EU top court bins 'Privacy Shield' in Schrems privacy case

"I am very happy about the judgment. It seems the court has followed us in all aspects. This is a total blow to the Irish DPC [Data Protection Commission] and Facebook," said Schrems in a statement.

"The US will have to seriously change their surveillance laws if US companies want to continue to play a major role in the EU market," he added.

This ruling is the second big win for Schrems, who won a landmark case on data transfer in 2015 that led to the invalidation of the Privacy Shield's predecessor - the 'Safe Harbour' programme.

After Safe Harbour was scrapped by the EU's top court, Facebook started using so-called standard contractual clauses to shift the data to the United States.

At the end of 2015, Schrems issued a complaint about Facebook to the Irish data protection authorities, the site of Facebook's European HQ, and called for the suspension of Facebook's use of these clauses - claiming that these data transfers lack sufficient data-protection safeguards.

After Irish data protection authorities referred the matter to the country's High Court in 2016, they subsequently referred it to the ECJ with 11 questions that challenged EU-US data transfers more generally.

Fine print

While the long-standing legal battle led to the invalidation EU-US Privacy Shield on Thursday, the ECJ also recognised that standard contractual clauses are a valid tool for data transfers between the EU and third countries.

However, the ruling also points out that any EU regulator - such as the Irish data protection authorities - has the obligation to suspend or prohibit data transfers which take place under standard contractual clauses to third countries where data protections are not adequate.

EU concerns about data transfers mounted following revelations of US mass surveillance made in 2013 by former National Security Agency (NSA) agent Edward Snowden.

In his complaint, Schrems argued that Facebook made personal data transferred to it available to certain US authorities, such as the NSA and FBI - which could carry out mass surveillance on EU citizens without a meaningful legal framework.

The ECJ ruling concluded on Thursday that non-US persons can be potentially targeted by surveillance programmes for foreign intelligence and the US-EU Privacy Shield, therefore, cannot ensure a level of protection equivalent to that guaranteed by the EU data protection rules (GDPR).

Additionally, the court noted that EU citizens do not enjoy the same remedies as US citizens since the Fourth Amendment to the American constitution, used to challenge unlawful surveillance, does not apply to EU citizens.

'Deeply disappointed'

The commission said that they will engage in bilateral contact with their American counterparts to discuss how to improve and align the data transfer agreement to the ruling.

"I see this an opportunity for the EU to continue the dialogue with our American partners and as an opportunity to engage in solutions that reflect the values we share as democratic societies," said the EU commissioner for values and transparency Věra Jourová.

Following the announcement of the judgment, US secretary of commerce Wilbur Ross said that he was "deeply disappointed" that the EU's top court scrapped a key arrangement between Europe and the US.

"We hope to be able to limit the negative consequences to the $7.1 trillion [€6.2 trillion] transatlantic economic relationship that is so vital to our respective citizens, companies, and governments," he said in a statement.

"As our economies continue their post-Covid-19 recovery, it is critical that companies be able to transfer data without interruption, consistent with the strong protections offered by Privacy Shield," Ross added.