Tech companies like Facebook could be prevented from sending data back to the United States after the latest ruling in a long-standing European legal saga found that there were not enough protections against spying by intelligence services.
The decision of the Court of Justice of the European Union (CJEU) does not immediately put an end to these transfers, but obliges the data protection authorities (DPAs) of the different Member States to control the sending of any new data to ensure that the personal information of individuals remains protected in accordance with EU data protection laws (GDPR).
The complaint, which dates back to October 2014, was filed by Austrian privacy activist Max Schrems. He argued, following Snowden’s revelations, that the privacy of European citizens could not be guaranteed if their data was sent to the United States, given evidence of eavesdropping by the country's National Security Agency (NSA) and the fact that the American system only protected the rights of American citizens.
Schrems’ initial complaint led to the cancellation of the EU/US “safe harbor”, which governed the transfer of data between the two, and to the creation of a new treaty, the EU/US “privacy shield”. This latest decision also reversed this policy.
“At first glance, it looks like the court has followed us in all aspects,” Schrems said in a statement. “It is a blow to the Irish DPC [data protection commission] and Facebook. It is clear that the United States will have to make serious changes to its supervisory laws if American companies are to continue to play a role in the EU market.”
“The court is telling not only the Irish DPC to do its job after seven years of inaction, but also that the DPA has a duty to act and cannot just look away,” he added. “This is a fundamental change that goes far beyond EU-US data transfers. Authorities like the Irish DPC have so far undermined the success of the GDPR. The court clearly told the data protection authorities to go ahead and apply the law.”
The ruling is not a complete halt to data transfers between the EU and the United States, said Lisa Peets, partner at Covington, which represented the UK software industry in the case. The court confirmed the use of “standard contractual clauses” (SCCs) to transfer personal data between Europe and the United States, allowing companies to request specific user consent for the data to be exported.
“Data flows between Europe and the United States are an integral part of the European economy and the daily lives of millions of European consumers, and SCCs are the backbone of many of these data transfers,” said Peets. “With regard to the privacy shield, the European Commission will be very focused on finding a resolution and will work actively with the United States government to identify a way forward.”
With the end of the Brexit withdrawal agreement on the horizon, the decision also poses new problems for the United Kingdom in defining its future relations with the EU. Without a replacement for the privacy shield, the UK could be forced to choose between frictionless data transfers with the United States or the EU on December 31, warned Toni Vitale, partner and chief data protection officer at JMW Solicitors.
“After Brexit, the UK could be seen as having insufficient protection given the lack of judicial control over the security forces,” added Vitale, “and this could lead to a ban on data exports from the EU to the UK in the future.”