- The Court held that data privacy "must be afforded a level of protection essentially equivalent to that guaranteed within the EU by the GDPR."
- One of the most important legal problems in this field is the cross-border nature of the Internet.
- Sharmes also filed a lawsuit against the previous US-EU privacy agreement, known as Safe Harbor, invalidating it.
On Thursday, the European Court of Justice in Luxembourg struck down the EU-US “Privacy Shield” agreement. The ECJ ruled Thursday that Standard Contractual Clauses, used by companies operating in Europe, were a valid way to transfer data, but invalidated the use of the Privacy Shield framework.
“Regarding the level of protection required in respect of such a transfer, the Court holds that the requirements laid down for such purposes by the GDPR [General Data Protection Regulation] concerning appropriate safeguards, enforceable rights and effective legal remedies must be interpreted as meaning that data subjects whose personal data are transferred to a third country pursuant to standard data protection clauses must be afforded a level of protection essentially equivalent to that guaranteed within the EU by the GDPR.”
Applicants for personal information must adhere to a set of rules and ensure that this information will not be used for purposes other than the intended purpose. Following the revelations of Edward Snowden, a former US National Security Agency employee, about the agency’s misuse of Internet data around the world, strict regulations were imposed on US government officials and public confidence in US security officials was eroded.
The court added:
“In those circumstances, the Court specifies that the assessment of that level of protection must take into consideration both the contractual clauses agreed between the data exporter established in the EU and the recipient of the transfer established in the third country concerned and, as regards any access by the public authorities of that third country to the data transferred, the relevant aspects of the legal system of that third country.”
Lawyer as a Private Plaintiff
One of the most important legal problems in this field is the cross-border nature of the Internet. For example, an Internet company based in the United States can set up its own servers abroad. That is why the private plaintiff in the “Privacy Shield” case, an Austrian lawyer named Max Schrems, first filed a lawsuit in an Irish court.
He suggested that Facebook Ireland collected his personal information and sent it to the parent company in the United States. The company is required to provide personal data of its users to the US security services.
The Irish High Court has left it to the European Court of Human Rights to consider whether the “privacy shield” complies with European law. In 2015, Sharmes also filed a lawsuit against the previous US-EU privacy agreement, known as Safe Harbor, invalidating it.
“What we are seeing here looks suspiciously like a privacy trade war, where Europe is saying their data standards can be trusted, but those in the U.S. cannot. We predict that the outcome could be more Europe data localization, with more customer data staying in Europe as a result,” said Jonathan Kewley, co-head of technology at law firm Clifford Chance.