Europe’s top court handed down a searing verdict on U.S. surveillance powers on Thursday, ruling for the second time that EU data would not be safe from snooping under a transatlantic data protection deal.
The ruling, which cancels the Privacy Shield agreement, throws billions of dollars in digital trade into legal limbo and reignites a spat over surveillance that dates back more than five years to U.S. whistleblower Edward Snowden’s revelations about American spying.
The Court of Justice of the European Union ruled that Privacy Shield — which replaced an earlier data transfer agreement called Safe Harbor — did not offer adequate protection for EU data when it was shipped overseas because U.S. surveillance law were too intrusive.
In the same ruling, the Luxembourg-based court upheld the legality of instruments used to export data out of Europe, called Standard Contractual Clauses (SCCs). But it required EU privacy watchdogs to suspend data transfers to any country where EU standards cannot be met, opening the way for challenges based on the surveillance systems of other countries.
At a time of growing tension between Brussels and Washington, the ruling is set to inflame relations even more. Donald Trump’s administration has already lashed out at Europe’s privacy system, the General Data Protection Regulation, saying it provides cover for cybercriminals.
Now the two sides will be hard-pressed to come up with an arrangement to keep data flowing across the Atlantic— for the third time.
So far, both sides have struck conciliatory notes. A senior U.S. official told POLITICO this week that Washington was ready to revisit privacy protection for EU data if Privacy Shield was struck down. And Didier Reynders, the European commissioner in charge of data protection, said after the ruling that he would discuss it with U.S. counterparts with an eye to finding a new deal.
"I look forward to working constructively with them [the United States] to develop a strengthened and durable transfer mechanism,” the Belgian politician said in a statement.
But today’s ruling suggests tinkering around the edges will not be enough and that substantive changes to U.S. surveillance powers will be needed for a new deal.
While the U.S. signaled openness to "tweaks" of its privacy system, it’s far from clear whether these amount to a reformation of U.S. surveillance powers, as the EU court suggested might be required.
For the European Commission, which backed Privacy Shield as a workable mechanism, the ruling amounts to a powerful new rebuke just one day after the EU court shot down a €13 billion tax ruling against Apple.
The demise of the agreement will also be noted in London.
Officials are scrambling to keep data flows free with the EU after Brexit. But campaigners have long questioned whether intrusive surveillance laws in the U.K. are acceptable for the EU, and the Privacy Shield judgment today raises the bar for any deal between London and Brussels.
Echoes of Snowden
Nobody will welcome the news with more enthusiasm than Max Schrems, the Austrian privacy activist who filed a case in 2013 against Facebook that lies at the heart of Thursday’s ruling.
Schrems argued that revelations of widespread American snooping by whistleblower Snowden showed that EU data hoovered up by the social media company was not safe from snooping in the U.S.
The complaint led to the EU’s top court in 2015 striking down a data transfer agreement between the U.S. and the EU known as Safe Harbor, which was later replaced by the Privacy Shield.
However, Schrems complained that fundamental issues with America’s surveillance regime remained even under Privacy Shield, urging regulators to veto Facebook’s use of SCCs to transfer data across the Atlantic.
The case ended up in the Luxembourg-based court again after Ireland’s Data Protection Commission — the privacy regulator in charge of overseeing Facebook in Europe — refused to nix the social media company’s data transfers.
Instead, the Irish regulator called for judges to invalidate SCCs in general, broadening out the case far beyond Facebook.
In a statement today, Schrems said he is "very happy" with the judgment. "It is clear that the U.S. will have to seriously change their surveillance laws, if U.S. companies want to continue to play a major role on the EU market,” he said.
He added that the judges placed the ball firmly in the court of EU data protection authorities, who the court stressed today have a duty to check whether data transferred abroad is protected to a European standard.
"The Court is not only telling the Irish DPC to do its job after seven years of inaction, but also that all European DPAs have a duty to take action and cannot just look the other way."
The Irish data protection commission and Facebook did not immediately respond the a request for comment.
The ruling was cheered by privacy campaigners across Europe, with Estelle Massé, privacy lead at digital rights NGO Access Now, saying in a statement that the European Commission had been "irresponsible" to adopt the Privacy Shield in the first place.
"From the get-go, the Commission ignored the legal opinion of data protection experts and civil society, who urged against this deal’s adoption. Time and time again, we reiterated that not suspending the deal was a big mistake.”
Reaction from industry was mixed.
Thomas Boué, a policy wonk at influential tech lobby BSA | The Software Alliance said the invalidation of the Privacy Shield is "removing one of the most flexible and trusted compliance mechanisms, which are widely used by SMEs for transatlantic business."
He called on data protection authorities to release guidance and to hold off enforcing the ruling for a grace period, like they did after Safe Harbor was struck down.
Source: politico.com
See more here: news365.stream
