Thursday

26th May 2022

EU top court bins 'Privacy Shield' in Schrems privacy case

  • This ruling is the second big win for Austrian privacy activist Max Schrems (l), who also won a landmark case on data transfer in 2015 that led to the invalidation of the 'Privacy Shield' predecessor - the 'Safe Harbour' programme (Photo: Martin Hanzel)

Austrian privacy activist Max Schrems on Thursday welcomed the decision by the European Union's Court of Justice (ECJ) in his case against Facebook, which ruled that the EU-US data transfer pact fails to protect EU citizens' rights to privacy.

The EU-US 'Privacy Shield' - an agreement to share personal data for commercial purposes in use by more than 5,300 companies - was previously criticised by privacy activists and MEPs on the civil liberties committee - who called for its suspension in 2018.

Read and decide

Join EUobserver today

Become an expert on Europe

Get instant access to all articles — and 20 years of archives. 14-day free trial.

... or subscribe as a group

  • Austrian privacy activist Schrems argued that Facebook made personal data transferred to it available to certain US authorities - such as the NSA and FBI (Photo: Amy Osborne / Getty Images)

"I am very happy about the judgment. It seems the court has followed us in all aspects. This is a total blow to the Irish DPC [Data Protection Commission] and Facebook," said Schrems in a statement.

"The US will have to seriously change their surveillance laws if US companies want to continue to play a major role in the EU market," he added.

This ruling is the second big win for Schrems, who won a landmark case on data transfer in 2015 that led to the invalidation of the Privacy Shield's predecessor - the 'Safe Harbour' programme.

After Safe Harbour was scrapped by the EU's top court, Facebook started using so-called standard contractual clauses to shift the data to the United States.

At the end of 2015, Schrems issued a complaint about Facebook to the Irish data protection authorities, the site of Facebook's European HQ, and called for the suspension of Facebook's use of these clauses - claiming that these data transfers lack sufficient data-protection safeguards.

After Irish data protection authorities referred the matter to the country's High Court in 2016, they subsequently referred it to the ECJ with 11 questions that challenged EU-US data transfers more generally.

Fine print

While the long-standing legal battle led to the invalidation EU-US Privacy Shield on Thursday, the ECJ also recognised that standard contractual clauses are a valid tool for data transfers between the EU and third countries.

However, the ruling also points out that any EU regulator - such as the Irish data protection authorities - has the obligation to suspend or prohibit data transfers which take place under standard contractual clauses to third countries where data protections are not adequate.

EU concerns about data transfers mounted following revelations of US mass surveillance made in 2013 by former National Security Agency (NSA) agent Edward Snowden.

In his complaint, Schrems argued that Facebook made personal data transferred to it available to certain US authorities, such as the NSA and FBI - which could carry out mass surveillance on EU citizens without a meaningful legal framework.

The ECJ ruling concluded on Thursday that non-US persons can be potentially targeted by surveillance programmes for foreign intelligence and the US-EU Privacy Shield, therefore, cannot ensure a level of protection equivalent to that guaranteed by the EU data protection rules (GDPR).

Additionally, the court noted that EU citizens do not enjoy the same remedies as US citizens since the Fourth Amendment to the American constitution, used to challenge unlawful surveillance, does not apply to EU citizens.

'Deeply disappointed'

The commission said that they will engage in bilateral contact with their American counterparts to discuss how to improve and align the data transfer agreement to the ruling.

"I see this an opportunity for the EU to continue the dialogue with our American partners and as an opportunity to engage in solutions that reflect the values we share as democratic societies," said the EU commissioner for values and transparency Věra Jourová.

Following the announcement of the judgment, US secretary of commerce Wilbur Ross said that he was "deeply disappointed" that the EU's top court scrapped a key arrangement between Europe and the US.

"We hope to be able to limit the negative consequences to the $7.1 trillion [€6.2 trillion] transatlantic economic relationship that is so vital to our respective citizens, companies, and governments," he said in a statement.

"As our economies continue their post-Covid-19 recovery, it is critical that companies be able to transfer data without interruption, consistent with the strong protections offered by Privacy Shield," Ross added.

Watchdogs concerned by EU-US data pact

European data protection authorities tell US to improve oversight on 'Privacy Shield' scheme, otherwise they would go to the EU's highest court.

US firms ignoring EU court ruling on data, Schrems warns

Facebook and other big US firms have no intention of respecting the landmark ruling by the EU's highest court on data transfers to the US. The court in July dramatically scrapped Privacy Shield, citing US surveillance concerns.

Opinion

Schrems privacy ruling risks EU's ties to digital world

With more and more trade moving to the digital realm, Europe can ill-afford to cut itself off. Meanwhile, China continues to advance a vision for an internet that is fractured along national boundaries and controlled by governments.

Stakeholder

The CPDP conference wants multidisciplinary digital future

During the Computers, Privacy and Data Protection (CPDP) conference, many high-level discussions will touch upon the dynamics of decision-making in the design of new technologies, including the importance of inclusion, diversity, and ethics perspectives within these processes.

EU Commission won't probe 'Pegasus' spyware abuse

The European Commission says people should file their complaints with national authorities in countries whose governments are suspected of using an Israeli-made Pegasus spyware against them.

News in Brief

  1. Dutch journalists sue EU over banned Russia TV channels
  2. EU holding €23bn of Russian bank reserves
  3. Russia speeds up passport process in occupied Ukraine
  4. Palestinian civil society denounce Metsola's Israel visit
  5. Johnson refuses to resign after Downing Street parties report
  6. EU border police has over 2,000 agents deployed
  7. Dutch tax authorities to admit to institutional racism
  8. Rutte calls for EU pension and labour reforms

Stakeholders' Highlights

  1. Nordic Council of MinistersNordic delegation visits Nordic Bridges in Canada
  2. Nordic Council of MinistersClear to proceed - green shipping corridors in the Nordic Region
  3. Nordic Council of MinistersNordic ministers agree on international climate commitments
  4. UNESDA - SOFT DRINKS EUROPEEfficient waste collection schemes, closed-loop recycling and access to recycled content are crucial to transition to a circular economy in Europe
  5. UiPathNo digital future for the EU without Intelligent Automation? Online briefing Link

Latest News

  1. EU summit will be 'unwavering' on arms for Ukraine
  2. Orbán's new state of emergency under fire
  3. EU parliament prevaricates on barring Russian lobbyists
  4. Ukraine lawyer enlists EU watchdog against Russian oil
  5. Right of Reply: Hungarian government
  6. When Reagan met Gorbachev — a history lesson for Putin
  7. Orbán oil veto to deface EU summit on Ukraine
  8. France aims for EU minimum-tax deal in June

Join EUobserver

Support quality EU news

Join us