LUXEMBOURG (CN) — Swayed by evidence that U.S. intelligence authorities surveil users illegally, the EU’s highest court struck down a pact that lets companies move data between the United States and European Union.
The European Commission had signed off on the agreement known as the EU-U.S. Privacy Shield, but the European Court of Justice ruled that the deal lacks safeguards required by the General Data Protection Regulation.
Adopted in 2016, the GDPR says transfers of personal data to a country outside the EU may only take place if the country has an adequate level of data protection.
The long-awaited judgment released this morning marks the Luxembourg-based court’s second rejection of a data-sharing arrangement with the EU — both based on complaints from Austrian privacy activist Max Schrems. His challenges stemmed from information leaked by Edward Snowden, the former National Security Agency contractor, in 2013 that U.S. government intelligence agencies had used a program called Prism to collect huge swaths of electronic communications about internet users from private businesses.
“The Commission found … that ‘while individuals, including EU data subjects … have a number of avenues of redress when they have been the subject of unlawful (electronic) surveillance for national security purposes, it is equally clear that at least some legal bases that U.S. intelligence authorities may use (e.g. E.O. 12333) are not covered,’” Thursday’s ruling from the Grand Chamber states. “Thus, as regards E.O. 12333, the commission emphasized … the lack of any redress mechanism. In accordance with the case-law … the existence of such a lacuna in judicial protection in respect of interferences with intelligence programs based on that presidential decree makes it impossible to conclude, as the commission did in the Privacy Shield Decision, that United States law ensures a level of protection essentially equivalent to that guaranteed by Article 47 of the Charter.”
Facebook and other tech companies rely on data pacts to transfer data from countries in the European Union to the United States or elsewhere in the world. The EU has reached such deals with only 11 countries, including Japan, prompting disappointment Thursday on both sides of the Atlantic.
U.S. Commerce Secretary Wilbur Ross said Thursday that America will continue to work with the European Commission on the matter, touting a desire to shield what is a “$7.1 trillion transatlantic economic relationship.”
“As our economies continue their post-Covid-19 recovery, it is critical that companies — including the 5,300+ current Privacy Shield participants — be able to transfer data without interruption,” Ross said in a statement.
Industry sources were less politic.
“Today’s decision is nothing short of irresponsible,” Eline Chivot of the Information Technology and Innovation Foundation said in a statement, counting more than 5,000 European and U.S. companies that now must scramble to comply with the ruling.
“In the midst of a global pandemic during which global data flows are more vital than ever, it puts all global data transfers from the EU at risk and wreaks havoc on the digital economy,” Chivot said in a statement.
An Austrian lawyer, Schrems filed his original complaint with the Irish Data Protection Commission as Facebook has its European headquarters there.
“It is clear that the U.S. will have to seriously change its surveillance laws if U.S. companies want to continue to play a role in the EU market,” Schrems said in a statement Thursday.
Following the ruling known as Schrems I — in which the European court tossed out the previous U.S.-EU data-sharing arrangement called the Safe Harbor Framework — Facebook and other tech companies switched to using standard contractual clauses that let users give permission to transfer their data outside of the EU.
The EU later put in place the Privacy Shield Framework, which it claimed was more robust than its predecessor.
“We do not want to have the EU stop using standard contractual clauses, but we call for them to enforce the existing rules,” one of Schrems’ lawyers, Eoin McCullough, told the court in a hearing last year.
In response to Thursday’s outcome, an EU official did not go so far as to promise a third pact. “Our ambition is to respond together and figure out ways we can adapt to the decision,” the EU’s Justice Commissioner Didier Reynders said in a statement.
In addition to Privacy Shield, many companies also rely on more technical standard contractual clauses to govern user data expectations. Though Thursday’s ruling upholds such clauses, the court did warn that their validity depends on whether countries “ensure compliance with the level of protection required by EU law.”
Regarding the framework for contractual clauses, the court said it “provides for effective mechanisms which, in practice, ensures that the transfer to a third country of personal data … is suspended or prohibited where the recipient of the transfer does not comply with those clauses or is unable to comply with them.”
Facebook took heart in this silver lining on contractual clauses but said the new ban on Privacy Shield will require further attention. “We look forward to regulatory guidance in this regard,” Eva Nagle, the company’s associate general counsel, said in a statement.
As compared with a bilateral deal like Privacy Shield, however, contractual clauses are far more legally cumbersome.
The court “removed from the table one of the few, and most trusted, ways to transfer data across the Atlantic,” Thomas Boue, director general for policy in Europe at BSA The Software Alliance, whose members include Microsoft and Oracle, said in a statement.
Schrems called Thursday’s decision “a total blow to the Irish DPC and Facebook,” using an abbreviation for the Data Protection Commissioner.
CCIA, a U.S. trade group for the tech industry, lamented the legal uncertainty that flows from Thursday’s ruling.
“We trust that EU and US decision-makers will swiftly develop a sustainable solution, in line with EU law, to ensure the continuation of data flows which underpins the transatlantic economy,” CCIA said in a statement.
Because contractual clauses remain legal, the industry predicts little immediate fallout.
Julie Brill, a vice president at Microsoft, touted the U.S. software giant’s “overlapping protections” that use both the clauses and Privacy Shield.
“We want to be clear: if you are a commercial customer, you can continue to use Microsoft services in compliance with European law,” she said in a statement.
Thursday’s ruling follows an advisory opinion of a court magistrate last year that backed the validity of U.S.-EU data transfers.
On Wednesday, the European court sided with Ireland and Apple over an accusation from the U.S. that the island nation was providing illegal state aid in the form of a sweetheart tax deal.