EU Court decision that US does not meet data privacy standards could challenge data deregulation through trade deals

July 20, 2020: The Court of Justice of the European Union ruled on July 16 that EU data agencies must suspend data transfers to any country where the EU standards for data privacy cannot be met. It ruled that one particular arrangement, the US Privacy Shield, failed to meet the standards, and this has a direct impact on Facebook.

The ruling also may also have implications for digital trade chapters in trade agreements like the Australia-Singapore Digital Economy Agreement and current WTO negotiations, which propose deregulation of data flows across borders without adequate privacy safeguards. See AFTINET’s submission on these issues here.

Austrian privacy activist Max Schrems had bought a case that European data was not protected from surveillance by US security agencies, based on the 2013 revelations of Edward Snowden of National Security Agency collection of European communications data.

The decision will have “direct, meaningful impacts on the ability of firms established in the EU to conduct business globally, and a particular impact on the largest commercial relationship in the world,” the Information Technology Industry Council’s senior manager of policy, Alexa Lee, wrote in a blog post ahead of the verdict.

The decision is a direct challenge to current surveillance programs of US security agencies.

Following the ruling, Schrems said he was "very happy" with the judgment. "It is clear that the US will have to seriously change their surveillance laws, if US companies want to continue to play a major role on the EU market,” he said.

The ruling was cheered by privacy campaigners across Europe, with Estelle Massé, privacy lead at digital rights NGO Access Now, saying in a statement that the European Commission had been "irresponsible" to adopt the US Privacy Shield in the first place.

The Access Now statement added: “For companies relying on the Privacy Shield to transfer data, other mechanisms allowing for data to move from the EU to the US exist and can be used, such as the Standards Contractual Clauses or Binding Corporate Rules. While not perfect, they do offer greater protection for users and stronger oversight than the Privacy Shield. The Court upheld the validity of the clauses today, although the European Commission will need to reform them to incorporate more safeguards. These include:

  1. The US must adopt a comprehensive privacy and data protection framework that puts users at the center and provides meaningful avenues for redress and oversight;
  2. Non-US persons, including Europeans, must be granted greater right to redress in case of rights violations due to unlawful data processing in the US or by US authorities; and
  3. The US must significantly reform its surveillance practices and take actions to protect the human rights of all people, no matter where they are from.