ECJ privacy decision brings US (and Facebook) into line with other third countries

Image by thedescrier is licensed under CC BY 2.0
Share this article

Even before the general data protection regulation (GDPR) came into force, US authorities had lobbied hard, with some success, to dilute the protections the EU wanted when it agreed the so-called privacy shield. The privacy shield is designed broadly to guarantee an equivalent, not identical, level of protection for data as the GDPR. It has never quite matched the higher requirements of the EU, but has been a pragmatic if imperfect solution to date.

The EU has a different mindset to the US on data protection and privacy. The EU does not prioritise commodifying and selling on our data and sees personal data as being owned by the individual rather than companies; in theory at least. That is behind the key principle that any data relating to an EU citizen handled by any company anywhere in the world must comply with the GDPR. It must also now heed EU fundamental rights.

In many respects, the EU’s GDPR is seen as a good model for protecting citizens’ rights to respecting their personal data. It gave regulators the power to fine companies up to 4 per cent of their global income if they broke the rules. But the legal process is extremely time-consuming and prohibitively expensive, so ordinary citizens are usually unable to avail themselves of their right to have their data privacy respected.

Privacy rights activist, Max Schrems, has campaigned successfully over flaws in the GDPR for many years. His latest seven-year fight has addressed the social media giants. He has recorded another win with a case that involves his concerns over the efficiency and diligence of the Irish Data Protection Commission in enforcing the GDPR.

Max Schrems
Photo credit: noyb

On 16 July, the EU’s court (ECJ) ruled in his favour stating that far-reaching US surveillance laws conflict with and violate the ‘essence’ of the EU’s fundamental rights. The US limits most protections to “US persons”, but does not protect data of foreign customers of US companies. If you want to know whether you or your business are under surveillance, the only way to find out, it to go to court.

Max Schrems said:

“The court clarified for a second time now that there is a clash of EU privacy law and US surveillance law. As the EU will not change its fundamental rights to please the NSA, the only way to overcome this clash is for the US to introduce solid privacy rights for all people – including foreigners. Surveillance reform thereby becomes crucial for the business interests of Silicon Valley.

“This judgment is not the cause of a limit to data transfers, but the consequence of US surveillance laws. You can’t blame the court to say the unavoidable – when shit hits the fan, you can’t blame the fan.”

The judgment also makes clear the court’s dissatisfaction with the EU Commission, stating that the latter had not undertaken a thorough and accurate assessment of US surveillance laws in the privacy shield. Instead, it argued, it succumbed to US pressure when passing privacy shield.

According to Herwig Hofmann, law professor at the University of Luxembourg and one of the lawyers arguing the Schrems cases before the court, the judgment means, “There can be no transfer of data to a country with forms of mass surveillance. As long as US-law gives its government the powers to vacuum-up EU data transiting to the US, such instruments will be invalidated again and again. The Commission’s acceptance of US surveillance laws in the Privacy Shield decision left them without defence.”

As a result of the decision, data protection authorities have a duty to act when they get a complaint, and are not only responsible for doing so but must ensure, “that the GDPR is fully enforced with all due diligence”. This means that the many data protection authorities in the EU member states who have undermined the success of the GDPR by not processing complaints can no longer simply use their discretion to evade the fact that they must give primacy to EU standards.


More articles from Juliet Lodge:


Schrems says, “This is a fundamental shift going far beyond EU-US data transfers … The court has clearly told the DPAs to get going and enforce the law.”

Moreover, standard contractual clauses (SCCs) can’t be used anymore by Facebook and US companies that fall under US surveillance. Before signing any agreement, EU companies and non-EU recipients of data must review the law in the respective third country before proceeding. Only if there is no conflicting law, may they use the SCCs. If they don’t, and where US surveillance law violates EU provisions, the relevant Data Protection Authority (DPA) must use the “emergency clause” built into the SCCs (Article 4 of the Standard Contractual Clauses).

This means that Facebook may not use the SCCs for EU-US data transfers anymore and companies must double check that they comply with EU law before signing the SCCs.

Image by stockcatalog is licensed under CC BY 2.0

Even so, there is no room for complacency because court action is prohibitively expensive. This particular case has taken seven years and as Schrems said, it had “more than 45,000 pages of documents submitted. Maintaining the power to argue such cases is only possible with the support of noyb’s now more than 3,200 members. The myth that a law student can just do this on his own is unfortunately wrong.”

This is not the end of the matter though because ‘necessary’ data flows can continue to flow under Article 49 of the GDPR, for example, to fulfil a contract or where a user has given informed consent.

Overall, the effect is to bring the US into line with the arrangements the EU has with all other third countries – including the UK next year. The US has lost its special access to EU data.

Schrems concludes, “The court explicitly highlighted that the invalidation of the Privacy Shield will not create a ‘legal vacuum’ as crucially necessary data flows can be still undertaken. The US is now simply put back to an average country with no special access to EU data.”

More information is available via the noyb [My Privacy is None of Your Business] website where information is updated frequently.

Can you help us reach more readers?