Schrems strikes again: The European Court of Justice declares EU-US Privacy Shield illegal


In a very recent ruling it was held that tech firms like Facebook must change how they send data from the EU to the US. This legal ruling has been dragged out for several years, beginning back in 2014 after Maxmillian Schrems (Schrems), an Austrian Data Privacy Activist, voiced his concerns following the Snowden revelations.

Edward Snowden, an American whistle blower and ex-subcontractor for the Central Intelligence Agency (CIA) made a series of revelations unmasking the different ways in which the US National Security Agency (NSA) was spying on its citizens. One of the revelations included the existence of PRISM, which was a program allowing the NSA to access data stored by Facebook, Google and several other major companies. Data which belonged to not only the US citizens, but also EU.

 After the initial arrangement, Safe Harbor Privacy Principles were declared invalid, the EU- US Privacy shield was adopted to enable transatlantic exchange of data between EU and US for commercial purposes. It  claimed to comply with the  EU data protection law.  

Schrems argued that the privacy of EU citizens could not be guaranteed when their personal information was sent to the US, and that the US legal system only protected the rights of US citizens. Yesterday, the Court declared the tool invalid and said that “The limitations on the protection of personal data arising from the domestic law of the United States on the access and use by US public authorities are not circumscribed in a way that satisfies requirements that are essentially equivalent to those required under EU law,”. Simply put, the mass surveillance by the US public authorities such as NSA means that the data cannot be protected as the EU law requires it to be.

As a result of the complaints made and the recent ruling in the European Court of Justice, the US will be forced to consider a change if they want to continue to play a significant role in the EU market. The US will have to introduce measures to ensure compliance with the Data Protection Law. It is definitely worth saying that it this has not halted the relations between the EU and US in data terms. There are some contracts known as “standard contractual clauses” (SCCs) signed between the EU and the US which have not been outlawed. Microsoft is one of the companies already operating under a SCC, and has confirmed being unaffected by the ruling yesterday. 

The flow of data and personal information is essential and an integral part of the relations between the US and EU, so it is in the best interest of all parties to find a positive path forward. The UK should pay close attention to the path taken as they could find themselves in a similar position come the beginning of 2021, after the end of transition period.

This article is intended for guidance only and must not be relied upon for specific advice.