EU Court Says Data-Transfer Pact With U.S. Violates Privacy
Decision will affect about 4,500 companies that move, store personal data
The European Union’s highest court on Tuesday struck down a trans-Atlantic pact used by thousands of companies to transfer Europeans’ personal information to the U.S., throwing into jeopardy data traffic that underpins the world’s largest trading relationship.
In a victory for privacy advocates, the European Court of Justice ruled that national regulators in the EU can override the 15-year-old “Safe Harbor” pact used by about 4,500 companies, including Apple Inc. and Alphabet Inc.’s Google, because it violates the privacy rights of Europeans by exposing them to allegedly indiscriminate surveillance by the U.S. government.
The decision now sets off a costly effort by companies and privacy lawyers to preserve companies’ ability to transfer Europeans’ personal data to the U.S. before regulators move in with fines or orders to suspend data flows. Hanging in the balance is billions of dollars of trade in the online advertising business, as well as more quotidian tasks such as storing human-resources documents about European colleagues.
U.S. and European regulators are negotiating an updated Safe Harbor agreement, but the timetable is unclear.
Many large technology companies, including Alphabet Inc., Amazon.com Inc., Facebook Inc. and Microsoft Corp., say they already have set up backup legal mechanisms in a bid to avoid clashes with regulators.
For instance, Alphabet’s Google is expanding the size of its data center in Belgium and is building one in the Netherlands that should come online in the first quarter of 2016. It also has data centers in Finland and Ireland.
However, smaller companies may find it prohibitively expensive to build their own European facilities or pay companies that already have them, said Chris Babel, chief executive of TRUSTe, which advises startups on data-protection laws. Setting up servers in Europe could double operations costs, he said.
EU law provides for other ways to transfer personal data legally. Among them are so-called model contracts, which use language published by European officials. A spokeswoman for Amazon said in a statement that Amazon Web Services, the retailer’s cloud-computing division, had already obtained approval from the EU for model contracts.
Another option would require companies to appeal to individual national regulators in Europe, a process that could take years, said Harriet Pearson, a partner at law firm Hogan Lovells and a former chief privacy officer for IBM.
“Losing Safe Harbor would be hugely disruptive to all sorts of businesses,” said an official at a U.S.-based tech company that provides cloud services. “It would disrupt our products for customers. That’s the bottom line.”
In force since 2000, the data framework until now has allowed companies based in the U.S. to store personal data about Europeans—for instance, a social-media profile or payroll information—on U.S.-based computer servers without running afoul of Europe’s strict privacy rules. In return, the companies pledge to abide by a series of EU principles, enforced by the U.S. Federal Trade Commission.
Tuesday’s decision doesn’t order an immediate end to those personal-data transfers. It rules that national regulators have the right to investigate and suspend them if they don’t provide sufficient protections, creating new legal risks for companies.
“We are deeply disappointed in today’s decision,” said U.S. Secretary of Commerce Penny Pritzker, adding it “puts at risk the thriving trans-Atlantic digital economy.”
The court’s ruling stems from a complaint lodged in 2013 by Austrian privacy activist Max Schrems over Facebook’s compliance with EU data-privacy rules. In his charge filed to the Irish data-protection authority—the U.S. social-media company’s lead regulator in Europe—Mr. Schrems claimed allegations by former U.S. National Security Agency contractor Edward Snowden showed Facebook wasn’t sufficiently protecting users’ data because it is subject to mass surveillance in the U.S.
When the Irish data-protection authority rejected the complaint, saying it was bound by the Safe Harbor pact, Mr. Schrems appealed to an Irish court, which then asked the European Court of Justice if such a regulator has the power to ignore an EU-wide agreement. In its ruling, the court said the Irish authority not only had the right to investigate, but must do so.
The Irish Data Protection Commissioner said Tuesday it would move quickly to work with other privacy regulators to establish how to implement the ruling.
Privacy activists hailed the decision, saying that the agreement should have been scrapped long before the Snowden revelations because companies weren’t properly complying with the rules.
“The message is clear that mass surveillance isn’t possible and against fundamental rights in Europe,” Mr. Schrems said after the ruling.
Trade groups for large Internet companies said the ruling could have stiff costs. They argue that it will hit small businesses because they don’t have the legal resources necessary to adopt other data-transfer methods and fend off possible complaints that might stem from them.
“We expect that a suspension of Safe Harbor will negatively impact Europe’s economy, [and] hurt small and medium-size enterprises, and the consumers who use their services, the most,” said Christian Borggreen, international policy director for the Computer & Communications Industry Association, which represents companies including Amazon, Facebook, Google and Microsoft.
The decision could also undermine efforts by the EU and U.S. to reach an updated data agreement to address concerns European officials raised after the 2013 claims of U.S. spying. Those officials have been toiling to reach a new accord that limits surveillance access to Europeans’ data, but now national regulators will have the ability to second-guess them.
That is already happening. Hamburg’s data-protection authority said Monday that national regulators should be involved in negotiations with the U.S., because only such cooperation could “ensure that the results will provide an adequate level for the protection of privacy and the fundamental right of data protection.”
The European Commission, the EU’s executive arm, said Tuesday that it has already started discussing the ruling with national privacy regulators in Europe. A group representing the regulators said they would also shortly meet to coordinate their response.
Ms. Pritzker, the commerce secretary, said the U.S. is prepared to work with officials to release an updated Safe Harbor agreement as soon as possible. EU officials on Tuesday, however, declined to provide a concrete time line on when a new pact could be finished.
The need for a new agreement became more urgent after a top court adviser’s nonbinding recommendation to invalidate the pact two weeks ago.
Yves Bot, an advocate general at the court, had said the agreement should be ditched because “mass, indiscriminate surveillance” by the U.S. suggests that, when Europeans’ data flows there, it isn’t sufficiently protected. Europeans’ rights to privacy and protection of personal data are written into EU law.
U.S. officials have hit back against the advocate general’s opinion for resting on what they claimed were false assumptions about American surveillance practices. Washington said the Prism program, cited in the adviser’s opinion, is geared toward specific foreign intelligence targets and isn’t used to cull data without a purpose.