
Max Schrems has won a new victory against Facebook over how the social network handles personal data. After having the US 'safe harbour' arrangement for data transfers overturned in 2015, the privacy activist has won a new case at the EU Court of Justice invalidating the Privacy Shield agreement that replaced it in 2016. This means EU-based companies can no longer rely on the Privacy Shield to transfer personal data to the US, because the court found that the country does not offer the level of protection required under EU privacy law.
The court did uphold the possibility of companies using so-called standard contractual clauses for data transfers outside the EU. These model contracts, approved by the European Commission and data protection regulators, allow companies to transfer personal data to a country for which the Commission has not issued a so-called adequacy decision, i.e. a finding that the destination meets EU privacy standards. Many companies rely on these clauses for transfers to the US, especially since Schrems succeeded in having the original 'safe harbour' arrangement struck down by the EU court in 2015.
In its latest decision, the court found that it is up to the companies themselves to verify that the country to which they transfer data offers protection essentially equivalent to that guaranteed in the EU under the General Data Protection Regulation. This is in line with the earlier opinion issued by the court's advocate general. If a company finds that the necessary level of protection cannot be ensured in the recipient country, it must suspend the data transfers.
Irish data regulator may act
In addition, the court confirmed that EU data protection regulators must suspend or prohibit data transfers made under the model contracts if they find that the recipient country does not provide sufficient privacy protection. This means that the Irish Data Protection Commissioner, which has oversight of Facebook's operations across the EU, may act on Schrems' request to suspend Facebook's data transfers to its servers in the US, if the regulator finds that data protection in the US is inadequate.
Schrems said in an initial reaction that he was "very happy" with the ruling, as the court seemed to follow his arguments in all aspects. "This is a total blow to the Irish DPC and Facebook. It is clear that the US will have to seriously change their surveillance laws, if US companies want to continue to play a major role on the EU market," he said.
No legal protection in US
As for the US, the EU court found that it does not offer the protection required under the GDPR. The ombudsperson mechanism set up under the Privacy Shield agreement between the US and the EU does not give individuals legal recourse equivalent to what they have in the EU if they believe their rights have been violated: the ombudsperson's independence is not guaranteed, and its decisions are not binding on US intelligence services, the court noted.
Furthermore, the collection of personal data by US security services for surveillance purposes is not limited in a way that meets the EU requirement of proportionality, the court said. Under EU law, personal data may be collected only to the extent that is strictly necessary, which also means that data subjects must be informed as far as possible and that the data must be deleted once it is no longer needed. In the US, the court found, there are no such restrictions on data collection by the security services, nor any specific protections for non-Americans who are subject to the surveillance.
US transfers 'questionable'
The Irish DPC said it "strongly welcomed" the court ruling, as the issue of EU-US data transfers had been "inherently problematic" since the initial court decision in 2015. It noted that the existence of an adequacy decision such as the Privacy Shield had prevented it from taking action to block certain data flows, but it acknowledged that the new ruling gave regulators a "central role" in the matter.
The EU court's latest ruling makes clear that in practice, data transfers to the US, even those made under the standard contractual clauses, are "questionable", the DPC said. It added: "this is an issue that will require further and careful examination, not least because assessments will need to be made on a case by case basis." The DPC said it would work with the other national regulators in the EU to develop a common position based on the court decision.
Market uncertainty
The court decision swiftly drew a negative reaction from industry groups. The Computer and Communications Industry Association, which represents major companies such as Amazon, Google, BT, eBay and Facebook, said the decision would create legal uncertainty for the thousands of businesses that rely on the Privacy Shield for their day-to-day operations.
"We trust that EU and US decision-makers will swiftly develop a sustainable solution, in line with EU law, to ensure the continuation of data flows which underpins the transatlantic economy," the group said. "We hope enforcement authorities will grant Privacy Shield signatories time to migrate to alternative legal mechanisms."
Commission says EU-US transfers may continue
The European Commission noted that the court had upheld the model contracts, which means data flows to the US can continue on that basis. The Commission had already started work on updating the contractual clauses and would cooperate with national regulators and the European Data Protection Board to ensure that the contracts comply with the court ruling and the GDPR, according to justice commissioner Didier Reynders.
More time would be needed, however, to consider the implications for the Privacy Shield, he said, adding that the Commission was already in contact with US officials, including Attorney General William Barr, to discuss a way forward. "In the meantime, transatlantic data flows between companies can continue using other mechanisms for international transfers of personal data available under the GDPR," the commissioner said.