Data Transfer Blues for the U.S. as ECJ Strikes Down Privacy Shield

Abhinav Raj, Writer
@uxconnections

Europe’s top court invalidated the EU-US data transfer mechanism, restricting data flow across the Atlantic

In a major victory for privacy-rights activists across Europe, the Court of Justice of the European Union on Thursday overturned its trans-Atlantic pact with the United States that provided for a data transfer mechanism across the Atlantic. 

The Privacy Shield agreement of 2016 offered a streamlined transfer of personal data to support transatlantic commerce between firms in the European Union and the United States. Till date, the EU-U.S. Privacy Shield frameworks ratified by the U.S. Department of Commerce and the European Commission provided as the flagship data transfer mechanism for over 5300 listed companies.

“The General Data Protection Regulation (‘the GDPR’) provides that the transfer of such data to a third country may, in principle, take place only if the third country in question ensures an adequate level of data protection,” stated a press release by the European Court of Justice. The ECJ asserted that the protection under the EU-US Privacy Shield Frameworks proved inadequate in safeguarding the data of the citizens of the European Union. 

In the interim, ECJ is upholding Standard Contractual Clauses (SCC) as the transfer mechanism available to firms to ensure the commerce is not interrupted.

To Bite Another Byte?

The series of data privacy reforms in the European Court began when a case was filed against Facebook Ireland by Austrian activist Max Schrems, colloquially referred to as Schrems II. Schrems claimed that the firm’s practice of transferring data outside the EU and into the U.S. violated his data privacy rights and his data was left susceptible to probing. 

The threat to data wasn’t all speculative. In 2013 a National Security Agency intelligence contractor Edward J. Snowden brought to light some startling revelations about the NSA and its partners’ surveillance of foreign nationals and U.S. citizens. Snowden unearthed some of the darkest secrets of the NSA, most notably the PRISM program, wherein the agency tapped into servers of some of the biggest internet platforms including Facebook, Microsoft, Google and Yahoo to track online communication. 

Needless to say, the evidence did not tip the scales in favour of the Privacy Shield program. 

The ECJ noted the States’ utilisation of mass surveillance practices and the inability of the Europeans to seek any redressal under the Privacy Shield Framework. The measures to safeguard the data of citizens in the EU have effectively proven to be inadequate in the third country context, or anywhere outside the boundaries of the EU. 

“The limitations on the protection of personal data arising from the domestic law of the United States on the access and use by U.S. public authorities of such data transferred from the European Union to the United States, which the Commission assessed in the Privacy Shield Decision, are not circumscribed in a way that satisfies requirements that are essentially equivalent,” stated the judgement of the Court. 

The European Union has made a statement through the ruling: the data protection rights of the citizens of the EU must be honoured within or outside the jurisdiction of the European Court of Justice.  

A veil of uncertainty shrouds the truth of what happens with our sensitive data once it’s transferred out of the EU; how our information is tracked, subjected to scrutiny, and stored. Every so often whistle-blowers like Edward Snowden make the choice to bring the grim realities of data privacy violations to light, and live to pay the price. But is the price of basic liberty worth paying? 

Edward Snowden asserts it is. 

“‘I can’t allow the US to destroy privacy, internet freedom and basic liberties”, believes Snowden.