Sunday

14th Aug 2022

EU top court bins 'Privacy Shield' in Schrems privacy case

  • This ruling is the second big win for Austrian privacy activist Max Schrems (l), who also won a landmark case on data transfer in 2015 that led to the invalidation of the 'Privacy Shield' predecessor - the 'Safe Harbour' programme (Photo: Martin Hanzel)

Austrian privacy activist Max Schrems on Thursday welcomed the decision by the European Union's Court of Justice (ECJ) in his case against Facebook, which ruled that the EU-US data transfer pact fails to protect EU citizens' rights to privacy.

The EU-US 'Privacy Shield' - an agreement to share personal data for commercial purposes, in use by more than 5,300 companies - was previously criticised by privacy activists and by MEPs on the civil liberties committee, who called for its suspension in 2018.


  • Austrian privacy activist Schrems argued that Facebook made personal data transferred to it available to certain US authorities - such as the NSA and FBI (Photo: Amy Osborne / Getty Images)

"I am very happy about the judgment. It seems the court has followed us in all aspects. This is a total blow to the Irish DPC [Data Protection Commission] and Facebook," said Schrems in a statement.

"The US will have to seriously change their surveillance laws if US companies want to continue to play a major role in the EU market," he added.

This ruling is the second big win for Schrems, who won a landmark case on data transfer in 2015 that led to the invalidation of the Privacy Shield's predecessor - the 'Safe Harbour' programme.

After Safe Harbour was scrapped by the EU's top court, Facebook started using so-called standard contractual clauses to shift the data to the United States.

At the end of 2015, Schrems issued a complaint about Facebook to the data protection authorities in Ireland, the site of Facebook's European HQ, and called for the suspension of Facebook's use of these clauses - claiming that these data transfers lack sufficient data-protection safeguards.

After Irish data protection authorities referred the matter to the country's High Court in 2016, they subsequently referred it to the ECJ with 11 questions that challenged EU-US data transfers more generally.

Fine print

While the long-standing legal battle led to the invalidation of the EU-US Privacy Shield on Thursday, the ECJ also recognised that standard contractual clauses are a valid tool for data transfers between the EU and third countries.

However, the ruling also points out that any EU regulator - such as the Irish data protection authorities - has the obligation to suspend or prohibit data transfers which take place under standard contractual clauses to third countries where data protections are not adequate.

EU concerns about data transfers mounted following revelations of US mass surveillance made in 2013 by former National Security Agency (NSA) agent Edward Snowden.

In his complaint, Schrems argued that Facebook made personal data transferred to it available to certain US authorities, such as the NSA and FBI - which could carry out mass surveillance on EU citizens without a meaningful legal framework.

The ECJ ruling concluded on Thursday that non-US persons can be potentially targeted by surveillance programmes for foreign intelligence and the US-EU Privacy Shield, therefore, cannot ensure a level of protection equivalent to that guaranteed by the EU data protection rules (GDPR).

Additionally, the court noted that EU citizens do not enjoy the same remedies as US citizens since the Fourth Amendment to the American constitution, used to challenge unlawful surveillance, does not apply to EU citizens.

'Deeply disappointed'

The commission said that they will engage in bilateral contact with their American counterparts to discuss how to improve and align the data transfer agreement to the ruling.

"I see this as an opportunity for the EU to continue the dialogue with our American partners and as an opportunity to engage in solutions that reflect the values we share as democratic societies," said the EU commissioner for values and transparency Věra Jourová.

Following the announcement of the judgment, US secretary of commerce Wilbur Ross said that he was "deeply disappointed" that the EU's top court scrapped a key arrangement between Europe and the US.

"We hope to be able to limit the negative consequences to the $7.1 trillion [€6.2 trillion] transatlantic economic relationship that is so vital to our respective citizens, companies, and governments," he said in a statement.

"As our economies continue their post-Covid-19 recovery, it is critical that companies be able to transfer data without interruption, consistent with the strong protections offered by Privacy Shield," Ross added.
