Europe’s highest court today struck out the EU-US Privacy Shield agreement, overturning the legal basis that allows more than half a million US companies to exchange data with Europe.
The European Court of Justice (ECJ) ruled in a 63-page judgment that Privacy Shield fails to ensure European citizens adequate right of redress when data is collected by the US National Security Agency (NSA) and other US intelligence services.
The court upheld the validity of another legal mechanism, standard contractual clauses (SCCs), which allow European companies to legally share data with the US and other countries – but added caveats to their use.
The decision will force the EU and the US back to the negotiating table to draft a version of Privacy Shield that gives EU citizens stronger privacy rights under US surveillance laws.
The US Secretary of Commerce, Wilbur Ross, said that the Department of Commerce was ‘deeply disappointed’ with the decision to strike down Privacy Shield.
“We have been and will remain in close contact with the European Commission and European Data Protection Board on this matter and hope to be able to limit the negative consequences to the $7.1 trillion transatlantic economic relationship that is so vital to our respective citizens, companies, and governments,” he said.
Companies that rely on the Privacy Shield agreement to exchange data between the US and the EU as part of their international trade will face uncertainty and disruption as they seek other legal mechanisms to transfer data.
The case is the latest twist in a seven-year legal battle by Austrian lawyer Max Schrems against Facebook Ireland, over the legality of its transfer of personal data of its EU customers to the US.
“The court clarified, for a second time now, that there is a clash of EU privacy law and US surveillance law,” said Schrems. “As the EU will not change its fundamental rights to please the NSA, the only way to overcome this clash is for the US to introduce solid privacy rights for all people – including foreigners. Surveillance reform thereby becomes crucial for the business interests of Silicon Valley.”
Privacy Shield struck down
Today’s decision marks the second time the European court has struck down the data sharing agreement between the EU and the US.
The court found that Privacy Shield, like its predecessor Safe Harbour, which was struck down by the court in 2015, gave the requirements of US national security and law enforcement agencies priority over the rights of EU citizens.
Privacy Shield “condoned” interference with the fundamental rights of EU citizens when their data is transferred to the US, it said.
The European court found that US surveillance laws meant that the US did not offer privacy protections equivalent to those under EU law, ruling they were not proportionate and went beyond what was strictly necessary.
In particular, it found that US laws did not give EU citizens rights of redress through the courts if their data was misused.
The court disagreed with the European Commission's view that the Ombudsperson, set up in Privacy Shield to provide redress to EU citizens, offered an effective remedy.
It said the Ombudsperson mechanism “does not provide data subjects with any cause of action before a body which offers guarantees substantially equivalent to those required by EU law” and it failed to ensure that the Ombudsperson was independent or had the powers to make decisions that were binding on the US intelligence services.
SCCs given green light – with conditions
The court found that EU law, and the General Data Protection Regulation (GDPR) in particular, applies when companies transfer data to countries outside the EU, even when that data is processed by third-party governments for national security, defence and state security.
People must be given “essentially equivalent protection” for their data when it is transferred to the US and other countries, as they would receive in the EU under GDPR and the European Charter of Fundamental Rights, which guarantees people the right to private communications and the protection of their private data.
SCCs are used to transfer data from the EU to some 180 countries, including Australia, Singapore, South Korea, Brazil, India and Mexico, according to the Business Software Alliance (BSA).
Although the court found that SCCs were legally valid, it said any data transfer agreements must take into account the legal system of the country receiving the data and any access governments or public authorities have to data on EU citizens.
The court said companies had a responsibility to ensure that the companies outside the EU they plan to share data with granted privacy protection equivalent to EU law.
The receiving company has to inform the data exporter of any inability to comply with the SCC and the company sending the data is obliged to suspend data transfers if EU privacy laws are breached, it said.
The court made it clear that data protection regulators would be required to act if companies transfer data to the US or other countries without meeting European privacy safeguards.
Data protection authorities (DPAs) are “required to suspend or prohibit a transfer of personal data to a third country” where they believe that country cannot comply with standard data protection clauses.
The court said that regulators must act if a company exporting the data has failed to suspend data transfers itself and that data protection cannot be ensured in any other way.
Tanguy Van Overstraeten, partner and global head of privacy and data protection at law firm Linklaters, said the decision would impact large companies, which make hundreds or thousands of data transfers through standard contractual clauses.
“Large companies have complex webs of data transfers to hundreds, if not thousands, of overseas recipients. The court has made it clear companies cannot justify them using a tick box exercise of putting SCCs in place. Instead, the risks associated with those transfers need to be properly assessed,” he said.
Van Overstraeten said it would become more difficult for companies to transfer data to countries with strong surveillance powers, including the US, India and China.
“Businesses will now look to EU regulators to propose some form of transition to allow them to move away from Privacy Shield without the threat of significant sanctions and civil compensation claims,” he said.
Max Schrems: Regulators must enforce the law
Schrems said the ruling had put an end to the discretion of data protection authorities to decide not to take action when data transfers are in breach of EU data protection law.
Schrems has been pressing the Irish Data Protection Commissioner (DPC) to take action against Facebook after filing a complaint in 2013 that Facebook Ireland was transferring personal data of EU citizens to Facebook Inc in the US, in breach of EU data protection and human rights law.
He argued that US surveillance programmes, including the Prism program exposed by whistleblower Edward Snowden, which extracts data from communication services companies, including Facebook, did not respect the privacy rights of non-US citizens.
“The court is not only telling the Irish DPC to do its job after seven years of inaction, but also telling all European DPAs that they have a duty to take action and cannot just look the other way. This is a fundamental shift going far beyond EU-US data transfers,” he said.
“Authorities like the Irish DPC have so far undermined the success of the GDPR by simply not processing complaints. The court has clearly told the DPAs to get going and enforce the law.”
He said the decision meant Facebook would not be able to use SCCs for EU-US data transfers, and if it continued to violate the law, the DPC would have to “take urgent action”.
Court decision will affect trade between EU and US
The Business Software Alliance, one of the parties to the case, said the court’s decision to invalidate Privacy Shield would create a barrier for electronic commerce between the US and the EU.
“Today’s Privacy Shield decision just removed from the table one of the few, and most trusted, ways to transfer data across the Atlantic,” said Thomas Boué, director general of the BSA.
“The impacts will be felt by large and small enterprises on both sides of the Atlantic, when businesses are focused on recovering from the economic impacts of Covid-19 and are increasingly relying on data-driven tools and services to do so,” he said.
Renzo Marchini, partner at law firm Fieldfisher, said that although businesses could continue to use SCCs, there was “a big but” – the court has made it clear that businesses will need to ensure that any country they transfer data to offers “essentially equivalent” protection to the EU.
“How is any European business – certainly smaller ones – supposed to do that?” he said. “This is crying out for urgent guidance from regulators. It is impractical for any but the largest businesses to do this assessment.”
It is difficult to see how regulators would be able to allow data transfers to the US under standard contractual clauses, following the court’s invalidation of Privacy Shield, said Marchini.
Caitlin Fennessy, research director at the International Association of Privacy Professionals, claimed the court’s decision would adversely impact US companies that share data with the US.
“Today’s decision effectively blocks legal transfers of personal data from the EU to the US. It will undoubtedly leave tens of thousands of US companies scrambling and without a legal means to conduct transatlantic business, worth trillions of dollars annually,” she said.
Max Schrems said today that industry lobbying groups had exaggerated the impact of the ruling on businesses, as in practice “necessary” data flows can still continue legally under article 49 of GDPR.
“This is a solid basis for most legal transactions with the US. In simple words, the US has now been brought back to the ‘normal’ situation that the EU has with most other third countries, but lost its special access to the EU market over US surveillance,” he said.
Companies may relocate data to Europe
Data flows between the US and the EU are unlikely to dry up immediately. It is likely that the European Commission will give companies that rely on Privacy Shield a grace period to make new arrangements.
Many companies are expected to switch from Privacy Shield to standard contractual clauses to continue to transfer data legally.
The European Commission is in the process of revising SCCs to take into account GDPR, and confirmed it would modify them following the European court’s decision.
