Bloomberg Law
Free Newsletter Sign Up
Bloomberg Law
Advanced Search Go
Free Newsletter Sign Up

EU Court Blocks Data Pact Amid Fears Over U.S. Surveillance (4)

July 16, 2020, 3:16 PM

The European Union’s top court struck down a key method used by Facebook Inc. and other companies to transfer data across the Atlantic amid fears over potential U.S. surveillance.

Thursday’s decision by the EU Court of Justice on the so-called Privacy Shield means thousands of businesses that ship commercial data to the U.S. risk turmoil in their day-to-day activities.

While a separate contract-based system to transfer data was approved, the judges’ doubts about American data protection also plunge that alternative method into legal uncertainty.

The controversy stretches back to 2013, when former contractor Edward Snowden exposed the extent of spying by the U.S. National Security Agency. Privacy campaigner Max Schrems has been challenging Facebook in the Irish courts -- where the social media company has its European base -- arguing that EU citizens’ data is at risk the moment it gets transferred to the U.S.

WATCH: An EU court banned the data-transfer pact amid fears over U.S. surveillance.
Source: Bloomberg

“It is clear that the U.S. will have to seriously change their surveillance laws, if U.S. companies want to continue to play a major role on the EU market,” Schrems said after the ruling. “This judgment is not the cause of a limit to data transfers, but the consequence of U.S. surveillance laws.”

November Election

While the court did approve Standard Contractual Clauses system to transfer data, the ruling offers another grievance to stoke the growing animosity between the U.S. and the EU in the run up to November’s presidential election.

The White House has already announced the withdrawal of thousands of troops from Germany and pulled the plug on efforts to reach a settlement on digital taxes.

The EU meanwhile has fended off an American attempt to muscle in on the negotiations over a settlement between Serbia and Kosovo in the Balkans. Hanging over all of it is President Donald Trump’s threat to impose tariffs on European cars, a step which would massively escalate the trade dispute between the two sides.

On the data front, the EU top court in a surprise decision in 2015 struck down an earlier trans-Atlantic data-transfer system, called Safe Harbor, over concerns U.S. spies could get unfettered access to EU data. Facebook warned ahead of Thursday’s ruling that similar economic turmoil would be in store if the court does the same.

U.S. Companies Left Scrambling After EU Data Transfer Pact Dies

Scrambling to put together an alternative tool for companies, the EU and U.S. in early 2016 reached an accord on the Privacy Shield, saying it would guarantee EU citizens robust privacy protection and the right to judicial review. But the Shield has been on wobbly feet since the very start over concerns that not enough was being done on the American side.

“The invalidation of the Privacy Shield is a big blow for the more than 5,300 companies and organizations that have been relying on the Shield to send data from the EU to the U.S.,” said Wim Nauwelaerts, a lawyer at Alston & Bird. “They will have to look for alternatives quickly.”

The decision is also a big defeat for the European Commission, the EU’s executive authority, which spent huge efforts on the Shield. It puts “significant pressure on data protection authorities to take their job more seriously in checking data transfers,” said Joerg Hladjk, a lawyer with Jones Day in Brussels.

The Irish Data Protection Commission, the main EU privacy watchdog for some of Silicon Valley’s biggest companies said the ruling’s “scope extends far beyond” the dispute that pitted it against Schrems over Facebook’s data transfers.

“Whatever mechanism is used to transfer data to a third country, the protection afforded to EU citizens in respect of that data must be essentially equivalent to that which it enjoys within the EU,” the Irish authority said. Even though the use of standard contractual clauses was cleared by EU judges, “in practice, the application of the SCCs transfer mechanism to transfers of personal data to the United States is now questionable.”

This could affect thousands of companies, not only those who relied on the Privacy Shield. Banks, who mostly rely on the clauses could be affected too, say lawyers.

A “European bank that uses a U.S. company to store or analyze transactional data will be affected by the Schrems decision if that U.S. provider either relied on the Privacy Shield or was subject to Standard Contractual Clauses,” Eduardo Ustaran, a lawyer with Hogan Lovells in London said.

“Customers of those banks will have the right to question the level of safeguards for their data, and data protection authorities have the power to scrutinize the same,” he said.

EU Justice Commissioner Didier Reynders said the ruling “provides useful clarifications” on the EU standards for decisions allowing a safe and smooth data flow between the EU and other nations.

U.S. Commerce Secretary Wilbur Ross said his department was “deeply disappointed” and was studying the ruling to “fully understand its practical impacts.”

The U.S. hopes “to be able to limit the negative consequences to the $7.1 trillion transatlantic economic relationship that is so vital to our respective citizens, companies, and governments,” Ross said in a statement. As “economies continue their post-Covid-19 recovery, it is critical that companies -- including the 5,300+ current Privacy Shield participants-- be able to transfer data without interruption.”

Next Steps

Both sides said they will continue talks as soon as possible to evaluate next steps. Still, Commission Vice President Vera Jourova said after the ruling the EU “cannot do magic and change American laws from Europe, it’s for the American colleagues to reflect on that.”

Since the EU court’s initial ruling in 2015, the bloc has put in place the General Data Protection Regulation, one of the world’s strictest privacy laws. This gives watchdogs unprecedented powers and raises potential fines for companies to as much as 4% of global annual sales. The Privacy Shield was also subjected to annual EU-U.S. reviews.

The EU judges’ new decision “makes it very difficult -- if not impossible -- for most companies doing business in Europe to outsource significant volumes of data to tech companies in the United States for processing or for backup purposes,” the American Civil Liberties Union said in a statement.

Thursday’s ruling will affect how non-European firms from Google to TikTok Inc. transfer data from European services for processing outside the region.

The judgment “removed from the table one of the few, and most trusted, ways to transfer data across the Atlantic” for large and small enterprises in both the U.S. and Europe, said Thomas Boue, director general for policy in Europe at BSA The Software Alliance, whose members include Microsoft Corp. and Oracle Corp.

But the court was focused on giving individuals more power to protect their data. It said people “must have the possibility of bringing legal action before an independent and impartial court.”

The judges also criticized U.S. surveillance programs that may access bulk personal data being transferred from Europe to the U.S. without any judicial review. The court said annulling the Privacy Shield “is not liable” to create a legal vacuum.

The long list of participants in the case also includes the U.S. government, which is rare in the EU courts.

The case is: C-311/18, Data Protection Commissioner v. Facebook Ireland Limited, Max Schrems.

(Updates with details of the ruling throughout)

--With assistance from Aoife White and Ben Sills.

To contact the reporters on this story:
Stephanie Bodoni in Luxembourg at;
Natalia Drozdiak in Brussels at

To contact the editors responsible for this story:
Anthony Aarons at

Peter Chapman, Christopher Elser

© 2020 Bloomberg L.P. All rights reserved. Used with permission.