Europe's top court on Thursday struck down a data privacy pact that had allowed companies to transfer private user data between servers in Europe
Europe’s top court on Thursday struck down a data privacy pact that had allowed companies to transfer private user data between servers in Europe and the United States. However, EU citizens’ data can still be sent to the US and other countries under a separate, existing mechanism.
In a case brought against internet giant Facebook, the European Court of Justice in Luxembourg ruled that the data transfer agreement “Privacy Shield” failed to adequately protect Europeans’ data against US surveillance and security law and was therefore invalid.
Privacy Shield was the successor to an earlier data transfer pact struck down by the EU court after Edward Snowden revealed the practice of mass digital spying by US agencies.
Data transfers out of the EU will be allowed to continue under another legal mechanism called contractual clauses, an EU invention in which companies outside Europe commit to EU data and privacy laws.
Such transfers are now likely to come under greater scrutiny and the EU and US may work towards a new arrangement that guarantees privacy protection for European internet users in the US.
Victory for privacy activist
Plaintiff Maximilian Schrems welcomed the ruling.
“It seems we scored a 100% win,” Schrems wrote on Twitter following the verdict.
The Austrian privacy activist was also responsible for bringing about the end of Privacy Shield’s predecessor “Safe Harbour” following the Snowden revelations.
In the latest case, Schrems had argued that it was unlawful for his data, compiled by Facebook Ireland, to be transferred to the company’s US branch without his permission.
Because American intelligence agencies can access EU Facebook users’ private data, it meant that EU citizens’ data are not sufficiently protected. There is also no means to appeal this transfer, he said.
The Irish Data Protection Commissioner filed a case before the High Court of Ireland, who referred it to the European Court of Justice.
Existing pact catches court’s interest
The case had originally focused on contractual clauses before judges took an interest in Privacy Shield.
The deal currently lays out data transfer policy for over 5,000 US companies.
Privacy shield supporters had argued that while the deal is used by tech powerhouses, it also allows smaller US companies to provide services in Europe.