An important agreement on the transfer of EU citizens' data to the US has been overturned by the European Court of Justice (ECJ).
The so-called "Privacy Shield" agreement between the EU and the U.S. previously allowed companies to sign up to higher data protection standards before transferring data to the U.S. Advocates of European data protection, however, challenged the agreement, arguing that the data protection standards in place in the U.S. do not meet EU standards - especially by releasing data to authorities such as the FBI or the NSA. Austrian privacy activist Max Schrems, who had triggered the ECJ's review of the agreement, called the ruling a victory for privacy. "It is clear that the U.S. needs to seriously change its surveillance laws if U.S. companies want to continue to play a role in the [digital] EU market," Schrems said. U.S. Commerce Secretary Wilbur Ross, on the other hand, said his department was "deeply disappointed" with the decision. He said he hopes the U.S. can limit the "negative impact" of the ruling on $7.1 trillion worth of transatlantic trade.
The Privacy Shield agreement underpins transatlantic "digital trade" for more than 5,300 companies. About 65% of them are small and medium-sized enterprises (SMEs) or startups, according to University College London's European Institute. Affected companies will now have to sign "standard contractual clauses": non-negotiable legal contracts drawn up by Europe and used in countries other than the US. They are already used by many large companies. Microsoft, for example, has issued a statement saying it already uses them and is not concerned. Following the end of the predecessor Safe Harbor agreement, which was overturned by the ECJ back in 2015, affected companies were given a three-month transition period to convert their data transfers.
The first case prompted by Mr. Schrems was triggered in part by former CIA employee Edward Snowden, who revealed the extent of U.S. data surveillance.
The European General Data Protection Regulation (GDPR) states that personal data may only be transferred from within the EU to the U.S. or other third countries if appropriate safeguards are in place to protect the data.
However, according to the ECJ, U.S. surveillance programs are not limited to what is strictly necessary and therefore do not comply with the European GDPR.
Thus, the court found that the Privacy Shield agreement "gives priority to the requirements of national security, public interest and compliance with U.S. law, which allows interference with the fundamental rights of individuals whose data is transferred to the United States."
"These restrictions on the protection of personal data are not limited in a way that meets [European] requirements."
This ruling will create hurdles for American providers of cloud storage solutions. Ultimately, the decision means that the storage of personal data of EU citizens in such clouds violates EU law, i.e. the GDPR, and thus carries the threat of penalties. The benefits of these American services for European companies and authorities will therefore be limited.
Want to learn more about the decision? Read the press release of the European Court of Justice.