By Sam Schechner and Valentina Pop
Thousands of companies will face restrictions on storing information about European Union residents on U.S. servers, after the bloc's top court ruled that such transfers exposed Europeans to American government surveillance without "actionable rights" to challenge it.
The surprise ruling Thursday from the European Court of Justice, which invalidates a widely used EU-U.S. data-transfer agreement known as Privacy Shield, is a victory for privacy activists who have long said that the U.S.'s surveillance practices should make it ineligible to store European data.
The decision, which pits European data-privacy concerns against U.S. national-security priorities, will create legal headaches and potentially disrupt operations for thousands of multinational companies. Depending on how it is applied, the ruling could force some of them -- including tech giants like Amazon.com Inc., Facebook Inc., Alphabet Inc. and Apple Inc. -- to decide between a costly shift toward data centers into Europe or cutting off business with the region.
Blocking data transfers to the U.S. could upend billions of dollars of trade from cross-border data activities, including cloud services, human resources, marketing and advertising, tech advocates say.
"This decision creates legal uncertainty for the thousands of large and small companies on both sides of the Atlantic that rely on Privacy Shield for their daily commercial data transfers," said Alexandre Roure, senior manager of public policy at the Computer & Communications Industry Association.
The U.S.-based lobbying group, which represents Amazon, Facebook, Alphabet's Google and other tech companies, called for policy makers on both sides of the Atlantic to develop a "a sustainable solution, in line with EU law, to ensure the continuation of data flows which underpins the trans-Atlantic economy."
The European Commission, the EU's executive arm, said it would study the judgment to decide how to replace Privacy Shield.
"As of today, I will reach out to my U.S. counterparts and look forward to working constructively with them to develop a strengthened and durable transfer mechanism," said EU Commissioner for Justice Didier Reynders.
Thursday's decision is a surprise because it takes a harder line than a court adviser recommended in a nonbinding opinion in December. The adviser said that data-protection officials should be able to investigate and block specific companies from sending certain information under a particular type of contract -- a much narrower restriction. The European Court of Justice typically sides with such advice, but not always.
The EU and the U.S. implemented the Privacy Shield agreement nearly four years ago, after a prior framework, called Safe Harbor, was scrapped in 2015 by the same court over surveillance concerns. More than 5,000 companies have signed up to the framework, of which more than 70% are small- and medium-size businesses, according to the CCIA.
Thursday's decision may have a broader impact than the one that scrapped Safe Harbor. After the 2015 decision, many companies were able to fall back on alternative legal mechanisms that permitted them to send data to the U.S., including a special type of contract that promises to protect users' data. The new decision says that such contracts remain valid, but regulators can challenge data transfers that use them if companies can't guarantee the data will be protected in compliance with EU privacy laws.
That raises the possibility that regulators could block data transfers using such contracts to other countries, lawyers said.
"Other jurisdictions, such as India or China, also have strong state surveillance powers so transfers to those jurisdictions may also need careful examination," said Tanguy Van Overstraeten, head of privacy and data protection at law firm Linklaters.
Thursday's decision didn't mention the U.K.'s exit from the EU. However, the ruling could complicate British efforts to ensure that companies can continue to store Europeans' personal information in the country after it ends a transition period out of the bloc slated for the end of 2020. The U.K. is seeking an EU "adequacy decision" that would allow such transfers, but it isn't clear whether its surveillance practices would pass muster under similar scrutiny.
There are other exceptions and legal frameworks that could permit some data transfers to the U.S., but privacy lawyers say they can be cumbersome or impractical to use in many circumstances.
The legal challenges that led to Thursday's opinion date to the 2013 leaks of alleged U.S. surveillance practices from former National Security Agency contractor Edward Snowden. Privacy activists argue that the U.S. government's ability to obtain legal access to personal information held by some companies amounts to mass surveillance and should be prohibited under the EU's treaties and its General Data Protection Regulation.
The main plaintiff in the case, Austrian privacy activist Max Schrems, has argued in ongoing lawsuits that Facebook shouldn't be allowed to transfer its European users' data to the U.S., because that information could be turned over under secret government requests.
The U.S., which added some additional oversight and disclosure after the invalidation of Safe Harbor, argued that its surveillance practices were proportionate and targeted. At a European Court of Justice hearing in 2019, Eileen Barrington, a lawyer for the U.S. government, said that America "doesn't believe GDPR gives the EU world-wide jurisdiction to conduct analysis of other countries' national security practices."
Thursday's decision delved into whether the U.S.'s new surveillance oversight gave sufficient rights to European residents to challenge American surveillance. The court ruled that it didn't, and that a new ombudsperson created as part of Privacy Shield didn't count as judicial redress under EU law either.
Write to Sam Schechner at firstname.lastname@example.org and Valentina Pop at email@example.com