Luxembourg: In a major blow to companies transferring data of European Union citizens to the US, Europe’s top court struck down the validity of EU-US Privacy Shield in a ruling on Thursday.
The ruling deprives these companies of one of the flagship data transfer mechanisms.
The European Court of Justice in its ruling said that the General Data Protection Regulation (GDPR) provides that the transfer of such data to a third country may, in principle, take place only if the third country in question ensures an adequate level of data protection.
“The Court of Justice invalidates Decision 2016/1250 on the adequacy of the protection provided by the EU-US Data Protection Shield,” said the ruling, suggesting that the protections provided under EU-US Privacy Shield are not enough to safeguard the interest of the EU citizens.
The privacy issue surrounding the case was initially raised by Maximillian Schrems, an Austrian privacy advocate, who has been a Facebook user since 2008.
As in the case of other users residing in the European Union, some or all of Schrems’s personal data is transferred by Facebook Ireland to servers belonging to Facebook Inc. that are located in the US, where it undergoes processing.
Schrems claimed that the US does not offer sufficient protection of data transferred to that country.
With the the European Court of Justice now striking down the EU-US Privacy Shield, companies will now have to sign standard contractual clauses, non-negotiable legal contracts drawn up by Europe, the BBC reported.
The court was of the view that these contracts are valid.