A highly anticipated ruling by the European Union’s Court of Justice invalidated Privacy Shield, a data transfer framework between the European Union and the United States.
Privacy Shield regulated the exchange of personal data for commercial purposes between the EU and the US. It was used by more than 5,300 companies for transatlantic digital trade.
The ruling is colloquially referred to as Schrems II, in reference to Austrian privacy activist and lawyer, Max Schrems, who challenged Privacy Shield, claiming that US national security laws did not protect EU citizens from government surveillance.
Schrems’s Claim
Schrems challenged Facebook’s transferring of personal data from EU users to servers in the US under Privacy Shield.
As many other European users, his personal data was transferred by Facebook Ireland to Facebook’s servers in the US. He claimed that American law does not guarantee sufficient protection against access by US public authorities.
Schrem’s complaints were based on US surveillance laws, by which US national security, public interest, and law enforcement have primacy over the privacy of user’s data, and therefore interfere with the fundamental rights of users.
He had initially complained against Facebook’s data transfer to the US in 2013, following leaks by whistleblower Edward Snowden. His leaks revealed the extent of US surveillance over user’s data, which clearly collided with European citizen’s fundamental rights to privacy and data protection.
In 2015, based on Schrems’s earlier claims, the EU court overturned the then-standing Safe Harbour framework which allowed Facebook to transfer the personal data of EU users to the US, indicating that data in the US was not subjected to the same safeguards and limits as in the EU. Based on this decision, the European Commission set up Privacy Shield to replace Safe Harbour.
Privacy Shield Decision
The court ruled that personal data transferred outside of the EU must have “the level of protection essentially equivalent to that guaranteed within the EU.” It found that the mechanisms in the EU-US Privacy Shield, which had been set up to mitigate the interference with fundamental rights of persons whose data are transferred to a third country, fail to comply with the required legal standard of “essential equivalence” with EU law.
It is important to clarify that the decision does not concern “necessary” data transfers, such as emails being sent to book a hotel room. This kind of data processing is based on the user’s informed consent, which can be withdrawn at any moment. Instead, the decision involves the bulk of data being outsourced for processing from the EU to the US.
Another data transferring mechanism is through Standard Contractual Clauses (SCC). While also brought up in the complaint, the Court did not strike down this mechanism in the ruling. However, it did indicate that in a first step EU companies and non-EU recipients must review the law in the respective countries and that EU regulators must get involved if they suspect data is flowing to unsafe locations outside of the EU bloc.
‘Bold Move’ for Europe
Jonathan Kewley, co-head of technology at law firm Clifford Chance, called the EU court’s ruling a “bold move.”
“What we are seeing here looks suspiciously like a privacy trade war, where Europe is saying their data standards can be trusted but those in the US cannot,” he continued.
Schrems II made it clear that the European Commission’s assessment of US surveillance laws under the Privacy Shield was not thorough enough. A possible effect of the decision might be that more companies will switch to regional processing for the data of European users.
Schrems applauded the ruling: “It is clear that the US will have to seriously change their surveillance laws if US companies want to continue to play a major role in the EU market.”