The European Union’s top court struck down the so-called Privacy Shield, a key method to transfer data across the Atlantic, amid fears over potential US surveillance.
Thursday’s decision by the EU Court of Justice means thousands of businesses that ship commercial data across the Atlantic risk turmoil in their day-to-day activities. While a second, contract-based system to transfer data was approved, the judges saved their critiques for US surveillance.
The controversy stretches back to 2013, when former contractor Edward Snowden exposed the extent of spying by the US National Security Agency. Privacy campaigner Max Schrems has been challenging Facebook Inc. in the Irish courts -- where the social media company has its European base -- arguing that EU citizens’ data is at risk the moment it gets transferred to the US.
“It is clear that the US will have to seriously change their surveillance laws, if US companies want to continue to play a major role on the EU market,” Schrems said after the ruling. “This judgment is not the cause of a limit to data transfers, but the consequence of US surveillance laws.”
November Election
While the court did approve Standard Contractual Clauses system to transfer data, the ruling offers another grievance to stoke the growing animosity between the US and the EU in the run up to November’s presidential election.
The White House has already announced the withdrawal of thousands of troops from Germany and pulled the plug on efforts to reach a settlement on digital taxes.
The EU meanwhile has fended off a US attempt to muscle in on the negotiations over a settlement between Serbia and Kosovo in the Balkans. Hanging over all of it is President Donald Trump’s threat to impose tariffs on European cars, a step which would massively escalate the trade dispute between the two sides.
On the data front, the EU top court in a surprise decision in 2015 struck down an earlier trans-Atlantic data-transfer system, called Safe Harbor, over concerns U.S. spies could get unfettered access to EU data. Facebook warned ahead of Thursday’s ruling that similar economic turmoil would be in store if the court does the same.
Privacy Scramble
Scrambling to put together an alternative tool for companies, the EU and US in early 2016 reached an accord on the Privacy Shield, saying it would guarantee EU citizens robust privacy protection and the right to judicial review. But the Shield has been on wobbly feet since the start over concerns that not enough was being done on the US side.
“The invalidation of the Privacy Shield is a big blow for the more than 5,300 companies and organizations that have been relying on the Shield to send data from the EU to the US,” said Wim Nauwelaerts, a lawyer at Alston & Bird. “They will have to look for alternatives quickly.”
The decision is also a big defeat for the European Commission, the EU’s executive authority, which spent huge efforts on the Shield. It also puts “significant pressure on data protection authorities to take their job more seriously in checking data transfers,” said Joerg Hladjk, a lawyer with Jones Day in Brussels.
EU Justice Commissioner Didier Reynders said the ruling “provides useful clarifications on the EU standards” for decisions allowing a safe and smooth data flow between the EU and another nation. The Privacy Shield was one of several such decisions the EU has reached with some nations.
Reach Out
“I will reach out to my US counterparts and look forward to working constructively with them to develop a strengthened and durable transfer mechanism,” he said.
What’s changed since the EU court’s 2015 ruling is that the bloc has passed one of the strictest data protection laws, the General Data Protection Regulation. This gives watchdogs unprecedented powers, raising potential fines for companies to as much as 4% of global annual sales. The Privacy Shield was also subjected to annual EU-US reviews.
Thursday’s ruling will affect how non-European firms from Google to TikTok Inc. transfer data from European services for processing outside the region.
The judgment “removed from the table one of the few, and most trusted, ways to transfer data across the Atlantic” for large and small enterprises in both the US and Europe, said Thomas Boue, director general for policy in Europe at BSA The Software Alliance, whose members include Microsoft Corp. and Oracle Corp.
But the court was focused on giving individuals more power to protect their data. It said people “must have the possibility of bringing legal action before an independent and impartial court.”
The judges also criticized US surveillance programs that may access bulk personal data being transferred from Europe to the US without any judicial review.
The court said annulling the Privacy Shield “is not liable” to create a legal vacuum.
The long list of participants in the case also includes the US government, which is rare in the EU courts.
The case is: C-311/18, Data Protection Commissioner v. Facebook Ireland Limited, Max Schrems.
©2020 Bloomberg L.P.