This morning, in one of the most highly anticipated court cases in data protection, the Court of Justice of the European Union invalidated the legal underpinnings of the EU-U.S. Privacy Shield. This arrangement allowed more than 5,000 U.S. companies to transfer EU users’ data to the U.S. for processing and storage, and was adopted in 2016 after the CJEU declared the preceding Safe Harbour agreement invalid in the 2015 Schrems I case. In this case, the CJEU determined that U.S. intelligence surveillance law does not provide safeguards sufficient under EU law to permit the transfer of personal information from the EU to the U.S.
“This should be a wake up call to both the U.S. Congress and the U.S. Intelligence Community that stronger privacy protections must be built into intelligence surveillance authorities,” said Alexandra Givens, President and CEO of the Center for Democracy & Technology. “People outside the U.S. have rights that U.S. surveillance law and practice must honor. Surveillance reform has long been a human rights imperative; now, it is an economic imperative as well,” she added.
The decision was taken in the context of the Schrems II case, a preliminary ruling addressed to the CJEU by the Irish High Court. The CJEU was asked to rule on the validity of both the Privacy Shield and the Commission Decision 2010/87 regarding standard contractual clauses (SCCs), which sometimes govern the transfer of personal data from companies in EU Member States to processors established in third countries.
In short, the Court decided that:
- The safeguards provided by U.S. laws on the access and use by public authorities of data transferred from the European Union do not satisfy the requirements of EU law because, among other things, they do not grant European citizens actionable rights against the U.S. authorities.
- Even if the SCCs remain valid, the competent national data protection authorities are required to suspend or prohibit a transfer of personal data to the U.S. where U.S. law fails to appropriately protect Europeans’ personal data.
The CJEU’s ruling references GDPR Article 49, which, despite the annulment of Privacy Shield, permits certain “necessary” data transfers to continue to flow between the two continents where, for example, the user has explicitly consented to the transfer or the data flow is necessary to fulfill the terms of a contract.
Renewing its 2015 surveillance reform recommendations, CDT is calling on Congress to:
- Prohibit “upstream” surveillance through which the U.S. government temporarily seizes virtually all internet-based communications flowing into or out of the U.S., and which is being challenged at the Fourth Circuit Court of Appeals in Wikimedia v. NSA;
- Strictly limit the purposes for which the U.S. intelligence agencies may obtain personal data under Section 702 of the Foreign Intelligence Surveillance Act;
- Establish stronger constraints on U.S. officials’ ability to gain access to and use that data; and
- Ensure that anyone whose rights may have been violated in the intelligence surveillance context can obtain effective redress.