The European Union’s top court ruled Thursday that an agreement that allows big tech companies to transfer data to the U.S. is invalid and that national regulators need to take tougher action to protect the privacy of users’ data.
The ruling does not mean an immediate halt to all data transfers outside the EU, as there is another legal mechanism that some companies can use. But it means that the scrutiny over data transfers will be ramped up and that the EU and U.S. may have to find a new system that guarantees that Europeans’ data is afforded the same privacy protection in the U.S. as it is in the EU.
In 2013, Austrian activist and law student Max Schrems filed a complaint against Facebook, which has its EU base in Ireland, arguing that personal data should not be sent to the U.S., as many companies do because the data protection is not as strong as in Europe. The EU has some of the toughest data privacy rules under a system known as General Data Protection Regulation (GDPR).
“It seems we scored a 100% win,” Schrems said on Twitter.
“For our privacy, the U.S. will have to engage in serious surveillance reform to get back to a ‘privileged’ status for U.S. companies,” he added.
The case began after former U.S. National Security Agency contractor Edward Snowden revealed in 2013 that the American government was snooping on people’s online data and communications. The revelations included details on how Facebook gave U.S. security agencies access to the personal data of Europeans.
At the time, the EU court said the U.S. spying was incompatible with European norms on privacy.
The previous decision struck down a deal called “Safe Harbor” that allowed for data transfers between Europe and U.S. servers, throwing transatlantic business into legal limbo.
Its replacement “Privacy Shield,” which is currently used by over 5,000 U.S. companies, has now been invalidated as well.
The judges said that even though the deal requires that the U.S. must comply with EU privacy law, the deal’s provisions “do not grant Europeans actionable rights before the courts against the U.S. authorities.”
The court said, however, that another arrangement, known as standard contractual clauses, could stand, giving companies an alternative framework.
The case decided Thursday originally focused on these complex clauses, an EU invention in which companies outside Europe commit to meeting EU laws on data and privacy.
These arrangements are however far more legally cumbersome for companies than a bilateral deal such as “Privacy Shield.”
During the hearings, judges turned their focus to “Privacy Shield” and a legal adviser to the court warned that it may be illegal.
Schrems’ latest case began in Ireland, the hub for Facebook’s activities in the EU. The Irish Data Protection Commission referred the complaint to Ireland’s top court, which turned it over to the judges in Luxembourg.
CCIA, the lobby for U.S. big tech, criticized the decision, “which creates legal uncertainty for the thousands of large and small companies on both sides of the Atlantic.”
“We trust that EU and U.S. decision-makers will swiftly develop a sustainable solution, in line with EU law, to ensure the continuation of data flows which underpins the transatlantic economy,” CCIA added.