The European Union’s top court has invalidated a key data-sharing protocol that allows American companies to transfer personal information about EU citizens to the US for processing. The court says the regulation, known as Privacy Shield, cannot be trusted as it does not protect EU citizens from mass surveillance programs operated by US intelligence agencies like the NSA.
A clash between the EU right to privacy and US desire for surveillance
The ruling in the case today (known as Schrems II, after its claimant, privacy activist and lawyer Max Schrems) will have a serious effect on a range of US businesses, but it will be of particular concern to tech and social media companies like Facebook that process large amounts of personal data — exactly the information that the EU wants to safeguard.
The judgment is by no means all-encompassing. It has no effect on what the EU calls “necessary” data transfers — which cover everything from emails sent between the US and EU to bookings for holidays to business transactions — nor does it mean transfers of personal data to the US from the EU must stop immediately.
Instead, thousands of US companies that use Privacy Shield will now have to find new legal mechanisms to ensure the safety of any EU data they process or move where they process that data, most likely to data centers within the EU. More broadly speaking, the judgment shows that the EU continues to view US mass surveillance as a breach of the bloc’s fundamental rights — ensuring that there will be many more legal challenges to come.
A history of surveillance
The history of today’s ruling is complex, but at its heart is European anger over American spying.
The man who brought the case, Max Schrems, originally filed a complaint against Facebook in 2013 following revelations about the NSA’s PRISM surveillance program. PRISM, which began in 2007 under the guise of anti-terrorism surveillance, collected user data from America’s biggest tech companies, including Microsoft, Yahoo, Google, YouTube, Skype, Apple, and Facebook. The argument is that by collecting Schrems’ personal information and transfer it to the US for processing, Facebook was exposing him to indiscriminate mass surveillance, which is illegal under the EU’s Charter of Fundamental Rights.
Schrems’ case has bounced around various EU courts since 2013, as judges validated and then invalidated their peers’ rulings, creating and destroying new regulations as they go. The case has already led to the annulment of an earlier data privacy protocol between the EU and US known as the Safe Harbor Principles, and now it’s claimed another scalp: the Privacy Shield, introduced in 2016 to replace Safe Harbor.
In their ruling, though, the judges of the EU’s top court, the Court of Justice, suggest they’re not convinced any privacy agreements can keep the personal data of EU citizens safe from American surveillance, so long as it’s processed in the US under the country’s current laws.
“The limitations on the protection of personal data arising from the domestic law of the United States [...] are not circumscribed in a way that satisfies requirements that are essentially equivalent to those required under EU law,” they write.
In other words: US law is designed to facilitate mass surveillance in a way that’s fundamentally at odds with the privacy protections guaranteed to EU citizens. Notably, although the US has passed some surveillance reform to protect the privacy of its own citizens, it doesn’t apply those same safeguards to the rest of the world.
Reacting to the ruling, Schrems was adamant that there’s only one way forward for American companies now: “surveillance reform.”
“It is clear that the US will have to seriously change their surveillance laws, if US companies want to continue to play a major role on the EU market,” he said in a statement. “As the EU will not change its fundamental rights to please the NSA, the only way to overcome this clash is for the US to introduce solid privacy rights for all people — including foreigners.”
“We have never hidden that we would like to see more convergence.”
In a press briefing following the announcement, the European Commission suggested it felt the same way. Věra Jourova, vice president for Values and Transparency, told reporters that the EU would work with America to replace Privacy Shield, but added that she hoped the US would “reflect” on the underlying differences between the two countries’ legislation.
“We have never hidden that we would like to see more convergence,” said Jourova, according to TechCrunch. “We would like to see on American side the federal law on data protection which would be equivalent or very similar to the GDPR which would stipulate equivalent and strong safeguards for the protection of private data of the citizens.”
The devil’s in the data
So are data flows across the Atlantic now outlawed? Not at all. But the ruling from the European Court of Justice does leave some big unanswered questions, particularly for US tech firms because of their unique position with regards to American surveillance.
Firstly, although the Privacy Shield has been invalidated, today’s judgment also upheld another, much more widely used data transfer protocol known as Standards Contractual Clauses, or SCCs. These clauses are widely used by US tech giants like Facebook and Microsoft as well as other companies like banks, shops, and airlines. Now that Privacy Shield is invalid, the SCCs remain to EU-US data transfers legally nice and sound.
As Microsoft said in a blog post this morning: “For years we have provided customers with overlapping protections under both the Standard Contractual Clauses (SCCs) and Privacy Shield frameworks for data transfers. Although today’s ruling invalidated the use of Privacy Shield moving forward, the SCCs remain valid. Our commercial customers are already protected under SCCs.”
However, while SCCs will keep data transfers legal for the foreseeable future, today’s ruling suggests US tech firms will also be open to future legal challenges.
As the nonprofit privacy group NOYB (founded by Schrems himself) noted: “The CJEU has made it clear in its ruling that even within the SCCs a data flow must be stopped if a US company falls under this surveillance law. This applies to practically all IT companies (such as Microsoft, Apple, Google or Facebook) that all fall under FISA 702.”
Wouter Seinen, a partner at law firm Baker McKenzie, told The Verge that he agreed with this assessment of the ruling. “The Court’s decision paves the way for individual scrutiny of these data transfer arrangements by [authorities] in each of the 27 EU member states,” said Seinen. “A case-by-case approach must be taken.”
To be clear, most US companies that process personal data from the EU (including banks, shops, and airlines, for example) won’t be affected. Only those firms that fall under certain US surveillance laws now seem to be open to future legal challenges. As is typical for the EU: it seems all this will go back to the courts, once again.