EU-US Privacy Shield data-sharing framework declared invalid by ECJ

‘The only way to overcome this clash is for the US to introduce solid privacy rights for all people,’ one digital rights expert argues

The European Union’s highest court has annulled the ‘EU-US Privacy Shield’, after ruling that the transatlantic data-transfer mechanism fails to safeguard the data privacy rights of EU citizens.

Announced today (July 16), the landmark decision means that companies seeking to transfer the personal data of EU-based customers to the US must instead sign legal contracts similar to those used by other countries.

Called Standards Contractual Clauses (SCCs), these EU-sanctioned, non-negotiable contracts were deemed valid in the EU Court of Justice (ECJ) ruling.

Max Schrems, an Austrian lawyer and privacy rights champion, first brought the case against Facebook in 2013 after the Edward Snowden leaks showed that tech giants were being obliged to grant the National Security Agency (NSA) access to their users’ data.

“The Court clarified for a second time now that there is a clash between EU privacy law and US surveillance law,” said Schrems in a statement on the ruling by NOYB – aka None of Your Business, another name for the European Center for Digital Rights – which he co-founded.

“As the EU will not change its fundamental rights to please the NSA, the only way to overcome this clash is for the US to introduce solid privacy rights for all people – including foreigners. Surveillance reform thereby becomes crucial for the business interests of Silicon Valley.”

Data transfer

US firms previously resorted to using SCCs to authorize the transfer of data across the Atlantic following the ECJ’s 2015 decision to strike down Safe Harbor, another EU-US data transfer mechanism.

The EU-US Privacy Shield then emerged in 2016 with restrictions on US government access to EU citizens’ data and a mechanism through which EU citizens could submit complaints to a regulator.

Companies were also held liable if they transferred data to third parties that failed to adhere to the Privacy Shield’s terms.

However, the General Data Protection Regulation (GDPR), in force since 2018, has since raised the bar for complying with EU data privacy rules.

The ECJ said the Privacy Shield’s protections were not “essentially equivalent” to those required under EU law because “the surveillance programmes based on those provisions are not limited to what is strictly necessary”.

The court also ruled that “the provisions do not grant data subjects actionable rights before the courts against the US authorities”.

An ombudsperson created to handle complaints under the mechanism potentially lacked the independence and authority “to adopt decisions that are binding on the US intelligence services”, said the ECJ.

The ruling can’t be appealed.

Big Tech pushback

The news will come as a blow to tech firms with a global userbase and a business model built on harnessing personal data. Facebook, for one, has consistently argued that striking down the Privacy Shield would disrupt transatlantic trade.

“There needs to be a different mindset to how the challenges of international transfers to the US are met, because failed schemes like this have significant impacts for individuals and for businesses,” said Stewart Room, global head of data protection and cybersecurity at DWF, a global law firm.

“Businesses will be asking themselves, ‘What is next?’ There are other countries that pose challenges to privacy rights and data protection and they raise obvious questions about the potential for other legal action.”

Read more of the latest data privacy news

These problematic countries could include the UK, now a former EU member, according to Vitale, partner and head of data protection at UK-based JMW Solicitors.

“Post Brexit, the UK could be deemed to have inadequate protection given the lack of judicial oversight over the security forces, and this could this lead to a ban on exports of data from the EU to the UK in the future,” he said.

Deciding “which alternative legal mechanism to rely on”, said Vitale, is “something easier said than done given the EU’s issues with the US privacy legal system”.

He suggested that “data exporters and importers using the standard contract clauses must verify the level of protection in the third country first”, while the “the importer also has a duty to report any issues to the exporter.”

Thomas Boué, director general of EMEA policy at the Software Alliance, also known as BSA, said: “Today’s ECJ decision creates a challenge for more than 5,300 US-based companies – including over 250 with headquarters in Europe – that relied on the Privacy Shield to transfer personal data to and from Europe.

“70% of the companies certified to the Privacy Shield were SMEs, and they will now have to spend time and resources finding alternatives to carry out daily business transactions like processing payroll, sending emails, or storing documents on cloud-hosted servers.”

NOYB has published the ECJ’s full judgement on its website.

RECOMMENDED Remote working during coronavirus pandemic leads to rise in cyber-attacks, say security professionals