Top EU court ditches transatlantic data transfer deal
LUXEMBOURG (Reuters) - Europe’s highest court ruled on Thursday that a transatlantic data transfer deal is invalid because of concerns about U.S. surveillance in a decision that could disrupt thousands of companies that rely on the agreement.
The ruling, which cannot be appealed, effectively ends the privileged access companies in the United States had to personal data from Europe and puts the country on a similar footing to other nations outside the 27-country bloc.
The so-called Privacy Shield was set up in 2016 by Washington and Brussels to protect personal data when it is sent to the United States for commercial use after a previous agreement known as Safe Harbour was ruled invalid in 2015.
More than 5,000 companies have signed up to use the Privacy Shield. The case was triggered by a long-running dispute between Facebook and Austrian privacy activist Max Schrems who shot to fame for his role in overturning Safe Harbour.
Facebook had no immediate comment.
“In respect of certain surveillance programmes, those provisions do not indicate any limitations on the power they confer to implement those programmes, or the existence of guarantees for potentially targeted non-U.S. persons,” the Court of Justice of the European Union (CJEU) in Luxembourg said.
“It looks perfect,” Schrems said.
“One of the biggest takeaways is that we would need fundamental reform in U.S. surveillance laws if U.S. companies still want to have any kind of decent access to the European market,” he told Reuters TV.
The U.S. Department of Commerce said it would remain in close contact with the European Commission to try to limit the negative consequences of the ruling.
“While the Department of Commerce is deeply disappointed that the court appears to have invalidated the European Commission’s adequacy decision underlying the EU-U.S. Privacy Shield, we are still studying the decision to fully understand its practical impacts,” said Commerce Secretary Wilbur Ross.
‘PRIVACY TRADE WAR’
EU concerns about data transfers have mounted since former U.S. intelligence contractor Edward Snowden’s revelations in 2013 of mass U.S. surveillance.
The court is saying that the surveillance regime in the U.S. does not respect the rights of EU citizens and puts U.S. state interests over the interests of individuals, Jonathan Kewley, co-head of technology at law firm Clifford Chance said.
“What we are seeing here looks suspiciously like a privacy trade war, where Europe is saying their data standards can be trusted, but those in the U.S. cannot,” he said.
Kewley said the outcome could be that more customer data remains stored in Europe, which is what happened after Safe Harbour was annulled.
Judges upheld the validity of another data transfer mechanism known as standard contractual clauses (SCCs).
They are used by thousands of companies including Facebook, industrial giants and carmakers to transfer Europeans’ data around the world for services ranging from cloud infrastructure, data hosting, payroll and finance to marketing.
However, the court stressed that under SCCs, privacy watchdogs must suspend or prohibit transfers outside the EU if data protection cannot be assured.
Schrems said this meant companies that fall under U.S. surveillance laws, such as Facebook, could not use the clauses to shift data to the United States.
“Facebook will have to literally split their system somehow in two parts and then reconnect the parts that are necessary.”
Schrems said before the case that transactions by Europeans such as booking a hotel or a hire car in the United States or sending an email to someone there would not be affected. His concerns centred more on the way personal data is stored.
Microsoft said Thursday’s rulings did not affect its customers ability to transfer data between the EU and the United States using the Microsoft cloud.
“We want to be clear: if you are a commercial customer, you can continue to use Microsoft services in compliance with European law,” Microsoft Chief Privacy Officer Julie Brill said.
The case - C-311/18 Facebook Ireland and Schrems - went the CJEU after Schrems challenged Facebook’s use of the standard clauses, saying they lacked sufficient data protection safeguards.
Comments are closed on this story.