Brussels/Washington – Today, in a landmark decision, the Court of Justice of the European Union struck down the EU-US Privacy Shield as it fails to protect people’s rights to privacy, data protection and access to remedy.
The decision comes as part of the ruling on the “Schrems II” case, which deals with larger EU-US data transfer questions, and led to the invalidation of this deal under which companies can self-certify to move data from the EU to the US.
Since the adoption of the Privacy Shield in 2016, Access Now has repeatedly called for the suspension of this deal due to its failures. Each year since, we have provided extensive comments to the European Commission on the annual review of the functioning of the deal. We have repeatedly highlighted legal and policy developments that called into question the validity of the arrangement, including enhanced US surveillance that shows disregard for human rights globally.
“It was irresponsible for the European Commission to adopt the Privacy Shield both from a legal and political perspective. From the get-go, the Commission ignored the legal opinion of data protection experts and civil society, who urged against this deal’s adoption. Time and time again, we reiterated that not suspending the deal was a big mistake, not only because it endangered people’s rights, but because it also created legal uncertainties for companies,” said Estelle Massé, Senior Policy Analyst at Access Now. “We hope that, this time, the European Commission draws the necessary conclusions from the ruling and works on all the necessary reforms.”
“U.S. privacy laws are weak and surveillance laws are broad, which has led to today’s decision where the Court has no other option but to suspend the Privacy Shield to protect people’s rights,” said Eric Null, U.S. Policy Manager at Access Now. “Unless the U.S. passes meaningful, strong, and comprehensive privacy legislation and curtails the government’s surveillance authorities, we’ll just be here again in a few years.”
The Privacy Shield was adopted following the invalidation of its predecessor, the EU-US Safe Harbour, by the CJEU in 2015 for the same failures. Both cases were brought to Court by privacy activist Max Schrems as the European Commission and the Irish Data Protection Commission failed to act.
What happens now that the Privacy Shield has been struck down?
Striking down the Privacy Shield puts an end to a broken framework that is ill-suited to protect people’s rights to privacy and data protection. That does not mean, however, that the internet will come to a standstill, or that data will no longer flow.
For companies relying on the Privacy Shield to transfer data, other mechanisms allowing for data to move from the EU to the US exist and can be used, such as the Standard Contractual Clauses or Binding Corporate Rules. While not perfect, they do offer greater protection for users and stronger oversight than the Privacy Shield. The Court upheld the validity of the clauses today, although the European Commission will need to reform them to incorporate more safeguards.
What would be the ideal replacement?
Now that the Privacy Shield has been nullified, the EU could start re-negotiating a new framework with the US.
For the US to be granted a long-term adequacy status that ensures the protection of human rights, we recommend the following legislative changes at minimum:
- The US must adopt a comprehensive privacy and data protection framework that puts users at the center and provides meaningful avenues for redress and oversight;
- Non-US persons, including Europeans, must be granted a greater right to redress in case of rights violations due to unlawful data processing in the US or by US authorities; and
- The US must significantly reform its surveillance practices and take actions to protect the human rights of all people, no matter where they are from.