The EU Court of Justice has struck down the so-called Privacy Shield data protection arrangements between the political bloc and the US, triggering a fresh wave of legal confusion over the transfer of EU subjects' data to America.
Austrian privacy activist Max Schrems brought the latest edition of the long-running case (informally known as Schrems II) in 2015, complaining that Ireland's data protection agency wasn't preventing Facebook Ireland Ltd (as EU representative of the Zuckerberg empire) from beaming his data to the US.
Once his data was in the US, Schrems argued, no EU-style data privacy controls were legally enforceable by him or anyone else in that situation. America's plethora of three-letter spy agencies could then help themselves to it in various legal and not-so-legal ways, at least under EU rules.
Today the EU Court of Justice ruled that the now-dead Privacy Shield arrangement – itself a replacement of Safe Harbor – "does not grant data subjects actionable rights before the courts against the US authorities," meaning EU citizens could not challenge a breach of the arrangement by a company in the US handling EU personal data.
The court said that Section 702 of the US Foreign Intelligence Surveillance Act (explained here by the Electronic Frontier Foundation), when read together with a US presidential order and a policy directive on data collection by spies, failed to meet EU data protection requirements.