Max Schrems has become quite the thorn in the side of United States business, and it’s just gotten worse.
The European Court of Justice today struck down the EU-US Privacy shield, one of the two primary methods by which European companies can transfer personal information of EU citizens to the United States. Otherwise, under Europe’s strict privacy laws, personal information cannot be transferred to the United States due to US laws requiring disclosure of data for civil litigation, law enforcement, and national security purposes. Those US laws conflict with the rights granted to EU citizens under the European General Data Protection Regulation (GDPR).
The alternative, standard or “model” contractual clauses, are both unwieldy and not terribly well suited to many kinds of data transfer. They also impose risks and obligations which are unpalatable to many US companies, particularly those involving large amounts of data. More importantly, those are also under fire, given that certain of the provisions in those contracts conflict with US law and are not enforceable as written.
This is the second victory for Mr. Schrems, an Austrian privacy advocate whose first lawsuit challenging the sufficiency of the Safe Harbor arrangement between the United States and the EU, was struck down in 2015.
Venus Wounded by a Rose’s Thorn by Marco Dente, Courtesy of the Cleveland Museum of Art, Public Domain