Business

Firms left scrambling as Europe’s top court strikes down EU-US Privacy Shield

A major agreement governing the transfer of EU citizens’ data to the United States has been struck down by the European Court of Justice (ECJ), leaving many companies that routinely transfer data between the EU and the US scrambling to find a legal way to do so.

The agreement, known as the EU-US Privacy Shield, allowed companies sign up to higher privacy standards before transferring data to the US. It became operational in 2016 and was designed to protect the fundamental rights of anyone in the EU whose personal data is transferred to the United States for commercial purposes.

But Max Schrems, an Austrian privacy advocate, challenged the agreement, arguing that US national security laws did not protect EU citizens from government snooping.

Mr Schrems called the ECJ ruling a win for privacy.

“It is clear that the US will have to seriously change their surveillance laws, if US companies want to continue to play a role in the EU market,” he said.

Mr Schrems’ concern was that Section 702 of the US Foreign Intelligence Surveillance Act (FISA) permits the US National Security Agency to collect foreign intelligence belonging to non-Americans located outside the US, by way of obtaining their data stored with electronic communications services providers, such as Facebook.

In its ruling, the ECJ agreed.

“In respect of certain surveillance programmes, those provisions do not indicate any limitations on the power they confer to implement those programmes or the existence of guarantees for potentially targeted non-US persons,” the court said, highlighting that EU citizens do not have “actionable rights” against US authorities amid such a regime of surveillance.

Affected companies will now have to sign “standard contractual clauses”: non-negotiable legal contracts drawn up by Europe, which are used in other countries besides the US.

They are already used by many big players. Microsoft, for example, has issued a statement saying it already uses them and is unaffected.

developmentaid

“Companies need to have reliable and stable mechanisms to send data from the EU to the United States,” said Thomas Boué, director general of policy EMEA at BSA, a lobbyist for the global software industry. “This is an unwelcome development at a time when businesses on both sides of the Atlantic are focusing on recovering from the economic impacts of Covid-19 and are increasingly relying on data-driven tools and services to do so.”

Mr Boué added that 70 per cent of the companies certified to the Privacy Shield were SMEs, and they will now have to spend time and resources finding alternatives to carry out daily business transactions like processing payroll, sending emails, or storing documents on cloud-hosted servers.

“We stand ready to work immediately with the European Commission, the US Government, and the transatlantic business community, who share the common goal of finding a new, sustainable data transfer mechanism that will work for the long term,” said Boué. “More positively, the Court has upheld the ability to use Standard Contractual Clauses as a responsible, trusted tool to transfer personal data outside Europe, including to the United States.”

Standard Contractual Clauses – or SCCs – are the main transfer mechanism used by 90 percent of companies that transfer data internationally. SCCs, which are issued by the European Commission, were also under review by the ECJ. SCCs underpin transfers of personal data from the EU to some 180 countries, including Australia, Singapore, South Korea, Brazil, India, and Mexico. These clauses impose a range of contract-based obligations to help ensure EU law’s strong privacy protections flow with any personal data sent outside of the EU. The SCCs impose mandatory safeguards and companies that use SCCs also apply additional safeguards that are tailored to each specific transfer.

Unlike many news and information platforms, Emerging Europe is free to read, and always will be. There is no paywall here. We are independent, not affiliated with nor representing any political party or business organisation. We want the very best for emerging Europe, nothing more, nothing less. Your support will help us continue to spread the word about this amazing region.

You can contribute here. Thank you.

emerging europe support independent journalism