The EU Commission has suffered a defeat for the second time. The European Court of Justice (ECJ) has overturned the data protection agreement “Privacy Shield” between the EU and the USA, which should regulate the data exchange since 2016 with legal certainty. Five years after the end of the Safe Harbor data protection agreement, his successor suffered the same fate. The CJEU again reminded the EU Commission that it was unable to protect the data of European internet users from being monitored by US secret services. With regard to the authorities’ access options, the data protection requirements are not guaranteed, the judges said. At least since Edward Snowden’s revelations in 2013, it has been clear that secret services like the NSA monitor internet users and skim off massive amounts of data.

The decision of the Luxembourg judges is correct, it strengthens the digital fundamental rights of the citizens and sets clear limits for the surveillance practice of the USA. It is only logical that the data protection shield was declared holey and thus invalid. Because it does not keep what the name promises. In some cases, paragraphs from Safe Harbor were taken over word for word and given a different heading. Privacy Shield does indeed have some improvements over its predecessor. For example, an ombudsman office has been set up, which EU citizens can also turn to when US companies sell their personal data, for example. However, the judges at the ECJ are also not convinced of this measure. They doubt that the watchdogs have enough influence to stand up for the rights of Europeans. This shows the powerlessness of the EU. Data protection law is worth nothing in the United States, and there is no interest in ombudsman agencies that were created only to reassure citizens.


As in the case of Safe Harbor, it was data protection activist Max Schrems who taught the EU Commission this defeat. Schrems first filed a complaint with the Irish data protection authority seven years ago because he wanted to prevent Facebook from sending Ireland to the parent company in California, where the company has its European headquarters.

The EU cannot really be criticized for not caring about the privacy of its citizens. The General Data Protection Regulation (GDPR) has been in effect for two years. Among other things, it regulates that personal data may only be transferred to a third country if the country in question guarantees an adequate level of protection for the data. The GDPR prohibits what Privacy Shield allows. The judges have now clarified that this is not possible. However, the Commission could have come up with it itself, because in 2016 it still stated that it wanted to continuously check and improve Privacy Shield. Apparently that did not happen and there is now a receipt for it.

The EU must act now. You could make a new deal with the United States. However, this only makes sense and, above all, is legally secure if the country changes its surveillance legislation. The United States must ensure data protection for all citizens, not just their own.