By Sam Schechner and Valentina Pop
Thousands of companies will face restrictions on storing information about European Union residents on U.S. servers, after the bloc's top court ruled that such transfers exposed Europeans to American government surveillance without "actionable rights" to challenge it.
The surprise ruling Thursday from the European Court of Justice, which invalidates a widely used EU-U.S. data-transfer agreement known as Privacy Shield, is a victory for privacy activists who have long said the U.S.'s surveillance practices should make it ineligible to store European data.
The decision, which pits European data-privacy concerns against U.S. national-security priorities, will create legal headaches and potentially disrupt operations for thousands of multinational companies. Depending on how it is applied, the ruling could force some of them -- including tech giants such as Amazon.com Inc., Facebook Inc., Alphabet Inc. and Apple Inc. -- to decide between a costly shift toward data centers into Europe or cutting off business with the region.
Blocking data transfers could upend billions of dollars of trade from cross-border data activities, including cloud services, human resources, marketing and advertising, if they involve sending or storing information about Europeans on U.S. soil, tech advocates say.
"This decision creates legal uncertainty for the thousands of large and small companies on both sides of the Atlantic that rely on Privacy Shield for their daily commercial data transfers," said Alexandre Roure, senior manager of public policy at the Computer & Communications Industry Association.
The U.S.-based lobbying group, which represents Amazon, Facebook, Alphabet's Google and other tech companies, called for policy makers on both sides of the Atlantic to develop a "a sustainable solution, in line with EU law, to ensure the continuation of data flows which underpins the trans-Atlantic economy."
U.S. Commerce Secretary Wilbur Ross said he was disappointed with the ruling and was in touch with his European counterparts in the hope of limiting the "negative consequences to the $7.1 trillion trans-Atlantic economic relationship that is so vital to our respective citizens, companies, and governments."
Margrethe Vestager, the top official in charge of digital policy and competition at the European Commission -- the EU's executive arm -- said the bloc would look to replace Privacy Shield.
"We will work hard to make sure that data can be transferred," Ms. Vestager said. "We are in a data-driven economy."
The EU and the U.S. implemented the Privacy Shield agreement nearly four years ago, after a prior framework, called Safe Harbor, was scrapped in 2015 over surveillance concerns. More than 5,000 companies have signed up to the newer framework, of which more than 70% are small- and medium-size businesses, according to the CCIA.
Thursday's decision is a surprise because it takes a harder line than a court adviser recommended in December. While the adviser expressed doubts about Privacy Shield, the court went further, invalidating it. It also ruled that the special contracts many companies use when sending data outside the EU are valid only if they can guarantee the data will be protected in line with the bloc's laws -- a standard it suggests transfers to the U.S. don't meet.
Tens of thousands of companies use such contracts to allow them to send Europeans' personal information outside the bloc, according to Caitlin Fennessy, research director for the International Association of Privacy Professionals, a trade group. Without either Privacy Shield or such contracts to fall back on, many companies could run afoul of the ruling. A videoconferencing provider that sets up a call between two people in Europe, for instance, could violate the law if it stores or transfers information about the participants in the U.S., Ms. Fennessy said.
"We are living our lives online and these services all rely on and require the transfer of personal information," Ms. Fennessy said.
Under Thursday's ruling, privacy regulators could block data transfers using the special contracts to other countries as well, lawyers said.
"Other jurisdictions, such as India or China, also have strong state surveillance powers so transfers to those jurisdictions may also need careful examination," said Tanguy Van Overstraeten, head of privacy and data protection at law firm Linklaters.
Thursday's decision didn't mention the U.K.'s exit from the EU. However, the ruling could complicate British efforts to ensure that companies can continue to store Europeans' personal information after it ends a transition period out of the bloc. The U.K. is seeking an EU "adequacy decision" that would allow such transfers, but the decision sets a bar that Britain may have trouble meeting, some privacy experts say.
The legal challenges that led to Thursday's opinion date to the 2013 leaks of alleged U.S. surveillance practices from former National Security Agency contractor Edward Snowden. The main plaintiff, Austrian privacy activist Max Schrems, has argued that Facebook shouldn't be allowed to transfer its European users' data to the U.S. because that information could be turned over under secret government requests.
Eva Nagle, an associate general counsel at Facebook, said the company was considering the implications of the Privacy Shield decision and would "ensure that our advertisers, customers and partners can continue to enjoy Facebook services while keeping their data safe and secure."
The U.S., which added extra oversight and disclosure after the invalidation of Safe Harbor, argued at a European Court of Justice hearing in 2019 that its surveillance practices were proportionate and targeted.
Thursday's decision delved into whether the U.S.'s new surveillance oversight gave sufficient rights to European residents to challenge American surveillance. The court ruled that it didn't, and that a new ombudsperson created as part of Privacy Shield didn't count as judicial redress under EU law either.
Write to Sam Schechner at firstname.lastname@example.org and Valentina Pop at email@example.com