The ECJ (European Court of Justice) has declared that the EU–US Privacy Shield fails to protect people’s rights to privacy and data protection.
The Privacy Shield was adopted in 2015 as way for organisations on both sides of the Atlantic to transfer personal data for commercial reasons.
It was intended to address the failures of its predecessor, Safe Harbor, which had been deemed invalid by the ECJ following legal action from the Austrian privacy activist Max Schrems.
Schrems also led the case against the Privacy Shield, saying that: “It is clear that the US will have to seriously change their surveillance laws, if US companies want to continue to play a role in the EU market”.
What does this mean for transatlantic data transfers?
European data protection law states that personal data can only be transferred outside the EU if appropriate safeguards are in place.
The Privacy Shield ostensibly ensured that those safeguards were in place, but the ECJ has ruled that the US government’s mass surveillance practices contradict those protections.
The 5,000 or so organisations that currently use the framework will now have to rely on standard contractual clauses, which are currently used for data transfers between the EU and the rest of the world.
Schrems also challenged the validity of these, and although the ECJ chose not to abolish them, it did restrict their applicability.
Organisations and regulators must conduct a case-by-case analyses of standard contractual clauses to determine whether protections concerning government access to data meet EU standards, thus casting doubt on how valid they will be for data transfers between the EU and the US.
Privacy trade war
Jonathan Kewley, co-head of technology at the law firm Clifford Chance, described the ruling as “a bold move by Europe”.
He added that “What we are seeing here looks suspiciously like a privacy trade war, where Europe is saying their data standards can be trusted but those in the US cannot.”
Meanwhile, Estelle Massé, Senior Policy Analyst at Access Now, said it was “irresponsible” of lawmakers to adopt the Privacy Shield in the first place, from both from a legal and political perspective.
“We hope that, this time, the European Commission draws the necessary conclusions from the ruling and works on all the necessary reforms,” she added.