A top European court ruled Thursday that companies moving personal user data from the EU to other jurisdictions will have to provide the same protections given inside the bloc.
The ruling could impact how companies transfer European users’ data to the United States and other countries, such as the U.K.
The legal battle started back in 2013, when privacy activist Max Schrems lodged a complaint with the Irish Data Protection Commissioner. He argued that, in light of the Edward Snowden revelations, U.S. law did not offer sufficient protection against surveillance by public authorities.
Schrems raised the complaint against the social network Facebook, which, like many other firms, was transferring his and other users’ data to the United States.
The complaint reached the European Court of Justice (ECJ), which in 2015 ruled that the then Safe Harbour Agreement, which allowed European users’ data to be moved to the U.S., was not valid and did not adequately protect European citizens.
As a result, companies operating in Europe switched to Standard Contractual Clauses or SCCs, which ensured they could still move data across the Atlantic. In the meantime, the European Union and the United States developed a new agreement, the Privacy Shield framework, to replace the Safe Harbour agreement.
The ECJ ruled Thursday that these SCCs were a valid way to transfer data, but invalidated the use of the Privacy Shield framework.
In practical terms, this means that non-EU countries, or companies looking to move European users’ data abroad, will have to ensure an equivalent level of protection to the strict European data laws.
“Regarding the level of protection required in respect of such a transfer, the Court holds that the requirements laid down for such purposes by the GDPR (General Data Protection Regulation) concerning appropriate safeguards, enforceable rights and effective legal remedies must be interpreted as meaning that data subjects whose personal data are transferred to a third country pursuant to standard data protection clauses must be afforded a level of protection essentially equivalent to that guaranteed within the EU by the GDPR,” the court said Thursday.
The GDPR, introduced in 2018, has allowed European users to have a stronger say over how companies use their information.
“In those circumstances, the Court specifies that the assessment of that level of protection must take into consideration both the contractual clauses agreed between the data exporter established in the EU and the recipient of the transfer established in the third country concerned and, as regards any access by the public authorities of that third country to the data transferred, the relevant aspects of the legal system of that third country,” the court added.
A new trade war?
Jonathan Kewley, co-head of technology at law firm Clifford Chance, said that the decision is a “bold move by Europe.”
“What we are seeing here looks suspiciously like a privacy trade war, where Europe is saying their data standards can be trusted, but those in the U.S. cannot. We predict that the outcome could be more Europe data localisation, with more customer data staying in Europe as a result,” he added.
As well as creating further tension between the United States and Europe, the ruling has consequences for many large businesses.
Tanguy Van Overstraeten, partner at law firm Linklaters, said: “This is less of a win for businesses than it appears. Large companies have complex webs of data transfers to hundreds, if not thousands, of overseas recipients. The (ECJ) has made it clear companies cannot justify them using a ‘tick box’ exercise of putting SCCs in place. Instead, the risks associated with those transfers need to be properly assessed.”
“Similarly, this may encourage data protection regulators to clamp down on international transfers more aggressively, with the possibility of transfers to jurisdictions with strong state surveillance powers becoming increasingly difficult,” he added.