Europe's top court kills Privacy Shield that allowed US data sharing

Europe's top court kills Privacy Shield that allowed US data sharing

The decision affects thousands of companies doing business in Europe, ranging from banks to social media companies like Facebook. They may have to either set up European data hubs or stop doing business in the bloc altogether, pending any renegotiation. However, the ruling only applies to specific types of data and won’t affect “necessary” data transfers like emails, vacation bookings and news site access.

US commerce secretary Wilbur Ross gave a statement saying, in essence, that the US will study the ruling but is simply going to ignore it for now.

We have been and will remain in close contact with the European Commission and European Data Protection Board on this matter and hope to be able to limit the negative consequences to the $7.1 trillion transatlantic economic relationship. The Department of Commerce will continue to administer the Privacy Shield program, including processing submissions for self-certification and re-certification to the Privacy Shield Frameworks and maintaining the Privacy Shield List. Today’s decision does not relieve participating organizations of their Privacy Shield obligations.

The decision was not a huge surprise, as many players felt the new privacy shield was full of holes that could easily be attacked in court. In Europe, privacy activists see the ruling as a victory. It’s known as Schrems II after EU lawyer Max Schrems who helped kill the previous EU/US arrangement known as Safe Harbor, and Schrems himself weighed in.

“It is clear that the US will have to seriously change their surveillance laws, if US companies want to continue to play a major role on the EU market,” he said. “As the EU will not change its fundamental rights to please the NSA, the only way to overcome this clash is for the US to introduce solid privacy rights for all people – including foreigners. Surveillance reform thereby becomes crucial for the business interests of Silicon Valley.”

Businesses, understandably, aren’t so happy. “This decision creates legal uncertainty for the thousands of large and small companies on both sides of the Atlantic that rely on Privacy Shield for their daily commercial data transfers,” said Alexandre Roure from the CCIA tech lobby group. “We trust that EU and US decision-makers will swiftly develop a sustainable solution, in line with EU law, to ensure the continuation of data flows which underpins the transatlantic economy.”