EU court blow to US data sharing deal raises industry fears


The European Union’s top court on Tuesday declared a data-sharing agreement with the United States invalid, arguing that it does not sufficiently protect the rights of EU citizens – creating uncertainty for the internet industry amid calls for stronger rules.

The decision could affect US internet giants such as Google and Amazon by making it harder for them to store the private data of EU citizens.

The case was brought by Austrian activist Max Schrems against the Irish data protection authority after it rejected his complaint over Facebook’s practice of storing user data in the United States. The European Court of Justice was asked to weigh in on the matter.

Schrems’ complaint came in the wake of revelations in 2013 by US whistleblower Edward Snowden that Washington had carried out mass spying on EU citizens.

“This decision is a major blow for US global surveillance that heavily relies on private partners,” Schrems’ said Tuesday, adding that it would pave the way for other legal challenges.

At issue is the Safe Harbor system, which has been in place for more than a decade to allow companies in the EU and US to exchange data, and specifying how US companies can handle the private data of European citizens.

The Luxembourg-based judges found that Safe Harbor does not offer adequate protection to EU citizens, despite claims by the European Commission to the contrary.

“National security, public interest and law enforcement requirements of the US prevail over the Safe Harbor scheme,” the court said in a statement.

“US undertakings are bound to disregard, without limitation, the protective rules laid down by that scheme where they conflict with such requirements,” it added.

It also criticized the absence of channels for individuals to take legal action if their personal data is accessed, arguing that this “compromises the essence of the fundamental right to effective judicial protection.”

The Irish supervisors must now assess whether or not to suspend the transfer of European Facebook users’ data to the US in the case at hand, the court ruled. Facebook’s European operations are based in Ireland.

The ruling raises fundamental questions about Safe Harbor, even as EU and US authorities are overhauling the scheme to make it more robust.

Safe Harbor was established in 2000, after the European Commission prohibited the transfer of data to non-European countries that did not adhere to stringent criteria.

Industry groups called Tuesday for the establishment of predictable rules to prevent a disruption of data flows, warning that suspending Safe Harbor would hurt Europe’s economy. More than 4,000 European and international companies are thought to rely on the scheme.

“Today’s court judgment gives rise to great legal uncertainty that must be remedied urgently,” warned Markus Beyrer of the BusinessEurope employers’ organization.

“It is imperative that the EU does not become a disconnected island in a global digital economy,” added Christian Borggreen of the Computer & Communications Industry Association.

But others welcomed the ruling.

Monique Boyens of the European Consumer Organisation BEUC called it a “victory for the protection of European data privacy rights,” playing down fears that it could disrupt business. Firms such as Google “will just have to guarantee an adequate level of protection,” she said.

German Justice Minister Heiko Maas said the verdict is a “mandate for the European Commission to also fight internationally for our data protection standards.”

Socialist EU lawmaker Claude Moraes called for the immediate suspension of Safe Harbor, while parliamentarian Helmut Scholz of the far-left GUE/NGL group said the verdict carries consequences for the mammoth free trade deal being negotiated by the EU and the US.

Tuesday’s ruling follows the advice of an influential advisor to the court, Advocate General Yves Bot.

Ahead of the ruling, US officials had argued that Bot’s assessment was based on inaccurate assertions about Washington’s surveillance practices, arguing that access to private data is not unrestricted and is governed by stringent laws.