Protection is guaranteed by the company hosting your personal data. The level of protection is governed by the legal framework of the country, as well as the specific contract or Terms & Conditions. When transferring data, it is therefore important to check the level of protection provided by the company in question.
Data transferred to French companies is carefully monitored and protected, which is very reassuring for users. French data hosting companies must conform to the French 1978 Data Processing, Files and Freedoms Act, European Directive 95/46/CE and Convention 108 established by the Council of Europe. In France, this legal framework is managed and enforced by the CNIL (Commission nationale de l’informatique et des libertés). In Europe, more and more countries are setting up similar independent data protection agencies. But, what about companies in non-European countries?
The situation is far less reassuring in relation to the recently signed UE-US Privacy Shield, which applies to data transferred from the European Economic Area to the United States. Negotiated in 2015-2016, it is based on specific commitments from the US government and a decision by the European Commission. On 12 July 2016, the commission accepted the terms, which, in theory, comply with level of protection applied within the European Union. Rather than an international treaty, it is a series of measures regulating data transferred from a EU member state to the United States, vital since October 2015 when the Safe Harbor was deemed invalid by the European Court of Justice.
From the very beginning, the agreement has received significant criticism. Max Schrems, the Austrian lawyer who destroyed Safe Harbor, put forwards his arguments against the Privacy Shield during the Cloud Independence Day, just before it was ratified. He declared that, “the Privacy Shield poses both commercial and public policy problems.” He criticized the commercial use of personal data and highlighted that European companies still don’t have the same rights as their American counterparts. Furthermore, he cast doubt on the impartiality of the designated mediator, who is responsible to the US Foreign Office. Max Schrems emphasized that the problem of mass surveillance remained unchanged given that the text keeps the 6 exceptions provided for in Safe Harbor: “detecting and fighting activities by powerful foreign powers; anti-terrorism; fighting nuclear armament; cybersecurity; detecting and fighting threats to the United States and armed allies; and fighting trans-national criminal threats,” which is incompatible with to the case-law of the European Court of Justice.
French companies are subject to diverse personal data regulations, CNIL control and monitoring by the Financial Markets Authority, as well as European personal data rules (GDPR), which from 2018 will impose serious sanctions for infringements to this legislation, as does the Privacy Shield.
Through its president Isabelle Falque-Pierrotin, the Article 29 Data Protection Working Party declared that the Privacy Shield represented a “major step forward” in personal data protection at a press conference in Belgium on 13 April 2016. However, the G29 also expressed some reservations and asked for clarification on certain points as, “it is difficult to understand all the documents and appendices. There isn’t just one document.” Falque-Pierrotin highlighted that the mass data surveillance carried out by US intelligence agencies, which undermined Safe Harbor, was still possible with the Privacy Shield. The European Court of Justice will give its verdict on the matter by the end of the year.
The G29 feel that the agreement does not provide enough guarantees in relation to the rights, powers and recourses of the ombudsperson. Despite representing major data protection advances, the agreement still raises numerous doubts, criticisms and points of clarification before users will be able to fully trust certified companies.
As a French company, Pomelo-Paradigm respects and protects your data.