City academic comments on European Court of Justice's Privacy Shield ruling
The European Court of Justice (ECJ) has ruled that the EU-US Privacy Shield, a transatlantic agreement used by thousands of companies to transfer data between the European Union and the United States, does not protect the privacy of European citizens.
In their 16th July 2020 judgement, the ECJ stated that the agreement did not limit access to data by US authorities “in a way that satisfies requirements that are essentially equivalent to those required under EU law”.
The ECJ judgement also marked the most recent development in a seven-year legal battle by Austrian lawyer Max Schrems against Facebook Ireland, over the legality of its transfer of personal data of its EU customers to the US.
Commenting on the judgement, The City Law School’s Jean Monnet Chair of Law & Transatlantic Relations, Professor Elaine Fahey, said:
“The Privacy Shield was a transatlantic data transfer regime covering over a billion citizens, consumers, businesses and agencies, and was one of the most sophisticated in the world. It was developed as a stronger and revitalised version of Safe Harbour but raised serious concerns for rights and obligations. Transatlantic review processes after three years of Privacy Shield governance produced only modest progress. Evidence suggests that many larger companies used Standard Contractual Clauses (SCCs) preventatively rather than the Privacy Shield, whereas the majority of Small and Medium Enterprises (SMEs) found the Privacy Shield more efficient and cost-effective, with many larger businesses concerned about their legal vulnerability.”
Professor Fahey adds:
“In a very cryptically worded decision, the CJEU held that a national supervisory authority could suspend or prohibit a transfer of data to a third country pursuant to the standard data protection clause in the annex to that decision. However, the CJEU held that the Commission’s finding that US law was of an adequate level of protection essentially equivalent to EU law under the GDPR read in light of the Charter, was called into question by the surveillance programmes in section 702 of the US Foreign Intelligence Surveillance Act (FISA) and Executive Order 12333, because they authorised surveillance programmes. FISA did not indicate limitations on powers, and the Executive Order did not confer enforceable rights on EU citizens against the US authorities. This violated the principle of proportionality because surveillance programmes could not be regarded as limited to what was strictly necessary.”
“The CJEU held that the annulment of the adequacy decision did not create a legal vacuum on account of the provisions of Article 49 of the GDPR allowing for derogations in special situations. Considerable review processes have now been foisted upon businesses to take action, particularly US cloud service providers falling under FISA as to protecting the tapping of transferred data from the US National Security Agency/Federal Bureau of Investigation (NSA/FBI). Data controllers will need to take action to comply urgently with the decision or otherwise face swingeing fines.”