EU-US Privacy Shield receives hard blow from European court rule

• The EU-US Privacy Shield has been struck down by European court as falling short from standard protection regulations
• The court’s ruling will have a profound impact on the US$7.1 trillion transatlantic trade
• US-based companies are urging policymakers to develop a sustainable plan to maintain seamless transatlantic trade 

The EU-US Privacy Shield Frameworks were designed “to provide companies on both sides of the Atlantic with a mechanism to comply with data protection requirements when transferring personal data from the European Union and Switzerland to the United States in support of transatlantic commerce,” as written in its official site.

The data transfer system enables companies to adhere to higher standards in data privacy and protection before transferring data to the US; however, a privacy activist and lawyer, Max Schrems, has challenged the agreement, citing concerns for the inadequacy of US national security laws in protecting EU citizens’ data.

The highly anticipated ruling came to a conclusion yesterday as The Court of Justice of the European Union (CJEU) announced its decision. 

The press release stated, “The Court of Justice invalidates Decision 2016/1250 on the adequacy of the protection provided by the EU-US Data Protection Shield.”

#ECJ: the Decision on the adequacy of the protection provided by the EU-US Data Protection Shield is invalidated, but @EU_Commission Decision on standard contractual clauses for the transfer of personal data to processors established in third countries is valid #Facebook #Schrems pic.twitter.com/BgxGAvuq3T

— EU Court of Justice (@EUCourtPress) July 16, 2020

In brief, the court’s findings were “the requirements of US national security, public interest and law enforcement have primacy, thus condoning interference with the fundamental rights of persons whose data are transferred to that third country.” Adding on, the EU-US Privacy Shield system intended to mitigate this interference does not in a way that “satisfies requirements that are essentially equivalent” to EU laws.

Schrems, the privacy advocate behind the case, said, “It is clear that the US will have to seriously change their surveillance laws, if US companies want to continue to play a role in the EU market,” as reported on BBC.

Across the Atlantic, US Commerce Secretary Wilbur Ross expressed his disappointment towards the decision.

As reported by WSJ, Ross was in touch with his European counterparts and hoped to limit the “negative consequences to the US$7.1 trillion trans-Atlantic economic relationship that is so vital to our respective citizens, companies, and governments.”

A policy paper by University College London’s European Institute stated that the EU-US Privacy Shield system “facilitates unrestricted commercial data flows across the Atlantic” and “underpins transatlantic digital trade” for more than 5,300 firms, of which 65% of the certified firms are SMEs.

The paper published in May also noted, “It is highly plausible that Privacy Shield will be struck down by the European Court of Justice in future,” citing “unresolved concerns regarding U.S. government access to EU citizens’ data for law enforcement and national security purposes,” as the reason.

Thursday’s decision will see affected companies required to sign “standard contractual clauses,” non-negotiable legal contracts drawn up by Europe, which are used for the dealings between EU and non-EU countries.

US-based tech giants such as Amazon, Facebook, and Google, alongside other businesses, called for policymakers to develop a sustainable and viable solution for both sides of the Atlantic “to ensure the continuation of data flows which underpins the transatlantic economy,” a statement reads.

Meanwhile, Microsoft was swift to respond and issued a statement clarifying “the Court’s ruling does not change your ability to transfer data today between the EU and US using the Microsoft cloud.”