Europe’s highest court today struck down the EU-US Privacy Shield agreement, overturning the legal basis that allows more than half a million US companies to exchange data with Europe.
In a 63-page judgment, the European Court of Justice (ECJ) ruled that Privacy Shield fails to ensure European citizens an adequate right of redress when their data is collected by the US National Security Agency (NSA) and other US intelligence services.
The court upheld the validity of another legal mechanism, standard contractual clauses (SCCs), which allow European companies to legally share data with the US and other countries – but added caveats to their use.
The decision will force the EU and the US back to the negotiating table to draft a version of Privacy Shield that gives EU citizens stronger privacy rights under US surveillance laws.
US Secretary of Commerce Wilbur Ross said the Department of Commerce was “deeply disappointed” with the decision to strike down Privacy Shield.
“We have been and will remain in close contact with the European Commission and European Data Protection Board on this matter and hope to be able to limit the negative consequences to the $7.1 trillion transatlantic economic relationship that is so vital to our respective citizens, companies, and governments,” he said.
Companies that rely on the Privacy Shield agreement to exchange data between the US and the EU as part of their international trade will face uncertainty and disruption as they seek other legal mechanisms to transfer data.
The case is the latest twist in a seven-year legal battle by Austrian lawyer Max Schrems against Facebook Ireland, over the legality of its transfer of personal data of its EU customers to the US.
“The court clarified, for a second time now, that there is a clash of EU privacy law and US surveillance law,” said Schrems. “As the EU will not change its fundamental rights to please the NSA, the only way to overcome this clash is for the US to introduce solid privacy rights for all people – including foreigners. Surveillance reform thereby becomes crucial for the business interests of Silicon Valley.”
Privacy Shield struck down
Today’s decision marks the second time the European court has struck down a data sharing agreement between the EU and the US.
The court found that Privacy Shield, like its predecessor Safe Harbour, which was struck down by the court in 2015, gave the requirements of US national security and law enforcement agencies priority over the rights of EU citizens.
Privacy Shield “condoned” interference with the fundamental rights of EU citizens when their data is transferred to the US, it said.
The European court found that US surveillance laws meant that the US did not offer privacy protections equivalent to those under EU law, ruling they were not proportionate and went beyond what was strictly necessary.
In particular, it found that US laws did not give EU citizens rights of redress through the courts if their data was misused.
The court disagreed with the European Commission that the Ombudsperson, set up in Privacy Shield to provide redress to EU citizens, provided effective redress for EU citizens.
It said the Ombudsperson mechanism “does not provide data subjects with any cause of action before a body which offers guarantees substantially equivalent to those required by EU law” and it failed to ensure that the Ombudsperson was independent or had the powers to make decisions that were binding on the US intelligence services.
SCCs given green light – with conditions
The court found that EU law, and the General Data Protection Regulation (GDPR) in particular, applies when companies transfer data to countries outside the EU, even where that data may be accessed by the receiving country’s public authorities for national security, defence and state security purposes.
People must be given “essentially equivalent protection” for their data when it is transferred to the US and other countries as they would receive in the EU under GDPR and the EU Charter of Fundamental Rights, which guarantees the right to respect for private life and communications and the right to protection of personal data.
SCCs are used to transfer data from the EU to some 180 countries, including Australia, Singapore, South Korea, Brazil, India and Mexico, according to the Business Software Alliance (BSA).
Although the court found that SCCs were legally valid, it said any data transfer agreements must take into account the legal system of the country receiving the data and any access governments or public authorities have to data on EU citizens.
The court said companies had a responsibility to ensure that the companies outside the EU they plan to share data with granted privacy protection equivalent to EU law.
The receiving company has to inform the data exporter of any inability to comply with the SCC and the company sending the data is obliged to suspend data transfers if EU privacy laws are breached, it said.
The court made it clear that data protection regulators would be required to act if companies transfer data to the US or other countries without meeting European privacy safeguards.
Data protection authorities (DPAs) are “required to suspend or prohibit a transfer of personal data to a third country” where they believe that country cannot comply with standard data protection clauses.
The court said that regulators must act if a company exporting the data has failed to suspend data transfers itself and that data protection cannot be ensured in any other way.
Tanguy Van Overstraeten, partner and global head of privacy and data protection at law firm Linklaters, said the decision would impact large companies, which make hundreds or thousands of data transfers through standard contractual clauses.
“Large companies have complex webs of data transfers to hundreds, if not thousands, of overseas recipients. The court has made it clear companies cannot justify them using a tick box exercise of putting SCCs in place. Instead, the risks associated with those transfers need to be properly assessed,” he said.
Van Overstraeten said it would become more difficult for companies to transfer data to countries with strong surveillance powers, including the US, India and China.
“Businesses will now look to EU regulators to propose some form of transition to allow them to move away from Privacy Shield without the threat of significant sanctions and civil compensation claims,” he said.
Max Schrems: Regulators must enforce the law
Schrems said the ruling had put an end to the discretion of data protection authorities to decide not to take action when data transfers are in breach of EU data protection law.
Schrems has been pressing the Irish Data Protection Commissioner (DPC) to take action against Facebook after filing a complaint in 2013 that Facebook Ireland was transferring personal data of EU citizens to Facebook Inc in the US, in breach of EU data protection and human rights law.
“Authorities like the Irish DPC have so far undermined the success of the GDPR by simply not processing complaints. The court has clearly told the DPAs to get going and enforce the law.”
