US-EU Privacy Shield data-sharing pact invalidated over surveillance fears

Europe's top court has ruled that the mechanism doesn't provide adequate protection to European citizens when their data is transferred to the US.

Katie Collins Senior European Correspondent
Katie a UK-based news reporter and features writer. Officially, she is CNET's European correspondent, covering tech policy and Big Tech in the EU and UK. Unofficially, she serves as CNET's Taylor Swift correspondent. You can also find her writing about tech for good, ethics and human rights, the climate crisis, robots, travel and digital culture. She was once described a "living synth" by London's Evening Standard for having a microchip injected into her hand.
Katie Collins
2 min read

The court's decision could cause havoc for US tech companies operating in Europe.


Europe's top court struck a blow to companies that rely on transferring data between Europe and the US on Thursday by ruling the Privacy Shield data-sharing agreement invalid.

In the ruling by the European Court of Justice, judges expressed concerns that Privacy Shield certification didn't adequately protect the data of European citizens from US surveillance activities in the same way they're protected in the EU. Essentially, there's no guarantee that privacy protections provided for by law within the EU can be upheld when people's data travels to the US.

"The limitations on the protection of personal data arising from the domestic law of the United States on the access and use by US public authorities of such data transferred from the European Union to the United States, which the Commission assessed in the Privacy Shield Decision, are not circumscribed in a way that satisfies requirements that are essentially equivalent," said the judgment.

The case was brought to the CJEU by lawyer and activist Max Schrems, who has been pursuing cases related to the protection of European citizens' data ever since the Edward Snowdon revelations exposed the extent of US surveillance activities back in 2013. His cases largely pertain to data transfers by Facebook, and start at the Irish court level, as that is where the company's European headquarters are based, before being escalated up the judicial ladder. But the impact of data-sharing agreements is far-reaching, affecting not just social media companies, but banks, law firms and many other types of companies.

Schrems said in a statement that he was happy about the court's decision, and on Twitter called it a "100% win" for privacy. "It seems the court has followed us in all aspects," he said. "This is a total blow to the Irish DPC and Facebook. It is clear that the US will have to seriously change their surveillance laws, if US companies want to continue to play a major role on the EU market."

Privacy Shield was supposed to replace the previous Safe Harbor agreement, which was also ruled invalid by the court back in 2015, following another case brought by Schrems. Other data-sharing mechanisms do exist, so the internet won't immediately come to a standstill, but it will disrupt the framework most companies rely on to transfer data between the US and the EU.

"It was irresponsible from the European Commission to adopt the Privacy Shield both from a legal and political perspective," said Estelle Massé, senior policy analyst at digital rights group Access Now. "From the get go, the Commission ignored the legal opinion of data protection experts and civil society, who urged against this deal's adoption.

"We hope that, this time, the European Commission draws the necessary conclusions from the ruling and works on all the necessary reforms," she added.

The European Commission is set to hold a press conference later today, during which it will respond to the court's decision.