The Court of Justice of the European Union has struck down the current mechanism for EU-US data flows on the grounds that the United States does not provide adequate data protections.
The Privacy Shield agreement was swiftly negotiated in 2016 to replace the previous transatlantic pact, Safe Harbor, which the court also declared invalid. Privacy Shield is used by many US-based tech companies, like Facebook, to transfer personal data from Europe to the United States for processing.
EU national Maximilian Schrems has challenged the legitimacy of the mechanism, arguing that US mass surveillance activities, which were very publicly detailed by Edward Snowden, violate the fundamental rights of EU citizens to privacy and are against the EU’s national interests.
The landmark judgement, delivered on Thursday, states that the US government may indeed pry into personal data held on US servers, citing national security or law enforcement requirements. The court ruled that the establishment of a Privacy Shield Ombudsperson position cannot make up for that intervention.
#ECJ: the Decision on the adequacy of the protection provided by the EU-US Data Protection Shield is invalidated, but @EU_Commission Decision on standard contractual clauses for the transfer of personal data to processors established in third countries is valid #Facebook #Schrems pic.twitter.com/BgxGAvuq3T — EU Court of Justice (@EUCourtPress) July 16, 2020
This effectively means the Court of Justice does not believe that the data of EU nationals is being held and protected in the US under the same restrictions as it would be under EU rules.
The decision paves the way for European regulators to declare all data flows relying on the Privacy Shield framework unlawful.
“It is clear that the US will have to seriously change their surveillance laws, if US companies want to continue to play a major role on the EU market,” Schrems said of the ruling.
“As the EU will not change its fundamental rights to please the NSA, the only way to overcome this clash is for the US to introduce solid privacy rights for all people – including foreigners. Surveillance reform thereby becomes crucial for the business interests of Silicon Valley.”
Privacy Shield appeared after Schrems challenged the validity of Safe Harbor in courts in 2013 following Snowden’s revelations about the National Security Agency. That case was called Schrems I, and the latest one is titled Schrems II.
The campaigner, a Facebook user, argued at the time that the company’s transfer of his data from its subsidiary in Ireland to the parent company in California failed to respect his privacy.
When the Court of Justice invalidated Safe Harbor, Facebook resorted to so-called standard contractual clauses (SCCs) to operate in the EU (something other tech companies can do until a new data protection mechanism is negotiated). SCCs are contracts for data transfer signed between the EU and non-EU countries if the European Commission decides that those countries provide sufficient safeguards on data protection.
Thursday’s decision by the court did not invalidate the SCCs as it did with Privacy Shield, although it agreed that European regulators (DPAs) must review the existing SCCs and intervene if they feel that data protection in those third countries is not duly enforced.