The European Court of Justice has struck down a data sharing deal between the EU and the US over surveillance concerns, in a huge blow for thousands of companies that rely on it.
Judges at Europe’s top court expressed concern that data shared between the bloc and the US via the Privacy Shield agreement is “not limited to what is strictly necessary”, and said that national regulators need to take tougher action to protect the privacy of users’ data.
The much-anticipated legal ruling weighed up the balance of US surveillance law versus European data protection and privacy, and found that private information of EU citizens is not properly protected when companies transfer it to US soil.
The court said that “the limitations on the protection of personal data arising from the domestic law of the United States on the access and use by US public authorities are not circumscribed in a way that satisfies requirements that are essentially equivalent to those required under EU law”.
The ruling is a major blow to thousands of tech companies, social media firms, banks and law firms that use the agreement to transfer large waves of data between the US and Europe.
The legal battle, known colloquially as the Schrems II case after two lengthy campaigns by activist and lawyer Max Schrems, has direct ramifications for companies such as Facebook.
US law obliges certain technology giants, such as Facebook, Google, Apple and Twitter, to give its surveillance service access to the data they hold on grounds of national security.
Schrems argued that this clashes with the EU’s Charter of Fundamental Rights, which hands every EU citizen the right to have their personal data protected.
In 2015, Schrems complained to Ireland’s Data Protection Commissioner that Facebook was violating EU laws, as his Facebook data could be accessed by US authorities without legal redress.
Schrems’ complaint was taken to the Irish court system, as the tech giant is regulated by Irish law, and was ultimately referred to the European Union’s Court of Justice.
Eduardo Ustaran, co-head of the global Privacy and Cybersecurity practice at Hogan Lovells, said: “While predictable, the outcome of the decision is hugely important. The big practical takeaway is that all European companies must bear in mind other countries’ powers over data when engaging in global data flows.
“It is important not to frame it only as a conflict between European privacy versus US surveillance. The court is reiterating its previous stance in similar cases where irrespective of the practical consequences, European data protection rights will always prevail over disproportionate interference by governments.”
Rafi Azim-Khan, head of data privacy at law firm Pillsbury, said: “The arrival of the GDPR in 2018 represented one of the biggest shifts in data privacy law in 20 years. Today’s ruling is likely to be as seismic for any business that currently uses or hoped to use the Privacy Shield scheme to move data across borders with ease.
“A real challenge is that many businesses had come to rely on the Privacy Shield with its self-certification ease of use. Now it has been struck down, these firms will be forced to review all relevant contracts to make sure they are worded properly and include all the relevant EU-approved clauses that allow for the international transfer of data.
“This is a potentially huge spanner in the works.”