The European Union’s top court on Thursday found that a key framework used to transfer user data by technology giants to the US was invalid, ruling that it does not provide adequate privacy protection to EU citizens.
The European Court of Justice nevertheless partially sided with Facebook (FB) by ruling in favour of key contracts used to transfer the data of the bloc’s citizens to other countries, even as it opened up the social media giant to further challenges and called into question their use for transfers to the US.
The invalidation of the framework, known as the Privacy Shield, is a blow for the EU, which had hoped that it would afford EU citizens the protections outlined within the bloc’s charter of fundamental rights while still allowing data transfers to firms in the US.
The core of the issue was on the contradiction between US law, which requires social media firms to hand over user data to national security agencies, and both the charter and the GDPR regulation, which give every EU citizen substantial data privacy rights.
The European Court of Justice found that contracts known as standard contractual clauses — which are far more routinely used for data transfers than the Privacy Shield — were valid, however.
But the court also outlined ways in which specific clauses could be struck down, ruling that such clauses are legal only if the data protections they promise can be assured under the laws of the countries where the data of EU citizens is sent.
“Everyone is focusing on Facebook as a familiar household name, but in reality, this is a massive strengthening of the EU’s regulatory power in order to enforce its human rights-based vision of data processing,” Simon McGarr, one of Europe’s top data protection experts, told Yahoo Finance.
Mass surveillance in the US
Referencing mass surveillance programmes in the US, the court said that US law was “not circumscribed in a way that satisfies requirements that are essentially equivalent to those required under EU law,” raising serious doubts about whether standard contractual clauses can be used for transfers to the country.
The validity of the clauses, the court said, depends on whether there are “effective mechanisms” that make it possible to ensure compliance with the protections required by EU law.
The court said that technology firms had an “obligation” to verify, prior to any data transfer to a country outside the bloc, that the data would be afforded the same level of protection as within the EU.
"They've created an entire system around standard contractual clauses which has to be relied upon,” said McGarr.
“It’s now incumbent on both the company sending the data and the company receiving the data, and EU data regulators, to do their own examination of the enforceability of those contracts under local laws of every single receiving country,” he said.
The case began as a complaint to Ireland’s Data Protection Commission against Facebook by Austrian privacy activist Max Schrems, and was referred to the bloc’s top court by the Irish High Court.
“The court’s decisions relating to US protections are clearer than any other third-party country, in that it has made it extremely difficult to see how the Data Protection Commission can avoid making a decision that would lead to a halting of data transfers to the US,” said McGarr.
Facebook said in a statement that it was “carefully considering the findings and implications of the decision.”
“We will ensure that our advertisers, customers and partners can continue to enjoy Facebook services while keeping their data safe and secure,” said Eva Nagle, an associate general counsel at the company.
In a statement, Schrems said he was “very happy” with the judgement, calling it a “total blow” to Facebook and the Irish Data Protection Commission.
“It is clear that the US will have to seriously change their surveillance laws if US companies want to continue to play a major role on the EU market,” he said.
As part of a previous case taken by Schrems, the court in 2015 struck down the Privacy Shield’s predecessor agreement, known as Safe Harbour, for similar reasons.