A major agreement governing the transfer of EU citizens’ data to the United States has been struck down by the European Court of Justice (ECJ).
The EU-US Privacy Shield let companies sign up to higher privacy standards before transferring data to the US.
But a privacy advocate challenged the agreement, arguing that US national security laws did not protect EU citizens from government snooping.
Max Schrems, the Austrian behind the case, called it a win for privacy.
“It is clear that the US will have to seriously change their surveillance laws, if US companies want to continue to play a role in the EU market,” he said.
US Secretary of Commerce Wilbur Ross said his department was “deeply disappointed” by the decision.
He said he hoped to “limit the negative consequences” to transatlantic trade worth $7.1 trillion (£5.6tn).
What happens next?
The EU-US Privacy Shield system “underpins transatlantic digital trade” for more than 5,300 companies. About 65% of them are small-medium enterprises (SMEs) or start-ups, according to University College London’s European Institute.
Affected companies will now have to sign “standard contractual clauses” (SCCs): non-negotiable legal contracts drawn up by Europe, which are used in other countries besides the US.
They are already used by many big players. Microsoft, for example, has issued a statement saying it already uses them and is unaffected.
The last time a major deal like this was struck down, in 2015 – also in a case involving Max Schrems – a grace period was brought in while companies figured out what to do.
Mr Schrems had also challenged the validity of the SCCs, but the ECJ chose not to abolish them.
But it did warn that those contracts should be suspended by data protection watchdogs, if the guarantees in them are not upheld.
Mr Schrems’ case was partly prompted by leaks from ex-CIA contractor Edward Snowden which revealed the extent of US surveillance.
European data protection law says data can only be transferred out of the EU – to the United States or elsewhere – if appropriate safeguards are in place.
But the ECJ said US “surveillance programmes… are not limited to what is strictly necessary”.
“The requirements of US national security, public interest and law enforcement have primacy, thus condoning interference with the fundamental rights of persons whose data are transferred,” it said.
“The limitations on the protection of personal data arising from the domestic law of the United States… are not circumscribed in a way that satisfies requirements.”
“This is a bold move by Europe,” Jonathan Kewley, co-head of technology at law firm Clifford Chance, said.
“What we are seeing here looks suspiciously like a privacy trade war, where Europe is saying their data standards can be trusted but those in the US cannot.”
He also warned that standard contractual clauses (SCCs) will be much more closely scrutinised from now on.
Data protection expert Tim Turner agreed, saying the ECJ’s warning over the standard clauses could spell further trouble for US companies.
“If the law in the relevant country – let’s say the USA – could override what the contract says, they don’t work,” he said.
“I don’t know how much appetite they have to do this, but it’s hard to imagine that any European regulator would say that SCCs work for the US, and the pressure will pile on for them to make the assessment.
“I don’t think SCCs escaped the court’s judgement – for some key countries, it’s probably just a stay of execution.”