#PrivacyShield - European court declares the EU-US data sharing agreement invalid

Max Schrems standing outside the Irish Data Protection Commissioner's office

For the second time in less than five years, the Court of Justice of the European Union has found that an EU/US data-sharing agreement fails to meet EU data-protection standards. The ‘Safe Harbor’ agreement was struck down in 2015 and was quickly replaced with the ‘Protection Shield’, this too now lies in tatters. 

The court ruled that in order to be valid the EU/US agreement would need to provide protections equivalent to those guaranteed under the EU’s General Data Protection Regulation and protect the right to privacy and data protection which are enshrined in Article 7 and 8 of the EU’s Charter of Fundamental Rights.

#ECJ: the Decision on the adequacy of the protection provided by the EU-US Data Protection Shield is invalidated, but @EU_Commission Decision on standard contractual clauses for the transfer of personal data to processors established in third countries is valid #Facebook #Schrems pic.twitter.com/BgxGAvuq3T

— EU Court of Justice (@EUCourtPress) 16 July, 2020

On a more positive note, the court found that the Commission’s decision on standard contractual clauses (SCC) to transfer personal data to processors established in third countries (outside the EU) is valid - as long as there is prior agreement that the correct level of protection is provided. 

The whole problem arises from domestic law in the United States. Schrems, the eponymous litigant behind the judgment known as Schrems II, said: “The Court clarified for a second time now that there is a clash between EU privacy law and US surveillance law. As the EU will not change its fundamental rights to please the NSA, the only way to overcome this clash is for the US to introduce solid privacy rights for all people – including foreigners. Surveillance reform thereby becomes crucial for the business interests of Silicon Valley."

BREAKING: The EU's Court of Justice has just invalidated the "Privacy Shield" data sharing system between the EU and the US, because of overreaching US surveillance. All details available here: https://t.co/xN4HKhZaBT #PRISM #FISA702 #Privacy #PrivacyShield #SCCs #GDPR #CJEU

— Max Schrems ???? (@maxschrems) July 16, 2020

The EU was already forewarned that the CJEU was likely to strike down the privacy shield and the decision was preempted by early discussions with the EU’s American counterparts. Commission Values Vice President Věra Jourová said: “Both Didier and I have been in contact with US Commerce Secretary Wilbur Ross in the past days.”

Justice Commissioner Didier Reynders added that he had spoken with Attorney General William Barr in December and that he was looking forward to a constructive discussion tomorrow (17 July) with Wilbur Ross on the way forward.

US Secretary of State Wilbur Ross said: “We hope to be able to limit the negative consequences to the $7.1 trillion transatlantic economic relationship that is so vital to our respective citizens, companies, and governments. Data flows are essential not just to tech companies — but to businesses of all sizes in every sector. As our economies continue their post-COVID-19 recovery, it is critical that companies — including the 5,300+ current Privacy Shield participants — be able to transfer data without interruption, consistent with the strong protections offered by Privacy Shield.” 

In the statement, the Department of Commerce says it will continue to administer the Privacy Shield program, including processing submissions for self-certification and re-certification to the Privacy Shield Frameworks and maintaining the Privacy Shield List. However, Reynders said: “In the meantime, transatlantic data flows between companies can continue using other mechanisms for international transfers of personal data available under the GDPR.”

Bridget Treacy, data privacy partner at Hunton Andrews Kurth LLP based in London, commenting on the judgement said: “SCCs, commonly utilized for transfers around the globe, will be subject to much closer scrutiny by data exporters and by EU regulators.  Transfers of personal data from the EU to the US will require particular care given comments made by the Court about US surveillance. But all personal data transfers from the EU, whether to the US or elsewhere (including the UK after 1 January 2021) will now require much closer scrutiny.”

David Dumont, data privacy partner at Hunton Andrews Kurth LLP based in Brussels said: “Businesses that rely on the SCCs will be required to evaluate each data transfer recipient to determine whether the recipient offers an adequate level of protection. This will mean assessing what type of personal data is being transferred, how it will be processed, whether it may be subject to access by government agencies for surveillance purposes and, if so, what safeguards are available. If a recipient is not able to provide an adequate level of protection, EU businesses are required to suspend those data transfers, failing which a regulator may do so. Urgent guidance will be required from data-protection regulators as to what practical level of scrutiny they expect from businesses relying on SCCs.”

Brexit

As the UK leaves the EU at the end of the year, it will have to request a data-adequacy agreement. The UK’s mass surveillance, run through their intelligence agency (GCHQ) and revealed by Edward Snowden, showed how the UK was trawling through the data of millions of private communications and sharing their findings with the US National Security Agency, as well as other countries’ intelligence agencies. The European Court of Human Rights ruled this surveillance unlawful. Given the UK’s record the European Parliament is likely to exact strong assurances on any data protection agreement. 

Treacy said: “The ruling on the Privacy Shield is likely to have implications for the UK’s hopes for a post-Brexit data protection adequacy ruling from the European Commission. The UK can expect its surveillance laws to be subject to similar scrutiny to those of the US, to assess whether they respect the privacy rights of EU citizens.”

Dumont said: “Most EU companies plan to rely on SCCs to transfer personal data to the UK once the Brexit transition period ends. This judgment signals that the SCCs mechanism will be subject to much greater levels of scrutiny, and that EU data-protection authorities will be expected to be more proactive in enforcing these requirements, suspending transfers if necessary.”

Background

Interview with Sophie Int'Veld from 2016

Interview with Max Schrems in 2018

Share this article: