U.S. officials and tech company executives were scrambling Tuesday to deal with the fallout from a European Court of Justice ruling that tossed out a 15-year-old regulatory workaround that let American companies store Europeans’ personal data outside the E.U.
The June 2000 U.S.-E.U. Safe Harbor Framework formed the legal basis on which thousands of American companies operate in the E.U. without falling afoul of stringent European privacy regulations, and it was unclear Tuesday how traumatic the implications would be.
“We are deeply disappointed in today’s decision from the European Court of Justice, which creates significant uncertainty for both U.S. and EU companies and consumers, and puts at risk the thriving transatlantic digital economy,” U.S. Commerce Secretary Penny Pritzker said in a statement.
The ruling came in a case brought by an Austrian privacy activist, Max Schrems, and followed his unsuccessful attempt to get European privacy regulators to stop Facebook from moving its users’ data to the United States, where, he argued, it would be subject to mass surveillance under the National Security Agency’s PRISM program and other online snooping revealed by mega-leaker Edward Snowden in June 2013.
The Data Protection Commissioner in Ireland, where Facebook has its European headquarters, told Schrems that it couldn’t act on his complaint, because the Safe Harbor requires European regulators to treat U.S. firms that self-certify as complying with the deal as if they were following strict E.U. laws on privacy.
But Tuesday, the European Court of Justice ruled that the secret mass surveillance of the Internet by the NSA invalidates the Safe Harbor agreement, because the self-certifications by U.S. companies can’t be trusted in view of their compelled cooperation with such surveillance.
“Legislation permitting the public authorities to have access on a generalized basis to the content of electronic communications must be regarded as compromising the essence of the fundamental right to respect for private life,” the court said in a statement.
Privacy advocates were jubilant at the victory. “This judgement draws a clear line,” Schrems said in a statement. “It clarifies that mass surveillance violates our fundamental rights. Reasonable legal redress must be possible. The decision also highlights that governments and businesses cannot simply ignore our fundamental right to privacy, but must abide by the law and enforce it. This decision is a major blow for US global surveillance that heavily relies on private partners. The judgement makes it clear that US businesses cannot simply aid US espionage efforts in violation of European fundamental rights.”
The ruling means that national data protection regulators can stop U.S. or E.U. companies moving their citizens’ data out of Europe, if they believe it might get treated in ways that violate privacy rights guaranteed under European law, the court said.
Companies might have to store the information they collect from E.U. citizens exclusively within Europe. Worse still is the prospect that different national regulators might rule differently, creating a patchwork of national regulations across the 28-member bloc that companies would have to follow.
The Article 29 Working Group, as the assembly of E.U. member state national privacy and data protection regulators is known, said it would hold immediate consultations, followed by an emergency meeting, to avoid such a contingency.
Nonetheless, industry associations were pretty unanimous in slamming the ruling. It “will negatively impact Europe’s economy, [and] hurt small and medium-size enterprises, and the consumers who use their services, the most,” said Christian Borggreen, international policy director for Computer & Communications Industry Association, which represents U.S. tech giants including Amazon, Facebook, Google and Microsoft.
Many larger U.S. tech companies have already prepared for the ruling, finding alternative ways of legalizing data transfers, but the ruling also threatened to affect nontech U.S. companies that might store human resources records outside Europe and European companies that use non-E.U. based cloud computing services.
In a statement, Facebook noted that there were “a number of … methods prescribed by EU law to legally transfer data to the U.S. from Europe, aside from Safe Harbor.” Nonetheless, the company said it was “imperative that EU and U.S. governments ensure that they continue to provide reliable methods for lawful data transfers.”
That call was echoed by DigitalEurope, a trade association that represents European and U.S. tech firms. “We urgently call on the European Commission and the United States government to conclude their long-running negotiations to provide a new Safe Harbor agreement as soon as possible,” said Peter Olson, DigitalEurope’s president.
Pritzker noted that the U.S. government and the European Commission — the executive authority of the E.U. — were working together on an updated framework.
“We are prepared to work with the European Commission to address uncertainty created by the court decision so that the thousands of U.S. and E.U. businesses that have complied in good faith with the Safe Harbor and provided robust protection of E.U. citizens’ privacy in accordance with the Framework’s principles can continue to grow the world’s digital economy,” she stated.
The Commission made a similar pledge. “In the light of the ruling, we will continue this work towards a new and safe framework for the transfer of personal data across the Atlantic,” Commission Vice President Frans Timmermans told a news conference in Brussels.