European court strikes down EU-US Privacy Shield user data exchange agreement as invalid

The decision could have immediate ramifications for the transfer of user data between the US and Europe.
Written by Charlie Osborne, Contributing Writer

A crucial mechanism for transferring EU citizen data between the United States and Europe has been ruled as invalid in what could be a major blow to thousands of companies.

Known as the EU-US Data Privacy Shield, the pact was designed for the exchange of data across country borders with high and legally-enforced data protection standards, including preventing the bulk collection of user information and limiting access to EU citizen data. 

SEE: Navigating data privacy (ZDNet/TechRepublic special feature) | Download the free PDF version (TechRepublic)

However, privacy and rights groups have long been concerned about the protection awarded to EU user data moved out of the region and into another -- as well as what agencies may then be able to access this information for surveillance purposes. 

Max Schrems, an Austrian lawyer and activist, has been leading the fight against such data exchanges in light of US surveillance laws and Edward Snowden's revelations concerning the US National Security Agency (NSA)'s mass spying activities on American citizens. 

The NSA's Prism tool, for example, was reportedly used to mine data from major technology companies, including Apple, Microsoft, Yahoo, Google, and Facebook. 

Schrems lodged a complaint against Facebook in 2013 with Ireland's Data Protection Commission (DPC), arguing that information sent outside of the EU to US servers could be at risk of exploitation by US law enforcement and public agencies. (Ireland is Facebook's base for European operations.)

Schrems requested the suspension or prohibition of the transfer of his personal data from the EU to the United States.

The complaint was dismissed on the grounds of a 2000 European Commission (EC) ruling, which deemed the protection of data in the US as "adequate."

The lawyer took the matter to the Irish High Court, which referred the case on to the EU's Court of Justice (ECJ). In 2015, the court invalidated the Safe Harbor principle, a 15-year-old agreement that permitted European data to be sent to US servers. 

Irish authorities were then ordered to examine whether or not the "transfer of the data of Facebook's European subscribers to the United States should be suspended on the ground that that country does not afford an adequate level of protection of personal data."

The abolition of Safe Harbor led to the creation of Standard Contractual Clauses (SCCs) to facilitate data transfers between the EU and non-EU countries, as well as Privacy Shield. 

Schrems then challenged the use of SCCs by Facebook to move data, and now, the EU Court of Justice has decided Privacy Shield is invalid due to GDPR. 

See also: Mac users trying to trade cryptocurrencies targeted by Gmera Trojan operators

The EU's General Data Protection Regulation (GDPR) was introduced in 2018 to reform archaic data laws that had little relevance to today's world of mass data collection, storage, and security breaches. 

Under the terms of GDPR, data controllers -- organizations that handle user or customer information -- must provide an adequate level of protection and security, as well as obtain clear consent from individuals they collect data from. 

GDPR also set out clear legal guidelines on liability, should a data controller experience a data breach caused by lax data protection or inadequate cybersecurity measures. 

However, this protection only applies in the European area, and so data transfers elsewhere became a sticking point.

While SCCs are still considered valid, the court said (.PDF):

"The court holds that the requirements laid down for such purposes by the GDPR concerning appropriate safeguards, enforceable rights and effective legal remedies must be interpreted as meaning that data subjects whose personal data are transferred to a third country pursuant to standard data protection clauses must be afforded a level of protection essentially equivalent to that guaranteed within the EU."

CNET: Trump reportedly gave CIA more cyberattack powers with secret order

If a country cannot provide adequate protection, then personal data transfers must be suspended or prohibited. In the United States, law enforcement and national security issues have primacy, and therefore may clash with EU data protection principles. 

The court noted that principles including "respect for private and family life, personal data protection, and the right to effective judicial protection" may not be maintained due to surveillance programs in the country that may not exclude non-US citizens when their information is stored there. 

"The EU-US Privacy Shield is not confined in a way that satisfies the GDPR requirements, and is not limited to what is strictly necessary," explained Toni Vitale, partner at JMW Solicitors. "This means companies who currently rely on the EU-US Privacy Shield for transferring data to the US will no longer be able to rely on this, and will instead have to consider which alternative legal mechanism to rely on -- something easier said than done given the EU's issues with the US privacy legal system."

SCCs can still be used for data transfers, but it is up to data exporters and importers to check and verify data protection mechanisms of "essential equivalence" to the EU in the target country first -- as well as report any issues. EU data protection regulators may then step in and suspend data transfers. 

TechRepublic: Ransomware accounts for a third of all cyberattacks against organizations

Given the US' surveillance stance, the use of SCCs to transfer information may no longer be considered acceptable in many cases. 

Enterprise companies will be able to weather the storm, but SMBs will likely struggle with taking on the role of assessor and, therefore, guidance will be needed on how to make the transition from Privacy Shield setups to SCCs. Either that, or they may consider switching to EU regional data processing. 

As for Schrems, the decision was met with celebration

"As the EU will not change its fundamental rights to please the NSA, the only way to overcome this clash is for the US to introduce solid privacy rights for all people -- including foreigners," Schrems commented. "Surveillance reform thereby becomes crucial for the business interests of Silicon Valley."

Previous and related coverage

Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0

Editorial standards