European Union Court Invalidates Special Data Privacy Shield Granted U.S. Firms

Article

LUXEMBOURG – Europe’s highest court ruled on Thursday that a transatlantic data transfer deal is invalid because of concerns about U.S. surveillance in a decision that could disrupt thousands of companies that rely on the agreement.

The ruling, which cannot be appealed, effectively ends the privileged access companies in the United States had to personal data from Europe and puts the country on a similar footing to other nations outside the 27-country bloc.

The so-called Privacy Shield was set up in 2016 by Washington and Brussels to protect personal data when it is sent to the United States for commercial use after a previous agreement known as Safe Harbour was ruled invalid in 2015.

Reaction After EU Court Strikes Down Transatlantic Data Transfer Deal Reuters – Following are some responses to the ruling: Max Schrems, Austrian privacy activist: “One of the biggest takeaways is that we would need fundamental reform in U.S. surveillance laws if U.S. companies still want to have any kind of decent access to the European market.” “For a lot of the companies it’s going to be a fundamental shift because they basically have to separate U.S. data processing from EU data processing.” U.S. Commerce Secretary Wilbur Ross: “While the Department of Commerce is deeply disappointed that the court appears to have invalidated the European Commission’s adequacy decision underlying the EU-U.S. Privacy Shield, we are still studying the decision to fully understand its practical impacts.We have been and will remain in close contact with the European Commission and European Data Protection Board on this matter and hope to be able to limit the negative consequences to the $7.1 trillion transatlantic economic relationship that is so vital to our respective citizens, companies, and governments.” Microsoft: “We want to be clear: if you are a commercial customer, you can continue to use Microsoft services in compliance with European law. The Court’s ruling does not change your ability to transfer data today between the EU and U.S. using the Microsoft cloud,” Microsoft Chief Privacy Officer Julie Brill said in a blog. BSA| The Software Alliance (Software industry Lobby group): “The good news is that SCCs (Standard Contractual Clauses) remain valid. But today’s Privacy Shield decision will create challenges for more than 5,300 businesses, 70% of which are SMEs, across a range of sectors at a time when the ability to send data abroad is crucial to the economic recovery from COVID-19,” said Victoria Espinel, CEO and President. Tanguy Van Overstraeten, Partner and Global Head of Privacy and Data Protection, at law firm Linklaters: “For the thousands of businesses registered with the U.S. Privacy Shield, this will be groundhog day; this is the second time the FTC (Federal Trade Commission) operated scheme has been struck down after the Shield’s predecessor – the Safe Harbour – was struck down in 2015. Businesses will now look to EU regulators to propose some form of transition to allow them to move away from Privacy Shield without the threat of significant sanctions and civil compensation claims.” Bridget Treacy, data privacy partner at Hunton Andrews Kurth LLP in London: “This was an unexpected result. For businesses that transfer personal data from the EU to the US, this represents the worst of all possible outcomes. SCCs, commonly utilized for transfers around the globe, will be subject to much closer scrutiny by data exporters and by EU regulators. Transfers of personal data from the EU to the U.S. will require particular care given comments made by the Court about US surveillance.” (Compiled by Keith Weir; Editing by David Clarke)

More than 5,000 companies have signed up to use the Privacy Shield. The case was triggered by a long-running dispute between Facebook and Austrian privacy activist Max Schrems who shot to fame for his role in overturning Safe Harbour.

Facebook had no immediate comment.

“In respect of certain surveillance programs, those provisions do not indicate any limitations on the power they confer to implement those programs, or the existence of guarantees for potentially targeted non-U.S. persons,” the Court of Justice of the European Union (CJEU) in Luxembourg said.

“It looks perfect,” Schrems said.

“One of the biggest takeaways is that we would need fundamental reform in U.S. surveillance laws if U.S. companies still want to have any kind of decent access to the European market,” he told Reuters TV.

The U.S. Department of Commerce said it would remain in close contact with the European Commission to try to limit the negative consequences of the ruling.

“While the Department of Commerce is deeply disappointed that the court appears to have invalidated the European Commission’s adequacy decision underlying the EU-U.S. Privacy Shield, we are still studying the decision to fully understand its practical impacts,” said Commerce Secretary Wilbur Ross.

‘PRIVACY TRADE WAR’

EU concerns about data transfers have mounted since former U.S. intelligence contractor Edward Snowden’s revelations in 2013 of mass U.S. surveillance.

The court is saying that the surveillance regime in the U.S. does not respect the rights of EU citizens and puts U.S. state interests over the interests of individuals, Jonathan Kewley, co-head of technology at law firm Clifford Chance said.

“What we are seeing here looks suspiciously like a privacy trade war, where Europe is saying their data standards can be trusted, but those in the U.S. cannot,” he said.

Kewley said the outcome could be that more customer data remains stored in Europe, which is what happened after Safe Harbour was annulled.

Judges upheld the validity of another data transfer mechanism known as standard contractual clauses (SCCs).

They are used by thousands of companies including Facebook, industrial giants and carmakers to transfer Europeans’ data around the world for services ranging from cloud infrastructure, data hosting, payroll and finance to marketing.

However, the court stressed that under SCCs, privacy watchdogs must suspend or prohibit transfers outside the EU if data protection cannot be assured.

Schrems said this meant companies that fall under U.S. surveillance laws, such as Facebook, could not use the clauses to shift data to the United States.

“Facebook will have to literally split their system somehow in two parts and then reconnect the parts that are necessary.”

Schrems said before the case that transactions by Europeans such as booking a hotel or a hire car in the United States or sending an email to someone there would not be affected. His concerns centered more on the way personal data is stored.

Microsoft said Thursday’s rulings did not affect its customers ability to transfer data between the EU and the United States using the Microsoft cloud.

“We want to be clear: if you are a commercial customer, you can continue to use Microsoft services in compliance with European law,” Microsoft Chief Privacy Officer Julie Brill said.

The case – C-311/18 Facebook Ireland and Schrems – went the CJEU after Schrems challenged Facebook’s use of the standard clauses, saying they lacked sufficient data protection safeguards.

(Reporting by Foo Yun Chee; Additional reporting by Kirsti Knolle in Vienna; Editing by David Clarke)