Europe’s top court on Thursday rejected the validity of a mechanism used by thousands of companies to send data to the United States, backing concerns about U.S. surveillance raised by privacy activist Max Schrems in his clash with Facebook.
The EU-U.S. Privacy Shield was set up in 2016 to protect the personal data of Europeans when it is transferred across the Atlantic for commercial use. The same court also rejected its predecessor, known as Safe Harbour, in 2015.
“In respect of certain surveillance programmes, those provisions do not indicate any limitations on the power they confer to implement those programmes, or the existence of guarantees for potentially targeted non-U.S. persons,” the EU Court of Justice said.
“It looks perfect,” Schrems said in a spontaneous reaction when the ruling hit headlines at his office in Vienna.
However, judges upheld the validity of another data transfer mechanism known as standard contractual clauses but stressed that privacy watchdogs must suspend or prohibit transfers outside the EU if the protection of the data cannot be ensured.
Hundreds of thousands of companies including Facebook, industrial giants and carmakers use these clauses to transfer Europeans’ data around the world for services ranging from cloud infrastructure, data hosting, payroll and finance to marketing.
If the court had invalidated those clauses, companies could have to suspend the data transfers that underpin standard contractual clauses or face hefty fines for breach of EU privacy laws. Other options are costly and complex and seldom used.
The case – C-311/18 Facebook Ireland and Schrems – went to the Court of Justice of the European Union (CJEU) in Luxembourg after Schrems challenged Facebook’s use of the standard clauses, saying they lacked sufficient data protection safeguards.
Schrems shot to fame for winning a legal battle in 2015 to overturn Safe Harbour. EU concerns about data transfers mounted after former U.S. intelligence contractor Edward Snowden’s revelations in 2013 of mass U.S. surveillance.
The Irish Data Protection agency, which is Facebook’s lead regulator, took the case to the Irish High Court, which then sought guidance from the CJEU.
Last December, a CJEU adviser said such data transfer mechanisms were legal with the caveat that they could be blocked if countries receiving such information fail to meet European data protection standards.
In the EU, the General Data Protection Regulation (GDPR), introduced in 2018, seeks to increase individuals’ control over their personal information. Companies that fail to comply are liable to fines of up to 4% of global annual turnover.