The European Union's highest court ruled Tuesday that an agreement that allows companies to freely transfer data to the U.S. is invalid as it does not adequately protect consumers. The verdict could have far-reaching implications for companies operating in Europe. It does not ban the transfer of data but will allow national authorities to review what kinds of information companies want to send to the U.S., possibly complicating business.
The ruling comes from a case that Austrian law student Max Schrems brought following revelations two years ago by former U.S. National Security Agency contractor Edward Snowden about the NSA's surveillance programs.
Schrems complained to the data protection commissioner in Ireland, where Facebook has its European headquarters, that U.S. law doesn't offer sufficient protection against surveillance of data transferred by the social media company to servers in the United States.
Irish authorities initially rejected his complaint, pointing to a 2000 decision by the EU's executive Commission that, under the so-called "safe harbor" agreement, the U.S. ensures adequate data protection.
The agreement has allowed for the free transfer of information by companies from the EU to U.S. It has been seen as a boost to trade since, absent such a deal, swift and smooth data exchange over the Internet would be much more difficult.
On Tuesday, the European Court of Justice ruled that the data sharing pact is invalid. It said that the "safe harbor" deal enables interference by U.S. authorities with fundamental rights and contains no reference either to U.S. rules to limit any such interference or to effective legal protection against it.
The court said the effect of the ruling is that the Irish data commissioner will now be required to examine Schrems' complaint "with all due diligence."
Once it has concluded its investigation, the authority must "decide whether ... transfer of the data of Facebook's European subscribers to the United States should be suspended on the ground that that country does not afford an adequate level of protection of personal data," the court said in a summary of its ruling.
In a new statement, the European Commission's first vp Frans Timmermans said the ruling "confirms the need of having robust data protection safeguards in place before transferring citizens' data."
He added, "We have already been working with the American authorities to make data transfers safer for European citizens. In the light of the ruling, we will continue this work towards a renewed and safe framework for the transfer of personal data across the Atlantic. In the meantime, transatlantic data flows between companies can continue using other mechanisms for international transfers of personal data available under EU data protection law."
After the ruling a Facebook spokesperson said, "This case is not about Facebook," adding, "It is imperative that EU and US governments ensure that they continue to provide reliable methods for lawful data transfers and resolve any issues relating to national security."
Schrems said he hoped the ruling will be a milestone for online privacy.
"This decision is a major blow for U.S. global surveillance that heavily relies on private partners," Schrems said in a statement. "The judgement makes it clear that U.S. businesses cannot simply aid U.S. espionage efforts in violation of European fundamental rights."
However, he noted that the ruling doesn't bar data transfers from the EU to the U.S., but rather allows national data protection authorities to review individual transfers.
"Despite some alarmist comments I don't think that we will see major disruptions in practice," Schrems said.
The American Chamber of Commerce’s EU managing director Susan Danger is one of those alarmists, warning in a statement that the decision would jeopardize the free flow of data and, worse, "compromise the EU economic recovery and negatively impact the Commission’s goal to create a Digital Single Market.”
Danger added, "US and EU global companies depend on communications networks to deliver services to customers, manage global supply chains and run their operations. By immediately invalidating Safe Harbor, international business could be severely disrupted unless the EU Institutions and Data Protection Authorities offer alternative mechanisms and a reasonable transition period. Otherwise, the judgement could have far-reaching repercussions for consumers, employers and employees.”
Sophie In't Veld, a leading Liberal lawmaker in the European Parliament, welcomed the ruling and called the "safe harbor" decision "a travesty of legality."
"We need clear rules to govern the transfer of personal data to the U.S. and other non-EU countries," she said. "But they must be legally watertight, provide real and meaningful protection, and there must be proper enforcement."