Jul 16, 2020 - Technology

EU court strikes down landmark transatlantic data privacy pact


Europe's highest court on Thursday blew up the agreement that allows most data transfers between the EU and the U.S., creating uncertainty for the tech firms that rely on the pact and likely sending officials scrambling to come up with a replacement.

Why it matters: Major global tech companies like Facebook, Google and Microsoft send troves of user data across the Atlantic daily. This decision severely complicates the future of those transfers and sends the message that Europe doesn't accept how its citizens' data is handled stateside.

Driving the news: The Court of Justice of the European Union on Thursday morning in Brussels declared invalid Privacy Shield, the agreement that broadly governs transatlantic data transfers for most companies.

  • The court did, however, uphold the terms that tech companies sometimes put in contracts dealing with sending data out of Europe, meaning companies can still rely on such contractual language to transfer data across the Atlantic, as long as data protection authorities don't reject it.

Details: The case, known as “Schrems II,” involves Austrian privacy advocate Max Schrems, who complained that clauses in Facebook’s data contracts don't adequately protect Europeans from government surveillance in the U.S.

  • The court, in striking down Privacy Shield, said such surveillance makes it impossible to ensure that Europeans' data can be sufficiently protected once it enters the U.S., as it inherently collects more data than European law permits and European citizens have no redress if the U.S. government violates their privacy.
  • It's unlikely a U.S.-appointed ombudsperson, as established under Privacy Shield, could force American intelligence agencies to handle Europeans' data differently or would be sufficiently independent from U.S. government interests, the court concluded.

Yes, but: This doesn’t mean companies can’t ship data across the Atlantic ever again, but it will certainly be harder now. It signals diverging values around privacy between the U.S. and the EU, which has been critical of the U.S. over its surveillance practices and failure to pass a comprehensive data privacy law.

  • Both the EU and the U.S. have maintained that Privacy Shield performs well and is supposed to be continually improved upon.
  • Tech trade groups say reeling back the ability to send data internationally would disproportionately hurt small and medium-sized companies.

Flashback: Schrems launched the case that upended the previous agreement governing data flows between the U.S. and Europe, known simply as the Safe Harbor. The U.S. and Europe then came to a new agreement, 2016's Privacy Shield, which is meant to be a “living document” and reviewed yearly.

What they’re saying: "I am very happy about the judgment," Schrems said in a statement. "It is clear that the US will have to seriously change their surveillance laws, if US companies want to continue to play a role on the EU market.... As the EU will not change its fundamental rights to please the NSA, the only way to overcome this clash is for the US to introduce solid privacy rights for all people — including foreigners."

  • Trade group BSA said the decision "creates a challenge for more than 5,300" firms that relied on Privacy Shield, 70% of which, it said, are small and midsized businesses. Jason Oxman, president of fellow tech trade group ITI, called it a "significant setback for all businesses and industries in the U.S. and EU who relied on Privacy Shield."
  • “Today’s decision is nothing short of irresponsible,” said Eline Chivot, senior policy analyst at tech policy think tank ITIF’s Center for Data Innovation. "In the midst of a global pandemic during which global data flows are more vital than ever, it puts all global data transfers from the EU at risk and wreaks havoc on the digital economy."
  • Meanwhile, Microsoft sought to assure customers that there shouldn't be any disruption to their data flows since the court upheld the contractual clauses.

What’s next: U.S. and EU regulators will now be tasked with negotiating a new agreement that can withstand a legal challenge.

  • That may be a tall order, given the existential issues the ruling raises with how Europeans' data gets handled once it enters the U.S.