Information Insecurity

Last July, the European Union’s Court of Justice struck down a 2016 agreement that made it possible to transfer personal data from Europe to the United States. The Court of Justice, unlike the more famous European Court of Human Rights, usually concerns itself with interpreting prosaic matters of European law. Perhaps because of this, the 2020 decision received little media attention, especially in the United States. Yet the ruling has potentially devastating effects on transatlantic trade, as well as serious national security and privacy implications.

EU law permits personal data to leave any of its 27 member states only under certain conditions, the most important being that the country receiving the data provides “adequate” protections for its privacy. Historically, the European Commission—the administrative arm of the EU—has been responsible for determining whether protection is adequate. But so few countries have been willing to submit their laws for review by the commission that other means of determining adequacy have assumed greater importance. One of these involves agreements between the EU and other nations; another employs “standard contractual clauses” that companies in other countries adopt. Both approaches are designed to protect the data of Europeans while in the hands of a company in a non-EU country.

In the July decision, the Court of Justice ruled that because U.S. national security laws allow broad government access to data held by private companies, the United States does not adequately protect the data of EU citizens. The order invalidated an agreement between the EU and the United States known as the Privacy Shield, under which more than 5,300 American companies transfer data every day. The court also instructed national data protection commissioners to determine whether contracts with individual U.S. companies should be invalidated for the same reason.