The European Court of Justice in Luxembourg (ECJ) has issued a ruling that could threaten the transfer of data on internet users in the European Union to major media companies in the United States.
In a case brought by Austrian privacy campaigner Max Schrems, the court overturned a decision made by the European Commission in 2016, which concerned the US alone.
Schrems first brought a complaint to the data protection authority in Ireland, alleging that his personal data as a Facebook user was being transferred to Facebook in the US for processing, without there being in place sufficient protection of privacy, as demanded by the General Data Protection Regulation (GDPR), a regulation for the protection of data shared with third countries.
The data protection authority rejected his complaint based on a decision of the Commission in 2000, known as the Safe Harbour Decision, which stated that the US had provided sufficient evidence that the data of EU users was adequately protected.
However Schrems went on to bring the case to the ECJ, where the Safe Harbour Decision was annulled on the grounds that the evidence provided by the US was insufficient to reach the conclusion the Commission reached.
The Irish data protection authority then asked Schrems to reformulate his complaint in the light of that ruling, and the case came back to the Irish court and from there to the ECJ.
While that was going on, the Commission took another decision, this one known as the Privacy Shield Decision, which again singled the US out as a safe pair of hands into which to deliver the data of EU users.
Now the ECJ has overturned that decision, ruling that the protections available to users within the EU, including safeguards against misuse of personal information and availability of legal recourse in the case of disputes, are not provided by the Privacy Shield, since the EU has no means to enforce the conditions.
However the ruling against the Privacy Shield Decision does not mean the end of data transfers from the EU to the US. At the same time, the court ruled that another provision of EU law, known as standard contractual clauses, can still allow company to company transfer of data.
But the court also stressed that privacy authorities have the right to suspend or cancel such clauses if protection of the data cannot be ensured. In the case of transfers to the US, that right has fallen into disuse since the Privacy Shield Decision was adopted in 2016.
It is likely that now the Privacy Shield has been taken down, users will demand more scrutiny of contractual clauses from their national authorities.