CJEU ruling strikes down privacy agreement between EU and US

The decision  will create an enormous headache for the US government, as well as Facebook and national data-protection regulators across the globe
CJEU ruling strikes down privacy agreement between EU and US
Mac Schrems: The long-awaited decision on the privacy agreement between the US and EU is named after the Austrian privacy activist. Picture: Courtpix

A seismic decision at the Court of Justice of the European Union (CJEU) has seen the landmark privacy agreement between the US and EU struck down.

It has also called into question data transfer agreements between the European Union and all other countries throughout the world.

The long-awaited decision, colloquially known as Schrems II after Austrian privacy activist Max Schrems who took the initial action which led to this decision, will create an enormous headache as to its interpretation for the US government, Facebook, thousands of private enterprises involved in data transfer, and national data protection regulators across the globe.

Ireland’s Data Protection Commission, the effective winner in today’s case as it was its High Court challenge which had been referred to Europe for ruling upon, will be particularly heavily affected given its status as ‘one-stop-shop’ for regulating tech giants accessing the EU like Facebook, Apple, and Twitter.

The decision has, on the surface, two main strands - the invalidation of the EU’s data agreement with the US, known as Privacy Shield, and a ruling that specific individual data agreements between the EU and other countries, known as Standard Contractual Clauses (SCCs), will need to be examined individually by the world’s data authorities.

“The limitations on the protection of personal data arising from the domestic law of the United States on the access and use by US public authorities of such data transferred from the European Union to the United States, which the Commission assessed in the Privacy Shield Decision, are not circumscribed in a way that satisfies requirements that are essentially equivalent to those required, under EU law,” the European court said in its judgement.

The judgement was welcomed across the spectrum within Ireland, with the most significant statement of chagrin emanating from the US, with Secretary of State for Commerce, Wilbur Ross, professing himself “deeply disappointed” by the ruling.

“We are still studying the decision to fully understand its practical impacts,” he said. 

We have been and will remain in close contact with the European Commission and European Data Protection Board on this matter and hope to be able to limit the negative consequences to the $7.1 trillion transatlantic economic relationship that is so vital to our respective citizens, companies and governments.

European Commissioner for Justice, Didier Reynders, said the EC would do “everything possible to comply” with the decision, but echoed the US view that more time is needed to consider the judgement.

Facebook said it “welcomed” the decision, saying it serves to “confirm the validity” of SCCs for transfers of data, a suggestion vigorously challenged by a euphoric Mr Schrems, who said “it seems the court has followed us in all aspects”. He said the ruling represents “a total blow to the Irish DPC and Facebook”.

Despite this, the DPC itself said it “strongly welcomes” the ruling, describing it as “firmly endorsing the substance of the concerns” it had expressed regarding the protection afforded to EU citizens when transferring data to the US.

The decision will now be referred back to the Irish High Court which will have to make its own decision on the Schrems case before it can be acted upon by data regulators. That decision is likely to be arrived at via an emergency sitting before the end of the summer legal term on July 31.

More in this section

Lunchtime News Wrap

A lunchtime summary of content highlights on the Irish Examiner website. Delivered at 1pm each day.

Sign up