首页 500强 活动 榜单 商业 科技 领导力 专题 品牌中心
杂志订阅

用户数据不许被传送到美国?欧盟法庭裁定“隐私盾”无效

David Meyer
2020-07-22

欧洲法院近期做出一项重要裁决,可能使美国企业无法再为欧盟的用户提供服务。

文本设置
小号
默认
大号
Plus(0条)

如果一家美国企业有欧洲用户或客户,而且会将个人数据传到美国供企业使用,那么它就应该了解欧盟最高法院的动向。

因为欧洲法院(CJEU)近期做出了一项重要裁决。最后结果可能是企业无法再为欧盟的用户提供服务,即便不是现在,不远的将来也会发生。

隐私保护

如果美国企业利用欧洲用户的个人数据,那么就要提出合法理由。因为美国并没有欧盟级别强大的联邦隐私法(或者说根本没有全面的联邦隐私法)。

到目前为止,保持合法性最简单的方法就是加入所谓的“隐私之盾”成员,只要能自证遵守欧盟的规定即可。而“隐私之盾”是根据美国和欧盟2016年达成的同名跨大西洋协议制定。

如今当初的协议宣告结束。7月16日,欧盟委员会宣布取消协议并立即生效,主要有两个原因:一是即便相关企业已经是成员,协议并未阻止美国情报部门调用企业数据;二是欧盟公民在美国没有有效的申诉手段。

美国商务部的反应是,在某种意义上这仍然是商业问题。商务部对裁决发布了一份表示失望的声明,称将“继续管理‘隐私之盾’项目,包括处理提交给‘隐私之盾框架’的自证和重新证明,以及维护‘隐私之盾’成员名单。”

美国商务部还补充称,“当前的决定并不能免除企业参与‘隐私之盾’承诺的义务。”

而欧洲人却不敢苟同。套用巨蟒剧场《死鹦鹉》短剧的台词就是:“隐私之盾”已经死了;完了;离开了人世,谢幕了,给上帝唱诗去了。这是一份死协议。

因此,你可以继续遵守成员义务,尽可能尊重欧盟隐私法。但在欧洲人看来,从欧盟往美国传输数据传输不再合法。而之前加入“隐私之盾”就是为了让数据传输合法。

(不过,在美国遵守承诺可能仍然有法律上的原因。“如果参与隐私之盾的企业做出隐私承诺,那么不履行承诺就可能因为欺诈而受到处理。”Alston & Bird律师事务所的高级律师彼得•斯维尔说。)

7月16日,数据创新中心(Center for Data Innovation)的高级政策分析师艾琳•奇沃特在一份声明中详细介绍了影响:“这一决定对欧洲和美国5000多家将欧美隐私之盾作为跨大西洋数据传输法律依据的企业造成了严重冲击。如今数据传输的依据会立刻推翻,很多情况下欧美之间的数据传输将中止,而且多家企业并没有合适的替代方案。”

标准合同条款

但如果隐私之盾并不是数据传输唯一的法律依据呢?

Facebook(涉及此案)和微软之类的美国公司多年来一直依赖“标准合同条款”的机制。顾名思义,都是由欧盟委员会撰写已就绪的条款,概述了一系列符合欧盟严格的《通用数据保护条例》的权利和责任。

尽管法院可以撤销“标准合同条款”,但其并未这么做。

法院称,“标准合同条款”总体上没有什么问题,如果有企业违反相关条款或无法遵守相关规定,比如说因为企业无法阻止本国情报部门对数据进行大规模监视,法院则可以根据具体情况宣布条款无效。

这也是为何对Facebook以及其他依赖标准合同条款将欧洲数据传输到美国的美国大型科技公司来说,推翻隐私之盾体系是个问题。

2013年斯诺登事件曝光导致美国监控法做出了有限改革,但《外国情报监视法》(FISA)第702条仍然允许从大型科技公司大量收集非美国人的私人数据。

美国一些人认为,只有当相关机构真正查看数据时,监控才真正开始,而查看数据是更受限制的活动。但欧洲人认为,监控从收集就已经开始。所以在欧洲人看来,美国经常对欧洲人的数据进行大规模监控,而处理数据的美国公司对此无能为力。

这种现象已经非常严重,会破坏隐私之盾(及其前身安全港)。因此,如果Facebook等企业使用的标准合同条款受到欧盟隐私监管机构的挑战,很难想象将如何继续。

“尽管原则上标准合同条款体系将保留,刚开始已经签订的标准合同将保持有效,但必须由数据保护当局根据(欧盟法院)的裁决进行审查,如有必要予以暂停。”德国前数据保护主管彼得•沙尔在博客中写道。

现在怎么办?

