Top EU Court Strikes Down EU-US Privacy Shield Data Deal

The highest court in Europe has ruled that the transatlantic data transfer deal is invalid due to concerns about US surveillance of the data by American intelligence agencies.

The ruling from the European Court of Justice is hugely significant, as it potentially disrupts thousands of companies that rely on the agreement for the transfer of data between the United States and Europe.

The European Commission’s Privacy Shield data framework, as it is known, came into force in July 2016. It replaced the EU-US Safe Harbour deal which had been in place since 2000, but right from the start it proved controversial with concerns about US spying.

Privacy Shield / Safe Harbour 2.0

The Privacy Shield had been designed to help firms on both sides of the Atlantic to move the personal data of European citizens to the United States without breaking strict EU data transfer rules.

It should be remembered that the ECJ in 2015 had suspended the original Safe Harbour agreement that allowed data-sharing between the EU and the US.

The Privacy Shield (or Safe Harbour 2.0) had been drafted in the wake of the Edward Snowden revelations about the scale of US and its NSA agency spying on friends and allies.

The United States and the European Union had been forced to change it after an initial agreement submitted in February 2016 was rejected by European Watchdogs for not being robust enough.

The two sides then agreed to stricter rules for companies holding information on Europeans and clearer limits on US surveillance. And this reworked Privacy Shield agreement was then approved by EU member states and adopted in July 2016.

But despite the reworked agreement, concerns about US surveillance still persisted and Austrian privacy activist Max Schrems took the case to court in his long-running dispute with Facebook.

And now the European Court of Justice has issued its ruling, which cannot be appealed.

It effectively ends the privileged access that companies in the United States (such as Facebook) had to personal data from Europe and puts the country on a similar footing to other nations outside the 27-country bloc.

The ruling saw the European Union releasing a statement, explaining the protracted case in full.

Legal expert

Legal expert confirmed to Silicon UK in a statement it was concerns about US surveillance program that triggered the ruling

“The landmark ruling in the Schrems II case has just landed, declaring the EU-US Privacy Shield invalid and upholding the standard contractual clauses as valid,” explained Toni Vitale, partner and head of data protection at JMW Solicitors.

“Put simply, the CJEU have an issue with the interference of the US national security and law enforcement agencies having priority over the fundamental right of privacy of the persons whose data is transferred to the US, and the surveillance program utilised in the USA,” said Vitale.

“The limitation this places on the protection of personal data in the USA means that the EU-US Privacy Shield is not confined in a way that satisfies the GDPR requirements, and is not limited to what is strictly necessary,” said Vitale. “As such, the EU-US Privacy Shield has been declared invalid and it can no longer be relied on as a lawful mechanism by which to legitimately transfer data to the US.”

“This means companies who currently rely on the EU-US Privacy Shield for transferring data to the US will no longer be able to rely on this, and will instead have to consider which alternative legal mechanism to rely on – something easier said than done given the EU’s issues with the US privacy legal system,” Vitale added.

What next?

Another expert agreed agreed this ruling is going to cause a headache for firms transferring European data to the United States.

“This is going to leave many companies on both sides of the Atlantic scrambling to adjust their processes,” said Darren Wray, CTO at data privacy experts Guardum.

“What this means for any organisation relying on the Privacy Shield is that they will no longer be able to share EU personal information when sending documents to businesses in the US,” said Wray. “In many cases, the personal information may not be vital to the process, but the historically manual process of redacting documents has meant that organisations have taken the easy route by ensuring that their US partners are registered and comply with the Privacy Shield programme.”

“Companies on both sides of the Atlantic are going to need to look at a solution for this problem, in cases where the personal data is not required by the US-based company, companies should look at auto-redaction solutions,” said Wray.

“Where the personal data is required for the US-based company to provide the service, companies will have to look at legal and contractual based solutions in the form of Standard Contractual Clauses,” he added. “Like any contractual change, this is unlikely to be a quick fix and will leave some companies facing the risk of breaking the law by using business processes and computer systems that send EU based personal information without the appropriate legal protection in place.

“The ICO and other EU data protection regulators are, I’m sure, going to be keeping a close eye on companies that fall into this category – I think we could we see the first fines for deliberately breaching the DPA 2018/GDPR this year as a result of this ruling and company’s not knowing that they need or how they need to respond,” Wray concluded.

Can you protect your privacy online? Take our quiz!