Privacy Shield, a key tool used by the EU to transfer personal data to major US companies, has been ruled invalid by the European Court of Justice.
A landmark ruling from the Court of Justice of the EU (CJEU) will require major tech companies and EU member states to rethink how they handle user data. Publishing its decision today (16 July), the CJEU said that the EU-US data protection agreement known as Privacy Shield is invalid.
However, the Standard Contractual Clauses (SCCs) that a number of companies use to transfer user data to countries that fall outside of GDPR regulation has been ruled to be valid. SCCs are designed to ensure that European citizens enjoy the same level of protection for their personal data when it is processed outside the EU. They are used by thousands of companies to transfer data outside of the EEA.
A previous ruling by the European Commission said there was no evidence of a conflict between US surveillance laws and the EU’s data protection laws.
In its ruling today, the CJEU said that “the requirements of US national security, public interest and law enforcement have primacy, thus condoning interference with the fundamental rights of persons whose data are transferred to that third country”.
It added that the framework set in place by Privacy Shield is “not circumscribed in a way that satisfies requirements that are essentially equivalent to those required under EU law, by the principle of proportionality, in so far as the surveillance programmes based on those provisions are not limited to what is strictly necessary”.
Data protection agencies in Europe are “also required to execute its responsibility for ensuring that the GDPR is fully enforced with all due diligence”.
Second victory for Schrems
The case originated in Ireland in 2015 after privacy advocate Max Schrems brought a complaint against Facebook to the Data Protection Commission (DPC). He argued that the social network could send his personal data to the US where it is possible for companies to provide user data to the country’s government surveillance programmes.
This marks the second privacy agreement between the US and EU to be ruled invalid following cases brought by Schrems to the European court. In 2015, his objections saw Safe Harbour dismantled and Privacy Shield being created as its replacement.
The Irish High Court brought the case against Privacy Shield to Europe in 2017. In May of this year, Schrems was calling on the EU to speed up a legal decision.
Commenting after today’s ruling, Schrems welcomed the decision, describing it as a “total blow to the Irish DPC and Facebook”.
“The court clarified for a second time now that there is a clash of EU privacy law and US surveillance law,” he said.
“As the EU will not change its fundamental rights to please the NSA, the only way to overcome this clash is for the US to introduce solid privacy rights for all people – including foreigners. Surveillance reform thereby becomes crucial for the business interests of Silicon Valley.”