European justice has overturned the primary legal mechanism that thousands of companies use to send data from the European Union to the United States.
In a judgment handed down on Thursday, the Court of Justice of the EU (CJEU) questioned the security that this data transfer mechanism, known as the privacy shield, offers European citizens.
The Luxembourg court warns in particular that the regulations do not limit some of the US administration's surveillance programs, so that “there are no guarantees for non-nationals” of the United States who may be subject to control.
Thousands of companies use this mechanism to transfer data from the EU to the United States: not only technology companies but also service, finance, or consulting companies.
“Justice has just made a brutal cut between the US and the EU, a cut that affects the entire digital economy,” says Natalia Martos, founder and CEO of the Legal Army law firm.
This does not mean that the companies that require these transfers have to stop operating immediately.
The court has not objected to transfers based on the so-called standard contractual clauses (SCC) derived from the general European data protection regulation.
These clauses constitute a safeguard that, in principle, is still in force and that the largest companies will have in place. Those that do not have them signed will have to stop operating immediately.
The ruling stems from the battle waged by Austrian activist Maximilian Schrems against Facebook.
The European Center for Digital Rights (ECDR), Noyb, the institution he chairs, clarifies that the victory achieved by Schrems does not mean that firms cannot transfer their data abroad.
“The data transfer can be based on the informed consent of the user, which can be revoked at any time. The European regulation also allows the data transfers that are necessary to fulfil a contract.
This is a solid foundation for most legal transactions with the United States,” says Anna Nichols, a Noyb attorney.
Schrems himself affirmed that the United States would have to make reforms to return to the privileged status conferred by that shield. “The court explicitly stressed that invalidation of the privacy shield will not create a loophole, as crucial data streams can still take place.
The United States now simply returns to the situation of a normal country without special access to EU data,” he said in a statement.
The technology companies' lobby in Brussels, on the other hand, regretted the decision, considering that it creates “legal uncertainty for thousands of companies” that rely on the privacy shield.
“We are confident that lawmakers will quickly develop a sustainable solution, in line with EU law, to ensure the continuity of data flows that underpin the transatlantic economy,” it said.
The scope of the ruling is not clear. Martos questions the SCC clauses because, although the court does not rule on them, they require that the state receiving the data be treated as a safe country.
“Since the Court has already said that the United States is not, it will be difficult for these clauses to continue to be maintained. But all North American companies will try to use them, or the digital economy between the US and the EU will collapse.”
“The most directly affected are the thousands of US technology companies that have invested heavily in their data privacy compliance programs under the privacy shield, both to demonstrate that they are ‘best in class’ as well as to be certain about the legal positions of their businesses,” says Raúl Rubio, a technology partner at Baker McKenzie.
The EU Court has resolved the case launched by Austrian Maximilian Schrems against Facebook. The activist waged a legal war against the American giant, objecting to the Irish subsidiary of Facebook transferring his data to its North American servers, where they are processed, and alleging that the practices of the United States do not offer sufficient protection to European citizens.
European justice sides with him and invalidates the so-called privacy shield. This is a mechanism established in 2016 to protect the personal data of Europeans sent to the other side of the Atlantic for commercial use, after the courts rejected the formula that preceded it, the so-called safe harbour.
The privacy shield allows personal data to be transferred from one EU company to another in the United States only if that company processes (i.e., subsequently uses, stores, and transfers) the personal data in accordance with a set of well-defined protection rules and safeguards. The protection conferred on personal data applies regardless of whether you are a citizen of the European Union.
The court believes, however, that these safeguards are not sufficient. European justice points out that, as was the case with the previous mechanism, there is a risk of “interference with the fundamental rights of individuals” whose data is transferred because of “the primacy of the requirements regarding national security, the public interest and compliance with US law.”
On the other hand, the court does validate transfers based on standard clauses derived from the general European data protection regulation.
The court also considers that the limitations to data protection “are not regulated according to the requirements” that could be expected to be equivalent to community law.
And finally, it addresses the question of specific surveillance programs in the United States by which citizens of another country could be “potentially targeted”.
“Although the same regulation establishes requirements that the US authorities must respect when applying for the surveillance programs in question, it does not confer on interested parties enforceable rights to the US authorities before the courts,” adds EU justice.
For all these reasons, the CJEU decides to declare the privacy shield decision “invalid.”