The Court of Justice of the European Union has ruled that Privacy Shield, an arrangement between the EU Commission and the United States, under which companies transfer personal data from the European Union to the United States, is invalid.
This judgment stemmed from a complaint by Max Schrems to the Irish Data Protection Commission. Mr Schrems lodged the complaint to prevent Facebook Ireland transferring data to the servers of Facebook Inc. in the United States. He claimed that the law and practices in the United States did not offer sufficient protection against access by the public authorities to the data transferred to that country.
The Data Protection Commission brought proceedings before the High Court, in order to refer questions to the Court of Justice for a preliminary ruling. Among other questions, the referring court raised the issue of the validity of Decision 2016/1250, also known as the ‘Privacy Shield’, and asked whether EU law applies to the transfer of personal data to countries outside the EU, where it can be processed by authorities for national security and law enforcement purposes.
On the validity of Privacy Shield, the Court said that the Commission’s arrangement “enshrines the position that the requirements of US national security, public interest and law enforcement have primacy” and facilitates the interference with the fundamental rights of those whose data is transferred to the US.
In the view of the Court, “the limitations on the protection of personal data arising from the domestic law of the US on the access and use by US public authorities of such data transferred from the European Union to that third country, are not circumscribed in a way that satisfies requirements that are essentially equivalent to those required under EU law.” In particular, the Court mentioned that the principle of proportionality was absent from the Decision. Under Privacy Shield, surveillance programmes are not restricted to accessing data that is strictly necessary, in line with the principle of proportionality.
The Court also highlighted that for certain surveillance programmes, there was no mention of any limitation on their powers to access data or to target non-US citizens. In addition, the Court pointed out that the arrangement did not provide for any cause of action before a body which offers procedural guarantees which are substantially equivalent to those required by EU law, such as the independence of the Ombudsperson in question and the ability of that Ombudsperson to make decisions that are binding on US intelligence services.
Based on the above analysis, the Court of Justice declared Decision 2016/1250 to be invalid.
The Court added that “standard contractual clauses”, a tool used by thousands of companies to transfer data around the world, were valid but recommended that they be used more effectively. These clauses are only valid if they contain mechanisms to ensure compliance with EU data protection law.
FLAC (Free Legal Advice Centres) represented EPIC, the Electronic Privacy Information Centre, a Washington based NGO, to act as a ‘friend of the court’ (amicus curiae) in this case. As an amicus curiae, EPIC provided the High Court and the CJEU with a comprehensive assessment of the strengths and weaknesses of the US legal system and the protection afforded to the personal data of people resident in the EU, including Ireland, a perspective that was of assistance to both the High Court and the CJEU in assessing the adequacy of US law from a EU data protection perspective.
“This is another landmark ruling for privacy rights by the Court of Justice, and a clear signal that the United States needs to reform its surveillance laws or risk losing its position as a global technology leader. Congress should act quickly to bring U.S. law in line with international human rights standards.” said Alan Butler, EPIC Interim Executive Director and General Counsel.
According to Eilis Barry, FLAC Chief Executive, “As a small NGO with limited funding, which seeks to act as a counter-balance to large business and state interests, EPIC needed representation in order to be able to participate, and we in FLAC, as one of the few independent law centres in Ireland, were pleased to support a peer NGO seeking to uphold fundamental rights."
Click here for the decision in Data Protection Commissioner v. Facebook & Max Schrems.
Click here and here for previous PILA Bulletin articles on the case.