Another blow has been struck to US companies wishing to do business in the European Union, as the ‘Privacy Shield’ regulation which allowed EU citizen data to be transferred to and processed in the US has been deemed invalid by the European Court of Justice. Privacy Shield was itself designed to replace an older data transfer mechanism/regulation called ‘Safe Harbor’, which also met the wrath of European lawmakers back in 2015.
The rulings on both Safe Harbor and Privacy Shield came as a result of cases brought against Facebook by Austrian privacy activist Max Schrems.
Schrems complained to the Irish Data Protection Commissioner that Facebook Ireland (the EU arm of Facebook) was transferring his data back to the USA, via Safe Harbor, where data protection laws would allow it to be accessed by US government agencies (such as the CIA, FBI & more) without his consent, which he argued was a violation of his rights under European data protection laws. This influential court battle became known as Schrems I.
The ECJ sided with Schrems and once Safe Harbor was invalidated, Privacy Shield was introduced to allow US companies to continue operating in the EU, while giving EU residents greater confidence that their data was being handled appropriately with respect to their data protection rights.
Schrems did not believe that the new Privacy Shield agreement accomplished this, and brought a second case (known as Schrems II) to the Irish DPC against Facebook Ireland. This is the case that was ruled on this month, which will no doubt leave US companies rethinking their approach to doing business in the EU. The ECJ stated that Privacy Shield “does not grant data subjects actionable rights before the courts against the US authorities”.
The EU is the world’s largest trading bloc, home to some of the richest countries (and citizens) in the world, likely meaning US companies won’t simply back out of the market. However, as long as US data protection laws allow for US government entities to access EU resident data without any oversight from EU regulatory bodies, it is likely that a permanent solution will be hard to find.
For now, business will go on
Privacy Shield isn’t the only mechanism that exists to allow US companies to operate within the EU. Standard Contractual Clauses (SCCs) may also be used to legally process EU resident data in the US, and many US companies that do business in the EU will have seen the death of Privacy Shield coming and ensured that they had sufficient SCCs in place to continue operating should the worst happen.
In a statement made last Thursday, the EU Commission vice president Vera Jourová confirmed that SCCs would remain in use:
“The Court of Justice declared the Privacy Shield decision invalid, but also confirmed that the standard contractual clauses remain a valid tool for the transfer of personal data to processors established in third countries. This means that the transatlantic data flows can continue, based on the broad toolbox for international transfers provided by the GDPR, for instance binding corporate rules or Standard Contractual Clauses.”
Schrems himself reportedly believes SCCs do not go far enough either to ensure his rights are enforceable in the US, stating “it is clear that the US will have to seriously change their surveillance laws, if US companies want to continue to play a role in the EU market”.
While we may or may not see a third case (Schrems III?) brought by Schrems against Facebook Ireland, one thing is for sure – data protection is constantly changing, and the EU looks sure to continue leaving its mark on the global landscape for years to come.