An EU court has struck down a privacy agreement that made it possible to share the data of EU citizens with the US.
Under the EU-US Privacy Shield, companies could implement higher privacy standards to allow for the transfer of EU citizen data. This was necessary because of the EU’s stricter privacy legislation. In spite of the goals behind the Privacy Shield, privacy groups raised a number of concerns about its effectiveness.
In particular, advocates were concerned about the privacy threat the US government poses. Thanks to the Edward Snowden leaks, the world is aware of the US government’s long history of digital spying, even on law-abiding citizens. Advocates were concerned that, even if a company met the necessary data sharing privacy requirements, there was no guarantee the US government wouldn’t snoop on any shared data.
Max Schrems, an Austrian privacy advocate, initially filed the complaint that eventually made its way to the European Court of Justice (ECJ). After considering the case, the ECJ struck down the law.
This will have major ramifications for many companies with customers in the EU. At the very least, companies will need to use Standard Contractual Clauses. This is a type of non-negotiable legal contract drawn up in the EU that governs data transfers. Specifically, they are used to make sure any data transfer abides by the GDPR privacy laws, especially when transferring the data to a country that does not have the same level of privacy protection.
The ECJ’s decision is a big win for privacy advocates, and will no doubt put additional pressure on the US to adopt privacy regulation of its own.