EU court of justice strikes down data-sharing pact with US over snooping fears

The Canary

The Court of Justice of the European Union (CJEU) has ruled an agreement that allows big tech companies to transfer data to the United States is invalid.

It said national regulators need to take tougher action to protect the privacy of users’ data.

The ruling to invalidate Privacy Shield will complicate the transfer of a lot of data outside the EU and it could require regulators to vet any new transfers due to concerns the US government can snoop on people’s data for national security reasons.

Facebook advertising campaign
Companies such as Facebook routinely move data between servers around the world (Dominic Lipinski/PA)

It will no longer simply be assumed that tech companies such as Facebook will adequately protect the privacy of its European users’ data when it sends it to the US.

Rather, the EU and US will likely have to find a new agreement that guarantees that Europeans’ data is afforded the same privacy protection in the US as it is in the EU, which has some of the toughest standards in the world.

The case began after former US National Security Agency (NSA) contractor Edward Snowden revealed in 2013 that the US government, along with the UK government, was snooping on people’s online data and communications.

The revelations included detail on how Facebook gave US security agencies access to the personal data of Europeans.

Austrian activist and law student Max Schrems that year filed a complaint against Facebook, which has its EU base in Ireland, arguing personal data should not be sent to the US, as many companies do, because the data protection is not as strong as in Europe.

Though the legal case was triggered by concerns over Facebook in particular, it could have far-reaching implications for all tech companies that move large amounts of data over the internet if regulators find that US privacy protections are insufficient and block the transfers.

Things like email, flight and hotel reservations would not be affected.

Schrems said the ruling amounted to a victory for privacy.

“The US will have to engage in serious surveillance reform to get back to a ‘privileged’ status for US companies,” he wrote on Twitter.

Alexandre Roure, a senior manager at Computer & Communications Industry Association, said the decision “creates legal uncertainty for the thousands of large and small companies on both sides of the Atlantic that rely on Privacy Shield for their daily commercial data transfers”.

He added: “We trust that EU and US decision-makers will swiftly develop a sustainable solution, in line with EU law, to ensure the continuation of data flows which underpins the transatlantic economy.”

We need your help ...

The coronavirus pandemic is changing our world, fast. And we will do all we can to keep bringing you news and analysis throughout. But we are worried about maintaining enough income to pay our staff and minimal overheads.

Now, more than ever, we need a vibrant, independent media that holds the government to account and calls it out when it puts vested economic interests above human lives. We need a media that shows solidarity with the people most affected by the crisis – and one that can help to build a world based on collaboration and compassion.

We have been fighting against an establishment that is trying to shut us down. And like most independent media, we don’t have the deep pockets of investors to call on to bail us out.

Can you help by chipping in a few pounds each month?

The Canary Support us