The European Court of Justice has just struck down the EU-US Privacy Shield agreement, which has allowed US companies to transfer EU user data to the USA, on the condition that the data would be dealt with to the same standard required by the GDPR in Europe.
“The Court of Justice invalidates Decision 2016/1250 on the adequacy of the protection provided by the EU-US Data Protection Shield,” the court wrote in a statement, saying that “the requirements of US national security, public interest and law enforcement have primacy, thus condoning interference with the fundamental rights of persons whose data are transferred to that third country”, and that the methods put in place to protect EU citizens’ data in the US, such as an ombudsperson role to handle EU citizens’ complaints, did not meet the required legal standard of ‘essential equivalence’ with EU law.
Microsoft has responded with a statement of its own, reassuring European end-users that business would largely continue as usual, at least in the short term, saying:
Today the Court of Justice of the European Union has issued a judgment relating to a case examining data transfers from the EU.
We want to clarify the impact of this decision for our customers.
We confirm that all our customers can continue to use Microsoft services, in full compliance with European law. The court ruling does not change the ability to transfer data between the EU and the United States using the Microsoft cloud.
For years, Microsoft has provided customers with high levels of protection for both the Standard Contractual Clauses (SCC) and the Privacy Shield for all data transfers. Although today’s ruling invalidated the use of the Privacy Shield, the SCCs remain valid. Our customers are already protected by SCCs for using the Microsoft cloud and related data transfers.
Furthermore, today’s ruling does not change the data flows of our services to Consumers. We transfer data between users, for example, when a person sends email or other online content to another person. We will continue to do so in accordance with today’s decision and with future and further guidelines from the EU data protection authorities and the European Data Protection Board.
In addition to supporting customers who transfer data between the EU and the United States, we will continue to work proactively with the European Commission and the United States government to address the issues raised by the ruling. The Court raised some important arguments that Governments must consider when establishing a data transfer policy between countries. We will continue to do our part by committing ourselves to work with European and American governments and regulators to address these issues. We are confident that the European Commission and the United States government will also work to address these issues and we are grateful that they are actively involved in finding solutions.
We have always worked to improve the level of protection for our customers. We were the first cloud company to work with European data protection authorities for Model Clauses approval in Europe and the first company to adopt new technical standards for the Privacy of Cloud services. We have accepted the Privacy Shield as a successor to Safe Harbor after the cancellation of this model and we have extended the GDPR key rights to our Customers all over the world.
Finally, we will continue to take measures to defend the rights of our customers. We filed a lawsuit to challenge orders that required access to people’s data or to protect our ability to inform users of pending requests, bringing the case to the United States Supreme Court. Thanks to our actions, we have guaranteed greater transparency for our customers, through an agreement that has allowed us to disclose reports on the number of orders required by the United States national security. In addition to establishing new policies within the United States government that limit the use of secrecy orders.
Privacy is a continuous journey, and today’s sentence is not the last word. Our customers can be confident that we will strive to ensure that their data can continue to move through our services. They can also count on the fact that we will continue our work to provide them with greater protection based on the issues raised in today’s ruling and that we will collaborate with governments and those responsible for privacy policies, following the evolution of future decisions.
Microsoft has been working harder than most in trying to meet GDPR requirements in the EU, including setting up local data centres, and is likely well placed to weather the changes which will result from the new ruling.