The Court of Justice of the European Communities (ECJ) has rejected an important agreement governing the transfer of data from EU citizens to the United States.
The EU-EE Privacy Shield. Allows companies to subscribe to higher privacy standards, before transferring data to the US.
But a privacy advocate questioned the deal, arguing that US national security laws did not protect EU citizens from government interference.
Max Schrems, the Austrian behind the case, called it a victory for privacy.
“It is clear that the United States will have to seriously change its surveillance laws if American companies want to continue to play a role in the EU market,” he said.
US Commerce Secretary Wilbur Ross said his department was “deeply disappointed” by the decision.
He said he hoped to “limit the negative consequences” to transatlantic trade worth $ 7.1 trillion (£ 5.6 trillion).
What happens next?
The EU-EE Privacy Shield system. USA “Supports Transatlantic Digital Commerce” for more than 5,300 companies. About 65% of them are small and medium-sized enterprises (SMEs) or start-ups, according to the European Institute at University College London.
The affected companies will now have to sign “standard contractual clauses”: non-negotiable legal contracts drawn up by Europe, which are used in countries other than the United States.
They are already used by many great players. Microsoft, for example, released a statement saying it already uses them and is unaffected.
The last time a major deal like this was closed in 2015, also due to a case involving Max Schrems, a grace period was introduced when companies figured out what to do.
Schrems had also questioned the validity of the CECs, but the ECJ decided not to abolish them.
But he did warn that these contracts should be suspended by the data protection officers, if the guarantees in them are not respected.
Surveillance laws
Mr. Schrems’ case was motivated in part by leaks by former CIA contractor Edward Snowden that revealed the extent of United States surveillance.
European data protection law says that data can only be transferred outside of the EU, to the United States, or elsewhere, if appropriate safeguards are in place.
But the ECJ said that “America’s surveillance programs … are not limited to what is strictly necessary.”
- Facebook questioned in court about data transfers
- Google and Facebook face GDPR complaints
“The national security, public interest and law enforcement requirements of the United States take precedence, so they tolerate interference with the fundamental rights of the people whose data is transferred,” he said.
“The limitations on the protection of personal data that arise from the national law of the United States … are not circumscribed in a way that satisfies the requirements.”
‘Bold move’
“This is a bold move on the part of Europe,” said Jonathan Kewley, co-chief technology officer for the law firm Clifford Chance.
“What we’re seeing here looks suspiciously like a privacy trade war, where Europe says its data standards can be trusted, but those in the United States can’t.”
He also warned that standard contract terms (SCC) will be examined much more closely from now on.
Data protection expert Tim Turner agreed, saying that the ECJ’s warning about standard clauses could spell more trouble for US companies.
“If the law in the relevant country, say the United States, could override what the contract says, they don’t work,” he said.
“I don’t know how much of an appetite they have to do this, but it’s hard to imagine any European regulator saying SCCs work for the US, and the pressure will increase for them to do the assessment.”
“I don’t think the SCCs escaped the court ruling; for some key countries, it’s probably just a stay of execution.”