European court strikes down EU-US Privacy Shield user data exchange agreement as invalid
A crucial mechanism for transferring EU citizen data between the United States and Europe has been ruled as invalid in what could be a major blow to thousands of companies.
Known as the EU-US Data Privacy Shield, the pact was designed for the exchange of data across country borders with high and legally-enforced data protection standards, including preventing the bulk collection of user information and limiting access to EU citizen data.
However, privacy and rights groups have long been concerned about the protection awarded to EU user data moved out of the region and into another — as well as what agencies may then be able to access this information for surveillance purposes.
Max Schrems, an Austrian lawyer and activist, has been leading the fight against such data exchanges in light of US surveillance laws and Edward Snowden's revelations concerning the US National Security Agency's (NSA) mass spying activities on American citizens.
The NSA's Prism tool, for example, was reportedly used to mine data from major technology companies, including Apple, Microsoft, Yahoo, Google, and .
Schrems lodged a complaint against in with Ireland's Data Protection Commission (DPC), arguing that information sent outside of the EU to US servers could be at risk of exploitation by US law enforcement and public agencies. Ireland is s base for European operations.
Schrems requested the suspension or prohibition of the transfer of his personal data from the EU to the United States.
The complaint was dismissed on the grounds of a European Commission (EC) ruling, which deemed the protection of data in the US as adequate.
The lawyer took the matter to the Irish High Court, which referred the case on to the EU's Court of Justice (ECJ). In , the court invalidated the Safe Harbor principle, a -year-old agreement that permitted European data to be sent to US servers.
Irish authorities were then ordered to examine whether or not the transfer of the data of s European subscribers to the United States should be suspended on the ground that that country does not afford an adequate level of protection of personal data.
The abolition of Safe Harbor led to the creation of Standard Contractual Clauses (SCCs) to facilitate data transfers between the EU and non-EU countries, as well as Privacy Shield.
Schrems then challenged the use of SCCs by to move data, and now, the EU Court of Justice has decided Privacy Shield is invalid due to GDPR.
The EU's General Data Protection Regulation (GDPR) was introduced in to reform archaic data laws that had little relevance to today's world of mass data collection, storage, and security breaches.
Under the terms of GDPR, data controllers — organizations that handle user or customer information — must provide an adequate level of protection and security, as well as obtain clear consent from individuals they collect data from.
GDPR also set out clear legal guidelines on liability, should a data controller experience a data breach caused by lax data protection or inadequate cybersecurity measures.
However, this protection only applies in the European area, and so data transfers elsewhere became a sticking point.
The court holds that the requirements laid down for such purposes by the GDPR concerning appropriate safeguards, enforceable rights and effective legal remedies must be interpreted as meaning that data subjects whose personal data are transferred to a third country pursuant to standard data protection clauses must be afforded a level of protection essentially equivalent to that guaranteed within the EU.
If a country cannot provide adequate protection, then personal data transfers must be suspended or prohibited. In the United States, law enforcement and national security issues have primacy, and therefore may clash with EU data protection principles.
The court noted that principles including respect for private and family life, personal data protection, and the right to effective judicial protection may not be maintained due to surveillance programs in the country that may not exclude non-US citizens when their information is stored there.
The EU-US Privacy Shield is not confined in a way that satisfies the GDPR requirements, and is not limited to what is strictly necessary, explained Toni Vitale, partner at JMW Solicitors. This means companies who currently rely on the EU-US Privacy Shield for transferring data to the US will no longer be able to rely on this, and will instead have to consider which alternative legal mechanism to rely on — something easier said than done given the EU's issues with the US privacy legal system.
SCCs can still be used for data transfers, but it is up to data exporters and importers to check and verify data protection mechanisms of essential equivalence to the EU in the target country first — as well as report any issues. EU data protection regulators may then step in and suspend data transfers.
Given the US surveillance stance, the use of SCCs to transfer information may no longer be considered acceptable in many cases.
Enterprise companies will be able to weather the storm, but SMBs will likely struggle with taking on the role of assessor and, therefore, guidance will be needed on how to make the transition from Privacy Shield setups to SCCs. Either that, or they may consider switching to EU regional data processing.
As the EU will not change its fundamental rights to please the NSA, the only way to overcome this clash is for the US to introduce solid privacy rights for all people — including foreigners, Schrems commented. Surveillance reform thereby becomes crucial for the business interests of Silicon Valley.