EU court ruling hits transatlantic data streams


In the same ruling, the Luxembourg-based court upheld the legality of the instruments used to export data outside of Europe, called Standard Contractual Clauses (SCC). But it required EU privacy watchdogs to suspend data transfers to any country where EU standards cannot be met, opening the way for challenges based on other countries’ surveillance systems.

At a time of increasing tension between Brussels and Washington, the ruling will further strain relations. The Donald Trump administration has already lashed out at Europe’s privacy system, the General Data Protection Regulation, saying it provides cover to cybercriminals.

Now the two sides will have a difficult time reaching, for the third time, an agreement to keep data flowing across the Atlantic.

So far, both sides have struck conciliatory notes. A senior US official told POLITICO this week that Washington was ready to revisit EU data privacy protection if the Privacy Shield were removed. And Didier Reynders, the European commissioner in charge of data protection, said after the ruling that he would discuss it with his American counterparts with the aim of finding a new deal.

“I look forward to working constructively with them [the United States] to develop a strengthened and durable transfer mechanism,” the Belgian politician said in a statement.

But today’s ruling suggests that tinkering around the edges will not be enough and that substantial changes in America’s surveillance powers will be needed for a new deal.

While the US signaled openness to “tweaks” to its privacy system, it is unclear whether this amounts to a reform of the US surveillance powers, as the EU court suggested.

For the European Commission, which backed the Privacy Shield as a viable mechanism, the ruling amounts to a powerful new reprimand just a day after the EU court rejected a €13bn tax ruling against Apple.

The demise of the agreement will also be watched in London.

Authorities there are struggling to keep data flowing freely with the EU after Brexit. But activists have long questioned whether intrusive surveillance laws in the UK are acceptable to the EU, and the Privacy Shield ruling today raises the bar for any deal between London and Brussels.

Echoes of Snowden

No one will welcome the news with more enthusiasm than Max Schrems, the Austrian privacy activist who filed a 2013 case against Facebook that is at the heart of Thursday’s ruling.

Schrems argued that whistleblower Snowden’s revelations of widespread US surveillance showed that the EU data accumulated by the social media company was not safe from spying in the US.

The complaint prompted the EU’s highest court in 2015 to annul a data transfer agreement between the US and the EU known as Safe Harbor, which was later replaced by the Privacy Shield.

However, Schrems complained that fundamental problems with the US surveillance regime remained even under the Privacy Shield, and urged regulators to veto Facebook’s use of SCCs to transfer data across the Atlantic.

The case ended up in the Luxembourg-based court again after the Irish Data Protection Commission, the privacy regulator in charge of overseeing Facebook in Europe, refused to reject data transfers from the social media company.

Instead, the Irish regulator asked judges to invalidate SCCs in general, extending the case far beyond Facebook.

In a statement today, Schrems said he is “very happy” with the ruling. “It is clear that the United States will have to seriously change its surveillance laws if American companies want to continue to play an important role in the EU market,” he said.

He added that the judges placed the ball firmly in the court of the EU data protection authorities, which, the court stressed today, have a duty to verify whether data transferred abroad is protected according to a European standard.

“The Court not only tells the Irish DPC to do its job after seven years of inaction, but all European DPAs have a duty to take action and cannot look the other way.”

The Irish Data Protection Commission and Facebook did not immediately respond to a request for comment.

The ruling was applauded by privacy activists across Europe, with Estelle Massé, privacy leader for digital rights NGO Access Now, saying in a statement that the European Commission had been “irresponsible” to adopt the Privacy Shield in the first place.

“From the first moment, the Commission ignored the legal opinion of the data protection experts and civil society, who urged against the adoption of this agreement. Time and again, we reiterate that not suspending the agreement was a big mistake.”

The industry reaction was mixed.

Thomas Boué, a political agent in the influential technology lobby BSA | The Software Alliance, said the invalidation of the Privacy Shield is “eliminating one of the most flexible and reliable compliance mechanisms, which are widely used by SMEs for transatlantic business.”

He called on data protection authorities to release guidance and postpone the application of the ruling for a grace period, as they did after Safe Harbor was shot down.