From top: Facebook HQ, Dublin; Privacy activist Max Schrems outside the High Court, Dublin in 2015
The European Court of Justice has ruled that Privacy Shield, the EU-US data protection agreement, is invalid.
The case was referred to the European court by Ireland’s High Court.
It began as a 2015 complaint to the Irish Data Protection Commissioner, made by Austrian activist Max Schrems (see below).
The outcome could potentially have major implications for the way technology companies handle European citizens’ data.
It specifically relates to the personal data Facebook holds on its European users, which the company sends to its US-based data centres.
However, the ruling could impact any company that sends user data to the US or potentially any other country outside of the EU.
The Privacy Shield framework established between the EU and US was designed to allow data transfers between the two jurisdictions.
EU court rules EU-US data protection agreement invalid (RTE)
Privacy activist and party to the case Max Schrems says:
“I am very happy about the judgment. At first sight it seems the Court has followed us in all aspects.
This is a total blow to the Irish Data protection Commissioner (DPC) and Facebook. It is clear that the US will have to seriously change their surveillance laws, if US companies want to continue to play a role on the EU market.”
The Court clarified for a second time now that there is a clash of EU privacy law and US surveillance law. As the EU will not change its fundamental rights to please the NSA, the only way to overcome this clash is for the US to introduce solid privacy rights for all people – including foreigners.
Surveillance reform thereby becomes crucial for the business interests of Silicon Valley.
This judgment is not the cause of a limit to data transfers, but the consequence of US surveillance laws. You can’t blame the Court to say the unavoidable – when shit hits the fan, you can’t blame the fan.”
CJEU invalidates “Privacy Shield” in US Surveillance case (nypob.eu)