Europes top court handed down a searing verdict on U.S. surveillance powers on Thursday, ruling for the second time that EU data would not be safe from snooping under a transatlantic data protection deal.
The ruling, which cancels the Privacy Shield agreement, throws billions of dollars in digital trade into legal limbo and reignites a spat over surveillance that dates back more than five years to U.S. whistleblower Edward Snowdens revelations about American spying.
The Court of Justice of the European Union ruled that Privacy Shield — which replaced an earlier data transfer agreement called Safe Harbor — did not offer adequate protection for EU data when it was shipped overseas because U.S. surveillance law were too intrusive.
In the same ruling, the Luxembourg-based court upheld the legality of instruments used to export data out of Europe, called Standard Contractual Clauses (SCCs). But it required EU privacy watchdogs to suspend data transfers to any country where EU standards cannot be met, opening the way for challenges based on the surveillance systems of other countries.
At a time of growing tension between Brussels and Washington, the ruling is set to inflame relations even more. Donald Trumps administration has already lashed out at Europes privacy system, the General Data Protection Regulation, saying it provides cover for cybercriminals.
Now the two sides will be hard-pressed to come up with an arrangement to keep data flowing across the Atlantic— for the third time.
So far, both sides have struck conciliatory notes. A senior U.S. official told POLITICO this week that Washington was ready to revisit privacy protection for EU data if Privacy Shield was struck down. And Didier Reynders, the European commissioner in charge of data protection, said after the ruling that he would discuss it with U.S. counterparts with an eye to finding a new deal.
“I look forward to working constructively with them [the United States] to develop a strengthened and durable transfer mechanism,” the Belgian politician said in a statement.
But todays ruling suggests tinkering around the edges will not be enough and that substantive changes to U.S. surveillance powers will be needed for a new deal.
While the U.S. signaled openness to “tweaks” of its privacy system, its far from clear whether these amount to a reformation of U.S. surveillance powers, as the EU court suggested might be required.
For the European Commission, which backed Privacy Shield as a workable mechanism, the ruling amounts to a powerful new rebuke just one day after the EU court shot down a €13 billion tax ruling against Apple.
The demise of the agreement will also be noted in London.
Officials are scrambling to keep data flows free with the EU after Brexit. But campaigners have long questioned whether intrusive surveillance laws in the U.K. are acceptable for the EU, and the Privacy Shield judgment today raises the bar for any deal between London and Brussels.
Echoes of Snowden
Nobody will welcome the news with more enthusiasm than Max Schrems, the Austrian privacy activist who filed a case in 2013 against Facebook that lies at the heart of Thursdays ruling.
Schrems argued that revelations of widespread American snooping by whistleblower Snowden showed that EU data hoovered up by the social media company was not safe from snooping in the U.S.
The complaint led to the EUs top court in 2015 striking down a data transfer agreement between the U.S. and the EU known as Safe Harbor, which was later replaced by the Privacy Shield.
However, Schrems complained that fundamental issues with Americas surveillance regime remained even under Privacy Shield, urging regulators to veto Facebooks use of SCCs to transfer data across the Atlantic.
The case ended up in the Luxembourg-based court again after Irelands Data Protection Commission — the privacy regulator in charge of overseeing Facebook in Europe — refused to nix the social media companys data transfers.
Instead, the Irish regulator called for judges to invalidate SCCs in general, broadening out the case far beyond Facebook.
In a statement today, Schrems said he is “very happy” with the judgment. “It is clear that the U.S. will have to seriously change their surveillance laws, if U.S. companies want to continue to plRead More – Source