The Grand Chamber at the European Court of Justice
Wolfgang Von Brauchitsch | Bloomberg | Getty Images
A top European court ruled Thursday that companies moving personal user data from the EU to other jurisdictions will have to provide the same protections given inside the bloc.
The ruling could impact how companies transfer European users’ data to the United States and other countries, such as the U.K.
The legal battle started back in 2013, when privacy activist Max Schrems lodged a complaint with the Irish Data Protection Commissioner. He argued that, in light of the Edward Snowden revelations, U.S. law did not offer sufficient protection against surveillance by public authorities.
Schrems raised the complaint against the social network Facebook which, like many other firms, was transferring his and other user data to the States.
It reached the European Court of Justice (ECJ), which in 2015 ruled that the then Safe Harbour Agreement, which allowed European users’ data to be moved to the U.S., was not valid and did not adequately protect European citizens.
As a result, companies operating in Europe switched to Standard Contractual Clauses or SCCs, which ensured they could still move data across the Atlantic. In the meantime, the European Union and the United States developed a new agreement, the Privacy Shield framework, to replace the Safe Harbour agreement.
The ECJ ruled Thursday that these SCCs were a valid way to transfer data, but invalidated the use of the Privacy Shield framework.
In practical terms, this means that non-EU countries, or companies looking to move European users’ data abroad, will have to ensure an equivalent level of protection to the strict European data laws.
“Regarding the level of protection required in respect of such a transfer, the Court holds that the requirements laid down for such purposes by the GDPR (General Data Protection Regulation) concerning appropriate safeguards, enforceable rights and effective legal remedies must be interpreted as meaning that data subjects whose personal data are transferred to a third country pursuant to standard data protection clauses must be afforded a level of protection essentially equivalent to that guaranteed within the EU by the GDPR,” the court said Thursday.
GDPR regulation, introduced in 2018, has allowed European users to have a stronger say over how companies use their information.
“In those circumstances, the Court specifies that the assessment of that level of protection must take into consideration both the contractual clauses agreed between the data exporter established in the EU and the recipient of the transfer established in the third country concerned and, as regards any access by the public authorities of that third country to the data transferred, the relevant aspects of the legal system of that third country,” the court added.