European Commission Vice President Jourova said at a press conference today that the Commission will be working with its US counterparts, including US Commerce Secretary Wilbur Ross and Attorney General William Barr, to develop robust EU-US data transfers.
Jonathan Kewley, co-head of technology at law firm Clifford Chance, said some companies were likely to respond by localising their data in Europe.
“What we are seeing here looks suspiciously like a privacy trade war, where Europe is saying its data standards can be trusted, but those in the US cannot,” he said. “We predict that the outcome could be more Europe data localisation, with more customer data staying in Europe as a result.”
Decision could affect EU-UK data transfers
Today’s decision is likely to impact data transfers between the EU and the UK following Brexit. Data transfers from the UK to the EU will be unaffected until 2024.
But it is not yet certain whether the EU will conclude that the UK offers EU citizens adequate protection for their data, under the UK’s surveillance law, the Investigatory Powers Act.
Daniel Tozer, head of data and technology at law firm Harbottle & Lewis, said the ability of companies to transfer data between the EU and the UK was uncertain following the judgment.
“This judgment raises questions about the UK’s ability to be awarded data protection ‘adequacy’ by the EU, given the UK’s own surveillance laws and its membership of the Five Eyes programme. Data transfers between the EU and the UK from 1 January 2021 could well become very challenging indeed,” he said.
Jim Killock, executive director of the Open Rights Group, said that, following the judgment, the UK would have to choose between maintaining the high privacy standards of the EU or lower privacy standards of the US after Brexit.
“The UK’s surveillance regime will be questioned after this judgment, as Europe has rejected Privacy Shield precisely because of concerns over surveillance. Similarly, standard contractual clauses cannot now be relied on,” he said.
Irish DPC: Data transfers to US now ‘questionable’
The Irish Data Protection Commission, which referred the case to the European Court of Justice, said the decision supports the concerns of the regulator and the Irish High Court that EU citizens do not receive the level of protection demanded by the EU when their data is transferred to the US.
“While the judgment most obviously captures Facebook’s transfers of data relating to Mr Schrems, it is of course the case that its scope extends far beyond that, addressing the position of EU citizens generally,” it said in a statement.
Although the court found that SCCs were valid, their use to transfer personal data to the US was now questionable, the regulator, headed by Helen Dixon, said.
“This is an issue that will require further and careful examination, not least because assessments will need to be made on a case-by-case basis,” it said.
Facebook considers implications
Eva Nagle, associate general counsel for Facebook, said the social media network was considering the implications of the court’s decision to strike down Privacy Shield.
“We welcome the decision of the Court of Justice of the European Union to confirm the validity of standard contractual clauses for transfers of data to non-EU countries. These are used by Facebook and thousands of businesses in Europe and provide important safeguards to protect the data of EU citizens,” she said.
Timeline of Max Schrems’ battle with the EU and the US
26 July 2000: The European Commission makes a decision to allow data transfers between the EU and the US between organisations that self-certify as being compliant under Safe Harbour. European regulators have the right to suspend data transfers if the principles of Safe Harbour are breached.
2008: Austrian lawyer Max Schrems starts using Facebook.
1 December 2009: The EU Charter of Fundamental Human Rights is given legal status. Article 7 provides for the respect for private and family life. Article 8 requires the protection of personal data.
January 2013: Facebook’s chief operating officer, Sheryl Sandberg, lobbies world leaders in a series of one-on-one meetings to water down proposals for the law that ultimately became the General Data Protection Regulation (GDPR).
May 2013: Edward Snowden reveals the interception and surveillance of telecommunications and internet by the US National Security Agency (NSA) on a massive global scale.
6 June 2013: The Washington Post reveals the existence of the Prism program which enables the NSA to collect personal data, including emails, photographs and videos, from internet providers, including Microsoft, Google and Facebook.
25 June 2013: Max Schrems makes a formal complaint to the Irish Data Protection Commission against Facebook Ireland. He cites probable cause that Facebook is breaking the Irish Data Protection Act and the European Data Protection Directive by providing “mass access” to data on European citizens to the NSA.