He argued that US surveillance programmes, including the Prism programme exposed by whistleblower Edward Snowden, which collects data from communications service providers including Facebook, did not respect the privacy rights of non-US citizens.
“The court is not only telling the Irish DPC to do its job after seven years of inaction, but also telling all European DPAs that they have a duty to take action and cannot just look the other way. This is a fundamental shift going far beyond EU-US data transfers,” he said.
He said the decision meant Facebook would not be able to use SCCs for EU-US data transfers, and that if it continued to violate the law, the DPC would have to “take urgent action”.
Court decision will affect trade between EU and US
The Business Software Alliance, one of the parties to the case, said the court’s decision to invalidate Privacy Shield would create a barrier for electronic commerce between the US and the EU.
“Today’s Privacy Shield decision just removed from the table one of the few, and most trusted, ways to transfer data across the Atlantic,” said Thomas Boué, director general of the BSA.
“The impacts will be felt by large and small enterprises on both sides of the Atlantic, when businesses are focused on recovering from the economic impacts of Covid-19 and are increasingly relying on data-driven tools and services to do so,” he said.
Renzo Marchini, partner at law firm Fieldfisher, said that although businesses could continue to use SCCs, there was “a big but” – the court has made it clear that businesses will need to ensure that any country they transfer data to offers “essentially equivalent” protection to the EU.
“How is any European business – certainly smaller ones – supposed to do that?” he said. “This is crying out for urgent guidance from regulators. It is impractical for any but the largest businesses to do this assessment.”
It is difficult to see how regulators would be able to allow data transfers to the US under standard contractual clauses, following the court’s invalidation of Privacy Shield, said Marchini.
Caitlin Fennessy, research director at the International Association of Privacy Professionals, said the court’s decision would adversely affect US companies that receive data from the EU.
“Today’s decision effectively blocks legal transfers of personal data from the EU to the US. It will undoubtedly leave tens of thousands of US companies scrambling and without a legal means to conduct transatlantic business, worth trillions of dollars annually,” she said.
Max Schrems said today that industry lobbying groups had exaggerated the impact of the ruling on businesses, as in practice “necessary” data flows can still continue legally under article 49 of GDPR.
“This is a solid basis for most legal transactions with the US. In simple words, the US has now been brought back to the ‘normal’ situation that the EU has with most other third countries, but lost its special access to the EU market over US surveillance,” he said.
Companies may relocate data to Europe
Data flows between the US and the EU are unlikely to dry up immediately. It is likely that the European Commission will give companies that rely on Privacy Shield a grace period to make new arrangements.
Many companies are expected to switch from Privacy Shield to standard contractual clauses to continue to transfer data legally.
The European Commission is in the process of revising the SCCs to take account of GDPR, and confirmed it would modify them in light of the European court’s decision.
European Commission vice-president Věra Jourová said at a press conference today that the Commission would work with its US counterparts, including US Commerce Secretary Wilbur Ross and Attorney General William Barr, to develop a robust basis for EU-US data transfers.
Jonathan Kewley, co-head of technology at law firm Clifford Chance, said some companies were likely to respond by localising their data in Europe.
“What we are seeing here looks suspiciously like a privacy trade war, where Europe is saying its data standards can be trusted, but those in the US cannot,” he said. “We predict that the outcome could be more Europe data localisation, with more customer data staying in Europe as a result.”
Decision could affect EU-UK data transfers
Today’s decision is likely to impact data transfers between the EU and the UK following Brexit. Data transfers from the UK to the EU will be unaffected until 2024.
But it is not yet certain whether the EU will conclude that the UK offers EU citizens adequate protection for their data, given the UK’s surveillance law, the Investigatory Powers Act.
Daniel Tozer, head of data and technology at law firm Harbottle & Lewis, said the ability of companies to transfer data between the EU and the UK was uncertain following the judgment.
“This judgment raises questions about the UK’s ability to be awarded data protection ‘adequacy’ by the EU, given the UK’s own surveillance laws and its membership of the Five Eyes programme. Data transfers between the EU and the UK from 1 January 2021 could well become very challenging indeed,” he said.
Jim Killock, executive director of the Open Rights Group said that, following the judgment, the UK would have to choose between maintaining the high privacy standards of the EU or lower privacy standards of the US after Brexit.
“The UK’s surveillance regime will be questioned after this judgment, as Europe has rejected Privacy Shield precisely because of concerns over surveillance. Similarly, standard contractual clauses cannot now be relied on,” he said.
Irish DPC: Data transfers to US now ‘questionable’
The Irish Data Protection Commission, which referred the case to the European Court of Justice, said the decision supports the concerns of the regulator and the Irish High Court that EU citizens do not receive the level of protection demanded by the EU when their data is transferred to the US.
“While the judgment most obviously captures Facebook’s transfers of data relating to Mr Schrems, it is of course the case that its scope extends far beyond that, addressing the position of EU citizens generally,” it said in a statement.
Although the court found that SCCs were valid, their use to transfer personal data to the US was now questionable, the regulator, headed by Helen Dixon, said.
“This is an issue that will require further and careful examination, not least because assessments will need to be made on a case-by-case basis,” it said.
Facebook considers implications
Eva Nagle, associate general counsel for Facebook, said the social media network was considering the implications of the court’s decision to strike down Privacy Shield.
“We welcome the decision of the Court of Justice of the European Union to confirm the validity of standard contractual clauses for transfers of data to non-EU countries. These are used by Facebook and thousands of businesses in Europe and provide important safeguards to protect the data of EU citizens,” she said.