The European Court of Justice prohibits companies from transferring personal information of EU citizens to America. The EU Commission has to improve its rules – but above all hope for the USA.

Personal data may only be transferred from Europe to the United States if it is more effectively protected there than previously against access by the American security authorities. This follows from a judgment of the European Court of Justice (ECJ) on the data transfer from the Irish Facebook subsidiary to the United States.


The CJEU contested the so-called Privacy Shield, i.e. the protective shield agreement agreed between the EU and the USA in 2016, which should serve as a guarantee for smooth data transfer. According to the ECJ, this protective shield also does not offer sufficient protection for EU citizens against surveillance – like the Safe Harbor Agreement, which the ECJ also tipped over earlier.

In both cases, the Austrian data protection activist Max Schrems had sued. It’s about programs like Prism or Upstream, made famous by Edward Snowden’s revelations. With this, US authorities are tapping into data cables and accessing both metadata and content. According to the CJEU, the corresponding US regulations do not provide EU citizens with adequate legal protection to defend themselves against surveillance measures.

With its ruling, the ECJ also ensures beyond the “Privacy Shield” that European data protection standards must be observed when transferring data from Europe to the USA. In practice, the much more important way is data transmission using so-called “standard contract clauses”. Facebook essentially relies on such clauses – a system of contractual guarantees based on a decision of the EU Commission.


“Appropriate level of protection”

The Court itself does not contest this decision. However, it also makes it clear that an “adequate level of protection” must also be ensured for this variant of data transfer, which essentially corresponds to the fundamental rights guarantees of the European Union. Because access by the US authorities to data stocks is permitted by law and can therefore hardly be excluded by contract, national data protection experts – such as the Irish data protection agency responsible for Facebook – could now stop the transfer.

The supervisory authorities are obliged to suspend the transmission if the clauses in the target country are not complied with and data protection at EU level is not guaranteed. Data transfer is still possible without a protective shield and without clauses – but under clearly restricted conditions.

The EU Commission is now apparently primarily focusing on modernizing the standard contractual clauses. Work on this has been going on for some time, said EU Justice Commissioner Didier Reynders; He did not give details. Everything will be done to fully implement the judgment. Commission Vice-President Věra Jourová did not hide the fact that she would like to see much stricter safeguards in favor of EU citizens in the USA – but the EU cannot change US laws. They are in contact with the US government.