EU top court raises the bar for data privacy protection
Sunday, September 06, 2020

Recently, the EU top court, known as the Court of Justice of the European Union (CJEU), delivered a ruling invalidating the ‘EU-US Privacy Shield’ on the ground that it doesn’t offer sufficient protection of data transferred by the social media company to servers in the United States.

It is a decision that throws a cat among the pigeons of international data transfers. The ruling is likely to have far-reaching implications for tech companies doing business in Europe.

Admittedly, the decision was a major blow for U.S. global surveillance that heavily relies on private partners.

What is the EU-US Privacy Shield? It’s the primary data transfer agreement between the EU and the United States. The Privacy Shield framework became operational on 1 August 2016.

This framework protects the fundamental rights of anyone in the EU whose personal data is transferred to the United States for commercial purposes. It allows the free transfer of data to companies that are certified in the US under the Privacy Shield.

Specifically, the Framework includes strong data protection obligations on companies receiving personal data from the EU, safeguards on US government access to data, effective protection and redress for individuals, and an annual joint review by EU and US to monitor the correct application of the arrangement.

The Court decision invalidating the agreement has a twofold implication: the Privacy Shield can no longer be used by organizations to transfer personal data from the EU to the US, and global companies relying on it for transatlantic data transfers should ensure they comply with local regulations and adapt with the least amount of risk.

This case was referred to the EU top Court [CJEU] by privacy campaigner Max Schrems, an Australian citizen. He [Max] had earlier complained to the Data Protection Commissioner in Ireland, where Facebook has its European headquarters, that U.S. law doesn’t offer sufficient protection against surveillance of data transferred by the social media company to servers in the United States.

In transferring any data from the EU, Facebook relied solely on a data transfer tool known as Standard Contractual Clauses (SCCs), sometimes in addition to the now-defunct Privacy Shield Framework.

Back in October 2015, the European Court of Justice issued a landmark ruling declaring invalid the European Commission’s July 26, 2000 decision on the legal adequacy of “the U.S.-EU Safe Harbor Framework.”

On July 12, 2016, the European Commission issued an adequacy decision on the EU-U.S. Privacy Shield Framework. This new Framework, which replaced the Safe Harbor program, provides a legal mechanism for companies to transfer personal data from the EU to the United States.

The recent ECJ ruling has widely been seen as a major global victory for privacy. Arguably, it raises the bar for a global set of data protection standards, and for the U.S. specifically to enact a comprehensive set of data privacy rules to bring it into line with other global regions that do have such rules.

In other words, the judgment declared that the existing framework is no longer a valid mechanism to transfer personal data from the European Union to the United States.

While the EU and the USA recognise the vital importance of data protection and the significance of cross-border data transfers to their citizens and economies, an adequate level of protection of data privacy remains a golden rule. 

In 2018, the EU instituted the General Data Protection Regulation (GDPR), a central instrument on privacy and data protection. Using the GDPR as guidance, the ECJ held that the quality of protection offered by the Privacy Shield does not meet the standard of protection guaranteed to EU citizens.

In its decision, the ECJ also confirmed the validity of another data transfer mechanism known as Standard Contractual Clauses (SCCs). That’s to say companies have to utilize the SCC system as well as the General Data Protection Regulation (GDPR), until a new framework is designed.

It is, however, noteworthy that the European Court of Justice ruling doesn’t bar data transfers from the EU to the U.S., but rather allows national data protection authorities to review individual transfers. The judgment makes it clear that U.S. businesses cannot simply aid U.S. espionage efforts in violation of European fundamental rights.

Like anywhere in the world, there’s a need to have clear rules to govern the transfer of personal data to a third country.

The level of data protection is not the same in all countries, except in the EU where it’s much more guaranteed. But, as a matter of principle, data privacy must be legally watertight, by providing real and meaningful protection, and there must be proper enforcement.

In closing, according to the European Court of Justice ruling, the General Data Protection Regulation is the oldest instrument for data protection.

Particularly, in the view of the EU Court, the transfer of such data to a third country may, in principle, take place only if the third country in question ensures an adequate level of data protection. That third country must ensure, by reason of its domestic law or its international commitments, an adequate level of protection.

The writer is a law expert.