

EU needs to start enforcing data protection laws properly

After the European Court of Justice (CJEU) handed down another major judgement two weeks ago in the “Schrems 2.0” data protection case, discussion has focused primarily on its potential impact on the well-known companies that gather data and transfer it between the European Union and United States.

Top of the list is Facebook, the company at the centre of both of Max Schrems’ Irish-originating complaints that have now produced decisive and far-reaching judgements from Europe’s highest court.

But there’s a mostly unseen sub-universe of companies in the internet-pervasive adtech industry whose existing business model should lie in a smouldering heap after the Schrems ruling. And that’s a double whammy for the whole structure of what author Shoshana Zuboff has called surveillance capitalism, a debilitating and surreptitious data harvesting structure that fuels the operations of so many companies.

All these pieces interlock. The CJEU ruling is a crowbar that starts to tear them apart. 

Last week, I argued that the true sweep and enormous global impact of this latest decision has yet to be fully recognised.

Much of the response, especially in the US, still centres on the court’s invalidation of the Privacy Shield transatlantic data transfer agreement, and on whether and how private data transfer contracts between parties might suffice. But the judgement makes clear that most data transfers to the US are invalid as long as the US maintains its security laws allowing security and law enforcement access to data.

It’s difficult to imagine the US, or the UK (soon to be in need of a post-Brexit EU data transfer agreement), modifying laws to ameliorate the pervasive surveillance programmes and policies revealed by Edward Snowden. Those disclosures, and the failure of the US to offer the greater transparency required in the EU, fundamentally shaped the judges’ response in both Schrems cases.
