Tipsheet

EU Court Overturns US Data-sharing Arrangement, Says U.S. Violates Privacy Rights

U.S. companies that operate in the EU will have to adjust to a new data-transfer regime after a ruling by the Court of Justice of the European Union (CJEU) on Thursday overturned the U.S.-EU “Privacy Shield” agreement. “Privacy Shield” was developed by the U.S. Department of Commerce and the European Commission (EC) in 2016 to replace the contested “Safe Harbor” system.

“We will continue our work to ensure the continuity of safe data flows,” said EC Vice-President Jourová.

Schrems' earlier lawsuit overturned “Safe Harbor” in 2015, and “Privacy Shield” was instituted in its place, a system many privacy activists, including the American Civil Liberties Union, have criticized as “weak” and “cumbersome.”

Privacy advocate Max Schrems drove both data shields before the CJEU. Disturbed by the revelations of Edward Snowden in 2013 involving U.S. surveillance overreach, Schrems challenged Facebook as an alleged “prism” of the U.S. program. 

Over 5,000 companies participate in the “Privacy Shield,” a mechanism for protecting the data of European users when it is exported to a third country such as the United States. They rely on Standard Contractual Clauses (SCCs), essentially terms of use, to regulate the kinds of data that companies can transfer from European users to data centers in the U.S.

“We welcome the decision of the Court of Justice of the European Union to confirm the validity of Standard Contractual Clauses for transfers of data to non-EU countries,” said Facebook spokesperson Eva Nagle.

The court ruled that the current SCC and Privacy Shield mechanisms do not effectively shield data when the third country, in this case the U.S., does not enforce equally stringent data protections. Finding too broad the U.S. surveillance laws that allow access to otherwise protected data on national-security grounds, the court determined that the Privacy Shield permitted U.S. violation of European “fundamental rights.”

Regional regulators, many of whom are already overstretched, have a legal obligation to analyze and suspend data transfers that don’t comply with EU protections.

Secretary of Commerce Wilbur Ross expressed his disappointment at the court’s decision. “As our economies continue their post-COVID-19 recovery, it is critical that companies … be able to transfer data without interruption, consistent with the strong protections offered by Privacy Shield.”  

Thomas Boue of the Business Software Alliance told the Financial Times: “We are relieved that SCCs remain valid, which is a positive outcome. But today’s Privacy Shield decision just removed from the table one of the few, and most trusted, ways to transfer data across the Atlantic.”

Microsoft also affirmed that data transfers for commercial customers are still possible via SCCs, but noyb interprets the court ruling to read that SCCs do not protect from U.S. surveillance policy: “This is also not a 'half win,' as 100 percent of the outsourcing that may be subject to US surveillance is not allowed - no matter if under Privacy Shield or SCCs.”

Marieke Gehrmann and Fritz Ulli-Pieper at TaylorWessing explain that while the SCCs are “valid in principle,” companies “in individual cases” must ensure an “adequate level of protection.”

Last year, the EC met with the Department of Homeland Security to discuss methods of modernizing SCCs. 

EC leaders reassured constituents that the Commission plans to work with the European Data Protection Board and American agencies to develop a satisfactory data transfer mechanism.

Analysts and representatives from firms that deal in personal data admit that the implications of the ruling are still ambiguous. It could mean large tech companies like Facebook and Apple will have to establish data centers in Europe or withdraw their services from the region entirely. At minimum, companies will have to overhaul existing data transfer processes to ensure compliance with the EU’s stricter privacy protection guidance, disrupting and perhaps contracting their European operations. Some data flows that involve explicit user consent, such as information given to book a hotel room, will not be affected.