US-EU data sharing agreement struck down by the European Court of Justice

Latest privacy litigation involving Facebook and the US-EU Privacy Shield could impact global trade, lawyers say
ECJ, Kirchberg Plateau

European Court of Justice, Luxembourg Shutterstock

A bilateral agreement regarding the transfer of EU data to the US was struck down by the European Court of Justice (ECJ) last week amid concerns about the privacy of personal data that lawyers say could have implications for the future of global trade.

The much-anticipated Schrems litigation, named after the claimant Max Schrems, an Austrian privacy advocate, challenged the validity of a data processing agreement between the EU and the US, called the Privacy Shield.

The litigation, brought in Ireland against that country’s data protection authority, sought to establish what standards of privacy law should be upheld before data is transferred to the US—in this case, Schrems’ Facebook data. It follows earlier 2015 litigation brought by Schrems.

EU law allows data to be transferred to the US, but only if safeguards are in place. Schrems argued that US security laws allowed requests by that country’s intelligence agencies to take priority over fundamental EU rights to personal privacy.

He challenged both the operation of data transfer agreements—Standard Contractual Clauses (SCC) —which are used to transfer personal data to non-EU countries, as well as the bilateral US-EU Privacy Shield agreement, which covers data transfer to the US. 

SCC is used by both major technology companies and small businesses alike, affecting thousands of companies, according to a recent research paper by academics at University College London.

Schrems asked whether access to such data by US security agencies meant that such agreements were illegal under EU law. The ECJ’s response was to say SCC survived, following an earlier advisory opinion, but the Privacy Shield could not and was invalid.

This is because use of the Shield is not configured in such a way as to satisfy the EU’s General Data Protection Regulation (GDPR), in not being limited to what is strictly necessary–a key provision of the rules. 

This, said Mishcon de Reya partner Adam Rose, was “a hugely significant decision” by the EU courts, saying it could shape the future of global trade. He noted that the use of SCC were also qualified if the level of protection provided by a recipient country was inadequate.

“There must now be serious questions as to whether any transfers to the US can be valid,” he concluded.

Likewise, Huw Beverley-Smith, a partner at Faegre Drinker, called the ruling “a very significant decision, although data flows will not stop overnight.”

Businesses that had adopted a “belt and braces” approach in implementing SCC alongside Privacy Shield certification will have some relief, and if they hadn’t, they would swiftly do so, he noted.

However, Beverley-Smith added: “The same fundamental problems [such as] limited redress against access by the US government to personal data, will also apply in practice to SCC.” 

Covington & Burling lawyer Lisa Peets, whose firm appeared for the Business Software Alliance in the case, said the ECJ had struck down the Shield without hearing argument on its merits, which she called “disappointing to many,” though the use of SCC was “huge relief to companies across Europe,” she noted.

Peets said: “Data flows between Europe and the United States are an integral part of the European economy and of the day-to-day lives of millions of European consumers, and the SCCs are the backbone for many of those data transfers.”

For now, firms processing data will need to find an interim solution until EU and US officials concluded a new deal, she noted, saying the EU would “be highly focused on finding a resolution and will be actively working work with the US government to identify a path forward.”

Email your news and story ideas to: