The EU‘s Court of Justice has struck down its Privacy Shield pact with the United States due to concerns about US surveillance.
In a statement on Thursday, EU judges said the data-sharing agreement doesn’t sufficiently protect the privacy of the bloc’s citizens.
“The limitations on the protection of personal data arising from the domestic law of the United States on the access and use by US public authorities… are not circumscribed in a way that satisfies requirements that are essentially equivalent to those required under EU law,” the court said in a statement.
#ECJ: the Decision on the adequacy of the protection provided by the EU-US Data Protection Shield is invalidated, but @EU_Commission Decision on standard contractual clauses for the transfer of personal data to processors established in third countries is valid #Facebook#Schremspic.twitter.com/BgxGAvuq3T
— EU Court of Justice (@EUCourtPress) July 16, 2020
The case stems from a complaint lodged by Austrian privacy activist Max Schrems about Facebook transferring his data to servers in the US. Schrems argued that Washington’s prioritization of digital surveillance over privacy contravened EU laws and rights.
In a statement, Schrems said he was “very happy about the judgment.”
“It is clear that the US will have to seriously change their surveillance laws, if US companies want to continue to play a major role on the EU market,” he added.
After a first read of the judgement on #PrivacyShield it seems we scored a 100% win – for our privacy
The US will have to engage in serious surveillance reform to get back to a "privileged" status for US companies.
— Max Schrems 🇪🇺🇦🇹 (@maxschrems) July 16, 2020
The decision will deal a significant blow to Facebook and the thousands of other companies that rely on the Privacy Shield to move data from the EU to the US. However, they will still be allowed to use another data transfer mechanism known as standard contractual clauses (SCC).
The judges ruled that SSCs remained a valid method of sending data to a country outside the bloc, so long as the country “ensures an adequate level of data protection.”