Another setback for the European Commission. After a ruling in favour of Apple the day before, the EU Court of Justice on Thursday 16 July invalidated the data protection shield put in place between the European Union and the United States, provoking a chorus of reactions (Case C-311/18) (see EUROPE 12526/18).
Data protection advocates called it a victory, while businesses spoke of a “blow to transatlantic trade”. The authorities reacted with restraint. While the European Commission has said that it has been considering improvements to this mechanism, better known as the ‘Privacy Shield’, for several months, the Americans have been more ambiguous, with US Secretary of Commerce Wilbur Ross going so far as to state that “the Commerce Department will continue to administer the Privacy Shield program”.
Standard contractual clauses and the Privacy Shield
This case dates back to 2013, when Max Schrems filed a complaint with Irish regulators demanding the interruption of the flow of data between Facebook’s European seat in Ireland and its parent company in California. The Austrian lawyer felt that his personal data, once in the United States, were less protected since they could be requested by intelligence agencies such as the NSA or the FBI. He obtained a first victory in 2015 with the cancellation of the predecessor of the ‘Privacy Shield’, the ‘Safe Harbour’.
This time, the Court was asked to rule on the validity of the standard contractual clauses established in 2010 by the Commission (Decision 2010/87) and used by Facebook to transfer data in its possession. However, while the Commission considered these clauses “valid” under the General Data Protection Regulation, provided that they are effectively implemented in the non-Member State, the same cannot be said for the ‘Privacy Shield’ transatlantic agreement (Decision 2016/1250).
Indeed, the judges in Luxembourg consider that the American surveillance programmes are not sufficiently restricted to meet the requirements of proportionality (no limitations or guarantees for non-US citizens). They add that the Privacy Shield does not confer to the concerned individuals rights enforceable against US authorities before the courts, nor does it provide them with an adequate means of redress. And they denounced the limits on the independence of the ombudsman provided for under the scheme and their ability to adopt binding decisions.
Discussion scheduled for 17 July
Reacting to the sledgehammer blow, Commissioner for Justice Didier Reynders said a video conference with the US Secretary of Commerce was to be held the next day. “There are different ways of adapting the situation, but I do not want to prejudge”, the Commissioner said, suggesting that the role and competences of the Ombudsman would necessarily be affected, given the clarity of the judgment in this regard.
Asked about the need for the Americans to review their supervisory regime, the Commissioner for Values and Transparency, Vera Jourova, acknowledged that she has never made a secret of her wish to see more regulatory convergence, in particular to ensure that the US federal data protection law “is equivalent or similar to the GDPR”. “Much has been done, but there is no magic wand: it is up to the Americans to act”, she said, eliding over the fact that the Commission had, on three occasions, given a positive assessment of the Privacy Shield (see EUROPE 12355/9).
For his part, Wilbur Ross denounced the difficulties that such a judgment posed for companies already weakened by the Covid-19 crisis. “It is essential that businesses, including the 5,300+ current participants in the data protection shield, are able to transfer data without interruption, consistent with the strong protections offered by the data protection shield”, he said.
A “100%” victory for data protection, according to Schrems
After Safe Harbour, Max Schrems - who claims to have submitted more than 45,000 pages of documents to the Court - has thus notched a second victory with the cancellation of the Privacy Shield. “It's a 100% victory”, the privacy advocate wrote on Twitter, adding that the standard contractual clauses did not allow unlimited data transfer, as they lapse when companies are subject to surveillance rules.
In the European Parliament, MEP Sophie in't Veld (Renew Europe, Netherlands) spoke of a “victory for the protection of personal data, but a crushing defeat for the European Commission on the legality of the data transfer system”, recalling that Parliament had already voted in 2018 to suspend this system.
For its part, the EPP group was much more concerned about the consequences for companies. A concern shared by the federation of private employers, BusinessEurope, which is calling for a moratorium on the decision, or even a new “temporary shield”, until a more permanent solution is negotiated.
On behalf of Parliament’s Committee on Civil Liberties, Juan Fernando López Aguilar (S&D, Spain) called on the Commission to clarify the effects of this judgment as soon as possible, questioning its impact on other tools (such as the “umbrella agreement” and the ongoing negotiations on the Cloud Act).
The digital lobbies also lamented the European decision. Facebook, for its part, “welcomed the confirmation that the contractual terms are valid” and said it looks forward to regulatory guidance on Privacy Shield. (Original version by Sophie Petitjean, with the help of Hermine Donceel)