Uncertain Future for EU-US Data Transfer as ECJ Voids ‘Privacy Shield’ Agreement

The European Court of Justice (ECJ) has effectively ended the current existing Privacy Shield agreement for data sharing between the European Union and United States due to the fact that it does not adequately protect the private data of European citizens.

This decision is bound to effect the way that companies operate in the EU and comes at the end of a long and hard fought legal battle. This battle stared in 2013 when privacy activist Max Schrems lodged a complaint with the Irish Data Protection Commission (DPC).  This complaint was linked to disclosures regarding secretive US surveillance agency programmes that access user data from a range of huge US social media and internet firms. In particular, Schrems and his data privacy lobby group noyb were critical of the manner that Facebook carried out data transfers.

Schrems made claims that, due to the Edward Snowden revelations, US legislation did not permit adequate security against surveillance by public authorities. This complaint was made chiefly against Facebook. A ruling was issued tt the agreement between the EU and US for data sharing, then referred to as the Safe Harbour Agreement was no longer in place. Due to this companies began to use Standard Contractual Clauses (SCCs) so they could go on continue sharing data between the two markets while a new agreement, known as Privacy Shield, was devised.

This new decision basically means that Privacy Shield has been invalidated and there are new compliance rule for the use of SCC transfers to all countries external of the EU. Basically in order to do so companies receiving data in the external jurisdictions will be obligated to carry out an independent review to ascertain if the destination country has adequate laws for the the contract clauses to be enforced.

Along with this all data protection bodies for EU member states will be charged with overseeing these transfers and will be expected to stop transfer flows if they are being sent to a country where the data protection legislation has been deemed inadequate or problematic.

The ECJ published a statement saying: “Regarding the level of protection required in respect of such a transfer, the Court holds that the requirements laid down for such purposes by the GDPR (General Data Protection Regulation) concerning appropriate safeguards, enforceable rights and effective legal remedies must be interpreted as meaning that data subjects whose personal data are transferred to a third country pursuant to standard data protection clauses must be afforded a level of protection essentially equivalent to that guaranteed within the EU by the GDPR.”

It continued: “In those circumstances, the Court specifies that the assessment of that level of protection must take into consideration both the contractual clauses agreed between the data exporter established in the EU and the recipient of the transfer established in the third country concerned and, as regards any access by the public authorities of that third country to the data transferred, the relevant aspects of the legal system of that third country.”