
New standards in personal data protection
In accordance with Polish law, the premise for legalizing such transfers may be, for example, a contract between the data controller and a given person, the individual consent of GIODO for a particular company (to obtain this consent, the company will have to demonstrate that it has provided adequate privacy protection standards), the introduction of binding corporate rules (approved by GIODO) or standard contractual clauses approved by the European Commission. Given that US companies are accustomed to self-regulatory programs, in the longer term they may adopt the use of data protection instruments, such as binding corporate rules or standard contractual clauses.
Terra incognita
The CJEU judgement paves the way for inspections to be carried out by the European personal data protection authorities. These authorities may be of the opinion that no contractual obligations (standard contractual clauses or binding corporate rules) will protect Europeans against mass surveillance on the part of the United States. This surveillance may result in decisions prohibiting particular companies from transferring data to the US. In this sense, the legal risk of activities conducted by companies with headquarters overseas is elevated. This may result in the improvement of data protection standards, with companies ensuring the adequate and appropriate supervision of their processing, but it can also be expected that some European data protection authorities – despite having doubts – will make the decision to allow transfers. At that point, the practical implications of the CJEU judgement will only concern the procedure for determining the legal basis for data transfer. At present it is hard to predict which scenario will come to pass.
The CJEU decision also has political significance. It could present a huge obstacle to the transmission of data, should the Americans not choose to enhance their protection standards. The influence of the judgement on negotiations under the TTIP agreement between the US and the EU could also be considerable. The agreement, which is intended to standardize regulatory norms, will also have to deal with the standardization of privacy rules on both continents.
We have set sail from the 'Safe Harbour' into uncharted waters. Now anything is possible.