当然,为欧洲人提供服务的美国企业并非每家都是Facebook或谷歌。如果并没有出现美国专门机构根据FISA第702条审查收集的数据,比如航空公司或零售商,那么仍然可以援引标准合同条款。

而现在最大的不同在于,必须首先说服欧盟隐私监管机构,欧洲客户的数据在美国并未受到监控。

“援引标准合同条款的数据出口商和进口商首先必须核实(数据流向国家)的保护水平。进口商还有义务向出口商报告出现的问题。”JMW律师事务所的合伙人托尼•维塔莱在一份声明中表示。

如果企业的业务中处理欧洲人的个人数据对履行用户合同属于“必要”,比如电子邮件提供商处理邮件数据,那么根据欧盟法律也没有问题。

“法庭明确强调,隐私之盾无效不会造成‘法律真空’,因为至关重要的数据流仍然可以继续。”在裁决通过后,提起诉讼的诉讼当事人马克斯•施雷姆斯发表声明称。

但无论规模大小,现在很多美国企业可能仍然在四处奔忙寻找法律解决方案,解决7月16日上午突然降临的问题。

目前唯一可靠且一劳永逸的解决方案就是修改美国隐私和监视法。估计硅谷很快就会加强相关方面的游说。(财富中文网)

译者:Feb

如果一家美国企业有欧洲用户或客户,而且会将个人数据传到美国供企业使用,那么它就应该了解欧盟最高法院的动向。

因为欧洲法院(CJEU)近期做出了一项重要裁决。最后结果可能是企业无法再为欧盟的用户提供服务,即便不是现在,不远的将来也会发生。

隐私保护

如果美国企业利用欧洲用户的个人数据,那么就要提出合法理由。因为美国并没有欧盟级别强大的联邦隐私法(或者说根本没有全面的联邦隐私法)。

到目前为止,保持合法性最简单的方法就是加入所谓的“隐私之盾”成员,只要能自证遵守欧盟的规定即可。而“隐私之盾”是根据美国和欧盟2016年达成的同名跨大西洋协议制定。

如今当初的协议宣告结束。7月16日,欧盟委员会宣布取消协议并立即生效,主要有两个原因:一是即便相关企业已经是成员,协议并未阻止美国情报部门调用企业数据;二是欧盟公民在美国没有有效的申诉手段。

美国商务部的反应是,在某种意义上这仍然是商业问题。商务部对裁决发布了一份表示失望的声明,称将“继续管理‘隐私之盾’项目,包括处理提交给‘隐私之盾框架’的自证和重新证明,以及维护‘隐私之盾’成员名单。”

美国商务部还补充称,“当前的决定并不能免除企业参与‘隐私之盾’承诺的义务。”

而欧洲人却不敢苟同。套用巨蟒剧场《死鹦鹉》短剧的台词就是:“隐私之盾”已经死了;完了;离开了人世,谢幕了,给上帝唱诗去了。这是一份死协议。

因此,你可以继续遵守成员义务,尽可能尊重欧盟隐私法。但在欧洲人看来,从欧盟往美国传输数据传输不再合法。而之前加入“隐私之盾”就是为了让数据传输合法。

(不过,在美国遵守承诺可能仍然有法律上的原因。“如果参与隐私之盾的企业做出隐私承诺,那么不履行承诺就可能因为欺诈而受到处理。”Alston & Bird律师事务所的高级律师彼得•斯维尔说。)

7月16日,数据创新中心(Center for Data Innovation)的高级政策分析师艾琳•奇沃特在一份声明中详细介绍了影响:“这一决定对欧洲和美国5000多家将欧美隐私之盾作为跨大西洋数据传输法律依据的企业造成了严重冲击。如今数据传输的依据会立刻推翻,很多情况下欧美之间的数据传输将中止,而且多家企业并没有合适的替代方案。”

标准合同条款

但如果隐私之盾并不是数据传输唯一的法律依据呢?

