The Court of Justice of the European Union ruled on Thursday to invalidate a 2016 decision by the European Commission that set up an E.U.-U.S. data privacy shield, finding it does not provide tough enough protections against any snooping by U.S. intelligence services.
The ruling by the E.U.'s top court to strike down the so-called E.U.-U.S. Privacy Shield unravels the main conduit for data transfers between the 27-nation bloc and the United States. Justices cited concerns about the far-reaching nature of U.S. surveillance in the wake of U.S. whistleblower Edward Snowden's leaks about American spying.
It is the second instance in which the Luxembourg-based court, or CJEU, ruled E.U. citizens' private data are not safe in American hands. Part of its decision hinged on the role played by the E.U. ombudsperson, a public advocacy office, the court said in a statement.
The ombudsperson "does not provide data subjects with any cause of action before a body which offers guarantees substantially equivalent to those required by E.U. law," the court said, "such as to ensure both the independence of the ombudsperson provided for by that mechanism and the existence of rules empowering the ombudsperson to adopt decisions that are binding on the U.S. intelligence services."
In the same ruling, the court upheld the legality of the commission's 2010 legal instruments, known as Standard Contractual Clauses, for exporting personal data to processors set up in third countries. The court's findings correlate with a nonbinding opinion from the court's advocate general in December.
However, the landmark decision on the Privacy Shield, in a case known as "Data Protection Commissioner vs. Facebook Ireland and Maximillian Schrems," requires E.U. suspension of any data transfers that fail to meet the continent's strict privacy standards — a decision likely to prompt fresh skepticism of surveillance.
"These are used by Facebook and thousands of businesses in Europe and provide important safeguards to protect the data of EU citizens," Facebook associate general counsel, Eva Nagle, said in a statement.
"Like many businesses, we are carefully considering the findings and implications of the decision of the Court of Justice in relation to the use of Privacy Shield and we look forward to regulatory guidance in this regard," she said. "We will ensure that our advertisers, customers and partners can continue to enjoy Facebook services while keeping their data safe and secure."
Regulators promise 'continuity'
The court's decision to invalidate the Privacy Shield but to confirm the Standard Contractual Clauses "means that the transatlantic data flows can continue, based on the broad toolbox for international transfers" provided by the E.U. data privacy rules known as the General Data Protection Regulation, or GDPR, said Věra Jourová, vice president of the European Commission for values and transparency.
"I know citizens and businesses are seeking reassurance today on both sides of the Atlantic. So let me be clear: we will continue our work to ensure the continuity of safe data flows," Jourová, a Czech politician and lawyer, said in a statement. "I see this as an opportunity for the European Union to continue the dialogue with our American partners."
Europe’s data privacy rules were adopted in 2016. GDPR became enforceable on May 25, 2018, affecting businesses and consumers around the world — and also the many international organizations that process personal data and must respect the right to privacy.
The centerpiece of the European Union’s new rules, and what makes them relevant for international organizations, is the policy of accountability. Data handlers must demonstrate compliance. People can ask for everything that is known about them and have it all deleted in keeping with their “right to erasure.”
Even Facebook was not entirely ready for them; a viral Associated Press photo of CEO Mark Zuckerberg’s notes for his U.S. Senate hearing in April 2018 revealed he was instructed not to say that Facebook already did everything required by GDPR.
The case before Europe's top court stemmed from a complaint by Maximillian Schrems, an Austrian activist and law student. After Snowden, then a U.S. National Security Agency contractor, leaked thousands of classified documents on U.S. surveillance programs in 2013 — including details of how Facebook had provided American intelligence with access to Europeans' personal data — Schrems filed a complaint against Facebook.
Since Facebook's base of European operations is in Ireland, an E.U. member, Schrems argued GDPR should forbid Facebook and other tech companies from sending personal data to the United States, where data privacy is not as strict.
The justices noted that GDPR requires that personal data transferred to a third country "must be afforded a level of protection essentially equivalent to that guaranteed within the E.U. by the GDPR."
But the U.S. data privacy rules, they concluded, "are not circumscribed in a way that satisfies requirements that are essentially equivalent to those required under E.U. law, by the principle of proportionality, in so far as the surveillance programs based on those provisions are not limited to what is strictly necessary."
The complaint already resulted in the court ruling in 2015 to invalidate the E.U.-U.S. Safe Harbor data transfer agreement, which was replaced by the Privacy Shield.
The ruling to invalidate the Privacy Shield likely means intensified scrutiny of Facebook, other major tech companies and thousands of multinational corporations that do business in Europe and the United States, who must now await another E.U.-U.S. data transfer solution from European and American authorities.
Didier Reynders, the European commissioner for justice who oversees data protection, said he welcomed the court's validation of Standard Contractual Clauses, which are "the most used tool for international transfers of personal data," and will soon begin trying to find a new deal with American legal authorities.
"We will be in contact also in the coming days and look forward to working constructively with them to develop a strengthened and durable transfer mechanism," he said. "In the meantime, transatlantic data flows between companies can continue using other mechanisms for international transfers of personal data available under the GDPR."