EU Court Of Justice Deems Privacy Shield Unlawful
The EU-US Privacy Shield has been declared invalid, meaning it is now unlawful to transfer personal data to the USA using it. In a judgment announced today, the Court of Justice of the European Union (‘CJEU’) ruled that the Privacy Shield scheme for transfers of personal data from the EU to the United States is unlawful.
The decision follows a case brought by the privacy campaigner Max Schrems against Facebook Ireland, in which Facebook Ireland said it could not ensure adequate privacy protections for users in Europe with respect to their personal data sent to Facebook in the United States. This was due to the different nature of the US legal system’s rules on national security, privacy and data protection.
Max Schrems, an Austrian lawyer and privacy rights champion, first brought the case against Facebook in 2013 after the Edward Snowden leaks showed that tech giants were being obliged to grant the National Security Agency (NSA) access to their users’ data.
“The Court clarified for a second time now that there is a clash between EU privacy law and US surveillance law,” said Schrems in a statement on the ruling published by NOYB (None of Your Business, another name for the European Center for Digital Rights), which he co-founded.
“As the EU will not change its fundamental rights to please the NSA, the only way to overcome this clash is for the US to introduce solid privacy rights for all people – including foreigners. Surveillance reform thereby becomes crucial for the business interests of Silicon Valley.”
US firms previously resorted to using standard contractual clauses (SCCs) to authorize the transfer of data across the Atlantic following the ECJ’s 2015 decision to strike down Safe Harbor, another EU-US data transfer mechanism.
The EU-US Privacy Shield then emerged in 2016 with restrictions on US government access to EU citizens’ data and a mechanism through which EU citizens could submit complaints to a regulator.
Companies were also held liable if they transferred data to third parties that failed to adhere to the Privacy Shield’s terms.
However, the General Data Protection Regulation (GDPR), in force since 2018, has since raised the bar for complying with EU data privacy rules.
The ECJ said the Privacy Shield’s protections were not “essentially equivalent” to those required under EU law because “the surveillance programmes based on those provisions are not limited to what is strictly necessary”.
The court also ruled that “the provisions do not grant data subjects actionable rights before the courts against the US authorities”.
And an ombudsperson created to handle complaints under the mechanism potentially lacked the independence and authority “to adopt decisions that are binding on the US intelligence services”, said the ECJ.
The ruling can’t be appealed.
Big Tech pushback
The news will come as a blow to tech firms with a global userbase and a business model built on harnessing personal data. Facebook, for one, has consistently argued that striking down the Privacy Shield would disrupt transatlantic trade.
“There needs to be a different mindset to how the challenges of international transfers to the US are met, because failed schemes like this have significant impacts for individuals and for businesses,” said Stewart Room, global head of data protection and cybersecurity at DWF, a global law firm.
“As such, the EU-US Privacy Shield has been declared invalid and it can no longer be relied on as a lawful mechanism by which to legitimately transfer data to the US.”
Schrems said he was very happy about the judgement. “This is a total blow to the Irish DPC and Facebook,” he said. “It is clear that the US will have to seriously change their surveillance laws, if US companies want to continue to play a major role on the EU market.”