EU-US Privacy Shield struck down by European court
The Privacy Shield agreement governing the transfer of personal data between the EU and the United States has been struck down by the Court of Justice of the European Union (CJEU).
In a landmark ruling, the court said there are insufficient safeguards on EU citizens’ personal data in the US because the US gives primacy to national security and law enforcement without respect to the principle of proportionality.
However, the European Commission said transatlantic data flows between companies can continue using other mechanisms for international transfers of personal data available under the GDPR.
Today’s ruling follows years of litigation brought before the Irish courts by Austrian privacy campaigner Max Schrems, who started bringing proceedings in 2013 after Edward Snowden revealed the extent of US mass surveillance.
His actions against Ireland’s Data Protection Commissioner and Facebook Ireland previously led to the Safe Harbour agreement being struck down in 2015. Privacy Shield was supposed to replace Safe Harbour while complying with EU law.
In a statement, Mr Schrems said: “I am very happy about the judgment. It seems the court has followed us in all aspects. This is a total blow to the Irish DPC and Facebook. It is clear that the US will have to seriously change their surveillance laws if US companies want to continue to play a major role on the EU market.”
Professor Herwig Hofmann, one of the lawyers arguing the Schrems cases before the CJEU, said: “The CJEU has invalidated the second Commission decision violating EU fundamental data protection rights. There can be no transfer of data to a country with forms of mass surveillance.
“As long as US law gives its government the powers to vacuum-up EU data transiting to the US, such instruments will be invalidated again and again. The Commission’s acceptance of US surveillance laws in the Privacy Shield decision left them without defence.”
Věra Jourová, vice-president for values and transparency in the European Commission, said: “The Court of Justice declared the Privacy Shield decision invalid, but also confirmed that the standard contractual clauses remain a valid tool for the transfer of personal data to processors established in third countries.
“This means that the transatlantic data flows can continue, based on the broad toolbox for international transfers provided by the GDPR, for instance binding corporate rules or standard contractual clauses.”