Europe's highest court today struck down the agreement by which companies operating in the EU are allowed to transfer data to the United States. The court ruled that the agreement leaves European customers' data too exposed to US government surveillance.
The agreement, known as Privacy Shield, has been in place since 2016, and more than 5,000 companies operate under its terms. Boiled down, the Court of Justice of the European Union (CJEU) basically ruled that US law is too weak to protect EU citizens' data to the extent EU law demands. As the court put it in a press release (PDF):
The limitations on the protection of personal data arising from the domestic law of the United States, on the access and use by US public authorities of such data transferred from the European Union… are not circumscribed in a way that satisfies requirements that are essentially equivalent to those required under EU law.
As a result of the case, US companies doing business in Europe or handling data from European clients will either have to negotiate new individual data-handling arrangements, called Standard Contract Clauses (SCC), with the EU or stop porting data from European operations into the US. The ruling applies to data that companies such as Facebook move around to US servers for internal reasons, but it does not affect "necessary" data transfers, such as take place when someone in Europe sends an email to a recipient in the US, books a flight or a hotel on a US website, or does something equally mundane.
Privacy Shield?
From 2000 to 2015, the agreement governing the sharing of EU customer data between Europe and the United States was called Safe Harbor. The CJEU invalidated Safe Harbor in 2015, following a legal challenge from Maximillian Schrems, a privacy advocate from Austria. In the wake of the Snowden revelations, Schrems alleged the Safe Harbor agreement (which permitted NSA access to EU citizens' personal data) stood in conflict with EU law. The court agreed and invalidated the Safe Harbor framework in October 2013.
EU lawmakers, together with the US Department of Commerce, rapidly pulled together the Privacy Shield framework after Safe Harbor was tossed, and the European Commission adopted it in 2016. The framework, however, faced deep skepticism before lawmakers even voted to adopt it. EU regulators warned before the deal was even formally signed that "Privacy Shield, as it stands, is not robust enough to withstand future legal scrutiny before the court."
Regulators also warned at the time that Privacy Shield might be in conflict with Europe's sweeping privacy law, the General Data Protection Regulation (GDPR). EU lawmakers adopted that law in 2016, and it has been in effect since 2018.
Schrems in 2016 joked to Ars that, although he wanted someone to file suit, he personally wasn't necessarily interested in being the one to do so. As it turns out, however, he did—the case on which the CJEU ruled today is commonly called Schrems II—and once again won.
"It is clear that the US will have to seriously change their surveillance laws, if US companies want to continue to play a major role on the EU market," Schrems said in a statement after the CJEU ruling. "This judgment is not the cause of a limit to data transfers, but the consequence of US surveillance laws."
Slow change
Major US tech companies were quick to deliver assurance that the ruling will not substantially change their operations in Europe for the time being, with many confirming they already use SCCs in addition to Privacy Shield agreements.
"If you are a commercial customer, you can continue to use Microsoft services in compliance with European law," Microsoft wrote in a Read More – Source
[contf] [contfnew]
arstechnica
[contfnewc] [contfnewc]