EU rejects US data sharing agreement over privacy concerns
Handling European customer data is about to become more difficult for US businesses
The highest court in Europe has struck down the EU-US Privacy Shield over concerns that the agreement leaves the data of European customers too exposed to US government surveillance.
The agreement, which has been in place since 2016, allows companies operating in the EU to transfer data back to the US, and over 5,000 companies currently operate under its terms.
In a press release, the Court of Justice of the European Union (CJEU) explained why it came to the decision to strike down the Privacy Shield, saying:
“In the view of the Court, the limitations on the protection of personal data arising from the domestic law of the United States on the access and use by US public authorities of such data transferred from the European Union to that third country, which the Commission assessed in Decision 2016/1250, are not circumscribed in a way that satisfies requirements that are essentially equivalent to those required under EU law.”
Privacy Shield
Before Privacy Shield was put into effect, the Safe Harbor agreement governed how EU customer data was shared between Europe and the US. However, just as it did with the agreement that replaced it, the CJEU invalidated Safe Harbor in 2015 after a privacy advocate from Australia named Maximillian Schrems challenged it in court.
Now that the CJEU has struck down the EU-US Privacy Shield, US companies operating in Europe or handling the data of European customers will either have to negotiate new individual sets of contractual terms and conditions called Standard Contract Clauses (SCC) with the EU or just stop moving data from European operations back to the US.
While the ruling applies to data that is moved to US servers for internal reasons, it does not affect “necessary” data transfers which occur when Europeans use online services located in the US.
US tech giants including Microsoft, Facebook and others responded to the CJEU’s ruling by assuring their customers that their European operations would not be significantly changed, as many already use SCCs. For instance, Microsoft’s Julie Brill explained in a blog post that commercial and public sector customers would not be affected by the fact that the Privacy Shield had been invalidated, saying:
“We want to be clear: if you are a commercial or public sector customer, you can continue to use Microsoft services in compliance with European law. The Court’s ruling does not change your ability to transfer data today between the EU and U.S. using the Microsoft cloud.”
Via Ars Technica
After working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to the best way to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home.