The European Union’s top court struck down a key method used by Facebook Inc. and other companies to transfer data across the Atlantic amid fears over potential U.S. surveillance.
Thursday’s decision by the EU Court of Justice on the so-called Privacy Shield means thousands of businesses that ship commercial data to the U.S. risk turmoil in their day-to-day activities.
While a separate contract-based system to transfer data was approved, the judges’ doubts about American data protection also plunge that alternative method into legal uncertainty.
The controversy stretches back to 2013, when former contractor Edward Snowdenexposed the extent of spying by the U.S. National Security Agency. Privacy campaigner Max Schrems has been challenging Facebook in the Irish courts — where the social media company has its European base — arguing that EU citizens’ data is at risk the moment it gets transferred to the U.S.
“It is clear that the U.S. will have to seriously change their surveillance laws, if U.S. companies want to continue to play a major role on the EU market,” Schrems said after the ruling. “This judgment is not the cause of a limit to data transfers, but the consequence of U.S. surveillance laws.”
November Election
While the court did approve Standard Contractual Clauses system to transfer data, the ruling offers another grievance to stoke the growing animosity between the U.S. and the EU in the run up to November’s presidential election.
The White House has already announced the withdrawal of thousands of troops from Germany and pulled the plug on efforts to reach a settlement on digital taxes.
The EU meanwhile has fended off an American attempt to muscle in on the negotiations over a settlement between Serbia and Kosovo in the Balkans. Hanging over all of it is President Donald Trump’s threat to impose tariffs on European cars, a step which would massively escalate the trade dispute between the two sides.
On the data front, the EU top court in a surprise decision in 2015 struck down an earlier trans-Atlantic data-transfer system, called Safe Harbor, over concerns U.S.spies could get unfettered access to EU data. Facebook warned ahead of Thursday’s ruling that similar economic turmoil would be in store if the court does the same.
U.S. Companies Left Scrambling After EU Data Transfer Pact Dies
Scrambling to put together an alternative tool for companies, the EU and U.S. in early 2016 reached an accord on the Privacy Shield, saying it would guarantee EU citizens robust privacy protection and the right to judicial review. But the Shield has been on wobbly feet since the very start over concerns that not enough was being done on the American side.
“The invalidation of the Privacy Shield is a big blow for the more than 5,300 companies and organizations that have been relying on the Shield to send data from the EU to the U.S.,” said Wim Nauwelaerts, a lawyer at Alston & Bird. “They will have to look for alternatives quickly.”
The decision is also a big defeat for the European Commission, the EU’s executive authority, which spent huge efforts on the Shield. It puts “significant pressure on data protection authorities to take their job more seriously in checking data transfers,” said Joerg Hladjk, a lawyer with Jones Day in Brussels.
The Irish Data Protection Commission, the main EU privacy watchdog for some of Silicon Valley’s biggest companies said the ruling’s “scope extends far beyond” the dispute that pitted it against Schrems over Facebook’s data transfers.
“Whatever mechanism is used to transfer data to a third country, the protection afforded to EU citizens in respect of that data must be essentially equivalent to that which it enjoys within the EU,” the Irish authority said. Even though the use of standard contractual clauses was cleared by EU judges, “in practice, the application of the SCCs transfer mechanism to transfers of personal data to the United States is now questionable.”
This could affect thousands of companies, not only those who relied on the Privacy Shield. Banks, who mostly rely on the clauses could be affected too, say lawyers.
A “European bank that uses a U.S. company to…
Schrems II Judgment Day
The Court of Justice of the European Union (“CJEU“) issued its judgment today in …
