The EU Court of Justice has struck down the so-called Privacy Shield data protection arrangements between the political bloc and the US, triggering a fresh wave of legal confusion over the transfer of EU subjects' data to America.
Austrian privacy activist Max Schrems brought the latest edition of the long-running case (informally known as Schrems II) in 2015, complaining that Ireland's data protection agency wasn't preventing Facebook Ireland Ltd (as EU representative of the Zuckerberg empire) from beaming his data to the US.
Once his data was in the US, Schrems argued, no EU-style data privacy controls were legally enforceable by him or anyone else in that situation. America's plethora of three-letter spy agencies could then help themselves to it in various legal and not-so-legal ways, at least under EU rules.
Today the EU Court of Justice ruled that the now-dead Privacy Shield arrangement – itself a replacement of Safe Harbor – "does not grant data subjects actionable rights before the courts against the US authorities," meaning EU citizens could not challenge a breach of the arrangement by a company in the US handling EU personal data.
The court said that Section 702 of the US Foreign Intelligence Surveillance Act (explained here by the Electronic Frontier Foundation), when read together with a US presidential order and a policy directive on data collection by spies, failed to meet EU data protection requirements.
And we're back with the third review of Privacy Shield: Meh, sighs the European CommissionREAD MORE
In doing so, the court ruled against the EU Commission, which only last year said Privacy Shield was working OK.
In effect, the EU court said American spies had too much free rein to harvest EU citizens' data from US companies. Promises to appoint an ombudsman to oversee EU-compliant data protection rules in the States were no good for the EU, ruled its judges, because the ombudsman would have been appointed directly by the US foreign secretary – and had no power to order his country's spies to stop handling EU citizens' data.
The Software Alliance told The Reg it was "pleased that today’s decision by the European Court of Justice (ECJ) upheld Standard Contractual Clauses, consistent with BSA’s amicus brief and arguments submitted to the Court," but "disappointed that the ECJ invalidated the EU-US Privacy Shield."
US Secretary of Commerce Wilbur Ross also said the Department of Commerce was "deeply disappointed that the court appears to have invalidated the European Commission’s adequacy decision underlying the EU-U.S. Privacy Shield."
He added his department hoped to "limit the negative consequences to the $7.1 trillion transatlantic economic relationship that is so vital to our respective citizens, companies, and governments."
Not an immediate screeching halt
The practical effects of the ruling are likely to be limited as data-related "standard contractual clauses" (SCCs, added by firms to contracts governing all EEA-UK data flows), something else Schrems complained about, were not struck down or ruled invalid.
At a press conference late this morning, commission vice-president Vera Jourová, who has responsibility for values and transparency, reassured businesses:
The Court of Justice declared the Privacy Shield decision invalid, but also confirmed that the standard contractual clauses remain a valid tool for the transfer of personal data to processors established in third countries.
This means that the transatlantic data flows can continue, based on the broad toolbox for international transfers provided by the GDPR, for instance binding corporate rules or Standard Contractual Clauses.
"It is clear that the US will have to seriously change their surveillance laws, if US companies want to continue to play a role in the EU market," said Schrems this morning.
GDP-arrrrrrgggghhh! A no-deal Brexit: So what are you going to do with all that lovely data?READ MORE
The US IT and Innovation Foundation (ITIF), meanwhile, complained the ruling was "irresponsible" and would treat the US with a "double standard".
"In the midst of a global pandemic during which global data flows are more vital than ever, [the ruling] puts all global data transfers from the EU at risk and wreaks havoc on the digital economy," said ITIF's Eline Chivot. "It will immediately upend, and in many cases even halt, data transfers between the EU and the United States, leaving many businesses with no suitable alternative."
While it was not immediately clear whether any businesses had stopped moving personal data across the Atlantic after this morning's judgment, Chivot made the point that US laws on government access to personal data were not "unique", seemingly calling on the EU to reject other countries' data access laws in the same way.
Declaring existing mechanisms for holding the US government to account for data abuses not good enough, the EU court ruled that "the very existence of effective judicial review designed to ensure compliance with provisions of EU law is inherent in the existence of the rule of law," adding:
Data subjects may find that the administrative and judicial authorities of the Member States have insufficient powers and means to take effective action in relation to data subjects' complaints based on allegedly unlawful processing, in that third country, of their data thus transferred, which is capable of compelling them to resort to the national authorities and courts of that third country.
The judgment is published (PDF, 63 pages) on the EU Court of Justice website. ®