EU court rejects data transfer tool in Max Schrems case
Privacy agreement doesn’t offer sufficient protection to EU citizens’ data, court finds
Austrian privacy activist Max Schrems: “It is clear that the US will have to seriously change their surveillance laws, if US companies want to continue to play a major role on the EU market.” Photograph: Getty
Europe’s top court has declared an arrangement under which companies transfer personal data from the European Union to the US invalid due to concerns about US surveillance powers.
The ruling in the long-running battle between Facebook, Ireland’s Data Protection Commissioner and the Austrian privacy activist Max Schrems found that the so-called Privacy Shield agreement does not offer sufficient protection of EU citizens’ personal data.
“The limitations on the protection of personal data arising from the domestic law of the United States on the access and use by US public authorities . . . are not circumscribed in a way that satisfies requirements that are essentially equivalent to those required under EU law,” the court said in a statement.
The ruling is a blow to the thousands of companies, including Facebook that rely on the Privacy Shield to transfer data across the Atlantic, and to the European Commission, as it unpicks an arrangement it designed with US authorities to allow companies to comply with EU data protection law.
“Like many businesses, we are carefully considering the findings and implications of the decision of the Court of Justice in relation to the use of privacy shield and we look forward to regulatory guidance in this regard,” said Facebook’s associate general counsel, Eva Nagle.
The judgment by the Luxembourg-based Court of Justice of the European Union also upheld another tool, standard contractual clauses, used by hundreds of thousands of companies to transfer data around the world, while recommending that they be used more effectively.
Standard contractual clauses are only valid if they contain “effective mechanisms” to ensure compliance with the protections offered by EU law, and it is the “obligation” of technology firms to verify this before transferring data outside the EU, the court found. If compliance cannot be honoured, the contracts should allow for the suspension of data transfer, it said.
Mr Schrems had complained to the Irish Data Protection Commissioner about the transfer of his data by Facebook for processing in the United States.
Ireland’s High Court had asked the ECJ for a ruling to clarify details regarding whether EU law applies to the transfer of personal data to countries outside the EU, where it can be processed by authorities for national security and law enforcement purposes.
The ECJ found that the Privacy Shield arrangement does not provide people with recourse to an authority that “offers guarantees substantially equivalent to those required by EU law”, the court said in a statement.
It pointed out that the ombudsperson system created in the Privacy Shield arrangement to deal with complaints did not ensure “the independence of the ombudsperson” or “rules empowering the ombudsperson to adopt decisions that are binding on the US intelligence services”.
Reacting to the ruling, Mr Schrems said the court had confirmed that US surveillance powers, under which foreign citizens have fewer privacy protections than US citizens, are in conflict with EU data protection rights.
“I am very happy about the judgment. It seems the court has followed us in all aspects. This is a total blow to the Irish DPC [Data Protection Commissioner] and Facebook,” Mr Schrems said in a statement. “It is clear that the US will have to seriously change their surveillance laws, if US companies want to continue to play a major role on the EU market.”
A complaint by Mr Schrems previously led to the striking down by the court of the predecessor of the Privacy Shield, the US-EU Safe Harbour agreement.
US secretary of commerce Wilbur Ross said his department was “deeply disappointed” with the ruling invalidating Privacy Shield.
“We have been and will remain in close contact with the European Commission and European Data Protection Board on this matter and hope to be able to limit the negative consequences to the $7.1 trillion transatlantic economic relationship that is so vital to our respective citizens, companies and governments,” he said.
The Data Protection Commission said it welcomed the judgment and that it would “require careful consideration in the coming days and weeks”.
The American Chamber of Commerce Ireland also said it was concerned at the decision to invalidate which, it said, gave rise to great uncertainty and complexity.
The European Commission said it would study the judgment and work closely with US counterparts to update their agreement “to ensure the continuity of safe data flows”.