Thursday’s decision by the EU Court of Justice on the so-called Privacy Shield means thousands of businesses that ship commercial data to the U.S. risk turmoil in their day-to-day activities.
While a separate contract-based system to transfer data was approved, the judges’ doubts about American data protection also plunge that alternative method into legal uncertainty.
The controversy stretches back to 2013, when former contractor
“It is clear that the U.S. will have to seriously change their surveillance laws, if U.S. companies want to continue to play a major role on the EU market,” Schrems said after the ruling. “This judgment is not the cause of a limit to data transfers, but the consequence of U.S. surveillance laws.”
While the court did approve Standard Contractual Clauses system to transfer data, the ruling offers another grievance to stoke the growing animosity between the U.S. and the EU in the run up to November’s presidential election.
The White House has already announced the withdrawal of thousands of troops from Germany and pulled the plug on efforts to reach a settlement on digital taxes.
The EU meanwhile has fended off an American attempt to muscle in on the negotiations over a settlement between Serbia and Kosovo in the Balkans. Hanging over all of it is President
On the data front, the EU top court in a surprise decision in 2015
“The invalidation of the Privacy Shield is a big blow for the more than 5,300 companies and organizations that have been relying on the Shield to send data from the EU to the U.S.,” said
The decision is also a big defeat for the
The Irish Data Protection Commission, the main EU privacy watchdog for some of Silicon Valley’s biggest companies said the ruling’s “scope extends far beyond” the dispute that pitted it against Schrems over Facebook’s data transfers.
“Whatever mechanism is used to transfer data to a third country, the protection afforded to EU citizens in respect of that data must be essentially equivalent to that which it enjoys within the EU,” the Irish authority said. Even though the use of standard contractual clauses was cleared by EU judges, “in practice, the application of the SCCs transfer mechanism to transfers of personal data to the United States is now questionable.”
This could affect thousands of companies, not only those who relied on the Privacy Shield. Banks, who mostly rely on the clauses could be affected too, say lawyers.
A “European bank that uses a U.S. company to store or analyze transactional data will be affected by the Schrems decision if that U.S. provider either relied on the Privacy Shield or was subject to Standard Contractual Clauses,” Eduardo Ustaran, a lawyer with Hogan Lovells in London said.
“Customers of those banks will have the right to question the level of safeguards for their data, and data protection authorities have the power to scrutinize the same,” he said.
EU Justice Commissioner
U.S. Commerce Secretary Wilbur Ross said his department was “deeply disappointed” and was studying the ruling to “fully understand its practical impacts.”
The U.S. hopes “to be able to limit the negative consequences to the $7.1 trillion transatlantic economic relationship that is so vital to our respective citizens, companies, and governments,” Ross said in a statement. As “economies continue their post-Covid-19 recovery, it is critical that companies -- including the 5,300+ current Privacy Shield participants-- be able to transfer data without interruption.”
Both sides said they will continue talks as soon as possible to evaluate next steps. Still, Commission Vice President
Since the EU court’s initial ruling in 2015, the bloc has put in place the General Data Protection Regulation, one of the world’s strictest privacy laws. This gives watchdogs unprecedented powers and raises potential fines for companies to as much as 4% of global annual sales. The Privacy Shield was also subjected to annual EU-U.S. reviews.
The EU judges’ new decision “makes it very difficult -- if not impossible -- for most companies doing business in Europe to outsource significant volumes of data to tech companies in the United States for processing or for backup purposes,” the
Thursday’s ruling will affect how non-European firms from
The judgment “removed from the table one of the few, and most trusted, ways to transfer data across the Atlantic” for large and small enterprises in both the U.S. and Europe, said Thomas Boue, director general for policy in Europe at BSA The Software Alliance, whose members include
But the court was focused on giving individuals more power to protect their data. It said people “must have the possibility of bringing legal action before an independent and impartial court.”
The judges also criticized U.S. surveillance programs that may access bulk personal data being transferred from Europe to the U.S. without any judicial review. The court said annulling the Privacy Shield “is not liable” to create a legal vacuum.
The long list of participants in the case also includes the U.S. government, which is rare in the EU courts.
The case is: C-311/18, Data Protection Commissioner v.
(Updates with details of the ruling throughout)
--With assistance from
To contact the editors responsible for this story:
Peter Chapman, Christopher Elser
© 2020 Bloomberg L.P. All rights reserved. Used with permission.