Europe’s highest court today struck down the agreement by which companies operating in the EU are allowed to transfer data to the United States. The court ruled that the agreement leaves European customers’ data too exposed to US government surveillance.
The agreement, known as Privacy Shield, has been in place since 2016, and more than 5,000 companies operate under its terms. Boiled down, the Court of Justice of the European Union (CJEU) ruled that US law is too weak to protect EU citizens’ data to the extent EU law demands. As the court put it in a press release (PDF):
The limitations on the protection of personal data arising from the domestic law of the United States, on the access and use by US public authorities of such data transferred from the European Union… are not circumscribed in a way that satisfies requirements that are essentially equivalent to those required under EU law.
As a result of the case, US companies doing business in Europe or handling data from European clients will either have to negotiate new individual data-handling arrangements, called Standard Contractual Clauses (SCCs), with the EU or stop porting data from European operations into the US. The ruling applies to data that companies such as Facebook move around to US servers for internal reasons, but it does not affect “necessary” data transfers, such as those that take place when someone in Europe sends an email to a recipient in the US, books a flight or a hotel on a US website, or does something equally mundane.
From 2000 to 2015, the agreement governing the sharing of EU customer data between Europe and the United States was called Safe Harbor. The CJEU invalidated Safe Harbor in 2015, following a legal challenge from Maximilian Schrems, a privacy advocate from Austria. In the wake of the Snowden revelations, Schrems alleged the Safe Harbor agreement (which permitted NSA access to EU citizens’ personal data) stood in conflict with EU law. The court agreed and invalidated the Safe Harbor framework in October 2013.
EU lawmakers, together with the US Department of Commerce, rapidly pulled together the Privacy Shield framework after Safe Harbor was tossed, and the European Commission adopted it in 2016. The framework, however, faced deep skepticism before lawmakers even voted to adopt it. EU regulators warned before the deal was even formally signed that “Privacy Shield, as it stands, is not robust enough to withstand future legal scrutiny before the court.”
Regulators also warned at the time that Privacy Shield might be in conflict with Europe’s sweeping privacy law, the General Data Protection Regulation (GDPR). EU lawmakers adopted that law in 2016, and it has been in effect since 2018.
Schrems in 2016 joked to Ars that although he wanted someone to file suit, he personally wasn’t necessarily interested in being the one to do so. As it turns out, however, he did—the case on which the CJEU ruled today is commonly called Schrems II—and once again won.
“It is clear that the US will have to seriously change their surveillance laws, if US companies want to continue to play a major role on the EU market,” Schrems said in a statement after the CJEU ruling. “This judgment is not the cause of a limit to data transfers, but the consequence of US surveillance laws.”
Major US tech companies were quick to deliver assurance that the ruling will not substantially change their operations in Europe for the time being, with many confirming they already use SCCs in addition to Privacy Shield agreements.
“If you are a commercial customer, you can continue to use Microsoft services in compliance with European law,” Microsoft wrote in a corporate blog post. “The court ruling does not change your ability to transfer data today between the EU and US using the Microsoft cloud.”
Microsoft also plans to “work proactively with the European Commission and the US government to address the issues raised by the ruling,” the company added.
Facebook representative Eve Nagle issued a statement saying, “We welcome the decision of the Court of Justice of the European Union to confirm the validity of Standard Contractual Clauses for transfers of data to non-EU countries.” The statement added that Facebook, “like many businesses,” is now “carefully considering the findings and implications of the decision” and “looks forward to regulatory guidance in this regard.”
Tech trade groups wasted no time calling on US and EU regulators to quickly develop a firm regulatory framework to replace the now-defunct Privacy Shield.
“The collapse of the Privacy Shield will disproportionately affect small- to medium-sized businesses that make up 70 percent of the companies using the Privacy Shield,” said Morgan Reed, president of the App Association, which represents more than 5,000 app developers globally. “This decision leaves thousands of US and EU companies without a much-needed data sharing mechanism and will significantly disrupt the transatlantic data market, worth hundreds of billions of dollars. We urge the European Union and the US government to negotiate a replacement as quickly as possible to guarantee legal certainty for all businesses who use cross-border data transfers and to ensure the continued growth of the transatlantic data economy.”
The Computer & Communications Industry Association—which represents many of the large tech companies you’ve heard of including Amazon, Facebook, and Google—echoed the sentiment. “This decision creates legal uncertainty for the thousands of large and small companies on both sides of the Atlantic that rely on Privacy Shield for their daily commercial data transfers,” CCIA Senior Manager of Public Policy Alexandre Roure said. “We trust that EU and US decision-makers will swiftly develop a sustainable solution, in line with EU law, to ensure the continuation of data flows which underpins the trans-Atlantic economy.”