EU throws out US data sharing deal over surveillance fears

In its ruling it said that “in respect of certain surveillance programmes”, EU citizens are not given “actionable rights before the courts against US authorities”. US citizens, on the other hand, are given protections. 

It also said EU data protection authorities needed to take firmer action when they received complaints over data transfers. 

Mr Schrems said: “I am very happy about the judgment. At first sight it seems the Court has followed us in all aspects.

“This is a total blow to the Irish DPC and Facebook. It is clear that the US will have to seriously change their surveillance laws, if US companies want to continue to play a role on the EU market.”

Facebook said it was “carefully considering” the ruling.

Eva Nagle, associate general counsel at Facebook, said: “We will ensure that our advertisers, customers and partners can continue to enjoy Facebook services while keeping their data safe and secure. We look forward to regulatory guidance in this regard.”

Microsoft, meanwhile, said it had  previously “provided customers with overlapping protections under both the standard contractual clauses and privacy shield frameworks for data transfers”.

“Although today’s ruling invalidated the use of Privacy Shield moving forward, the SCCs remain valid. Our commercial customers are already protected under SCCs.”

The ruling does not mean all data transfers outside the EU will stop, as the court decided so-called “standard contractual clauses” will still be valid, which is another legal mechanism that can be used by companies.

The ECJ decision does, however, mean the US and EU will need to renegotiate their data privacy deal, and it is also likely to complicate UK-EU negotiations over a treaty that would allow continued data transfers between the UK and EU after the end of the Brexit transition period on December 31.

It will reinforce the European Commission negotiators’ focus on guarantees and protections around the work of security services in talks over the data adequacy agreement.

“This judgment sets a high bar for an adequacy decision, especially when private sector data is processed for national security purposes,” said Steve Peers, Professor of EU law at the University of Essex.

Heather Burns, a fellow at policy group Coadec, agreed that the move was a “shot across the bow” for the UK, which is in the process of looking at how it will share data with the EU after Brexit. 

Boris Johnson in February said the UK was planning to set up sovereign controls over its data and could diverge away from EU rules.

Ms Burns said: “The Government needs to wake up and listen to the implications of this ruling today. It’s a clear legal precedence which says, if you have a system which allows you to work to European protection standards and all that data still flows to a surveillance apparatus, that is a blocker to adequacy.”

British and EU negotiators are holding talks in Brussels today before a full round of trade negotiations next week in London.  

Brussels has called for a “a high level of personal data protection” which “fully respects the Union’s personal data protection rules” in the negotiations over the future relationship. 

Source Article