Facebook(涉及此案)和微软之类的美国公司多年来一直依赖“标准合同条款”的机制。顾名思义,都是由欧盟委员会撰写已就绪的条款,概述了一系列符合欧盟严格的《通用数据保护条例》的权利和责任。

尽管法院可以撤销“标准合同条款”,但其并未这么做。

法院称,“标准合同条款”总体上没有什么问题,如果有企业违反相关条款或无法遵守相关规定,比如说因为企业无法阻止本国情报部门对数据进行大规模监视,法院则可以根据具体情况宣布条款无效。

这也是为何对Facebook以及其他依赖标准合同条款将欧洲数据传输到美国的美国大型科技公司来说,推翻隐私之盾体系是个问题。

2013年斯诺登事件曝光导致美国监控法做出了有限改革,但《外国情报监视法》(FISA)第702条仍然允许从大型科技公司大量收集非美国人的私人数据。

美国一些人认为,只有当相关机构真正查看数据时,监控才真正开始,而查看数据是更受限制的活动。但欧洲人认为,监控从收集就已经开始。所以在欧洲人看来,美国经常对欧洲人的数据进行大规模监控,而处理数据的美国公司对此无能为力。

这种现象已经非常严重,会破坏隐私之盾(及其前身安全港)。因此,如果Facebook等企业使用的标准合同条款受到欧盟隐私监管机构的挑战,很难想象将如何继续。

“尽管原则上标准合同条款体系将保留,刚开始已经签订的标准合同将保持有效,但必须由数据保护当局根据(欧盟法院)的裁决进行审查,如有必要予以暂停。”德国前数据保护主管彼得•沙尔在博客中写道。

现在怎么办?

当然,为欧洲人提供服务的美国企业并非每家都是Facebook或谷歌。如果并没有出现美国专门机构根据FISA第702条审查收集的数据,比如航空公司或零售商,那么仍然可以援引标准合同条款。

而现在最大的不同在于,必须首先说服欧盟隐私监管机构,欧洲客户的数据在美国并未受到监控。

“援引标准合同条款的数据出口商和进口商首先必须核实(数据流向国家)的保护水平。进口商还有义务向出口商报告出现的问题。”JMW律师事务所的合伙人托尼•维塔莱在一份声明中表示。

如果企业的业务中处理欧洲人的个人数据对履行用户合同属于“必要”,比如电子邮件提供商处理邮件数据,那么根据欧盟法律也没有问题。

“法庭明确强调,隐私之盾无效不会造成‘法律真空’,因为至关重要的数据流仍然可以继续。”在裁决通过后,提起诉讼的诉讼当事人马克斯•施雷姆斯发表声明称。

但无论规模大小,现在很多美国企业可能仍然在四处奔忙寻找法律解决方案,解决7月16日上午突然降临的问题。

目前唯一可靠且一劳永逸的解决方案就是修改美国隐私和监视法。估计硅谷很快就会加强相关方面的游说。(财富中文网)

译者:Feb

If you're an American company with European users or customers, and you transfer their personal data to the U.S. for company use, you need to be aware of what just went down at the EU's top court today.

That's because the Court of Justice (CJEU) just made a huge ruling. The upshot: It's possible you will no longer be able to serve people in the EU—if not now, then in the not-too-distant future.

Privacy Shield

U. S. companies using Europeans' personal data need some sort of legal justification for doing so. That's because the U.S. lacks an EU-strength federal privacy law (or indeed any comprehensive federal privacy law at all).

By far the easiest way to keep things legal was to sign up to the so-called Privacy Shield register—essentially, self-certifying that the company will stick to EU rules. This register was created under a transatlantic deal of the same name, struck between the U.S. and EU in 2016.

That deal is now dead. The CJEU on July 16 canceled it with immediate effect, basically for two reasons: It didn't stop U.S. intelligence from poking around companies' data even if they were on the list, and there was no effective way for EU citizens to file a complaint about this in the U.S.

The U.S. Department of Commerce reacted by indicating it would be, in a sense, business as usual. In a statement expressing disappointment with the ruling, the department said it would "continue to administer the Privacy Shield program, including processing submissions for self-certification and recertification to the Privacy Shield Frameworks and maintaining the Privacy Shield List."

It added, "Today’s decision does not relieve participating organizations of their Privacy Shield obligations."

