EU court voids data-sharing pact with US over snooping fears

The European Court of Justice has ruled an agreement that allows thousands of companies to transfer data to the United States is invalid because its Government can snoop on people’s data.

Its decision to invalidate Privacy Shield will complicate business for some 5,000 companies and it could require regulators to vet any new data transfers to make sure Europeans’ personal information remains protected according to the EU’s stringent standards.

It will no longer simply be assumed that tech companies such as Facebook will adequately protect the privacy of its European users’ data when it sends it to the US.

Rather, the EU and US will likely have to find a new agreement that guarantees Europeans’ data is afforded the same privacy protection in the US as it is in the EU.

Privacy activists hailed the court ruling as a major victory, while business groups worried about the potential to disrupt commerce, depending on how the ruling is implemented.

Companies like Facebook routinely move such data among their servers around the world and the practice underpins billions of dollars in business.

“It is clear that the US will have to seriously change their surveillance laws if US companies want to continue to play a major role on the EU market,” said Max Schrems, an Austrian activist whose complaints about the handling of his Facebook data triggered the ruling after years of legal procedures.

He first filed a complaint in 2013 after former US National Security Agency contractor Edward Snowden revealed the US Government was snooping on people’s online data and communications.

The revelations included detail on how Facebook gave US security agencies access to the personal data of Europeans.

Though the legal case was triggered by concerns over Facebook in particular, it could have far-reaching implications not only for tech companies but also businesses in sectors like finance and the auto industry.

Things like email, flight and hotel reservations would not be affected in the short-term, experts say.

Cloud services by providers like Microsoft will also continue, pending any intervention from a regulator.

Companies use legal mechanisms called standard contractual clauses that force businesses to abide by strict EU privacy standards when transferring messages, photos and other information.

The clauses – stock terms and conditions – are used to ensure the EU rules are maintained when data leaves the bloc.

Facebook advertising campaign
Companies such as Facebook routinely move data between servers around the world (Dominic Lipinski/PA)

The court ruled on Thursday that those clauses are still valid in principle but it declared invalid the Privacy Shield agreement over concerns the US can demand access to consumer data for national security reasons.

It said that in cases when there are concerns about data privacy, EU regulators should vet, and if needed block, the transfer of data.

That raises the prospect that EU regulators will block Facebook, for example, from transferring any more European data to the US.

The European Commission said it is studying the ruling and stressed a system is needed to allow data transfers while also protecting privacy.

It said it is in touch with its counterparts in the US on how to proceed.

“I see it as an opportunity to engage in solutions that reflect the values that we share as democratic societies,” European Commission vice-president Vera Jourova said.

US Secretary of Commerce Wilbur Ross said it is “deeply disappointed” by the ruling.

Experts said the full impact on businesses will largely depend on how authorities respond.

“EU regulators will need to adopt a pragmatic approach to enforcement, allowing businesses a period of grace in which to implement alternative arrangements,” Bridget Treacy, data privacy partner at Hunton Andrews Kurth LLP in London, said.

Government surveillance of personal data is something the US in its turn accuses China of doing through tech companies like Huawei.

It highlights the growing importance of data as the basis of modern business and politics globally.

Data drives much of the world’s biggest companies, such as Facebook, Google and Amazon, and is also prized for national security to prevent extremist attacks, for example.

Mining large sets of people’s data has also become crucial to winning elections, such as the use of Facebook data for Donald Trump’s presidential victory in 2016.

Alexandre Roure, a senior manager at Computer & Communications Industry Association, said the decision “creates legal uncertainty for the thousands of large and small companies on both sides of the Atlantic that rely on Privacy Shield for their daily commercial data transfers”.

He added: “We trust that EU and US decision-makers will swiftly develop a sustainable solution, in line with EU law, to ensure the continuation of data flows which underpins the transatlantic economy.”