The European Court of Justice has ruled that the transfer of data from the EU to the United States through a mechanism known as Privacy Shield, employed by thousands of American companies including Facebook, does not comply with EU privacy regulations; it’s a decision with wide-ranging implications.
In a press release, the European Union’s highest court outlined the ruling that the certification is “not limited to what is strictly necessary” for processing that data, and therefore exposes EU citizens to surveillance in the US.
While the ruling closes off the Privacy Shield avenue, which is used not only by tech and social media companies but by most transatlantic firms, Standard Contractual Clauses (SCCs), individual legal protections about personal data, remain valid.
These will become a key route for the transfer of data, similar to the route expected to become useful to British companies in the event of a messy Brexit. In all cases, the use of SCCs, while valid, must treat EU regulations as the gold standard and give European regulators latitude to step in when there are indications of malfeasance. In this case, that comes in the shape of American surveillance law.
“[T]he requirements of US national security, public interest and law enforcement have primacy, thus condoning interference with the fundamental rights of persons whose data are transferred to that third country,” the ruling states.
It continues by saying that the domestic laws of the United States “are not circumscribed in a way that satisfies requirements that are essentially equivalent to those required under EU law”, leaving personal data vulnerable to “access and use by US public authorities”.
Effectively, this is a story about privacy laws in the European Union colliding with surveillance laws of the United States.
The ruling stems from a case originally brought by Max Schrems, an Austrian privacy rights campaigner and lawyer, and is the culmination of a long and difficult case against Facebook, originally filed in 2011 but accelerated following revelations from Edward Snowden in 2013. An important aspect of those revelations was PRISM, the program that allowed the NSA access to tech firms’ data, wherever it came from.
As TechCrunch points out, the ruling doesn’t concern “necessary” data transfer, as in contacting a company directly through email, but the kind of big transfers that move data from one jurisdiction to another for processing.
Commenting on the ruling, Schrems said, “The Court clarified for a second time now that there is a clash between EU privacy law and US surveillance law.
“As the EU will not change its fundamental rights to please the NSA, the only way to overcome this clash is for the US to introduce solid privacy rights for all people – including foreigners. Surveillance reform thereby becomes crucial for the business interests of Silicon Valley.
“This judgment is not the cause of a limit to data transfers, but the consequence of US surveillance laws. You can’t blame the Court for saying the unavoidable – when shit hits the fan, you can’t blame the fan.”
Sourced from the ECJ, TechCrunch, WARC