The Europeans beg to differ. To paraphrase Monty Python's Dead Parrot sketch, Privacy Shield has passed on; it has kicked the bucket; it has shuffled off its mortal coil, run down the curtain, and joined the bleeding choir invisible. It is an ex-agreement.

So you can continue to abide by the register's obligations—essentially, respecting EU privacy law as best you can—but that no longer means your EU-U.S. data transfers are legal in European eyes. Which was the whole point of the register to start with.

(There may still be a legal reason to keep those promises over in the U.S., though. "Companies that have made privacy promises under Privacy Shield could be subject to enforcement for deceptive practices if they do not live up to those privacy promises," said Peter Swire, a senior counsel at law firm Alston & Bird.)

Eline Chivot, senior policy analyst at the Center for Data Innovation, described the impact well in a statement July 16: "The decision delivers a severe blow to the operations of over 5,000 European and American companies who use the EU-U.S. Privacy Shield as the legal basis for transatlantic data transfers. It will immediately upend, and in many cases even halt, data transfers between the EU and the United States, leaving many businesses with no suitable alternative."

Standard contractual clauses

But what if Privacy Shield isn't your only legal basis for those transfers?

Some U.S. companies such as Facebook (the firm involved in this particular case) and Microsoft have for years also been relying on a mechanism called "standard contractual clauses," or SCCs. These are, as the name suggests, oven-ready clauses that the European Commission wrote, again outlining a range of rights and responsibilities in line with the EU's strict GDPR privacy law.

The court did not strike down SCCs, though it had the option to do so.

It said SCCs were fine in general because an EU privacy regulator can still invalidate them on a case-by-case basis if a company is breaking the clauses' terms or is unable to stick to them—because, say, it can't stop the intelligence services back home from conducting mass surveillance on the data.

This is where the striking-down of the Privacy Shield becomes a problem for Facebook and any other big American tech company relying on SCCs to send Europeans' data over to the U.S.

Although the Snowden revelations of 2013 led to some limited reforms in U.S. surveillance law, Section 702 of the Foreign Intelligence Surveillance Act (FISA) still allows for the mass collection of non-Americans' personal data from Big Tech firms.

Some in the U.S. argue that surveillance starts only when the agencies actually look at the data—which is a more restricted activity. But the Europeans see surveillance as starting at the point of collection. So in European eyes, the U.S. regularly conducts mass surveillance on Europeans' data—and there's nothing the U.S. companies handling that data can do about it.

That's serious enough to have scuppered Privacy Shield (and its predecessor, Safe Harbor), so it is difficult to see how the SCCs used by a company like Facebook can survive if challenged before an EU privacy authority.

"Although the system of standard contractual clauses will remain in principle and the standard contracts concluded will initially remain in force, they will have to be reviewed and, if necessary, suspended by the data protection authorities in the light of the [CJEU] ruling," wrote former German data protection chief Peter Schaar in a blog post.

So what now?

Of course, not every American company serving Europeans is a Facebook or Google. If you don't have U.S. agencies scrutinizing your data under Section 702 of FISA—if, for example, you're an airline or a retailer—then SCCs could still work for you.

The big difference now is that you'll first have to convince EU privacy regulators that European customers' data isn't subject to surveillance in the U.S.

"Data exporters and importers using the standard contract clauses must verify the level of protection in the [country where the data is going] first. The importer also has a duty to report any issues to the exporter," said Toni Vitale, a partner at JMW Solicitors, in a statement.

And if your processing of Europeans' personal data is "necessary" for the fulfillment of your user contracts—if you're an email provider handling emails, for example—then that's also automatically kosher under EU law.

"The court explicitly highlighted that the invalidation of the Privacy Shield will not create a 'legal vacuum' as crucially necessary data flows can be still undertaken," Max Schrems, the litigant who brought the case, said in a statement after the ruling came through.

But an awful lot of U.S. companies, big and small, are still likely to be flailing around now, looking for a legal solution to a problem that abruptly landed in their laps on July 16 morning.

The only reliable, long-term solution would be changes in U.S. privacy and surveillance law. Expect to see Silicon Valley's lobbying efforts step up on that front very soon.

财富中文网所刊载内容之知识产权为财富媒体知识产权有限公司及/或相关权利人专属所有或持有。未经许可,禁止进行转载、摘编、复制及建立镜像等任何使用。
0条Plus
精彩评论
评论

撰写或查看更多评论

请打开财富Plus APP

前往打开