EU Court of Justice Deems Privacy Shield Unlawful


The EU-US Privacy Shield has been declared invalid, meaning it is now unlawful to transfer personal data to the USA using it.

In a judgment announced today, the Court of Justice of the European Union (‘CJEU’) ruled that the Privacy Shield scheme for transfers of personal data from the EU to the United States is unlawful.

The decision follows a case brought by the privacy campaigner Max Schrems against Facebook Ireland, when Facebook Ireland said it could not ensure adequate privacy protections for users in Europe with respect to their personal data sent to Facebook in the United States. This was due to the different nature of the US legal system's rules on national security, privacy and data protection.

Initially, the Privacy Shield was negotiated with the US Department of Commerce between 2015 and 2016 to remedy the collapse of the Safe Harbour agreement in 2015, when the first Schrems case brought the end of that procedure.

Amanda Brock, CEO at OpenUK, said: “The question really is how to bridge the gap between the UK and European privacy requirements and the fact that the US does not meet the ‘adequate protections test’, despite a huge number of European companies in our platform economy processing personal data there.

“If business goes down the route of a further sticking plaster, then it runs the risk of Schrems 3. It really is time for us to look long and hard at the issues caused by the US approach to privacy.”

However, the CJEU has upheld the validity of the Standard Contractual Clauses scheme, thereby providing a safety net for transatlantic business. Also, EU data protection authorities will have a new role in assessing third countries’ protection and could ban exports of data to certain countries, and data exporters and importers using the Standard Contractual Clauses must verify the level of protection in the third country first.

Caitlin Fennessy, research director at the International Association of Privacy Professionals (IAPP), said this “will undoubtedly leave tens of thousands of U.S. companies scrambling and without a legal means to conduct transatlantic business, worth trillions of dollars annually.”

The judgement determined that the General Data Protection Regulation (GDPR) provides that the transfer of such data to a third country may, in principle, take place only if the third country in question ensures an adequate level of data protection. In the absence of an adequacy decision, such transfer may take place only if the personal data exporter established in the EU has provided appropriate safeguards.

In particular, the ruling concerned Decision 2016/1250, on the adequacy of the protection provided by the EU-U.S. Privacy Shield, which has been declared invalid.

Toni Vitale, partner and head of data protection at JMW Solicitors, said: “Put simply, the CJEU have an issue with the interference of the US national security and law enforcement agencies having priority over the fundamental right of privacy of the persons whose data is transferred to the US, and the surveillance program utilized in the USA.

“The limitation this places on the protection of personal data in the USA means that the EU-US Privacy Shield is not confined in a way that satisfies the GDPR requirements, and is not limited to what is strictly necessary.

“As such, the EU-US Privacy Shield has been declared invalid and it can no longer be relied on as a lawful mechanism by which to legitimately transfer data to the US.”

Schrems said he was very happy about the judgement. “This is a total blow to the Irish DPC and Facebook,” he said. “It is clear that the US will have to seriously change their surveillance laws, if US companies want to continue to play a major role on the EU market.

“The Court clarified for a second time now that there is a clash between EU privacy law and US surveillance law. As the EU will not change its fundamental rights to please the NSA, the only way to overcome this clash is for the US to introduce solid privacy rights for all people – including foreigners. Surveillance reform thereby becomes crucial for the business interests of Silicon Valley.”
