July 16 (Reuters) - Europe’s top court on Thursday quashed a transatlantic data transfer deal for the second time because of U.S. surveillance concerns in a ruling that could disrupt thousands of companies that rely on the pact.
The ruling effectively ends the privileged access companies in the United States had to personal data from Europe and puts the country on the same footing as other nations outside the 27-country bloc.
Following are some responses to the ruling:
Max Schrems, Austrian privacy activist:
“One of the biggest takeaways is that we would need fundamental reform in U.S. surveillance laws if U.S. companies still want to have any kind of decent access to the European market.”
“For a lot of the companies it’s going to be a fundamental shift because they basically have to separate U.S. data processing from EU data processing.”
U.S. Commerce Secretary Wilbur Ross:
“While the Department of Commerce is deeply disappointed that the court appears to have invalidated the European Commission’s adequacy decision underlying the EU-U.S. Privacy Shield, we are still studying the decision to fully understand its practical impacts.”
“We have been and will remain in close contact with the European Commission and European Data Protection Board on this matter and hope to be able to limit the negative consequences to the $7.1 trillion transatlantic economic relationship that is so vital to our respective citizens, companies, and governments.”
“We want to be clear: if you are a commercial customer, you can continue to use Microsoft services in compliance with European law. The Court’s ruling does not change your ability to transfer data today between the EU and U.S. using the Microsoft cloud,” Microsoft Chief Privacy Officer Julie Brill said in a blog.
BSA| The Software Alliance (Software industry Lobby group):
“The good news is that SCCs (Standard Contractual Clauses) remain valid. But today’s Privacy Shield decision will create challenges for more than 5,300 businesses, 70% of which are SMEs, across a range of sectors at a time when the ability to send data abroad is crucial to the economic recovery from COVID-19,” said Victoria Espinel, CEO and President.
Tanguy Van Overstraeten, Partner and Global Head of Privacy and Data Protection, at law firm Linklaters:
“For the thousands of businesses registered with the U.S. Privacy Shield, this will be groundhog day; this is the second time the FTC (Federal Trade Commission) operated scheme has been struck down after the Shield’s predecessor – the Safe Harbour – was struck down in 2015.
“Businesses will now look to EU regulators to propose some form of transition to allow them to move away from Privacy Shield without the threat of significant sanctions and civil compensation claims.”
Rafi Azim-Khan, Head of Data Privacy at Pillsbury Law:
“A real challenge is that many businesses had come to rely on the Privacy Shield with its self certification ease of use. Now it has been struck down, these firms will be forced to review all relevant contracts to make sure they are worded properly and include all the relevant EU approved clauses that allow for the international transfer of data.”
“This is a potentially huge spanner in the works. One ray of good news for businesses is that the Court did not invalidate the model contract clauses, so there is still an option for those moving data across the Pond, albeit a lot of work will need to be done reviewing and updating contracts to be sure it is lawful.”
Bridget Treacy, data privacy partner at Hunton Andrews Kurth LLP in London:
“This was an unexpected result. For businesses that transfer personal data from the EU to the US, this represents the worst of all possible outcomes.”
“SCCs, commonly utilised for transfers around the globe, will be subject to much closer scrutiny by data exporters and by EU regulators. Transfers of personal data from the EU to the U.S. will require particular care given comments made by the Court about US surveillance.” (Compiled by Keith Weir; Editing by David Clarke)