EU-US data transfers at critical risk as ECJ invalidates Privacy Shield

The main entrance to the European Court of Justice (ECJ) in Luxembourg, 19 December 2019. [EPA-EFE/JULIEN WARNAND]

The EU-US Privacy Shield agreement that attempts to guarantee the secure transmission of EU data to the United States, has been declared invalid by the European Court of Justice, in a ruling that will provoke major disruption to transatlantic data flows.

The ruling by Europe’s highest court on Thursday (16 July) found that the scope and pervasiveness of the US surveillance framework does not allow for a sufficient degree of protection for European data, putting it at a risk that would violate rights afforded to citizens under the EU’s general data protection regulation (GDPR).

“The limitations on the protection of personal data arising from the domestic law of the United States on the access and use by US public authorities of such data transferred from the European Union to that third country…are not circumscribed in a way that satisfies requirements that are essentially equivalent to those required under EU law,” the court found, adding that the domestic law in this regard refers to US surveillance programmes.

The ruling is a big win for Austrian Privacy activist Max Schrems, a defendant in the case, who had argued that the Privacy Shield does not provide for adequate protection of EU data.

“I am very happy about the judgment. It seems the Court has followed us in all aspects. This is a total blow to the Irish DPC and Facebook,” a statement from Schrems read on Thursday.

“It is clear that the US will have to seriously change their surveillance laws if US companies want to continue to play a major role on the EU market.”

FISA 702

In this regard, Schrems’ concern was that Section 702 of the US Foreign Intelligence Surveillance Act (FISA), permits the National Security Agency to collect foreign intelligence belonging to non-Americans located outside the US, by way of obtaining their data stored with electronic communications services providers, such as Facebook.

In Thursday’s ruling, the ECJ concurred with this view.

“In respect of certain surveillance programmes, those provisions do not indicate any limitations on the power they confer to implement those programmes or the existence of guarantees for potentially targeted non-US persons,” the court said, highlighting that EU citizens do not have ‘actionable rights’ against US authorities amid such a regime of surveillance.

For Oliver Patel, a research associate at UCL’s European Institute, the ruling on Privacy Shield came as no surprise, following the 2015 decision of the European courts to invalidate the Safe Harbour agreement, the previous framework in place that attempted to ensure adequacy between EU and US data transfers.

In a previous case in 2015, Schrems successfully mounted a legal challenge over the EU’s ‘Safe Harbour’ privacy principles, developed to prevent private companies in the EU or the US from losing or accidentally revealing personal data belonging to citizens.

That year, ECJ Advocate General Yves Bot issued an opinion to the court that stated the Safe Harbour agreement should be rendered invalid, and added that individual data protection authorities could suspend data transfers to other countries should there be evidence of data protection rights being breached.

The ECJ ultimately upheld Bot’s opinion and the Safe Habour agreement was invalidated.

Patel believes Thursday’s ruling confirms what had been obvious all along: the incompatibility of the US surveillance framework with EU privacy protections.

“This now makes it crystal clear how FISA 702 is incompatible with the EU’s charter of fundamental rights,” he told EURACTIV.

“It’s even audacious to think that the Commission could ever have sought to argue otherwise.”

In terms of US surveillance reform, Patel believes it may eventually come, but not as a direct result of Thursday’s ruling.

“The US surveillance framework is a fundamental part of the country’s political identity,” he said. “Reform could eventually come, but I don’t think it will be as a result of the European Court of Justice. The US needs to decide whether it wants to prioritise its own surveillance regime or EU data transfers.”

Industry speaks out  

Elsewhere, the ruling provoked concern among some privacy professionals and industry players.

“Today’s decision effectively blocks legal transfers of personal data from the EU to the U.S. It will undoubtedly leave tens of thousands of U.S. companies scrambling and without a legal means to conduct transatlantic business, worth trillions of dollars annually,” said Caitlin Fennessy, research director at the International Association of Privacy Professionals (IAPP).

“The Court has invalidated the EU-U.S. Privacy Shield Framework, on which more than 5,000 U.S. companies depend, claiming it fails to limit U.S. government access to data to what is strictly necessary and proportional or to provide actionable judicial redress,” added Fennessy, who had had a hand in devising the Privacy Shield.

Meanwhile, members of the industry were also quick to voice their worry about the future for EU-US data transfers.

“Companies need to have reliable and stable mechanisms to send data from the EU to the United States. Today’s decision will pose an unhelpful barrier to EU-US e-commerce at a time when global trading relations are growing increasingly complicated,” a statement from Thomas Boué, European director-general for policy at BSA, the software trade association, said.

On the subject of Standard Contractual Clauses, individual agreements that facilitate the global transmission of EU data, the court ruled that such accords are theoretically valid but risks involved with contracting particular data transfers to third countries must be taken into account.

Such agreements should be invalidated at the discretion of national data protection authorities, the Court said on Thursday.

“Unless there is a valid Commission adequacy decision, those competent supervisory authorities are required to suspend or prohibit a transfer of personal data to a third country where they take the view, in the light of all the circumstances of that transfer, that the standard data protection clauses are not or cannot be complied with.”

Despite the concern, Article 49 of the EU’s GDPR details the conditions under which data transfers can continue under in the absence of an adequacy decision or appropriate safeguards, meaning that ‘necessary’ transfers can continue.

[Edited by Zoran Radosavljevic]

Subscribe to our newsletters