US-EU Privacy Shield data-sharing pact invalidated over surveillance fears

Europe’s top court struck a blow to companies that rely on transferring data between Europe and the US on Thursday by ruling the Privacy Shield data-sharing agreement invalid.

In the ruling by the European Court of Justice, judges expressed concerns that Privacy Shield certification did not adequately protect the data of European citizens from US surveillance activities in the same way they are protected in the EU. Essentially, there is no guarantee that privacy protections provided for by law within the EU can be upheld when people’s data travels to the US.

“The limitations on the protection of personal data arising from the domestic law of the United States on the access and use by US public authorities of such data transferred from the European Union to the United States, which the Commission assessed in the Privacy Shield Decision, are not circumscribed in a way that satisfies requirements that are essentially equivalent,” said the judgement.

The case was brought to the CJEU by lawyer and activist Max Schrems, who has been pursuing cases related to the protection of European citizens’ data ever since the Edward Snowdon revelations exposed the extent of US surveillance activities back in 2013. His cases largely pertain to data transfers by Facebook, and start at the Irish court level, as that is where the company’s European headquarters are based, before being escalated up the judicial ladder. But the impact of data-sharing agreements is far-reaching, affecting not just social media companies, but banks, law firms and many other types of companies.

Schrems said in a statement that he was very happy about the court’s decision, and on Twitter called it a “100% win” for privacy. “It seems the Court has followed us in all aspects,” he said. “This is a total blow to the Irish DPC and Facebook. It is clear that the US will have to seriously change their surveillance laws, if US companies want to continue to play a major role on the EU market.”

Privacy Shield was supposed to replace the previous Safe Harbor agreement, which was also ruled invalid by the court back in 2015, following another case brought by Schrems. Other data-sharing mechanisms do exist, so the internet will not immediately come to a standstill, but it will disrupt the framework most companies rely upon to transfer data between the US and the EU.

“It was irresponsible from the European Commission to adopt the Privacy Shield both from a legal and political perspective,” said Estelle Massé, senior policy analyst at digital rights group Access Now. “From the get go, the Commission ignored the legal opinion of data protection experts and civil society, who urged against this deal’s adoption.

“We hope that, this time, the European Commission draws the necessary conclusions from the ruling and works on all the necessary reforms,” she added.

The European Commission is set to hold a press conference later today, during which it will respond to the court’s decision.