Decipher: EU Court Strikes Down Privacy Shield

The European Court of Justice struck down Privacy Shield, an agreement between the United States and the European Union on how U.S. companies handle personal data for European users, because the privacy protections for European users under the framework were “inadequate.

The decision comes as part of the ruling for Facebook v Schrems, the case in which privacy activist Max Schrems complained to the Irish Data Protection Commissioner that Facebook was transferring his (and other European users’) data to data centers in the U.S. The problem was that under US law, the Clarifying Lawful Overseas Use of Data Act of 2018 (CLOUD Act), a US court can demand a US company hand over personal data for an individual, which meant the company wouldn’t be able to provide users with the privacy controls mandated under Europe’s General Data Protection Regulation.

“Regarding the level of protection required in respect of such a transfer, the Court holds that the requirements laid down for such purposes by the GDPR (General Data Protection Regulation) concerning appropriate safeguards, enforceable rights and effective legal remedies must be interpreted as meaning that data subjects whose personal data are transferred to a third country pursuant to standard data protection clauses must be afforded a level of protection essentially equivalent to that guaranteed within the EU by the GDPR,” the European Court of Justice said in its ruling.

The EU and US negotiated the EU-US Umbrella Agreement on Data Protection, or Privacy Shield, after the EU court struck down Safe Harbor in October 2015 for being insufficient to protect EU citizens’ privacy rights. Privacy Shield allows US companies to transfer EU user data outside the EU and not have to set up data centers in Europe specifically to handle EU data. The court said with this ruling that companies cannot provide users with lesser privacy rights by moving European users’ data to data centers outside of Europe.

The combination of section 702 of the US Foreign Intelligence Surveillance Act and US policies showed that the US government had authority to harvest EU citizens’ data from US companies, in a manner “not limited to what is strictly necessary,” the court said. The broad surveillance powers do not meet EU data protection requirements.

Privacy Shield “does not grant data subjects actionable rights before the courts against the US authorities,” the Court of Justice said in its decision. There is no provision in this framework for EU citizens to challenge the US company for mishandling their data stored on US servers.

“The implications of this decision are potentially monumental, and has sent the privacy community scrambling,” said Heather Federman, vice-president of privacy and policy at BigID.

Under the Privacy Shield framework, companies could define privacy using Standard Contractual Clauses—but the new ruling indicates that SCCs have to, at the bare minimum, protect user data in the manner required by the General Data Protection Regulation and other privacy laws. In short, the privacy protection is tied to the information, not the location where the information is stored, processed, or transferred. Companies have to comply with GDPR even if the data of the European users are in US servers, or potentially face high fines.

“Standard contractual clauses remain a valid tool for the transfer of personal data to processors established in third countries,” said Vera Jourová, vice-president of the European Commission. EU data processors will make sure that companies that have signed SCCs are complying with GDPR.