The European Court of Justice overturns a decision to protect the privacy of EU citizens. Existing protective mechanisms are sufficient.
The European Court of Justice (ECJ) has again overturned an EU data protection agreement with the USA. On Thursday, the CJEU invalidated the “Privacy Shield” decision, which is supposed to guarantee the privacy of EU citizens during data transfers. In principle, the Court had no objection to so-called standard contractual clauses for the transfer of data by companies, because adequate protection mechanisms would exist.
The decision was triggered by a legal dispute regarding the transmission of data by the online network Facebook. Austrian data protection activist Maximilian Schrems opposes Facebook in Europe, which is based in Ireland, sharing data with the parent company in the US. He, therefore, asked the Irish data protection officer to suspend all data transfers. Schrems justifies this by saying that the company in the United States is obliged to make data accessible to national authorities such as the Federal Police FBI. However, those affected could not take legal action.
The Irish Supreme Court brought the case to the ECJ. The Court, therefore, had to look again at the level of data protection when transferring data to the United States. In 2015, the Court of Justice in Luxembourg overturned the Safe Harbor Agreement, the predecessor of Privacy Shield. The agreements are designed to protect the fundamental rights of citizens and businesses whose data are exchanged between the EU and the United States.
Before the CJEU, the “Privacy Shield” decision did not last. The judges decided that the requirements for data protection equivalent to Union law would not be met. In the so-called standard contractual clauses, on the other hand, they saw protective mechanisms that “can in practice ensure that the level of protection required by Union law is observed”.