“Not good enough!” In its latest judgment, the European Court of Justice (ECJ) came to the same conclusion as it did in 2015: the transfer of data from the EU to the US violates the right to privacy as well as European data protection laws because data are not sufficiently protected against interception by US agencies such as the National Security Agency (NSA) or the FBI. The court also found that legal protections were insufficient.
For these reasons, the Luxembourg judges have now also declared the so-called “Privacy Shield” invalid. The European Commission had created the Privacy Shield in 2015 as a kind of seal of approval for companies, a set of ground rules for data transfers to the USA that allowed companies to be compliant with data protection requirements.
Creating the mechanism became necessary when the ECJ set aside the previous arrangement, the “Safe Harbor” agreement with the US.
The proximate cause of the ECJ’s latest landmark decision was the same as that of the previous one, namely a complaint filed by Max Schrems, an Austrian data protection activist. Schrems had complained to the Irish Data Protection Commissioner about the transfer of his Facebook data to the US.
(The European headquarters of Facebook, a California-based company, are in Ireland.) The Irish courts referred the subsequent legal dispute to the ECJ.
The Privacy Shield was a lazy compromise from the outset, designed to minimize the number of changes required in response to the first ECJ ruling. In the run-up to the judgment, companies and industry associations expressed their serious misgivings regarding the cancellation of the Privacy Shield because, they averred, there would be no legal alternatives for transferring data from the EU to the USA in its absence.
Thousands of companies work according to Privacy Shield rules, including large German enterprises such as SAP, Siemens, or Aldi. They now run the risk of incurring significant fines under the General Data Protection Regulation (GDPR) unless they stop transferring data.
These companies are not choosing the more common approach of using standard contractual clauses to govern data transmission, an approach Facebook also applies. In its judgment, the ECJ did not declare these standard contractual clauses invalid, nor had Max Schrems attacked them. They remain a viable legal alternative.
Still, many of these companies are worried about their businesses. In the face of rising panic, they are well-advised to keep their wits about them. For example, data transfers which are absolutely essential to fulfil orders (article 49 GDPR), such as sending e-mails to US-based recipients or confirming travel reservations, continue to be possible. Max Schrems himself also drew attention to this point.
The clear message sent from Luxembourg was absolutely essential. The EU’s high data protection standards have to be complied with, even for transatlantic data transfers. They are not a sideshow, something that can be taken care of in passing, through deals that look good on paper but are ineffective in practice.
Data protection in the United States is simply too weak for this to be an option. Since the Snowden revelations, there is no longer any doubt about the extent of surveillance in the US.
US law also gives government agencies far-reaching access to user data, and companies based in the US have to comply with these regulations. Users of services such as Facebook should be highly critical of standard contractual clauses which supposedly protect their data during transfer to the US.
The Irish data protection agency asked the ECJ to take a closer look at data transfers on the basis of these clauses and to prohibit them if “standard data protection clauses are not being complied with or cannot be complied with in the country in question”.
What we now need are sustainable solutions that guarantee privacy while also giving companies legal certainty. Max Schrems is calling for a “reform of surveillance legislation in the US”. He is right, even though it is difficult to do anything about it from this side of the Atlantic.
Still, the fact is that it isn’t Europe that has to do something about its data protection standards. The ball is in the Americans’ court. It is mainly US companies that want to implement their business models with millions of customers in Europe and which, therefore, have to take European data protection legislation seriously.
If policymakers don’t respond, these companies will have to take the lead and exert pressure on the US government. The proliferating surveillance legislation is already giving them headaches when they think about how to develop their business models further.
If the EU Commission wants to spare itself further “Schrems judgments”, substantive changes will have to be made. The ECJ has made it clear that it is not willing to turn a blind eye. And this is comforting to know.