By Foo Yun Chee and Marine Strauss
LUXEMBOURG (Reuters) – Europe’s highest court ruled on Thursday that a transatlantic data transfer deal is invalid because of concerns about U.S. surveillance in a decision that could disrupt thousands of companies that rely on the agreement.
The ruling effectively ends the privileged access companies in the United States had to personal data from Europe and puts the country on a similar footing to other nations outside the bloc, meaning data transfers are likely to face closer scrutiny.
The so-called Privacy Shield was set up in 2016 by Washington and Brussels to protect personal data when it is sent to the United States for commercial use after a previous agreement known as Safe Harbour was ruled invalid in 2015.
More than 5,000 companies have signed up to use the Privacy Shield. The case was triggered by a long-running dispute between Facebook and Austrian privacy activist Max Schrems who shot to fame for his role in overturning Safe Harbour.
“In respect of certain surveillance programmes, those provisions do not indicate any limitations on the power they confer to implement those programmes, or the existence of guarantees for potentially targeted non-U.S. persons,” the Court of Justice of the European Union (CJEU) in Luxembourg said in its ruling, which cannot be appealed.
“It looks perfect,” Schrems said.
“One of the biggest takeaways is that we would need fundamental reform in U.S. surveillance laws if U.S. companies still want to have any kind of decent access to the European market,” he told Reuters TV.
Facebook said it was studying the ruling and looked forward to regulatory guidance on its impact.
“We will ensure that our advertisers, customers and partners can continue to enjoy Facebook services while keeping their data safe and secure,” Eva Nagle, associate general counsel at Facebook, said in a statement.
The U.S. Department of Commerce said it would remain in close contact with the European Commission to try to limit the negative consequences of the ruling.
“While the Department of Commerce is deeply disappointed that the court appears to have invalidated the European Commission’s adequacy decision underlying the EU-U.S. Privacy Shield, we are still studying the decision to fully understand its practical impacts,” said Commerce Secretary Wilbur Ross.
‘PRIVACY TRADE WAR’
EU concerns about data transfers have been growing ever since former U.S. intelligence contractor Edward Snowden’s revelations in 2013 of mass U.S. surveillance.
The court is saying that the surveillance regime in the U.S. does not respect the rights of EU citizens and puts U.S. state interests over the interests of individuals, Jonathan Kewley, co-head of technology at law firm Clifford Chance, said.
“What we are seeing here looks suspiciously like a privacy trade war, where Europe is saying their data standards can be trusted, but those in the U.S. cannot,” he said.
Kewley said the outcome could be that more customer data remains stored in Europe, which is what happened after Safe Harbour was annulled.
Judges upheld the validity of another data transfer mechanism known as standard contractual clauses (SCCs).
They are used by thousands of companies including Facebook, industrial giants and carmakers to transfer Europeans’ data around the world for services ranging from cloud infrastructure, data hosting, payroll and finance to marketing.
However, the court stressed that under SCCs, privacy watchdogs must suspend or prohibit transfers outside the EU if data protection in other countries cannot be assured.
Schrems said this meant companies that fall under U.S. surveillance laws, such as Facebook, could not use the clauses to shift data to the United States.
“The importance of the judgment cannot be underestimated. While companies can still rely on SCCs, underlying transfers will be subject to much greater scrutiny,” said David Dumont, data privacy partner at Hunton Andrews Kurth LLP in Brussels.
Facebook welcomed the decision on SCCs.
“These are used by Facebook and thousands of businesses in Europe and provide important safeguards to protect the data of EU citizens,” Nagle said.
Schrems said before the ruling that transactions by Europeans such as booking a hotel or hire car in the United States or emailing someone there would not be affected. His concerns centred more on the way personal data is stored.
Microsoft said Thursday’s rulings did not affect its customers’ ability to transfer data between the EU and the United States using the Microsoft cloud.
“We want to be clear: if you are a commercial customer, you can continue to use Microsoft services in compliance with European law,” Microsoft Chief Privacy Officer Julie Brill said.
The case – C-311/18 Facebook Ireland and Schrems – went to the CJEU after Schrems challenged Facebook’s use of the standard clauses, saying they lacked sufficient data protection safeguards.
(Reporting by Foo Yun Chee; Additional reporting by Kirsti Knolle in Vienna and Keith Weir in London; Editing by David Clarke)
PHOTO: European Commissioner for Values and Transparency Vera Jourova and European Commissioner for Justice Didier Reynders hold a news conference on data protection at international level at the European Commission in Brussels, Belgium July 16, 2020. Stephanie Lecocq/Pool via REUTERS