The EU’s Court of Justice has made it very clear that they aim to protect citizen’s data at all costs, and the latest victim is the Privacy Shield data sharing framework between the EU and US.
The CJEU declared today the Privacy Shield data transfer framework invalid because they argue that US state surveillance powers are excessive, and the Privacy Shield does not provide adequate protection.
This ruling has implications for the approximately 5,300 companies who transfer data under the framework of the Privacy Shield, and who no longer have the legal basis to transfer data relating to EU citizens to any third country. The EU has shown it won’t bow to pressure from the NSA, now it is up to the NSA to change their ways.
This ruling has implications for other countries outside the EU, including the UK come Brexit. The UK’s Investigatory Powers Act 2016 for example is already undergoing amendments to bring it in line with EU law, and any future laws will also have to consider the EU’s position in order to adhere to these laws.
How will this play out? Will Privacy Shield rise from the ashes, or will companies need to re-evaluate all their EU-US transfers? Whatever happens it promises to be a fascinating tussle, so watch this space.