Europe’s Top Court Collapses The Privacy Shield In Facebook Data Transfer Case
An important update from our Budapest office, “The Court of Justice of the European Union collapsed today the Privacy Shield, therefore Privacy policies of US-EU entities need to be reconsidered.” - Tamás Weiszbart
The Court of Justice of the European Union has delivered a fatal blow to the Privacy Shield agreement negotiated with the United States Department of Commerce in 2016. This morning the Court declared the Privacy Shield to be invalid on the grounds that U.S. law does not provide adequate protections for the privacy and data protection rights of people whose personal information are transferred to the U.S. from Europe.
The purpose of the Privacy Shield was to legitimise these transfer on legal grounds, which are now governed by the EU General Data Protection Regulation, or "GDPR". Due to the way E.U. law is constructed, there are limits on when and how personal data can be exported from Europe, but the Privacy Shield was intended to operate as a workaround and gateway. It was meant to create legal and operational protections in the U.S. for European personal data that were "essentially equivalent" to the privacy and data protection rights that are enjoyed by people in the EU.
Edward Snowden's influence continues to be felt
Standing behind today's outcome is the spectre of Edward Snowden, whose disclosures in 2013 about the surveillance activities of the U.S. national security agencies triggered many legal challenges to the systems governing international data transfers between Europe and the U.S., based on concerns around privacy rights. One of the most effective challenges was commenced against Facebook Ireland, about exports of their European users' personal data to Facebook Inc. in California. That challenge led to the Court of Justice declaring the Safe Habour agreement invalid in 2015, because Safe Harbour did not create an "essentially equivalent" scheme for privacy and data protection rights to the one in the E.U.. The Safe Harbour agreement was the Privacy Shield's predecessor.
Privacy rights campaigner vindicated
The Privacy Shield was meant to correct the deficits of the Safe Harbour agreement, but Max Schrems, the privacy rights campaigner behind the Safe Harbour legal challenge, disputed that the goal was achieved. His legal action against the Privacy Shield has proved him right. Again.
This outcome will be warmly welcome by privacy rights campaigners, but it will leave businesses who have invested in the Privacy Shield confused. It is also a deep embarrassment for the European Commission, which has now twice experienced legal defeat on a flagship policy in this critical area for Transatlantic relationships. The reaction in the U.S. will be keenly watched, for political implications.
A lifeline for Transatlantic trade
The judgment should not crater Transatlantic trade, however, because European law has other mechanisms that can keep data flows alive. One of these is the E.U.'s scheme called "Standard Contractual Clauses", which was also examined by the Court of Justice. To the likely relief of many, the Court upheld the validity of the Standard Contractual Clauses, throwing a lifeline to those organisations that have invested in the Privacy Shield.
Next steps
Signs of political fallout will be closely watched, but in the meantime any organisation that is relying on the Privacy Shield will need to adjust its practices, to keep its data flows lawful and to avoid legal action in Europe.