EU Court Strikes Down US-EU Data Transfer Policy Amid Privacy Concerns

A European Union court has declared that the “limitations on the protection of personal data arising from the domestic law of the United States on the access and use by US public authorities of such data transferred from the European Union… are not circumscribed in a way that satisfies requirements that are essentially equivalent to those required under EU law”.

The transfer of data from the EU to a third country may take place “only if the third country in question ensures an adequate level of data protection”, and the U.S. does not meet such requirements.

This decision was provoked as an Austrian Facebook user noted how his personal data is transferred by Facebook Ireland to servers belonging to Facebook Inc. that are located in the United States. The EU Facebook user lodged a complaint seeking to prohibit such transfers, as the “law and practices in the United States do not offer sufficient protection against access by the public authorities to the data transferred to that country”.

The EU Court of Justice agreed, stating the “level of protection [must be] essentially equivalent to that guaranteed within the EU”, or else the EU shall “suspend or prohibit a transfer of personal data to a third country” in which it is not.

Currently, the U.S. and EU are partner to a “privacy shield“, governing transatlantic data transfer, however, this decision seemingly invalidates the agreement.

U.S. Secretary of Commerce Wilbur Ross commented that the U.S. “is deeply disappointed that the court appears to have invalidated… the EU-U.S. Privacy Shield,” but the U.S. is “still studying the decision to fully understand its practical impacts”.