EU Court Rules Data Transfer Act Invalid

The EU’s top court has ruled that Privacy Shield, an agreement that allows thousands of companies to transfer data to the United States, is invalid because the American government can snoop on people’s data. The ruling will make doing business for around 5,000 companies more difficult, and it could require regulators to vet data transfers to make sure Europeans’ personal information remains protected according to the EU’s standards. The assumption will no longer be that tech companies adequately protect the privacy of European users’ data. The likely result is a new agreement that guarantees them the same privacy protection in the U.S. as they have in the EU. The issue began to take shape after Max Schrems, an Austrian college student, persuaded 40,000 people to join him in contacting Facebook to demand a summary of all the personal data it was holding on them. Facebook sent Schrems a computer disc containing 1,222 pages of information, which Schrems claimed showed that Facebook was routinely collecting data that he had never consented to give, including his physical location, which he assumed was determined from his computer’s unique address identifiers. Facebook was also retaining data he had deleted, Mr. Schrems said. Privacy activists celebrated the July 16 court ruling as a major victory. Businesses say it has the potential to disrupt commerce, depending on implementation. “It is clear that the U.S. will have to seriously change their surveillance laws, if U.S. companies want to continue to play a major role on the EU market,” said Schrems.