EU's Court of Justice invalidates data sharing under Privacy Shield due to US surveillance.
Facebook and Co can no longer transfer data of EU citizens under Privacy Shield because this undermines the data protection guaranteed by the GDPR.
Privacy Shield no longer valid
Privacy activist Max Schrems and his organization NOYB (short for "none of your business") filed a lawsuit against Facebook's data transfer practices right after the introduction of the GDPR in May 2018.
The European Court of Justice (ECJ) today declared in its judgment that US laws do not adequately protect the data of European citizens as the surveillance programs in the US are not limited to what is strictly necessary.
The Court pointed out “that, in respect of certain surveillance programs, those provisions do not indicate any limitations on the power they confer to implement those programs, or the existence of guarantees for potentially targeted non-US persons.”
Thus, the EU’s Court of Justice has declared the Privacy Shield data sharing system between the EU and the US invalid.
#ECJ: the Decision on the adequacy of the protection provided by the EU-US Data Protection Shield is invalidated, but @EU_Commission Decision on standard contractual clauses for the transfer of personal data to processors established in third countries is valid #Facebook #Schrems pic.twitter.com/BgxGAvuq3T
— EU Court of Justice (@EUCourtPress) July 16, 2020
Privacy win for Europeans
Max Schrems says that this is a privacy win across the board: “I am very happy about the judgment. It seems the Court has followed us in all aspects. This is a total blow to the Irish DPC and Facebook. It is clear that the US will have to seriously change their surveillance laws if US companies want to continue to play a major role on the EU market.”
BREAKING: The EU’s Court of Justice has just invalidated the “Privacy Shield” data sharing system between the EU and the US, because of overreaching US surveillance. All details available here: https://t.co/xN4HKhZaBT #PRISM #FISA702 #Privacy #PrivacyShield #SCCs #GDPR #CJEU
— Max Schrems 🇪🇺🇦🇹 (@maxschrems) July 16, 2020
Questionable data protection in the US
One major problem that the EU court pointed out is that data of foreigners is not protected in the USA. The protections that are there - even if limited - only apply to US citizens. The NSA can get full access to any and all data of non-US citizens from Facebook at any time. In addition, non-US data subjects have no actionable rights before the courts against the US authorities, which violates the “essence” of certain EU fundamental rights, the ECJ found.
According to the judgment, the European Commission did not adequately assess the US surveillance laws when passing the Privacy Shield agreement. Instead, the Commission bent to US pressure. In addition, the US does not have adequate privacy protection laws of its own; the APRA proposal is still a work in progress, and no one knows whether it will ever be passed.
As a consequence, transferring the data under Privacy Shield would deny European citizens the data protection rights granted to them under the GDPR.
“On all those grounds, the Court declares Decision 2016/1250 invalid,” the EU Court decided.
The conflict between the differing data protection laws can only be resolved in two ways:
- The USA and the EU will not pass a “new” Privacy Shield agreement, which will mean that Silicon Valley companies will not get special access to the European market.
- Or, the USA changes their surveillance laws in such a way that data from people living in the European Union are protected in a way that satisfies the high requirements of the GDPR.
Max Schrems comments: “The Court clarified for a second time now that there is a clash between EU privacy law and US surveillance law. As the EU will not change its fundamental rights to please the NSA, the only way to overcome this clash is for the US to introduce solid privacy rights for all people – including foreigners. Surveillance reform thereby becomes crucial for the business interests of Silicon Valley.”
“This judgment is not the cause of a limit to data transfers, but the consequence of US surveillance laws. You can’t blame the Court for saying the unavoidable - when shit hits the fan, you can’t blame the fan.”
No Privacy Shield-privilege
Data flows to the US are still possible under Article 49 of the GDPR. However, they have to be limited to what is absolutely necessary to fulfill a contract. In addition, if a user wants their data to flow to the US, this is also legal, but the user can withdraw consent at any time.
In short: The US has no privilege anymore when it comes to transferring data of EU citizens. US tech companies have lost their special access to the EU market because of US surveillance.
Schrems says: “The Court explicitly highlighted that the invalidation of the Privacy Shield will not create a ‘legal vacuum’ as crucially necessary data flows can be still undertaken. The US is now simply put back to an average country with no special access to EU data.”
This is a landmark victory for privacy rights.