Tech Firms Like Facebook Must Restrict Data Sent From EU To US, Court Rules

The European Court of Justice has ruled that the “Privacy Shield” data transfer agreement, which had allowed tech companies to transfer EU user data to the US, failed to adequately protect Europeans’ data from US surveillance and security laws and was therefore invalid. What this means is companies like Facebook “could be prevented from sending data back to the US,” reports The Guardian. From the report: The ruling of the court of justice of the European Union (CJEU) does not immediately end such transfers, but requires data protection authorities (DPAs) in individual member states to vet the sending of any new data to make sure people’s personal information remains protected according to the EU’s data protection laws (GDPR). The complaint, which goes back to October 2014, was lodged by Austrian privacy activist Max Schrems. He argued, following the Snowden revelations, that the privacy of European citizens could not be guaranteed if their data was sent to the US, given the evidence of widespread eavesdropping by the country’s National Security Agency (NSA), and the fact that the US legal system only protected the rights of US citizens. Schrems’ initial complaint led to the overturning of the EU/US “safe harbor,” which had governed data transfer between the two countries, and the creation of a new treaty, the EU/US “privacy shield.” This latest ruling has overturned that policy too. […]

The ruling is not a total halt on data transfers between the EU and US, said Lisa Peets, a partner at Covington, which represented the UK’s software industry in the case. The court upheld the use of “standard contractual clauses” (SCCs) to transfer personal data between Europe and US, allowing companies to seek specific consent from users for data to be exported. “Data flows between Europe and the United States are an integral part of the European economy and of the day-to-day lives of millions of European consumers, and the SCCs are the backbone for many of those data transfers,” Peets said. “As for the privacy shield, the European commission will be highly focused on finding a resolution and will be actively working work with the US government to identify a path forward.”