Privacy Shield: Top EU Court Strikes Down Data Transfer Pact

The European Union’s top court voided a transatlantic data-sharing pact this week, ruling that EU residents’ data, when moved to the U.S., are not sufficiently protected from that government’s surveillance. The legal battle began in 2013, when privacy activist Max Schrems complained to the Irish Data Protection Commissioner, pointing to Edward Snowden’s leaks as proof that U.S. law did not protect against scrutiny. Countries outside of the European Union and companies that want to move EU data abroad must now meet strict EU data laws.

CNBC reports that, “this could be a massive burden for multinationals, given they transfer huge sets of data all over the world.” Schrems’ original complaint against Facebook “reached the European Court of Justice (ECJ), which in 2015 ruled that the then Safe Harbour Agreement, which allowed European users’ data to be moved to the U.S., was not valid and did not adequately protect European citizens.”

Companies in Europe adopted Standard Contractual Clauses (SCCs) to move data across the Atlantic while the EU and U.S. developed the new Privacy Shield framework.

In this latest decision — which cannot be appealed — “the ECJ ruled … that these SCCs were a valid way to transfer data but invalidated the use of the Privacy Shield framework.” General Data Protection Regulation (GDPR), which debuted in 2018, “has allowed European users to have a stronger say over how companies use their information.”

“What we are seeing here looks suspiciously like a privacy trade war, where Europe is saying their data standards can be trusted, but those in the U.S. cannot,” said Jonathan Kewley, co-head of law firm Clifford Chance’s Tech Group. “We predict that the outcome could be more Europe data localization, with more customer data staying in Europe as a result.”

According to Eduardo Ustaran, global co-head of the Hogan Lovells Privacy and Cybersecurity practice, “the big practical takeaway is that all European companies must bear in mind other countries’ powers over data when engaging in global data flows.” At law firm Linklaters, partner Tanguy Van Overstraeten stated that, “the [ECJ] has made it clear companies cannot justify them using a ‘tick box’ exercise of putting SCCs in place.”

“Instead,” he explained, “the risks associated with those transfers need to be properly assessed.” He added that the ruling could “encourage other data protection regulators in Europe to assess international data transfers more ‘aggressively’.”

The Washington Post reports that, “the ruling was likely to increase transatlantic tensions at a moment when President Trump has already been threatening tariffs and retaliation against the European Union for what he says are unfair business practices.” As many companies examine how they collect and store European customers’ data, they “potentially [could be] making a choice between setting up costly Europe-based data hubs or curtailing business in Europe altogether.”

“While the Department of Commerce is deeply disappointed that the court appears to have invalidated the European Commission’s adequacy decision underlying the EU-U.S. Privacy Shield, we are still studying the decision to fully understand its practical impacts,” said U.S. Commerce Secretary Wilbur Ross.