Europe’s highest court today struck down the agreement by which companies operating in the EU are allowed to transfer data to the United States. The court ruled that the agreement leaves European customers’ data too exposed to US government surveillance.
The agreement, known as Privacy Shield, has been in place since 2016, and more than 5,000 companies operate under its terms. Boiled down, the Court of Justice of the European Union (CJEU) ruled that US law is too weak to protect EU citizens’ data to the extent EU law demands. As the court put it in a press release (PDF):
The limitations on the protection of personal data arising from the domestic law of the United States, on the access and use by US public authorities of such data transferred from the European Union… are not circumscribed in a way that satisfies requirements that are essentially equivalent to those required under EU law.
As a result of the case, US companies doing business in Europe or handling data from European clients will either have to negotiate new individual data-handling arrangements, called Standard Contract Clauses (SCC), with the EU or stop porting data from European operations into the US. The ruling applies to data that companies such as Facebook move around to US servers for internal reasons, but it does not affect “necessary” data transfers, such as those that take place when someone in Europe sends an email to a recipient in the US, books a flight or a hotel on a US website, or does something equally mundane.