The European Court of Justice (ECJ) has for the second time struck down an agreement between the EU and US which facilitates the transfer of data from Europe to the United States and which permits the US intelligence services to access such data for national security reasons.
The decision forms part of a long-running legal case taken against Facebook through the Irish courts by Austrian privacy campaigner Max Schrems.
This morning, the ECJ declared the so-called Privacy Shield agreement between the EU and United States invalid, as it did not sufficiently protect the data of European citizens.
In a statement, Eva Nagle, associate general counsel at Facebook, said it was looking at the implications of the European court ruling.
"Like many businesses, we are carefully considering the findings and implications of the decision of the Court of Justice in relation to the use of Privacy Shield and we look forward to regulatory guidance in this regard," she said.
"We will ensure that our advertisers, customers and partners can continue to enjoy Facebook services while keeping their data safe and secure," she added.
The Data Protection Commission has strongly welcomed today's judgment from the ECJ.
In a statement, the commission said that the judgment firmly endorses the position that EU citizens do not enjoy the level of protection demanded by EU law when their data is transferred to the US.
It said that the judgment will require careful consideration in the coming days and weeks.
The US Department of Commerce said it would remain in close contact with the European Commission to try to limit the negative consequences of the ruling.
"While the Department of Commerce is deeply disappointed that the court appears to have invalidated the European Commission's adequacy decision underlying the EU-US Privacy Shield, we are still studying the decision to fully understand its practical impacts," said Commerce Secretary Wilbur Ross.
Privacy Shield replaced a previous data transfer agreement between Washington and Brussels known as Safe Harbour. That was also struck down by the ECJ in 2015 following a similar complaint taken by Mr Schrems through the Irish courts against the Irish Data Protection Commissioner (DPC).
On that occasion Mr Schrems complained that Facebook was obliged to hand over his private data to the US intelligence and security services.
The complaint was taken in the light of the revelations by the US whistleblower Edward Snowden over the surveillance of the private data of EU citizens by American spy agencies.
Following that ruling the EU and US brokered a replacement system, whereby data could still be transferred from Europe to the United States.
Known as Privacy Shield, it offered greater protections to EU citizens, required the US authorities to take account of EU privacy concerns and to deepen relations with EU data privacy commissioners.
However, today the ECJ threw out Privacy Shield on the basis that it did not meet the standard of protection for EU citizens which is guaranteed by the General Data Protection Regulation (GDPR), the EU's main data privacy regime.
The court declared that the scope of GDPR still covered any processing of EU data by US surveillance authorities.
Since GDPR provided safeguards, rights and legal remedies for EU citizens, the court declared that that privacy regime had to be interpreted as meaning that EU citizens whose data is transferred to the US are entitled to "a level of protection essentially equivalent to that guaranteed within the EU by the GDPR, as underpinned by the Charter of Fundamental Rights".
The court pointed out that the Charter guaranteed "respect for private and family life, personal data protection and the right to effective judicial protection".
So in other words, Privacy Shield has been struck down, but SCCs are ok. The Privacy Shield decision is quite a surprise and a big deal. It was put in place just a few years ago to replace Safe Harbour, which was also struck down by the court. — Will Goodbody (@willgoodbody) July 16, 2020
Judges ruled that under Privacy Shield any decisions by the US national security services had "primacy" and this therefore "condoned" interference with the fundamental rights of EU citizens whose data were transferred to the US.
The ECJ essentially ruled that any privacy protections under US law when it comes to surveillance were not as strong as those provided under EU law.
In particular, the court held that US surveillance of personal data breached the principle of proportionality, in the sense that such surveillance programmes were not limited to what was strictly necessary.
Judges held that Privacy Shield did not enshrine any limitations to how such surveillance programmes were implemented, nor did Privacy Shield hold any guarantees for potentially targeted non-US persons.
Although the US authorities are required to comply with certain provisions when carrying out surveillance, these provisions do not give EU citizens actionable rights before the courts against the US authorities, the court found.
The court also held that the mechanism within Privacy Shield which creates an Ombudsman, to which complaints can be made, was inadequate because it did not provide citizens with any course of action which provided guarantees "substantially equivalent" to those required by EU law.
The independence of such an Ombudsman was not guaranteed, nor would the Ombudsman be able to adopt decisions that were binding on US intelligence services.
The court, however, ruled that so-called Standard Contractual Clauses (SCCs) continue to be valid.
These are clauses that are inserted into legal contracts between EU companies and companies from third countries, such as the US, with whom the EU does not have a data protection adequacy agreement.
SCCs were used as a fallback following the striking down of Safe Harbour in 2015 and the establishment of its successor, Privacy Shield. They allowed firms such as Facebook to legally transfer data as they essentially copied over EU protections into such contracts.
Today's judgement was the result of a follow-up case taken by Mr Schrems through the Irish courts over whether or not SCCs should be permitted to facilitate the transfer of data to the US.
The ECJ has ruled that SCCs remain valid so long as data protection commissioners and the companies that use such contracts can ensure that third countries are able to enforce the data protections the contracts contain.
The court ruled that data protection commissioners are required to "suspend or prohibit a transfer of personal data to a third country where they take the view, in the light of all the circumstances of that transfer, that the standard data protection clauses are not or cannot be complied with in that country and that the protection of the data transferred that is required by EU law cannot be ensured by other means".
Judges concluded that just because SCCs did not bind the authorities of a third country, such as the US, as to which data could be transferred, that did not call such contracts into question.
However, they were only valid insofar as there are "effective mechanisms that make it possible... to ensure compliance with the level of protection required by EU law".
The court also held that SCCs would be suspended or prohibited if there was any breach of the contracts, or if it was impossible to honour them. As such, data exporters and their recipients were obliged to verify, prior to a transfer of the data, whether that level of protection is respected in the third country concerned.
#ECJ: the Decision on the adequacy of the protection provided by the EU-US Data Protection Shield is invalidated, but @EU_Commission Decision on standard contractual clauses for the transfer of personal data to processors established in third countries is valid #Facebook #Schrems pic.twitter.com/BgxGAvuq3T — EU Court of Justice (@EUCourtPress) July 16, 2020
Lawyers representing a group of software companies gave a mixed reaction.
"The Court’s decision to invalidate the US-EU Privacy Shield without hearing argument on the merits of the Shield will be disappointing to many," said Lisa Peets of Covington & Burling, representing the BSA Software Alliance.
"But more positively, the Court has upheld the ability to use the Standard Contractual Clauses for personal data transfers to the United States. This will be a huge relief to companies across Europe.
"Data flows between Europe and the United States are an integral part of the European economy and of the day-to-day lives of millions of European consumers, and the SCCs are the backbone for many of those data transfers."
Ms Peets continued: "As for the Privacy Shield, the European Commission will be highly focused on finding a resolution and will be actively working with the US Government to identify a path forward.
"In the interim, and pending the response from European data protection authorities, Privacy Shield-certified companies will be seeking alternative ways to transfer personal data from the EU to the US - such as the Clauses."
The European Union's competition chief Margrethe Vestager said that EU court rulings this week, which saw courts reject a key EU tool used to transfer Europeans' personal data across the Atlantic and reject an EU order for Apple to pay €13 billion in Irish back taxes, were a "loss".
"The first thing you do when you get a court judgement is to read it very, very carefully. And we are still in the process of doing that. Of course, it's a loss, because it was an annulment by the court," Vestager said during an online event.
"The only comfort here is that the court agrees with us that we can use state aid tools to look at fiscal state aid as well. But now we read it very carefully, and then decide on next steps," she said.