Top E.U. Court Overturns Transatlantic Data Transfer Pact

  • The E.U. Court of Justice (CJEU) has struck down Privacy Shield, a key data-sharing protocol that allowed American companies to transfer personal information about E.U. citizens to the U.S. for processing. It ruled that the regulation cannot be trusted because it does not protect E.U. citizens from mass surveillance programs operated by U.S. intelligence agencies like the NSA.
  • The ruling, in short, means that companies cannot provide E.U. customers with lesser privacy rights just by moving their data to a non-E.U. jurisdiction. In other words, any company dealing with European citizens' data must provide privacy protections equivalent to those of the E.U., like the GDPR, irrespective of where the data is transferred, stored, or processed.
  • This applies to data that companies such as Facebook and Google outsource to U.S. data centres, but it does not affect "necessary" data transfers that take place when users in Europe send an email to a recipient in the U.S., or book a flight or a hotel on a U.S. website.
  • The protracted legal battle started back in 2013, when privacy activist Max Schrems lodged a complaint against Facebook with the Irish Data Protection Commissioner, alleging that, in the wake of the Edward Snowden revelations, U.S. law did not offer sufficient protections against surveillance by public authorities. In 2015, the European Court of Justice ruled that the then Safe Harbor Agreement, which allowed European users' data to be moved to the U.S., was invalid and did not adequately protect European citizens.
  • To replace the Safe Harbor principle, the E.U. and the U.S. Department of Commerce developed a new data transfer agreement called the Privacy Shield framework.
  • Although the latest judgement invalidates the use of the Privacy Shield, it has also upheld another data transfer protocol known as Standard Contractual Clauses (SCCs), which are aimed at protecting personal data leaving the E.U. through contractual obligations in compliance with the GDPR's requirements in non-E.U. territories.
  • But there's a catch: "The CJEU has made it clear in its ruling that even within the SCCs a data flow must be stopped if a U.S. company falls under surveillance laws (such as FISA 702)." This effectively means that tech companies like Apple, Facebook, Google and Microsoft, which use SCCs for transatlantic data transfers, will "need to identify the legal basis for the data transfer," while giving data protection agencies in the E.U. the power to suspend data transfers which are taking place via SCCs to countries where data protections are not adequate.
  • "It is clear that the U.S. will have to seriously change their surveillance laws, if U.S. companies want to continue to play a major role on the E.U. market," Schrems said in a statement after the CJEU ruling. "This judgment is not the cause of a limit to data transfers, but the consequence of U.S. surveillance laws."