Skip to content


EU court rules EU-US data protection agreement invalid

The European Court of Justice has rejected a key EU tool used to transfer Europeans’ personal data across the Atlantic for commercial use.

However, it upheld the validity of another tool used by hundreds of thousands of companies to transfer data worldwide.

The court ruled that Privacy Shield, the EU-US data protection agreement, is invalid, while it considers Standard Contractual Clauses for the transfer of personal data to processors established in third countries to be valid.

The case centred on the agreements companies use to send personal data to non-EU countries, with the court deciding whether they properly protect individuals’ right to privacy.

Standard Contractual Clauses are used by many firms to transfer data to countries that do not come under the EU’s General Data Protection Regulation.

They are supposed to ensure European data has the same protections abroad as it does inside the EU.

However, questions have been raised about whether that is the case in certain countries, in particular the US, where technology companies are legally obliged to give surveillance services access to user data.

The case was referred to the European court by Ireland’s High Court.

It began as a 2015 complaint to the Irish Data Protection Commissioner, made by Austrian activist Max Schrems.

The outcome could potentially have major implications for the way technology companies handle European citizens’ data.

It specifically relates to the personal data Facebook holds on its European users, which the company sends to its US-based data centres.

However, the ruling could impact any company that sends user data to the US or potentially any other country outside of the EU.

The Privacy Shield framework established between the EU and US was designed to allow data transfers between the two jurisdictions.

It was created after a previous case involving Mr Schrems ended with another framework – Safe Harbour – being deemed invalid.

Max Schrems has today welcomed today’s decision by the European Union’s top court in his case against Facebook.

He said the legal basis for more then 5,000 US companies that use the EU-US Privacy Shield to import personal data to the US was found to violate EU laws. 

“It looks perfect,” he said in a spontanious reaction when the ruling hit headlines at his office in Vienna. 

“The CJEU has anulled the “Privacy Shield” decision by the European Commission that allowed EU companies to easily transfer (“outsource”) personal data to US providers in large quantities,” non-profit NOYB, which he chairs, said in a statement. 

“This decision is based on overreaching US surveillance laws that only protect “US persons” but not foreigners,” it said.

Article Source: Click Here