In a far-reaching decision for the GDPR by the European Court of Justice today (Case C-311/18, widely known as Schrems II), the EU-US Privacy Shield has been struck down. The abbreviated text of the decision can be viewed on Twitter here (p3), while the official text published on curia.europa.eu can be found here, starting at paragraph 163.
To summarize the key points: in the view of the European Court of Justice, the legal basis under which US law enforcement and intelligence agencies gather information on data subjects is too broad and is not limited to what is strictly necessary. The full text on the curia site specifically cites the PRISM and UPSTREAM surveillance programs (run under Section 702 of FISA) as examples of collection that goes beyond what is strictly necessary.
The ruling in essence disputes the proportionality of this type of collection of personal data, particularly as it affects non-US persons. It also highlights the lack of judicial redress for EU citizens, in other words, what complaint mechanism do I have if I don't like how my personal data is being used?
Privacy Shield introduced the role of an Ombudsperson based in the US, which the State Department website describes as
“a position dedicated to facilitating the processing of requests from EU and Swiss individuals relating to national security access to data transmitted from the European Union or Switzerland to the United States”
In today's ruling the ECJ calls the Ombudsperson's authority into question. Specifically, the Court found that the Ombudsperson is neither sufficiently independent of the executive nor empowered to adopt decisions that bind the intelligence agencies. That falls well short of what EU citizens can expect at home, where their national data protection authority and ultimately the courts can impose legally binding remedies if their rights are violated by state surveillance agencies.
So what does Max Schrems make of the judgement? Unsurprisingly, he was critical of the establishment and issued the following statement via noyb.eu, the website of his privacy organisation:
“I am very happy about the judgment. It seems the Court has followed us in all aspects. This is a total blow to the Irish DPC and Facebook. It is clear that the US will have to seriously change their surveillance laws, if US companies want to continue to play a major role on the EU market.”…
“The Court clarified for a second time now that there is a clash between EU privacy law and US surveillance law. As the EU will not change its fundamental rights to please the NSA, the only way to overcome this clash is for the US to introduce solid privacy rights for all people – including foreigners. Surveillance reform thereby becomes crucial for the business interests of Silicon Valley”
He goes on to criticise the Irish DPC for what he sees as unnecessary delays and a failure to enforce the standard contractual clauses (SCCs). Understandably he feels vindicated, although it may be a bit early for a victory lap: we have yet to see what changes come of it all, and in particular how the social media giants respond.
What does this all mean?
The good news first: standard contractual clauses (SCCs) and binding corporate rules (BCRs) are still upheld for third-country transfers, so the world keeps spinning for multinationals and their legal departments. The caveat, which the judgment spells out, is that SCCs are not a rubber stamp: the data exporter must assess whether the law of the destination country actually lets the importer honour the clauses, and must suspend the transfer if it does not, with the supervisory authorities obliged to step in where the exporter fails to. Now the bad news: Safe Harbor and now Privacy Shield have both been thrown under the bus, and it seems less likely than ever that EU data protection requirements will prevail over US national security interests to the extent that a successor to Privacy Shield would survive the Court. Data privacy and mass surveillance are diametrically opposed, and will remain so.
The options facing the EU and US authorities now appear to be:
- A derogation for national intelligence agencies is put in place
- The US Ombudsperson is given real independence and enforcement powers that satisfy the ECJ
- Personal data is kept out of the US altogether, or transferred only minimally, and processed inside the EU, much as a cloud provider such as Amazon AWS pins data to a geographic region (bearing in mind that region pinning controls where data is stored, not which jurisdictions' laws the provider is subject to)
- Or everyone remains in limbo until one side budges and yields to the ECJ
In any scenario, trust is called into question again, and the working relationship between the US and the EU remains under pressure from activists. Both sides put real effort into making Privacy Shield a substantive framework, but the ghosts of Edward Snowden's revelations and Cambridge Analytica are still haunting the data privacy house.
I suspect, though, that the impasse will be broken, but it is going to need stronger language than what is in place now.
Read our related article 10 Steps to designing the right data protection program