Europe's highest court on Tuesday invalidated a 15-year-old agreement that enabled companies to easily transfer data about Europeans to the United States.
The court ruled that the "safe harbor" agreement doesn't adequately protect Europeans' privacy -- apparently because the U.S. allows the government to monitor communications. The decision appears to stem largely from concern over former NSA contractor Ed Snowden's revelations about mass surveillance.
"National security, public interest and law enforcement requirements of the United States prevail over the safe harbour scheme, so that United States undertakings are bound to disregard, without limitation, the protective rules laid down by that scheme where they conflict with such requirements," the opinion states. "The United States safe harbour scheme thus enables interference, by United States public authorities, with the fundamental rights of persons."
One potential consequence is that U.S. companies -- including many Silicon Valley operations -- will have to either store data abroad or negotiate individual privacy agreements with the various EU countries.
The now-invalidated "safe harbor" agreement allowed U.S. companies to receive data about EU citizens, provided that the companies met certain conditions. The companies had to certify with the Department of Commerce that they followed a self-regulatory group's privacy code, or otherwise followed privacy principles. Among other principles, companies were expected to notify consumers about data collection and allow them to opt out of having their personal data shared with third parties.
Until today, more than 4,000 U.S. companies relied on the safe harbor to transfer data to the United States, according to the think tank Future of Privacy Forum.
Some of those businesses now likely face significant challenges if they want to continue to collect data about EU citizens.
"Today’s decision by the European Court of Justice jeopardizes thousands of businesses across the Atlantic," Interactive Advertising Bureau general counsel Mike Zaneis said in a statement.
But privacy advocates cheered news of the decision, which they said shows the need for the U.S. to enact new protections.
"It is ... more than high time for the United States to enact a comprehensive set of data protection rules, to bring it in line with 100 plus other countries round the world. In the absence of legislation, the US cannot offer the EU any assurance that there will be adequate protection for the personal data stored or used by US companies," the privacy organization Transatlantic Consumer Dialogue said on Tuesday.
Jeff Chester, executive director of the Center for Digital Democracy, added that the U.S. risks becoming a "privacy outcast" if lawmakers don't pass new measures.
Other industry observers called for officials of the individual EU countries to continue to allow companies to operate under the 2000 safe harbor agreement.
"Today’s decision puts the Safe Harbor in the hands of individual data regulators in each country, who can now determine on their own how to proceed," Jules Polonetsky, executive director of the industry-funded think tank Future of Privacy Forum, stated. "Those regulators should understand that European employees of US companies are paid based on the ability to transfer global human resources information to the US. They should also consider that when data is transferred to the US, the Federal Trade Commission is authorized to enforce the Safe Harbor principles to protect EU consumers."
The Future of Privacy Forum noted in a 2013 report that the U.S. government will be able to obtain data about European residents regardless of the fate of the safe harbor. "US-based companies that are presented with a valid legal order from the US government for information will nonetheless be compelled to provide access to that data regardless of their membership in the Safe Harbor," that report states. "Most companies will be legally compelled to comply with US laws that authorize government access."
The EU's decision stemmed from Austrian student Max Schrems' lawsuit against Facebook. He alleged that Facebook violated the privacy rights of EU residents.
The Irish data regulator ruled against Schrems, who then appealed to Europe's highest court. The ruling issued on Tuesday returned Schrems' lawsuit to the Irish regulators, with instructions to decide whether the "transfer of the data of Facebook’s European subscribers to the United States should be suspended on the ground that that country does not afford an adequate level of protection of personal data protection law."