The European Court of Justice ruled that a commonly used data protection agreement known as Privacy Shield did not adequately uphold E.U. privacy law.
The decision means that many companies will have to reconsider how they store and collect the data of European customers, including potentially making a choice between setting up costly Europe-based data hubs or curtailing business in Europe altogether. U.S. and E.U. negotiators, meanwhile, will probably have to start new discussions about whether there are legal arrangements that could guarantee that data could be stored on U.S. soil but in compliance with E.U. law.
U.S. security authorities have far-reaching access to personal data stored on U.S. territory that “are not circumscribed” in a way that is equivalent to E.U. rules, the court ruled.
The court said that it was unacceptable for E.U. citizens not to have “actionable rights” to question U.S. surveillance practices.
European data privacy advocates celebrated the decision.
“A victory for personal data protection,” tweeted a Dutch member of the European Parliament, Sophie in ’t Veld, who was involved in the drafting of the powerful European data privacy law known as the General Data Protection Regulation, or GDPR, that went into effect in 2018. She said the European Commission, the E.U. body that negotiated the Privacy Shield with U.S. authorities in 2016, should have been more vigilant about protecting E.U. citizens.
More than 5,300 companies are signed up to use the Privacy Shield framework to shift data between the European Union and the United States, including giants such as Facebook, Twitter, Google and Amazon. (Amazon chief executive Jeff Bezos owns The Washington Post.)
The ruling does not affect technology corporations alone, because even a bricks-and-mortar company that occasionally sells products to a European customer needs to store that customer’s data in compliance with E.U. law.
“The Department of Commerce is deeply disappointed,” Secretary Wilbur Ross said in a statement. He said U.S. negotiators would try to work out a solution with E.U. policymakers “to be able to limit the negative consequences to the $7.1 trillion transatlantic economic relationship that is so vital to our respective citizens, companies, and governments.”
The E.U. justice commissioner, Didier Reynders, also said he looked forward to addressing the situation with U.S. counterparts.
E.U. privacy advocates said the most straightforward way to resolve the situation would be for the United States to change its rules around surveillance.
“It is clear that the U.S. will have to seriously change their surveillance laws, if U.S. companies want to continue to play a role on the E.U. market,” said Max Schrems, an Austrian lawyer and privacy rights activist who brought the court case that was decided Thursday.
“The court clarified for a second time now that there is a clash of E.U. privacy law and U.S. surveillance law. As the E.U. will not change its fundamental rights to please the [National Security Agency], the only way to overcome this clash is for the U.S. to introduce solid privacy rights for all people — including foreigners,” Schrems said. “Surveillance reform thereby becomes crucial for the business interests of Silicon Valley.”
Businesses called on policymakers to come up with a legally viable solution, saying transatlantic commerce is imperiled in the meantime.
“This decision creates legal uncertainty for the thousands of large and small companies on both sides of the Atlantic that rely on Privacy Shield for their daily commercial data transfers,” Alexandre Roure, the public policy senior manager for the Computer & Communications Industry Association, one of the largest tech industry lobby groups, said in a statement.
“We trust that E.U. and U.S. decision-makers will swiftly develop a sustainable solution, in line with E.U. law, to ensure the continuation of data flows which underpins the transatlantic economy,” the statement added.
Quentin Ariès contributed to this report.