Europe's highest court has struck down a key agreement between the U.S. and the European Union concerning data privacy. In a ruling Thursday, the European Court of Justice found that the EU-U.S. Privacy Shield fails to protect Europeans' rights to data privacy when companies are transferring those data to the U.S.
The decision promises to have major repercussions for the more than 5,300 companies covered by the framework, ranging from banks to social media giants such as Facebook and Twitter. Under the Privacy Shield, implemented in 2016, self-certified companies that comply with the agreement's requirements are considered to have met the EU's higher standard for data privacy.
The ECJ disagreed with that conclusion, however. In its ruling, the court found that surveillance laws in the U.S. "are not circumscribed in a way that satisfies requirements that are essentially equivalent to those required" under EU law.
In other words, the deal's principal flaws rest not so much with its member companies' practices, as with the U.S. government itself. Justices found that federal laws such as the Foreign Intelligence Surveillance Act "cannot be regarded as limited to what is strictly necessary" and fail to meet "minimum safeguards" guaranteed by the EU.
"The requirements of US national security, public interest and law enforcement have primacy, thus condoning interference with the fundamental rights of persons whose data are transferred," the court wrote in a press release explaining the decision.
That potentially leaves lots of companies in a tough spot, as Commerce Secretary Wilbur Ross argued in a statement released Thursday. He said his department is "deeply disappointed" in a ruling that may have "negative consequences to the $7.1 trillion transatlantic economic relationship that is so vital to our respective citizens, companies, and governments."
"Data flows are essential not just to tech companies, but to businesses of all sizes in every sector," Ross added.
It is unclear exactly what comes next for the companies covered under the deal. Ross said the Department of Commerce is "studying the decision" now, and in the meantime the department vowed to continue the program despite the ruling.
One alternative for these companies — for now, at least — may be found in the ruling itself. Even as the court struck down the Privacy Shield, it upheld the legality of standard contractual clauses, or SCCs, which were composed by the European Commission.
These provisions, which also lay out the responsibilities concerning data transfers, were acceptable to the court because they allow EU regulators to intervene in individual instances where they suspect the destination country won't adequately protect Europeans' data. In statements released after the ruling, tech giants such as Facebook and Microsoft said they also use SCCs for data transfer.
"The Court explicitly highlighted that the invalidation of the Privacy Shield will not create a 'legal vacuum' as crucially necessary data flows can be still undertaken," said Max Schrems, the Austrian attorney and privacy activist who brought the case. "The US is now simply put back to an average country with no special access to EU data."
For Schrems, the issue has become something of a crusade. It was his case that effectively led to the end of the Privacy Shield's predecessor, Safe Harbor, in 2015. That framework was also struck down by the European Court of Justice because it failed to protect Europeans' data privacy.
The attorney celebrated his second major victory in court as a vindication and an unmistakable sign that change is needed in the U.S.
"It is clear," he said in a statement Thursday, "that the US will have to seriously change their surveillance laws, if US companies want to continue to play a major role on the EU market."
Copyright 2020 NPR. To see more, visit https://www.npr.org.