On July 16, 2020, the European Union’s top court, the Court of Justice, struck down the trans-Atlantic data privacy transfer pact in a case called Schrems II. The agreement bewteen the US and EU known as the Privacy Shield, allows businesses to transfer data between the United States and European Union, even though U.S. privacy laws do not meet the higher level of data protection of EU law. Data transfer is essential for businesses that rely on the pact to operate their businesses across the Atlantic. For example, multi-national corporations routlinely obtain shipping consumer data from the EU for further use in the US. The Court of Justice ruled that the transfer of data leaves European citizens exposed to US government surveillance and did not comply with EU data privacy law. The Court explained: "although not requiring a third country to ensure a level of protection identical to that guaranteed in the EU legal order, the term ‘adequate level of protection’ must, as confirmed by recital 104 of that regulation, be understood as requiring the third country in fact to ensure, by reason of its domestic law or its international commitments, a level of protection of fundamental rights and freedoms that is essentially equivalent to that guaranteed within the European Union by virtue of the regulation, read in the light of the Charter."
Companies in the U.S. can work out privacy protections by contract, but such contracts also must comply with EU privacy standards. The Court explained: "the assessment of the level of protection afforded in the context of such a transfer must, in particular, take into consideration both the contractual clauses agreed between the controller or processor established in the European Union and the recipient of the transfer established in the third country concerned and, as regards any access by the public authorities of that third country to the personal data transferred, the relevant aspects of the legal system of that third country, in particular those set out, in a non-exhaustive manner, in Article 45(2) of that regulation."
Ars Technica explains the origins of Privacy Shield and the troubles that have long existed with the agreement. Prior to Privacy Shield being adopted, the agreement governing the sharing of consumer data across the Atlantic was called the Safe Harbor. In 2015, the Safe Harbor was invalidated after being challenged by Maximillian Schrems, an Austrian privacy advocate, because it conflicted with EU law. After the Safe Harbor was struck down by the Court of Justice, EU lawmakers and the US Department of Commerce negotiated the Privacy Shield, which went effect in 2016. But many in the EU questioned its validity and lawfulness.
In Schrems II, the Court of Justice agreed. According to Axios, Schrems complained that the clause in Facebook's data contract was insufficient to protect Europeans from US government surveillance. The Court agreed, ruling that once the data entered the US, it was impossible to adequately ensure the protection of the data. European citizens would have no redress in the US for violations of the EU standards of privacy. The Privacy Shield did not provide equivalent privacy protection.
So what happens next? EU and the US officials must negotiate a new data sharing agreement between the EU and the US that can be equivalent to the level of privacy protection in the EU. Tech companies like Google and Facebook have issued assurances that this decision will not affect their operations in Europe because the companies have alternative data-transfer contracts, according to Ars Technica. It remains to be seen whether a new transatlantic data sharing agreement can be reached in a way that comports with EU privacy law.
-written by Bisola Oni