EU bans key data transfer pact in rebuke to US surveillance

LUXEMBOURG • The European Union’s (EU) top court issued a stinging rebuke of potential US surveillance, striking down the so-called Privacy Shield, a key method to transfer data across the Atlantic.

Yesterday’s landmark decision means thousands of companies that ship commercial data across the Atlantic risk turmoil in their day to day activities.

Still, the court did approve another system to transfer data known as called Standard Contractual Clauses.

“The limitations on the protection of personal data arising from the domestic law of the US on the access and use by US public authorities such data transferred from the EU” mean EU citizens data isn’t safe, the EU Court of Justice said in a decision yesterday. The ruling can’t be appealed.

The controversy stretches back to 2013, when former contractor Edward Snowden exposed the extent of spying by the US National Security Agency (NSA).

Privacy campaigner Max Schrems has been challenging Facebook Inc in the Irish courts — where the social media company has its European base — arguing that EU citizens’ data is at risk the moment it gets transferred to the US.

“This decision is based on overreaching US surveillance laws that only protect US persons, but not foreigners,” Schrems’ group NOYB (acronym for “None of your business”) said in statement after the decision.

“These US laws allow the NSA to access personal data transferred from the EU to US tech companies without any individual judicial approval or redress options for non-US users.”

The EU top court in surprise decision in 2015 struck down an earlier trans-Atlantic data transfer system, called Safe Harbor, over concerns that US spies could get unfettered access to EU data.

Facebook warned ahead of yesterday’s ruling that similar economic turmoil would be in store if the court does the same.

What’s changed since the EU court’s 2015 ruling is that the bloc has passed one of the strictest data protection laws, the General Data Protection Regulation.

This gives watchdogs unprecedented powers, raising potential fines for companies to as much as 4% of global annual sales. The Privacy Shield is also subjected to annual EU-US reviews. — Bloomberg