BRUSSELS (Reuters) - The EU’s highest court struck down a deal that allows thousands of companies to easily transfer personal data from Europe to the United States, in a landmark ruling on Tuesday that follows revelations of mass U.S. government snooping.
Many companies, both U.S. and European, use the Safe Harbour system to help them get round cumbersome checks to transfer data between offices on both sides of the Atlantic. That includes payroll and human resources information as well as lucrative data used for online advertising, which is of particular importance to tech companies.
But the decision by the Court of Justice of the European Union (ECJ) sounds the death knell for the system, set up by the European Commission 15 years ago. It is used by over 4,000 firms including IBM (IBM.N), Google (GOOGL.O) and Ericsson (ERICb.ST).
The court said Safe Harbour did not sufficiently protect EU citizens’ personal data since the requirements of American national security, public interest and law enforcement trumped the privacy safeguards contained in the framework.
In addition, EU citizens have no means of legal recourse against the misuse of their data in the United States, the court said. A bill is currently winding its way through the U.S. Congress to give Europeans the right to legal redress.
The ECJ in its ruling referred to revelations from former National Security Agency contractor Edward Snowden, which included that the Prism program allowed U.S. authorities to harvest private information directly from big tech companies such as Apple (AAPL.O), Facebook (FB.O) and Google.
The United States, which in the run up to the decision had issued strenuous defenses of its intelligence programs, said it was “deeply disappointed” by the ruling.
IBM (IBM.N) said it created commercial uncertainty and jeopardized the flow of data across borders.
“The free movement of data across borders is the foundation of the global economy, facilitating everything from financial services and manufacturing to shipping and retail,” said Christopher Padilla, Vice President of Government and Regulatory Affairs at IBM.
Any company with a centralized HR database in the United States would need to transfer personal data there, and companies that do not have data centers in Europe often ship the data from their European clients across the Atlantic, lawyers said.
However, they also said most multinationals, such as Facebook and Microsoft (MSFT.O), would probably be able to continue with business as usual as they already had alternative legal channels for transferring data to the United States.
The ECJ ruling became effective immediately and the European Commission said it would continue to work with the United States on a revamped data transfer deal to fill the void.
“In the light of the ruling, we will continue this work towards a new and safe framework for the transfer of personal data across the Atlantic,” Commission Vice President Frans Timmermans told a news conference.
Without Safe Harbour, the United States loses its status in the EU as a country that provides “adequate protection” for personal data.
The EU has granted that status to only 11 countries worldwide. For transfers to any other country, such as Japan, companies have to draw up contracts establishing privacy protections between groups or seek approval from data protection authorities, something they will now be required to do for transfers to the United States.
“The EU’s highest court has pulled the rug under the feet of thousands of companies that have been relying on Safe Harbour,” said Monika Kuschewsky, special counsel at law firm Covington. “All these companies are now forced to find an alternative mechanism for their data transfers to the U.S.”
The group of EU data protection authorities, known as the Article 29 Working Party (WP29), said it would hold discussions this week to “determine the consequences on transfers” of data and schedule an extraordinary meeting shortly.
It is too early to say whether companies left in the lurch by the annulment of Safe Harbour and without any alternatives will be given a grace period by data protection authorities, a spokeswoman for the WP29 said.
The court case stemmed from a complaint by Austrian law student Max Schrems, who challenged Facebook’s transfers of European users’ data to its American servers because of the risk of U.S. snooping, in light of Snowden’s revelations in 2013.
The European Commission separately demanded a review of Safe Harbour to ensure that U.S. authorities’ access to Europeans’ data would be proportionate and limited to what is absolutely necessary.
Washington and Brussels have been in talks for two years to strengthen Safe Harbour in a way that could allay Europe’s privacy concerns, and Tuesday’s judgment heaps pressure on the Commission to accelerate the talks.
“The Court put pretty high standards on a new Safe Harbour,” Kuschewsky said.
Schrems filed his complaint to the Irish Data Protection Commissioner, as Facebook’s European headquarters is in Ireland. The case eventually wound its way up to the Luxembourg-based ECJ, which was asked to rule on whether national data privacy watchdogs could unilaterally suspend the Safe Harbour framework if they had concerns about U.S. privacy safeguards.
“The judgment makes it clear that U.S. businesses cannot simply aid U.S. espionage efforts in violation of European fundamental rights,” said 28-year-old Schrems.
Additional reporting by Philip Blenkinsop, Leila Abboud in Paris, Michele Sinner in Luxembourg and Conor Humphries in Dublin; Editing by Barbara Lewis and Susan Fenton