On July 16, the European Court of Justice (CJEU) ruled that the “Privacy Shield” for transferring data between the EU and the US provided inadequate privacy protections in the US, thus rendering the framework invalid under European law.
The ruling highlights an imbalance in the standards for US-EU data privacy. In 2018 the European Union passed the General Data Protection Regulation (GDPR), now Europe’s primary legal framework for protecting personal data privacy. The GDPR created specific requirements for the overseas transfer of data, limiting it to countries with adequate data privacy laws.
The US was not one of them, hence the need for an additional framework. The Privacy Shield, designed jointly by the European Commission, the Swiss Administration and the US Department of Commerce in 2016, filled that gap by enabling individual companies to certify to higher privacy standards and thus become eligible data recipients.
Standing Up to Facebook
This month’s CJEU decision resulted from a complaint against Facebook filed by Austrian data privacy activist and lawyer Max Schrems, who argued that EU citizens’ data was not private in the US, as American national security regulations did not protect it from government surveillance.
Facebook is an online behemoth, boasting 2.5 billion monthly active users. That’s 32% of the world population. As a global network, Facebook routinely makes transatlantic data transfers, and had been doing so under the Privacy Shield framework.
On the day of the decision, Schrems hailed it in a Tweet as a “100% win – for privacy.” “The US will have to engage in serious surveillance reform to get back to a “privileged” status for US companies.”
This is not the first legal victory for Schrems, who previously won a case against Facebook in 2015, alleging that the social media giant had allowed the US government to access his data. The CJEU ruled that Safe Harbor, the data transfer mechanism used at the time, was not compliant with EU data protection law and thus invalid, which gave birth to its replacement, the Privacy Shield.
The Old and the New
The differences between the old Safe Harbor and the new Privacy Shield frameworks, however, were not as far-reaching as Schrems had perhaps desired. While the new framework did close some key loopholes, such as making companies liable for onward data transfers and requiring organizations to provide recourse mechanisms and accept binding arbitration, it still allowed companies to self-certify their compliance with its privacy principles.
Max Schrems’ interest in data privacy was sparked during a semester abroad in Silicon Valley in 2011, when a Facebook lawyer gave a guest lecture to his class. Schrems subsequently requested that Facebook divulge what data it held on him, receiving a 1,200-page document in reply. In August of that year, he filed the first of many complaints against Facebook with the Irish Data Protection Commissioner.
Over 5,000 US companies had been relying on the Privacy Shield. After the CJEU decision, the European Data Protection Board announced that “Transfers on the basis of this legal framework are illegal.” With no grace period to transition away from the Privacy Shield framework, it is now up to companies to find alternative transfer mechanisms and to determine for themselves whether they can guarantee protection of users’ data from US government surveillance.