Facebook and thousands of other companies that move personal data across the Atlantic face a major headache after the EU’s top court ruled that a key data-sharing mechanism was invalid.
The European Court of Justice said that the EU-US Privacy Shield failed to protect privacy and data protection rules. The landmark ruling will have substantial ramifications for thousands of companies currently sharing data with the US.
The ruling handed down by the highest court of EU law is complex, but those who brought the case will hope this victory forces the European Commission to introduce more safeguards to protect European data when it is handled and processed by American companies. As part of the same ruling, the Court also decided that another data transfer mechanism, Standard Contractual Clauses, or SCCs, remains valid.
Max Schrems, an Austrian lawyer and privacy rights advocate, has been leading a crusade against Facebook in the courts since 2011, which gained momentum following the Edward Snowden revelations. Responding to the ruling on Twitter, Schrems said it was a “100% win” for privacy.
“The US will have to engage in serious surveillance reform to get back to a ‘privileged’ status for US companies,” he added. How that plays out remains to be seen, but in the short term it creates substantial uncertainty for companies that previously relied on the Privacy Shield mechanism to move data across the Atlantic.
To understand what this morning’s ruling means for privacy rights, you need to go back to the beginning of Schrems’ battle with Facebook in 2013. Under the Charter of Fundamental Rights of the European Union, every citizen in the EU has a right to have their data processed fairly, with their consent, and for specified purposes. Yet, if an American company sends an EU citizen’s data back to the US, there is a risk that the US National Security Agency (NSA) will get access to that data.
Former NSA contractor Snowden revealed that the PRISM programme gave the NSA access to data from major tech firms such as Facebook, Apple, Google, and Microsoft among others. Schrems was therefore arguing that Facebook was aiding the NSA in conducting mass surveillance of EU citizens.
Schrems complained to the Irish Data Protection Commission as Facebook’s European headquarters is based there. After his initial complaint was rejected, Schrems took his case to the country’s High Court – which referred it on to the European Court of Justice (ECJ). This resulted in the demolishing of Safe Harbour, a 15-year-old agreement which governed data transfers between the EU and the US. It was found that the agreement was unable to guarantee adequate safeguards for the protection of EU citizens’ data, therefore Safe Harbour was invalidated in late 2015.
After Safe Harbour’s abrogation, US firms switched to a different, EU-approved template to transfer EU data to company servers in the US, known as standard contractual clauses, or SCCs. “SCCs were the main route to transferring data once there were questions about the Safe Harbour regime,” says Lorna Woods, a law professor at the University of Essex. Those SCCs, the ECJ has ruled, are still valid.
A new data transfer agreement replacing Safe Harbour – called the EU-US Privacy Shield – was created in 2016 between the EU and US. The Privacy Shield restricts the US government from accessing EU citizens’ data, adds provisions for EU citizens to refer complaints to a regulator, and requires that companies who wish to transfer data to a third party must ensure that the third party also follows the Privacy Shield principles.
As Facebook and other companies began using SCCs to transfer data to the US, Schrems submitted a new complaint to the Irish Data Protection Commissioner, this time challenging Facebook’s use of SCCs to transfer data. Once again, it was referred to the Irish High Court and then up to the ECJ. While the Privacy Shield wasn’t part of Schrems’ initial complaint, the Irish Court’s request pulled the Privacy Shield into the case as well.
So, what happens now that the Privacy Shield has been ruled invalid? Well, it’s not a catastrophe for the firms who rely on it, as they can switch to SCCs. Woods says that if the ECJ takes issue with how SCCs and the Privacy Shield operate, then questions will be moved to the data controller – Facebook, for example – and what controls Facebook has over that data once it’s somewhere else. “Can it ensure that it’s not accessed by third parties?” asks Woods. “That is where the fight will go.”
Alex Lee is a writer for WIRED. He tweets from @1AlexL