The highest court in Europe has struck down the EU-US Privacy Shield over concerns that the agreement leaves the data of European customers too exposed to US government surveillance.
The agreement, which has been in place since 2016, allows companies operating in the EU to transfer data back to the US and over 5,000 companies currently operate under its terms.
In a press release, the Court of Justice of the European Union (CJEU) explained why it came to the decision to strike down the Privacy Shield, saying:
“In the view of the Court, the limitations on the protection of personal data arising from the domestic law of the United States on the access and use by US public authorities of such data transferred from the European Union to that third country, which the Commission assessed in Decision 2016/1250, are not circumscribed in a way that satisfies requirements that are essentially equivalent to those required under EU law.”
Before Privacy Shield was put into effect, the Safe Harbor agreement governed how EU customer data was shared between Europe and the US. However, the CJEU invalidated Safe Harbor in 2015, just as it has now done with the agreement that replaced it, after a privacy advocate from Australia named Maximilian Schrems challenged it in court.
Now that CJEU has struck down the EU-US Privacy Shield, US companies operating in Europe or handling the data of European customers will either have to negotiate new individual sets of contractual terms and conditions called Standard Contract Clauses (SCC) with the EU or just stop moving data from European operations back to the US.
While the ruling applies to data that is moved to US servers for internal reasons, it does not affect “necessary” data transfers which occur when Europeans use online services located in the US.
US tech giants including Microsoft, Facebook and others responded to CJEU’s ruling by assuring their customers that their European operations would not be significantly changed as many already use SCCs. For instance, Microsoft’s Julie Brill explained in a blog post that commercial and public sector customers would not be affected by the fact that the Privacy Shield had been invalidated, saying:
“We want to be clear: if you are a commercial or public sector customer, you can continue to use Microsoft services in compliance with European law. The Court’s ruling does not change your ability to transfer data today between the EU and U.S. using the Microsoft cloud.”
Via Ars Technica