Pre-paid payment cards in a post-schrems world: a case study on the effects of the privacy shield principles
Author | Katherine E. Ruiz Díaz |
Position | Esq. is a practicing attorney in private practice, working on Commercial and Securities Law |
Pages | 86-106 |
PRE-PAID PAYMENT CARDS IN A POST-SCHREMS WORLD: A CASE STUDY ON THE EFFECTS OF THE PRIVACY SHIELD PRINCIPLES
KATHERINE E. RUIZ DÍAZ*
Introduction
I. Schrems and the E.U.-U.S. Privacy Shield Framework
   A. E.U.-U.S. Safe Harbor Privacy Principles and the Safe Harbor Decision
   B. Post Schrems and the New E.U.-U.S. Privacy Shield Framework
II. The Regulated World of the Pre-Paid Payment Card
   A. K.Y.B./K.Y.C. Regulations in the United States: Moving Towards Transparency
   B. K.Y.C. and Payment Services Regulation in the European Union
III. Pre-Paid Cards and Privacy Shield: Changing the Industry
Conclusion: Was Change Long Over Due?
INTRODUCTION
In October 2015, the Court of Justice of the European Union (CJEU or the Court) in Schrems v. Data Commissioner[1] completely changed how U.S. companies do business in the European Union (E.U.). The star of this case was Maximillian Schrems, a lawyer, Austrian citizen, and — more importantly — a Facebook user circa 2008. As is the case with other subscribers residing in the E.U., some or all the data provided by Schrems to Facebook was transferred from Facebook’s Irish subsidiary to servers located in the United States, where it was processed. In light of the revelations made in 2013 by Edward Snowden concerning the activities of the United States intelligence services (in particular the U.S. National Security Agency or N.S.A.), Schrems presented a complaint before the Irish Data Protection Commissioner, arguing that the law and practice of the United States did not offer sufficient protection against surveillance by the public authorities of the data transferred to that country.[2] The Data Commissioner rejected the complaint, on grounds that in the so-called Safe Harbor Decision,[3] the Commission considered that under the safe harbour scheme the United States ensured an adequate level of protection of the personal data transferred.[4]

* Katherine E. Ruiz Díaz, Esq. is a practicing attorney in private practice, working on Commercial and Securities Law. She received her B.A. from Boston University in 2014, and her J.D. from the University of Puerto Rico School of Law in 2017. This article was originally written for a seminar on International Business Transactions at the University of Puerto Rico School of Law, under the supervision of Prof. Luis A. Aviles, to whom she gives her thanks for his guidance.
[1] C-362/14, Schrems v. Data Protection Commissioner, 2015 E.C.R. 650 [hereinafter, Schrems].
[2] Id. ¶ 28.

University of Puerto Rico Business Law Journal, Vol. 9
Economic relations between the E.U. and the United States predate the European Economic Community, and their governmental institutions constantly encourage trade through bilateral trade agreements and government incentives.[5] As technology progressed and inevitably made its way into transnational and international business, customer data as an exchangeable commodity quickly emerged as key in the development of the industry. These developments brought implications on fundamental rights protected by E.U. and U.S. laws, namely, the rights to privacy. With this, along with the parallel experimental rise of modern terrorism and cybercrimes, it became imminent that such a market should be regulated.
When elaborating its decision in the Schrems case, the CJEU stated that no provision of the Directive[6] prevents oversight by the national supervisory authorities of transfers of personal data to third countries which have been the subject of a Commission decision; the Court alone has jurisdiction to determine the validity of a directive. The Court added that legislation permitting the public authorities to have access on a generalized basis to the content of electronic communications must be regarded as compromising the essence of the fundamental right to privacy. Thus, the Court declared the Safe Harbor Decision — and consequently, the Safe Harbor Privacy Principles — invalid.
The Schrems decision was praised by many as a milestone towards data protection reform and the human right to privacy. But human rights are not the only area of law that Schrems has directly affected. Data protection is an issue that goes beyond the arena of human rights, and spills over into, for example, the scope of international and transactional law. This decision has also had very specific consequences for many industries. The CJEU’s ruling in Schrems seriously complicated operations for U.S. companies that had relied on Safe Harbor Privacy Principles to do business. Compliance with Safe Harbor Principles was relatively easy, and provided a way for U.S. companies to transfer personal data between the United States and the E.U.[7] By finding the Safe Harbor Principles inadequate to protect the privacy of E.U. citizens, the Court’s decision stripped U.S. companies of the ability to transfer E.U. citizens’ personal data among E.U. Member States and the United States for commercial purposes. One

[3] Commission Decision 2000/520, 2000 O.J. (L 215).
[4] Id. ¶ 29.
[5] See, e.g., European Commission, Countries and regions: United States, (last updated Apr. 29, 2016), http://ec.europa.eu/trade/policy/countries-and-regions/countries/united-states/ (last visited Jun. 16, 2018); United States Mission to the European Union, Doing Business in the European Union, https://useu.usmission.gov/doing-business-local.html (last visited Jun. 16, 2018).
[6] Council Directive 95/46/EC, 1995 O.J. (L 281).
[7] See Sharon G. Lin, A new, “safer” harbor for personal data transfer?, N.C. J. INT’L L. (March 10, 2016 11:47 AM), http://blogs.law.unc.edu/ncilj/2016/03/10/a-new-safer-harbor-for-personal-data-transfer/ (last visited on Jun. 1, 2018).