Essentially, The Court is allowing third parties (in this case 'countries as a third party') to provide a contract with users that is supposed to afford the same protections as the GDPR but here in the US and other countries.
Really?
My interpretation of this new decision is that they are now creating a loophole to allow the "Terms of Agreement" to function as a "privacy shield".
Does this really sound like data protection?
My experience with the terms of agreement is that users don't read them and website owners use the terms to hide protection for themselves. How will relaxing the privacy shield policy make a user's data more safe?
I think we're headed for trouble by turning over the power to create individual, contractural agreements for users that come from website owners (whether they are tech giants or small businesses).
The good, the bad and the sleazy
Generally, I believe most websites will try their best to comply with GDPR and provide their users with the information they need regarding the transfer of their data.
It's also possible that some websites won't know what they are supposed to do; or how to provide the necessary information to their users. This begs the question: Should service providers rely on the site owners to comply or are they ultimately responsible?
And I also believe there are those companies that will throw in some legal gymnastics into the "terms" and then we will be right back where we started before GDPR.
This is only an opinion
There is a lot of room for interpretation of this decision and how it will affect users in the future. My hope is that, those of us in the software development community will see this as a potential red flag. We ultimately represent the users - especially those users who don't know they have rights regarding their data; or how to protect their data even when notified through a 'terms of agreement contract'.
Oldest comments (2)
We will see how this decision will be interpreted in courts. In general, GDPR was impossible to adhere to when not hosting in the EU. So the general notion to ratify other countries after vetting their according laws is the right way. As the US currently does not fulfill these requirements, but e.g. California is close to it, we will see what that means for a general assessment of US privacy laws in the eye of the EU.
Here is what we did preparing. Our lawyers still not sure how to proceed. We implemented a Data Governance feature in ConfigCat, so customers can decide if they want to their data distributed globally or only in the EU based CDN. Being a European comapny we reviewed all our sub-contractors an swaped the ones who fall under the FISA 702 regulations. Not sure what else to be done. Seems like we are going to face region based data handling issues more often in the future. configcat.com/blog/2020/11/28/eu-u...