The European Union’s top court has invalidated a key data-sharing protocol that allows American companies to transfer personal information about EU citizens to the US. The court says the regulation, known as Privacy Shield, is invalid as it does not protect EU citizens from mass surveillance programs operated by American intelligence agencies like the NSA.
The ruling in the case, known as Schrems II, after its original claimant, privacy activist and lawyer Max Schrems, will have a profound effect on a range of US businesses, from banks to law firms. But it will be of particular concern to large tech companies like Facebook that handle large amounts of personal data. These firms need to ensure the protection of this data from mass surveillance programs, or change how and where they process it.
Importantly, today’s ruling applies only to certain types of personal data. It has no effect on what the EU calls “necessary” data transfers, such as emails sent between the US and EU, bookings for holidays, business transactions, access to news sites, and so on.
In their ruling, the EU judges said that the current arrangement of data transfers clashes with the EU’s Charter of Fundamental Rights, which guarantees individuals’ right to privacy.
“The limitations on the protection of personal data arising from the domestic law of the United States […] are not circumscribed in a way that satisfies requirements that are essentially equivalent to those required under EU law,” they wrote. In other words: US law is designed to facilitate mass surveillance while EU law enshrines individual privacy.
Reacting to the ruling, Schrems said it showed that the only way forward for American companies was widespread “surveillance reform.”
“It is clear that the US will have to seriously change their surveillance laws, if US companies want to continue to play a major role on the EU market,” said Schrems. “As the EU will not change its fundamental rights to please the NSA, the only way to overcome this clash is for the US to introduce solid privacy rights for all people — including foreigners.”
The ruling invalidates the Privacy Shield, which is used by thousands of US firms to transfer data across the Atlantic, but it also upholds a more recent and more wide-ranging form of data transfer known as Standard Contractual Clauses, or SCCs.
However, such agreements are only valid if the country processing the data has privacy protections equivalent to those of the EU. That means that companies that use SCCs to transfer data to America (which include Facebook) may no longer be able to do so, as the ruling on Privacy Shield has outlined a fundamental clash between EU and US law.