Europe's highest court rules that data protection arrangement between EU and US is invalid

The US Secretary of Commerce Wilbur Ross said his department was “deeply disappointed” by the court ruling.

Max Schrems outside Dublin's Four Courts (file photo)
Image: Leah Farrell/RollingNews.ie

Updated Jul 16th 2020, 6:45 PM

THE EUROPEAN COURT of Justice (ECJ) has ruled that a key arrangement designed to protect EU citizens’ personal data when it is transferred to the US is invalid.

In a ruling this morning, the court found that Privacy Shield, a data protection agreement between the EU and the US, is invalid.

Under US law, some companies, including Apple, Microsoft, Facebook, Google and Yahoo, can provide data to the US government for surveillance programmes.

However, under the EU’s Charter of Fundamental Rights, every citizen is entitled to have their personal data protected, which is underpinned by GDPR.

The ruling was made following a case taken by Austrian privacy lawyer Max Schrems, who took the case to highlight the gulf between these two things.

It is expected to have significant implications for personal privacy policies and trans-Atlantic business. In a statement this afternoon, the US Secretary of Commerce said his department was “deeply disappointed” by the ruling. 

The case was first brought to the Irish High Court after Schrems complained to the Data Protection Commissioner (DPC) about Facebook’s use of standard contractual clauses (SCC) to transfer personal data to the US.

SCCs are used by companies to transfer data to countries where the General Data Protection Regulation (GDPR) does not apply.

In its ruling, the ECJ said that although SCCs were still valid, the Privacy Shield agreement was not.

In a statement this afternoon, the Data Protection Commission said it “strongly welcomes” the ruling. 

It said the ruling “firmly [endorses] the substance of the concerns expressed by the DPC (and by the Irish High Court) to the effect that EU citizens do not enjoy the level of protection demanded by EU law when their data is transferred to the United States”.

“While the judgment most obviously captures Facebook’s transfers of data relating to Mr Schrems, it is of course the case that its scope extends far beyond that, addressing the position of EU citizens generally.

“The Court also agreed with the DPC’s view that, whatever mechanism is used to transfer data to a third country, the protection afforded to EU citizens in respect of that data must be essentially equivalent to that which it enjoys within the EU.” 

In a statement, Schrems described the court’s ruling as “a total blow” to the DPC and Facebook.

“It is clear that the US will have to seriously change their surveillance laws, if US companies want to continue to play a role on the EU market,” he said.

He also said that the court had put an end to the unlimited discretion of DPAs not to act upon complaints they receive about companies like Facebook.

“The Court is not only telling the Irish DPC to do its job after seven years of inaction, but also that DPAs have a duty to take action and cannot just look the other way,” he said.

“This is a fundamental shift going far beyond EU-US data transfers. Authorities like the Irish DPC have so far undermined the success of the GDPR. The Court has clearly told the DPAs to get going and enforce the law.”

Privacy Shield

The case originally focused on SCCs, an EU invention in which companies outside Europe commit to meeting EU laws on data and privacy.

It was first taken in the Irish courts, because Facebook’s European headquarters is based in Dublin, meaning the company is also regulated by the DPC.

The DPC subsequently referred the complaint to the Supreme Court, which in turn referred it to the ECJ.

In its ruling this morning, the ECJ struck down Privacy Shield, saying it failed to provide Europeans with safeguards against US surveillance and security laws.

The arrangement, which is currently used by over 5,000 US companies, was made to provide firms with a mechanism to comply with data protection requirements when transferring personal data across the Atlantic.

It was created following another case taken by Schrems in 2015 against a similar arrangement, known as Safe Harbour, which tech giants like Facebook depended on to do business. That case saw Safe Harbour ruled invalid as well.

During the latest hearings, judges took a special interest in Privacy Shield, with a legal advisor to the court warning that the mechanism may be illegal, just like Safe Harbour.

Both cases stemmed from revelations by Edward Snowden in 2013 of mass digital spying by US agencies at a time when increasing amounts of personal data were being collected by big tech firms.

Schrems believes that this has a detrimental impact on the privacy of European citizens who used these companies, which include Apple, Microsoft, Facebook, and Google.

Today, the ECJ’s judges said that even though Privacy Shield requires that the US must comply with EU privacy law, its provisions “do not grant Europeans actionable rights before the courts against the US authorities.”

The court said, however, that SCCs could stand, giving companies an alternative framework with which to comply.

US reaction

US Secretary of Commerce Wilbur Ross said his department is studying the decision to “fully understand its practical impacts” but added they were “deeply disappointed” with the ruling.

“We have been and will remain in close contact with the European Commission and European Data Protection Board on this matter and hope to be able to limit the negative consequences to the $7.1 trillion transatlantic economic relationship that is so vital to our respective citizens, companies, and governments,” Ross said. 

CCIA, the lobby for US big tech, criticised the decision, “which creates legal uncertainty for the thousands of large and small companies on both sides of the Atlantic.”

“We trust that EU and US decision-makers will swiftly develop a sustainable solution, in line with EU law, to ensure the continuation of data flows which underpins the transatlantic economy,” CCIA added.

With reporting by © – AFP 2020
