EU-US Privacy Shield failed to protect data of EU citizens, court rules

The European Court of Justice has today ruled that the EU-US Data Privacy shield has failed to protect the privacy and data of EU citizens.

In a ruling today the court stated:

The Court of Justice invalidates Decision 2016/1250 on the adequacy of the protection provided by the EU-US Data Protection Shield.

The privacy shield is used by 5378 organizations to transfer data between the EU and the US, ideally, in line with EU data protection measures. From the program's website:

The EU-U.S. and Swiss-U.S. Privacy Shield Frameworks were designed by the U.S. Department of Commerce, and the European Commission and Swiss Administration, respectively, to provide companies on both sides of the Atlantic with a mechanism to comply with data protection requirements when transferring personal data from the European Union and Switzerland to the United States in support of transatlantic commerce. On July 12, 2016, the European Commission deemed the EU-U.S. Privacy Shield Framework adequate to enable data transfers under EU law (see the adequacy determination).

Now, in a landmark ruling, the EU's top court has ruled that the Privacy Shield agreement did not in fact limit access to data and protect privacy "in a way that satisfies requirements that are essentially equivalent to those required under EU law."

As noted by Reuters:

The ruling effectively ends the privileged access companies in the United States had to personal data from Europe and puts the country on the same footing as other nations outside the 27-country bloc.

However, companies will still be able to access data using SCCs, standard contractual clauses set up on an individual basis by companies, as long as they sufficiently protect data in line with GDPR.

The case was led by Max Schrems, an Austrian privacy activist who filed a complaint against Facebook over the transfer of his data to the US. In response to the ruling Max stated:

"One of the biggest takeaways is that we would need fundamental reform in U.S. surveillance laws if U.S. companies still want to have any kind of decent access to the European market. For a lot of the companies it's going to be a fundamental shift because they basically have to separate U.S. data processing from EU data processing."

U.S. Commerce Secretary Wilbur Ross said the Department of Commerce was "deeply disappointed" with the decision, and that it was studying the decision to "fully understand its practical impacts." CEO of The Software Alliance Victoria Espinel said:

"The good news is that SCCs (Standard Contractual Clauses) remain valid. But today's Privacy Shield decision will create challenges for more than 5,300 businesses, 70% of which are SMEs, across a range of sectors at a time when the ability to send data abroad is crucial to the economic recovery from COVID-19"

As FT notes, the ruling will likely also have ramifications for the UK following the end of the Brexit-transition period at the end of this year.

You can read the full judgment here.