In a surprise decision that will have a major impact on trans-Atlantic data transfers, Europe’s top court ruled Thursday that a mechanism used by thousands of companies to send data to the United States is unlawful, citing concerns raised by privacy activist Max Schrems in his ongoing legal battle with Facebook over whether EU citizens’ data can be shared with U.S. authorities under the country’s surveillance laws.
The EU-U.S. Privacy Shield—scrapped as of Thursday—was set up in 2016 to protect the personal data of Europeans when it is transferred across the Atlantic for commercial use. More than 5,300 companies had signed up to the program, which allowed (on paper, at least) validated companies safe access to EU citizens’ data without fear of legal reprisals under EU privacy law.
