ECJ rules main mechanism for transferring information fails to protect EU citizens’ privacy
The EU’s top court has ruled that a transatlantic agreement used by thousands of companies to transfer data between the EU and US does not protect the privacy of European citizens. In a statement on Thursday, judges at the European Court of Justice (ECJ) in Luxembourg said that the Privacy Shield agreement did not limit access to data by US authorities “in a way that satisfies requirements that are essentially equivalent to those required under EU law”.
The impact of the ruling was not immediately clear. While thousands of corporations, including tech companies, banks, law firms and carmakers, rely on Privacy Shield to move data easily between the two regions, the court said they might continue to do so under so-called standard contractual clauses (SCCs), essentially individual legal agreements covering how data will be treated.
Companies will now have to carefully analyse whether their SCCs are sufficient to ensure that data moving overseas are treated in line with Europe’s General Data Protection Regulation (GDPR). “The [ECJ] has made it clear companies cannot justify them using a ‘tick box’ exercise of putting SCCs in place. Instead, the risks associated with those transfers need to be properly assessed,” said Tanguy Van Overstraeten, partner and global head of privacy and data protection at Linklaters.
The court ruling came after the Austrian privacy campaigner, Max Schrems, filed a complaint against Facebook, arguing that his privacy was violated once the company transferred his data to the US, where it could be explored by US intelligence agencies. Privacy Shield was the successor to the Safe Harbour agreement, which was also dismantled by European judges in 2015 following a case by Mr Schrems.
On Thursday he called for the US to “seriously change their surveillance laws if US companies want to continue to play a major role in the EU market”. Mr Schrems suggested the judgment would stop Facebook from transferring data to the US because its platforms were used for surveillance by US intelligence. “The judgment makes it clear that companies cannot just sign the SCCs, but also have to check if they can be complied with in practice,” he said. Facebook said it welcomed the confirmation that it could use SCCs to transfer data and that it was “carefully considering” the ruling.
“We will ensure that our advertisers, customers and partners can continue to enjoy Facebook services while keeping their data safe and secure,” said Eva Nagle, associate general counsel at Facebook. “We look forward to regulatory guidance in this regard,” she added. Daniel Tozer, Head of Data and Technology at Harbottle & Lewis, said that it was unclear how companies could ensure SCCs to the US would meet standards of data protection given surveillance laws which led to the collapse of Privacy Shield.
“Some companies will decide that these data transfers are no longer appropriate and will restructure their operations to reduce or remove such transfers,” he added. Other tech companies rushed to reassure clients that data transfers were still possible between the EU and the US. Julie Brill, chief privacy officer at Microsoft, said: “The court’s ruling does not change your ability to transfer data today between the EU and US using the Microsoft cloud.
“Although today’s ruling invalidated the use of Privacy Shield moving forward, the SCCs remain valid.” Thomas Boué, director-general of Europe, Middle East and Africa policy at the Business Software Alliance, which represents companies including Microsoft, Oracle and IBM, said: “We are relieved that SCCs remain valid, which is a positive outcome. But today’s Privacy Shield decision just removed from the table one of the few, and most trusted, ways to transfer data across the Atlantic.”
In response to the judgment, Brussels said it would accelerate its work on modernising SCCs to ensure they can handle the vast flows of private data outside the EU. Vera Jourova, EU executive vice-president in charge of values and transparency, said the commission would also continue to push the US administration to accelerate work on an American federal privacy law. “We have never hidden that we want to see more convergence when it comes to the framework for data protection [in the US],” said Ms Jourova.
“We would like to see on the American side a federal law that would be equivalent or similar to the General Data Protection Regulation”. The end of Privacy Shield is likely to affect future data transfers between the EU and UK after the end of the post-Brexit transition period in December. “In practice, this means that unless the UK starts reforming its surveillance laws now, reaching an adequacy deal by end 2020, or any time really, will be difficult,” said Estelle Masse, senior policy analyst at Access Now.
If UK companies were instead forced to use SCCs, said David Dumont, data privacy partner at Hunton Andrews Kurth, they would be “subject to much greater levels of scrutiny” by EU data protection agencies. In February, Google announced it was moving UK user data to the US, which experts said was likely to avoid legal risks around Brexit.