The European Court of Justice has today issued a ruling that voids the existing Privacy Shield agreement for data sharing between the European Union and United States because it does not adequately safeguard the private data of European citizens.
The ruling is certain to have an impact on almost every business, no matter the size, operating in the EU. It comes following a long and arduous legal battle that was initiated as far back as 2013 when privacy activist Max Schrems lodged a complaint with the Irish Data Protection Commission (DPC). This complaint was in relation to disclosures about secretive US surveillance agency programmes that access user data from a roster of huge US social media and internet firms. In particular, Schrems and his data privacy lobby group noyb were critical of the manner in which Facebook completed data transfers.
Schrems made allegations that, due to the Edward Snowden revelations, US legislation did not allow adequate security against surveillance by public authorities. This complaint was made primarily against Facebook. A ruling was made that the agreement between the EU and US for data sharing, then referred to as the Safe Harbour Agreement, was no longer valid. As part of this, businesses began to use Standard Contractual Clauses (SCCs) to continue sharing data between the two markets while a new agreement, known as Privacy Shield, was formulated.
Today’s ruling essentially means that Privacy Shield has been invalidated and there are new compliance burdens being placed on the use of SCC transfers to all countries outside the EU. In order to make such transfers, companies receiving data in the external jurisdictions will be required to complete an independent review to ascertain whether the destination country has sufficient legislation for the contract clauses to be enforced.
Additionally, data protection authorities in all EU member states will be responsible for overseeing these transfers and will be expected to prevent transfer flows if they are being sent to a country where the data protection legislation has been deemed insufficient or problematic.
The ECJ released the following comment with the ruling: “Regarding the level of protection required in respect of such a transfer, the Court holds that the requirements laid down for such purposes by the GDPR (General Data Protection Regulation) concerning appropriate safeguards, enforceable rights and effective legal remedies must be interpreted as meaning that data subjects whose personal data are transferred to a third country pursuant to standard data protection clauses must be afforded a level of protection essentially equivalent to that guaranteed within the EU by the GDPR.”
It went on: “In those circumstances, the Court specifies that the assessment of that level of protection must take into consideration both the contractual clauses agreed between the data exporter established in the EU and the recipient of the transfer established in the third country concerned and, as regards any access by the public authorities of that third country to the data transferred, the relevant aspects of the legal system of that third country.”
He went on: “The Court clarified for a second time now that there is a clash between EU privacy law and US surveillance law. As the EU will not change its fundamental rights to please the NSA, the only way to overcome this clash is for the US to introduce solid privacy rights for all people – including foreigners. Surveillance reform thereby becomes crucial for the business interests of Silicon Valley.” “This judgment is not the cause of a limit to data transfers, but the consequence of US surveillance laws. You can’t blame the Court for saying the unavoidable – when shit hits the fan, you can’t blame the fan.”
Commenting on the ruling, Simon McGarr, one of Europe’s top data protection experts, told Yahoo Finance news: “Everyone is focusing on Facebook as a familiar household name, but in reality, this is a massive strengthening of the EU’s regulatory power in order to enforce its human rights-based vision of data processing.”
He added: “It’s now incumbent on both the company sending the data and the company receiving the data, and EU data regulators, to do their own examination of the enforceability of those contracts under local laws of every single receiving country.”
The full consequences of today’s ruling will be seen in the coming days and months, but there is now a huge question mark over how companies can transfer data from the EU to the US without being in breach of the General Data Protection Regulation if they are using Privacy Shield or SCCs as a basis for doing so.
Associate general counsel at Facebook, Eva Nagle, released a statement confirming that the company is already reviewing the impact of this ruling. She said: “Like many businesses, we are carefully considering the findings and implications of the decision of the Court of Justice in relation to the use of Privacy Shield and we look forward to regulatory guidance in this regard. We will ensure that our advertisers, customers and partners can continue to enjoy Facebook services while keeping their data safe and secure.”
In a statement welcoming the decision, the Data Protection Commission of Ireland said: “the Court also agreed with the DPC’s view that, whatever mechanism is used to transfer data to a third country, the protection afforded to EU citizens in respect of that data must be essentially equivalent to that which it enjoys within the EU.”