16 July 2020 10:39
FILE PHOTO: A 3D-printed Facebook logo is seen placed on a keyboard in this illustration By Foo Yun Chee and Marine Strauss LUXEMBOURG (Reuters) - Europe's top court on Thursday rejected the validity of a mechanism used by thousands of companies to send data to the United States, backing concerns about U.S. surveillance raised by privacy activist Max Schrems in his clash with Facebook. The EU-U.S. Privacy Shield was set up in 2016 to protect the personal data of Europeans when it is transferred across the Atlantic for commercial use. The same court also rejected its predecessor, known as Safe Harbour, in 2015. "In respect of certain surveillance programmes, those provisions do not indicate any limitations on the power they confer to implement those programmes, or the existence of guarantees for potentially targeted non-U.S. persons," the EU Court of Justice said. "It looks perfect," Schrems said in a spontaneous reaction when the ruling hit headlines at his office in Vienna.
Schrems shot to fame for winning a legal battle in 2015 to overturn Safe Harbour. EU concerns about data transfers mounted after former U.S. intelligence contractor Edward Snowden's revelations in 2013 of mass U.S. surveillance. The Irish Data Protection agency, which is Facebook's lead regulator, took the case to the Irish High Court, which then sought guidance from the CJEU. Last December, a CJEU adviser said such data transfer mechanisms were legal with the caveat that they could be blocked if countries receiving such information fail to meet European data protection standards. In the EU, the General Data Protection Regulation (GDPR), introduced in 2018, seeks to increase individuals' control over their personal information. Companies that fail to comply are liable to fines of up to 4% of global annual turnover. (Reporting by Foo Yun Chee; Editing by David Clarke) EU court invalidates data-sharing pact with US A European Union high court on Wednesday, July 15, 2020 ruled in favor of technology giant Apple and Ireland in its dispute with the EU over 13 billion euros, 15 billion US dollars in back taxes. less File - In this Oct. 5, 2015 file photo, a woman walks by the entrance to the European Court of Justice in Luxembourg. A European Union high court on Wednesday, July 15, 2020 ruled in favor of technology giant... more Photo: Geert Vanden Wijngaert, AP Photo: Geert Vanden Wijngaert, AP Image 1 of / 1 Caption Close EU court invalidates data-sharing pact with US 1 / 1 Back to Gallery LONDON (AP) — The European Union's top court ruled Thursday that an agreement that allows big tech companies to transfer data to the United States is invalid, and that national regulators need to take tougher action to protect the privacy of users' data. The ruling to invalidate Privacy Shield will complicate the transfer of a lot of data outside the EU, and it could require regulators to vet any new transfers due to concerns that the U.S. government can snoop on people's data for national security reasons. It will no longer simply be assumed that tech companies like Facebook will adequately protect the privacy of its European users' data when it sends it to the U.S. Rather, the EU and U.S. will likely have to find a new agreement that guarantees that Europeans' data is afforded the same privacy protection in the U.S. as it is in the EU, which has some of the toughest standards in the world. The case began after former U.S. National Security Agency contractor Edward Snowden revealed in 2013 that the American government was snooping on people's online data and communications. The revelations included detail on how Facebook gave U.S. security agencies access to the personal data of Europeans. Austrian activist and law student Max Schrems that year filed a complaint against Facebook, which has its EU base in Ireland, arguing that personal data should not be sent to the U.S., as many companies do, because the data protection is not as strong as in Europe. Though the legal case was triggered by concerns over Facebook in particular, it could have far-reaching implications for all tech companies that move large amounts of data over the internet if regulators find that U.S. privacy protections are insufficient and block the transfers. Things like email, flight and hotel reservations would not be affected. Schrems said the ruling amounted to a victory for privacy. "The U.S. will have to engage in serious surveillance reform to get back to a 'privileged' status for US companies," he wrote on Twitter. Companies use legal mechanisms called standard contractual clauses that force businesses to abide by strict EU privacy standards when transferring messages, photos and other information. Companies like Facebook routinely move such data among its servers around the world, and the clauses — stock terms and conditions — are used to ensure the EU rules are maintained when data leaves the bloc. The Court of Justice of the EU ruled Thursday that those clauses are still valid. However, it declared invalid the umbrella agreement between the U.S. and EU on data transfers, called Privacy Shield. The court noted in its rulings that there are "limitations on the protection of personal data arising from the domestic law of the United States on the access and use by U.S. public authorities of such data transferred from the European Union to that third country." Alexandre Roure, a senior manager at Computer & Communications Industry Association, said the decision "creates legal uncertainty for the thousands of large and small companies on both sides of the Atlantic that rely on Privacy Shield for their daily commercial data transfers. "We trust that EU and U.S. decision-makers will swiftly develop a sustainable solution, in line with EU law, to ensure the continuation of data flows which underpins the trans-Atlantic economy."