Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Privacy

Top Court Scraps EU-US Data Pact in New Blow to Brussels

A crucial online data arrangement between Europe and the US was invalidated on Thursday, as a top EU court decision over Facebook threw trans-Atlantic big tech into legal limbo.

The decision stemmed from a legal complaint by Austrian activist Max Schrems, who in 2015 scuppered a previous EU-US deal on which tech giants depended to do business.

A crucial online data arrangement between Europe and the US was invalidated on Thursday, as a top EU court decision over Facebook threw trans-Atlantic big tech into legal limbo.

The decision stemmed from a legal complaint by Austrian activist Max Schrems, who in 2015 scuppered a previous EU-US deal on which tech giants depended to do business.

“It seems we scored a 100 percent win,” Schrems said on Twitter.

“For our privacy, the US will have to engage in serious surveillance reform to get back to a ‘privileged’ status for US companies,” he said.

The setback comes a day after another European court invalidated a landmark tax bill from the EU against Apple, raising questions over the bloc’s long-running leadership on regulating big tech.

While disappointed, the US and the EU said they would work closely to find a solution and give companies the legal certainty they need.

Schrems’ legal assault began after revelations by Edward Snowden of mass digital spying by US agencies, which the EU court at the time said were incompatible with European norms on privacy.

The previous decision struck down a deal called “Safe Harbour” that allowed for data transfers between Europe and US servers, throwing transatlantic business into chaos. 

Advertisement. Scroll to continue reading.

EU and US officials swiftly drew up its replacement, “Privacy Shield“, which is currently used by thousands of US companies, but has now been invalidated as well.

The judges at the European Court of Justice, the EU’s top court, said that provisions of the pact “do not grant Europeans actionable rights before the courts against the US authorities.”

The court said, however, that another arrangement known as standard contractual clauses, could stand, giving companies an alternative framework.

The case decided on Thursday originally focused on these complex clauses, an EU invention in which companies outside Europe commit to meeting EU laws on data and privacy.

The court said these were backed up by GDPR, the EU’s strict rules on data privacy that can result in massive fines to companies.

These clauses are however far more legally cumbersome for companies than a bilateral deal such as “Privacy Shield” that the EU has agreed with only 11 countries, including Japan.

During the hearings, judges turned their focus to “Privacy Shield” and a legal advisor to the court warned that it was illegal and not compliant with GDPR.

– ‘Sustainable solution’ –

Schrems’ latest case began in Ireland, the hub for Facebook’s activities in the European Union. The Irish Data Protection Commission referred the complaint to Ireland’s top court, which turned it over to the judges in Luxembourg.

A top Brussels official told AFP that the EU and US would work “very closely” on trying to agree on next steps, though he did not say whether this would mean a third attempt at agreeing a pact.

“Our ambition is to respond together and figure out ways we can adapt to the decision,” the EU’s Justice Commissioner Didier Reynders said.

US Commerce Secretary Wilbur Ross said that while Washington was “deeply disappointed” by the court’s decision, the US was in close contact with the Europe to “limit the negative consequences”.

CCIA, the lobby for US big tech, criticised the decision, “which creates legal uncertainty for the thousands of large and small companies on both sides of the Atlantic”.

“We trust that EU and US decision-makers will swiftly develop a sustainable solution, in line with EU law, to ensure the continuation of data flows which underpins the transatlantic economy,” CCIA added.

Lawyers and companies said that the effects on online business would be limited, given that the contractual clauses had survived the court’s ruling.

“We want to be clear: if you are a commercial customer, you can continue to use Microsoft services in compliance with European law,” said Julie Brill, a vice president at the US software giant.

She said Microsoft servers held “overlapping protections” using both the clauses and Privacy Shield.

Written By

AFP 2023

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join SecurityWeek and Hitachi Vantara for this this webinar to gain valuable insights and actionable steps to enhance your organization's data security and resilience.

Register

Event: ICS Cybersecurity Conference

The leading industrial cybersecurity conference for Operations, Control Systems and IT/OT Security professionals to connect on SCADA, DCS PLC and field controller cybersecurity.

Register

People on the Move

Defense contractor Nightwing has appointed Tricia Fitzmaurice as Chief Growth Officer.

Xage Security has appointed Russell McGuire as CRO and Ashraf Daqqa as VP of the META region.

Solana co-founder Stephen Akridge has been appointed the CEO of data protection firm Cyber Grant.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.