Top EU court rules data transfer deal with US is invalid

The European Union’s top court has ruled that a data transfer deal between EU nations and the United States is invalid because of concerns about America’s surveillance practices. 

The court wrote in a press release announcing the decision that U.S. “limitations on the protection” of personal data transferred from the E.U. “are not circumscribed in a way that satisfies requirements that are essentially equivalent to those required under E.U. law.”

The decision effectively blocks the privileged access to personal data from Europe that many U.S. companies, including tech giants like Facebook, received thanks to an agreement reached in 2016, according to Reuters. The ruling cannot be appealed.

The agreement, known as the EU-US Privacy Shield, was set up in 2016 to create a framework that protected personal data when it was transferred to U.S. companies for commercial use. Invalidating the framework could impact some 5,000 businesses that had signed onto to the agreement. 

The Court of Justice of the EU reached the ruling due to worries that the U.S. could demand access to user data on national security grounds. 

The Associated Press noted that the court’s ruling could force regulators to evaluate transatlantic data transfers to ensure Europeans’ personal data is protected according to EU standards. 

“It is clear that the U.S. will have to seriously change their surveillance laws, if U.S. companies want to continue to play a major role on the EU market,” Max Schrems, an Austrian activist whose concerns about Facebook’s handling of data helped spur the case, told the AP. 

Commerce Secretary Wilbur Ross added to Reuters that the Trump administration would remain in contact with the European Commission about the effects of the ruling. 

“While the Department of Commerce is deeply disappointed that the court appears to have invalidated the European Commission’s adequacy decision underlying the EU-U.S. Privacy Shield, we are still studying the decision to fully understand its practical impacts,” Ross said.

The EU court’s decision zeroed in on fears over how personal data is being stored, which has become a chief concern of many governments around the world. 

While the court invalidated the transatlantic agreement, it upheld a data transfer mechanism known as standard contractual clauses. The clauses are used by many companies to transfer Europeans’ data around the world for services like cloud infrastructure and data hosting. 

Following the ruling, Microsoft Chief Privacy Officer Julie Brill said in a blog post that it would have no impact on the ability to transfer data using its cloud services. 

“We want to be clear: if you are a commercial customer, you can continue to use Microsoft services in compliance with European law,” Brill wrote. “The Court’s ruling does not change your ability to transfer data today between the EU and U.S. using the Microsoft cloud.”

The Software & Information Industry Association said the decision would bring “significant data flows to a halt” despite an annual review’s finding that the so-called Privacy Shield protected users’ data. 

“Though many headlines on this case focus on its impact on social media, the reverberations are much more profound and widespread,” SIIA President and CEO Jeff Joseph said in a statement. “Thousands of companies of all sizes rely on Privacy Shield across a wide range of industries. They opened their business this morning to find their transfer mechanism for critical data flows possibly shut off.”

–Updated at 10:57 a.m.