25 July 2013: The Data Protection Commission Ireland rejects Schrems’ complaint, arguing it is frivolous and vexatious.
31 July 2013: The Guardian newspaper reports the existence of a top secret NSA program, XKeyscore, that enables it to collect nearly everything an internet user does online.
18 June 2014: In the Irish High Court, judge Desmond Hogan asks the European Court of Justice to determine whether the Irish Data Protection Commission is bound by the Safe Harbour Agreement. The judgment found that the US routinely accesses personal data on a “mass and undifferentiated basis”.
25 March 2015: The European Court of Justice begins considering the privacy case brought by Max Schrems. The case has implications for the legality of Safe Harbour, which permits data transfers between the EU and the US.
20 November 2015: Facebook Ireland signs an agreement with Facebook Inc to transfer data on Facebook’s European customers to the US using standard contractual clauses (SCCs), as an alternative to Privacy Shield.
1 December 2015: Schrems files an updated complaint with the Irish DPC. He asks the Irish data protection commissioner to make a ruling prohibiting transfers of data between Facebook Ireland and Facebook Inc in the US on the grounds that Facebook Inc is illegally making his data available to US intelligence through the Prism collection program.
2016: The Irish Data Protection Commissioner files a lawsuit against Schrems and Facebook in the Irish High Court to refer further questions to the European Court of Justice.
28 June 2016: The US Department of Justice argues that the legal case brought by the Irish Data Protection Commission against Facebook and Max Schrems raises issues of national security.
8 July 2016: Facebook and Irish business claim in court that a legal challenge to SCCs could cut 1% from Europe’s GDP if it succeeds.
19 July 2016: In an unusual move, the Irish Court joins the US government to the case. The European Privacy Information Centre, a non-government organisation, the Business Software Alliance and Digital Europe are also joined to the case.
26 July 2016: The Irish High Court agrees a date for a three-week hearing into the legality of data transfers between the EU and the US.
7 February 2017: The Data Protection Commission Ireland begins legal action in the commercial court in Dublin against Facebook and Schrems. Helen Dixon argues that the court should require the European Court of Justice to decide if transatlantic data transfer channels breach privacy rights of EU citizens. The US government argues that the case could have sweeping commercial ramifications.
3 October 2017: The Irish High Court decides to ask the ECJ to rule over the validity of data transfers between the EU and the US. The court’s ruling over the safeguards to protect EU data against collection by the US NSA under its Prism and Upstream programs.
11 October 2017: Lawyers for the US government argue that it is “critically important” that its views are heard when a Dublin court raises questions over the legality of data transfers between the EU and the US with the ECJ.
January 2018: Justice Caroline Costello announces that the court will take its time to formulate questions to put to the ECJ, following four days of legal argument. Facebook makes an application to correct “certain factual errors” made in an earlier ruling in October 2017.
2 May 2018: Facebook fails a belated attempt to delay Dublin’s High Court by referring key questions that could decide the lawfulness of data transfers between Europe and the US to the European Union’s Court of Justice.
12 April 2018: The Irish High Court proposes 11 questions for determination by the European Court of Justice that will test whether companies can legally transfer data to the US in the light of disclosures by Edward Snowden that the US is engaged in large-scale surveillance of EU citizens.
9 May 2018: The Irish High Court refers 11 questions over the validity of SCCs and Privacy Shield to the ECJ.
1 November 2018: Facebook makes an unprecedented appeal to the Irish Supreme Court in an attempt to halt the Irish High Court referring questions over the validity of EU-US data transfer agreements to the European Court of Justice.
21-23 January 2019: The Supreme Court in Dublin hears a three-day appeal from Facebook against a decision by the Irish High Court to refer 11 questions about the legality of data transfers between Europe and the US to the ECJ, in which the US government gives evidence. The Irish Data Protection Commission argues that Facebook is attempting to head off an adverse finding by the European court that SCCs are illegal.
12 December 2019: The Advocate General Henrik Saugmandsgaard Øe finds in a primary opinion that standard contractual clauses are lawful, but raises questions over the impact of US surveillance on the legality of Privacy Shield.