Why you can trust us

Engadget has been testing and reviewing consumer tech since 2004. Our stories may include affiliate links; if you buy something through a link, we may earn a commission. Read more about how we evaluate products.

Europe's top court kills Privacy Shield that allowed US data sharing

It said the law won't protect EU citizens from mass US surveillance.

Marvel Studios

The EU just threw a wrench into transatlantic e-commerce by blocking a key agreement between Europe and the US. Europe’s top court announced that it has effectively invalidated the Privacy Shield that just went into force, saying it won’t adequately protect EU citizens from mass US surveillance.

“The limitations on the protection of personal data arising from the domestic law of the United States... are not circumscribed in a way that satisfies requirements that are essentially equivalent to those required under EU law,” the court wrote. Put more succinctly, the law wouldn’t work because the US allows mass surveillance while the EU favors personal privacy.

The decision affects thousands of companies doing business in Europe, ranging from banks to social media companies like Facebook. They may have to either set up European data hubs or stop doing business in the bloc altogether, pending any renegotiation. However, the ruling only applies to specific types of data and won’t affect “necessary” data transfers like emails, vacation bookings and news site access.

US commerce secretary Wilbur Ross gave a statement saying, in essence, that the US will study the ruling but is simply going to ignore it for now.

We have been and will remain in close contact with the European Commission and European Data Protection Board on this matter and hope to be able to limit the negative consequences to the $7.1 trillion transatlantic economic relationship. The Department of Commerce will continue to administer the Privacy Shield program, including processing submissions for self-certification and re-certification to the Privacy Shield Frameworks and maintaining the Privacy Shield List. Today’s decision does not relieve participating organizations of their Privacy Shield obligations.

The decision was not a huge surprise, as many players felt the new privacy shield was full of holes that could easily be attacked in court. In Europe, privacy activists see the ruling as a victory. It’s known as Schrems II after EU lawyer Max Schrems who helped kill the previous EU/US arrangement known as Safe Harbor, and Schrems himself weighed in.

“It is clear that the US will have to seriously change their surveillance laws, if US companies want to continue to play a major role on the EU market,” he said. “As the EU will not change its fundamental rights to please the NSA, the only way to overcome this clash is for the US to introduce solid privacy rights for all people – including foreigners. Surveillance reform thereby becomes crucial for the business interests of Silicon Valley.”

Businesses, understandably, aren’t so happy. “This decision creates legal uncertainty for the thousands of large and small companies on both sides of the Atlantic that rely on Privacy Shield for their daily commercial data transfers,” said Alexandre Roure from the CCIA tech lobby group. “We trust that EU and US decision-makers will swiftly develop a sustainable solution, in line with EU law, to ensure the continuation of data flows which underpins the transatlantic economy.”