these data; rather, in its eagerness to fight terrorism, it took them in large quantities and processed them as such, using them for purposes other than those of which the users of the social network had actually been informed.
This motivated Schrems to request a ban on his data being transferred to the servers of Facebook Inc. The Irish body rejected Schrems’ request, based on Decision 2000/520/EC of July 26, 2000, considering that the United States ensured an adequate level of protection. However, Schrems appealed this decision to the highest court in Ireland, the High Court, which finally held that the United States interfered excessively with the personal data that was transferred to its territory.
The decision of the CJEU: the Schrems I judgment
The High Court asked the European Court to issue a preliminary ruling on whether Decision 2000/520/EC is valid and whether or not it prevents the national authorities of the countries of the European Union from properly supervising the personal data that is transferred from a European country (in this case, Ireland) to a third state. The European Court ruled that, although Decision 2000/520/EC states that the United States has an adequate level of protection, the national bodies responsible for protecting the data of their inhabitants are also empowered to carry out this control, although the invalidity of a Decision (in this case, the one adopted by the European Commission) can only be declared by the CJEU.
In ruling as it did, declaring the EC decision invalid, the European Court took into account not what was established by the Commission’s Decision but whether, in factual terms, the privacy of the data owners was protected when their data was transferred to the United States. In other words, when making such an assessment, the third country is not required to have a regulatory framework and a level of protection identical to those of the EU; what matters is that the third country provides an adequate protection framework for the data of the holders.
For all these reasons, it declared Decision 520/2000 invalid based on the following arguments:
1) That there was an interference with the right to privacy;
2) That said interference meant a violation of the essential content of the right to privacy.
Following the judgment issued by the CJEU that invalidated decision 520/2000 of the European Commission, known as “safe harbor”, regarding the transfer of data to the United States, the so-called decision 1250/2016, better known as “Privacy Shield”, was adopted within this framework.
The purpose of this decision is summarized as follows:
– It acknowledges that the EU-US Privacy Shield, comprising the privacy principles applicable to certified United States organizations (companies) and the related commitments made by the Department of Commerce and other United States authorities, provides an adequate level of protection for personal data transferred from the EU to these organizations.
– This means that personal data can be freely transferred to organizations in the United States included in the “Privacy Shield List”, which is prepared and published by the United States Department of Commerce.
– The application of the Privacy Shield guarantees the right to respect for privacy and the right to the protection of personal data of all persons in the EU whose personal data is transferred through the Privacy Shield.
– It also guarantees legal certainty for companies that rely on its application to transfer personal data from the EU to US organizations certified by the Privacy Shield.
This is precisely the decision that was declared invalid in the judgment in the Schrems II case, issued by the CJEU on 07/16/2020, which will be discussed later.
As discussed in a previous article[i], following the wave of strengthening and tightening of Community and national legislation initiated in the European Union in relation to the acquisition, use and management of personal data, many Latin American countries began to adapt their corresponding regulations to align with this international practice. This phenomenon is occurring not only at the regulatory level: public administrations have also begun to take measures along this line of protection.
In this regard, in Colombia, the Government made a call of a “preventive nature” to the virtual platform “Facebook”, on which a significant amount of user data is stored and processed. According to this order, Mark Zuckerberg’s company must implement “useful and effective security measures” in this country, within 4 months, in order to increase the protection of the personal data of Colombian users. It must not only implement these measures but also demonstrate compliance through a certification issued by an independent, impartial and professional entity specialized in information security, which may be chosen by the social network provided that the entity is not subordinate to it in any way.
Through this “tatequieto” (Colombian slang for “putting an end to a conduct”), the Superintendence of Industry and Commerce (SIC) aims to ensure the security of the personal data of more than 31 million Colombians who use the social network. Therefore, the measures taken by Facebook must be “appropriate, useful, effective and demonstrable” in order to comply with all the requirements of the principle and duty of security in Colombian regulation, preventing unauthorized or fraudulent access to, use of, consultation of, adulteration of or loss of its users’ data.
As mentioned at the beginning, this order is not unrelated to the changes taking place at the international level in this matter; it is connected to the facts, investigations and actions of data protection authorities in the United States, Ireland, Great Britain and France, among others, and is based on the fact that the protection of personal data is a constitutional and fundamental right in the Republic of Colombia. Therefore, it would not be a surprise if similar measures were taken in the future in other countries of the region.
[i] “Wave of Personal Data Updates in Latam”, by Maria Sol Porro, 29 January 2019 (link: https://www.moellerip.com/wave-of-personal-data-updates-in-latam/).