Advertisement

SKIP ADVERTISEMENT

Data Transfer Pact Between U.S. and Europe Is Ruled Invalid

Max Schrems, left, and his lawyer Herwig Hofmann after the ruling at the European Court of Justice in Luxembourg.Credit...Geert Vanden Wijngaert/Associated Press

Europe’s highest court on Tuesday struck down an international agreement that allowed companies to move digital information like people’s web search histories and social media updates between the European Union and the United States. The decision left the international operations of companies like Google and Facebook in a sort of legal limbo even as their services continued working as usual.

The ruling, by the European Court of Justice, said the so-called safe harbor agreement was flawed because it allowed American government authorities to gain routine access to Europeans’ online information. The court said leaks from Edward J. Snowden, the former contractor for the National Security Agency, made it clear that American intelligence agencies had almost unfettered access to the data, infringing on Europeans’ rights to privacy.

The court said data protection regulators in each of the European Union’s 28 countries should have oversight over how companies collect and use online information of their countries’ citizens. European countries have widely varying stances toward privacy.

Data protection advocates hailed the ruling. Industry executives and trade groups, though, said the decision left a huge amount of uncertainty for big companies, many of which rely on the easy flow of data for lucrative businesses like online advertising. They called on the European Commission to complete a new safe harbor agreement with the United States, a deal that has been negotiated for more than two years and could limit the fallout from the court’s decision.

Some European officials and many of the big technology companies, including Facebook and Microsoft, tried to play down the impact of the ruling. The companies kept their services running, saying that other agreements with the European Union should provide an adequate legal foundation.

But those other agreements are now expected to be examined and questioned by some of Europe’s national privacy watchdogs. The potential inquiries could make it hard for companies to transfer Europeans’ information overseas under the current data arrangements. And the ruling appeared to leave smaller companies with fewer legal resources vulnerable to potential privacy violations.

“We can’t assume that anything is now safe,” Brian Hengesbaugh, a privacy lawyer with Baker & McKenzie in Chicago who helped to negotiate the original safe harbor agreement. “The ruling is so sweepingly broad that any mechanism used to transfer data from Europe could be under threat.”

At issue is the sort of personal data that people create when they post something on Facebook or other social media; when they do web searches on Google; or when they order products or buy movies from Amazon or Apple. Such data is hugely valuable to companies, which use it in a broad range of ways, including tailoring advertisements to individuals and promoting products or services based on users’ online activities.

The data-transfer ruling does not apply solely to tech companies. It also affects any organization with international operations, such as when a company has employees in more than one region and needs to transfer payroll information or allow workers to manage their employee benefits online.

Frans Timmermans, the first vice president for the European Commission, which will be charged with carrying out the ruling, tried to ease the concerns of companies on Tuesday. He said businesses could still move European data to the United States through other existing treaties.

He added that the European Commission would work with national privacy regulators to ensure that the court’s decision was carried out in a uniform fashion across the entire region.

“Citizens need robust safeguards,” said Mr. Timmermans. “And companies need certainty.”

But it was unclear how bulletproof those treaties would be under the new ruling, which cannot be appealed and went into effect immediately. Europe’s privacy watchdogs, for example, remain divided over how to police American tech companies.

France and Germany, where companies like Facebook and Google have huge numbers of users and have already been subject to other privacy rulings, are among the countries that have sought more aggressive protections for their citizens’ personal data. Britain and Ireland, among others, have been supportive of Safe Harbor, and many large American tech companies have set up overseas headquarters in Ireland.

“For those who are willing to take on big companies, this ruling will have empowered them to act,” said Ot van Daalen, a Dutch privacy lawyer at Project Moore, who has been a vocal advocate for stricter data protection rules.

The safe harbor agreement has been in place since 2000, enabling American tech companies to compile data generated by their European clients in web searches, social media posts and other online activities.

Under the deal, more than 4,000 European and American companies had been expected to treat the information moved outside the European Union with the same privacy protections the data had inside the region. The United States government had lobbied aggressively in Brussels in recent months to keep the agreement in place.

The United States and the European Union have worked for roughly two years on a new safe harbor agreement. The court’s ruling now puts pressure on negotiators to complete an agreement, but it may also complicate matters.

Any new deal had already been expected to give Europeans greater say over how their online information is collected, transferred and managed by tech companies. But the talks have stalled over what type of access to European data American intelligence agencies should be given, according to several people with direct knowledge of the matter, who spoke on the condition of anonymity.

In addition, legal experts said that even if a new deal is reached, the court’s decision would most likely still give the national privacy regulators some say over the transfer of data.

In its ruling, the European court noted that the region’s 500 million citizens did not have the right to bring legal cases in United States courts if they believed their privacy had been infringed by American companies or by the United States government. A bill to provide this legal recourse is being debated in Congress, though analysts said it was unlikely to become law before the American elections next year.

Penny Pritzker, the American secretary of commerce, said she was disappointed about the European court’s decision, adding she would work with the European Commission to finalize the new safe harbor agreement.

The legal ruling “puts at risk the thriving trans-Atlantic digital economy,” she said in a statement on Tuesday.

The lengthy negotiations have highlighted the different approaches to online data protection. In the United States, privacy is viewed as a consumer protection issue; in Europe, privacy is almost on a par with such fundamental rights as freedom of expression. Last year, Europe’s top court ruled that anyone with connections to the region could ask search engines like Google to remove links about themselves from online results. European campaigners said this so-called right to be forgotten ruling would help protect people’s online privacy, while many in the United States said the decision would curtail online freedom of speech.

Those differences became more pronounced after Mr. Snowden revealed how American and British intelligence agencies had seemingly unfettered access to people’s online activities.

“The United States safe harbor scheme thus enables interference, by United States public authorities, with the fundamental rights of persons,” the judges said in a statement on Tuesday, referring to access to European data by American intelligence agencies.

The case reviewed by the European Court of Justice related to a complaint brought by Max Schrems, a 27-year-old Austrian graduate student, who argued that Europeans’ online data was misused when Facebook was said to have cooperated with the N.S.A.’s Prism program.

That program is reported to have given the American agency significant access to data collected by several American tech companies. Facebook denies that the United States government had unlimited access to its users’ data.

Mr. Snowden on Tuesday, after the court ruling, posted a message on Twitter praising Mr. Schrems: “Congratulations, @maxschrems. You’ve changed the world for the better.”

In a statement on Tuesday, Mr. Schrems, who is pursuing a separate civil class-action lawsuit against Facebook in an Austrian court, praised the decision.

“Governments and businesses cannot simply ignore our fundamental right to privacy,” he said, “but must abide by the law and enforce it.”

A version of this article appears in print on  , Section B, Page 1 of the New York edition with the headline: U.S.-Europe Data Transfer Agreement Is Ruled Invalid. Order Reprints | Today’s Paper | Subscribe

Advertisement

SKIP ADVERTISEMENT