EU court strikes down key data-sharing mechanism between Europe and the U.S.

Facebook CEO Mark Zuckerberg
Facebook CEO Mark Zuckerberg speaks to the European Parliament on data privacy in 2018.
(AFP/Getty Images)

The EU’s top court has ruled that a transatlantic agreement used by thousands of companies to transfer data between the EU and U.S. does not protect the privacy of European citizens.

In a statement Thursday, judges at the European Court of Justice in Luxembourg said that the Privacy Shield agreement did not limit access to data by U.S. authorities “in a way that satisfies requirements that are essentially equivalent to those required under EU law.”

The impact of the ruling was not immediately clear. While thousands of corporations, including tech companies, banks, law firms and carmakers, rely on Privacy Shield to move data easily between the two regions, the court said they might continue to do so under so-called standard contractual clauses, or SCCs, which are essentially individual legal agreements covering how data will be treated.

Companies will now have to carefully analyze whether their SCCs are sufficient to ensure that data in the U.S. are treated in line with Europe’s General Data Protection Regulation.

“The [court] has made it clear companies cannot justify them using a ‘tick box’ exercise of putting SCCs in place. Instead, the risks associated with those transfers need to be properly assessed,” said Tanguy Van Overstraeten, partner and global head of privacy and data protection at Linklaters.


Google has been fined about $57 million by French regulators for violating Europe’s tough new data-privacy rules.

He added that European data regulators might now be encouraged to be more proactive, since the court said they were obliged to suspend or ban data transfers if EU companies failed to show they were complying with the GDPR.

“This does not just affect data transfers to the U.S.,” he said. “Other jurisdictions, such as India or China, also have strong state surveillance powers, so transfers to those jurisdictions may also need careful examination.”

The court ruling came after the Austrian privacy campaigner Max Schrems filed a complaint against Facebook, arguing that his privacy was violated once the company transferred his data to the U.S., where it could be explored by U.S. intelligence agencies.

Privacy Shield was the successor of the Safe Harbor agreement, which was also dismantled by European judges in 2015 following a case by Schrems. On Thursday he called for the U.S. to “seriously change their surveillance laws if U.S. companies want to continue to play a major role in the EU market”.

Laws are very different when governments consider something a right and not a privilege.

Schrems suggested that the judgment would stop Facebook from transferring data to the U.S. because its platforms were used for surveillance by U.S. intelligence. “The judgment makes it clear that companies cannot just sign the SCCs, but also have to check if they can be complied with in practice,” he said.

Eva Nagle, associate general counsel at Facebook, said the company welcomed the court’s decision to confirm the validity of SCCs for data transfers outside the EU.

“Like many businesses, we are carefully considering the findings and implications of the decision of the [European] Court of Justice in relation to the use of Privacy Shield and we look forward to regulatory guidance in this regard,” she said. “We will ensure that our advertisers, customers and partners can continue to enjoy Facebook services while keeping their data safe and secure.”

Other tech companies rushed to reassure clients that data transfers were still possible between the EU and the U.S.

Popular dating apps share users’ information — including sexual orientation — with ad-tech firms, a report says. That raises questions about how they’re tackling California’s new privacy law.

Julie Brill, chief privacy officer at Microsoft, said: “The court’s ruling does not change your ability to transfer data today between the EU and U.S. using the Microsoft cloud.

“Although today’s ruling invalidated the use of Privacy Shield moving forward, the SCCs remain valid.”

Thomas Boue, director-general of Europe, Middle East and Africa policy at the Business Software Alliance, which represents companies including Microsoft, Oracle and IBM, said: “We are relieved that SCCs remain valid, which is a positive outcome. But today’s Privacy Shield decision just removed from the table one of the few, and most trusted, ways to transfer data across the Atlantic.”

In response to the judgment, Brussels said it would accelerate its work on the modernization of the SCCs to ensure that the mechanisms could handle the vast flows of private data outside the EU.

A European Union court has ruled in favor of technology giant Apple and Ireland in the company’s dispute with the EU over $15 billion in back taxes.

Vera Jourova, EU executive vice president in charge of values and transparency, said the commission would also continue to push the U.S. administration to accelerate work on an American federal privacy law.

“We have never hidden that we want to see more convergence when it comes to the framework for data protection [in the U.S.],” said Jourova. “We would like to see on the American side a federal law that would be equivalent or similar to the General Data Protection Regulation.”

© The Financial Times Ltd. 2020. All rights reserved. FT and Financial Times are trademarks of the Financial Times Ltd. Not to be redistributed, copied or modified in any way.