US-EU data sharing deal struck down by European court

EU judges have struck down the main mechanism to transfer data between the bloc and the US on surveillance concerns, landing a blow to Facebook and thousands of companies that rely on it.

In a statement on Thursday, the judges expressed their concern that data transferred via a process called the Privacy Shield certification “are not limited to what is strictly necessary” when it comes to exposing EU citizens to surveillance in the US.

The European Court of Justice said that “the limitations on the protection of personal data arising from the domestic law of the United States on the access and use by US public authorities (. . .) are not circumscribed in a way that satisfies requirements that are essentially equivalent to those required under EU law”.

The ruling is a major blow to thousands of corporations — including social media companies but also banks, law firms, conglomerates and carmakers — that transfer troves of data between the US and Europe.

But while the court found the mechanisms to be illegal, it also said that so-called standard contractual clauses (SCCs) are valid to transfer personal information from the EU to a third country, so long as the country “ensures an adequate level of data protection.”

Thomas Boue, director-general of Europe, Middle East and Africa policy at the Business Software Alliance, which represents companies including Microsoft, Oracle and IBM, said: “We are relieved that SCCs remain valid, which is a positive outcome. But today’s Privacy Shield decision just removed from the table one of the few, and most trusted, ways to transfer data across the Atlantic.”
