A trans-Atlantic pact that potentially allows U.S. spies to get their hands on European citizens' private data was declared invalid by the E.U.'s highest court, in a ruling that threatens to plunge Internet companies into a legal limbo.
Judges at the European Union's top court struck down the so-called safe-harbor accord after an Austrian law student complained about how U.S. security services can gain unfettered access to Facebook Inc. customer information sent to the U.S. Other U.S. companies, including Google Inc. and Yahoo! Inc., may also be effected.
The 15-year-old agreement, which allows American companies to move commercial data back to the U.S., compromises the privacy of E.U. citizens and their right to challenge the use of their information, the EU Court of Justice in Luxembourg said Tuesday.
"This judgment is a bombshell," said Monika Kuschewsky, special counsel at Covington & Burling LLP in Brussels. "The E.U.'s highest court has pulled the rug under the feet of thousands of companies that have been relying on safe harbor. All these companies are now forced to find an alternative mechanism for their data transfers to the U.S. And, this, basically overnight."
The EU's top court has been weighing the validity of the data-sharing accord following revelations by former National Security Agency contractor Edward Snowden about U.S. government surveillance activities and mass data collection. An Irish judge last year called on the E.U.'s tribunal to decide whether the deal still protects privacy and whether national regulators have the power to suspend illegal data flows from the E.U. to the U.S.
The pact, drafted in the pre-9/11 days, was designed to facilitate trade by allowing U.S. companies with activities in Europe to shift information between their sites. It allowed companies to transfer data provided they adhered to a list of principles designed to ensure privacy isn't breached.
U.S. legislation "permitting the public authorities to have access on a generalized basis to the content of electronic communications must be regarded as compromising the essence of the fundamental right to respect for private life," the E.U. court said in a binding ruling. The pact "is accordingly invalid."
Austrian privacy activist Max Schrems, 28, triggered the case with a complaint he filed against Facebook with the privacy watchdog in Ireland, where the U.S. social network company has its European base. He alleged that Facebook's Irish unit illegally handed over data to U.S. spies. Mr. Schrems had previously filed 22 complaints against the Menlo Park, California-based company.
"The ruling won't make it very easy to repair this and a quick fix won't be possible either," Mr. Schrems told reporters in Luxembourg. "But it's the first time that something actually happens in this entire mass surveillance box."
The court's ruling wasn't surprising but could "potentially be disruptive" to U.S. companies, Michael Daniel, the White House's cybersecurity coordinator said in an interview in Washington Tuesday.
While Tuesday's ruling will add to the clamor to negotiate Safe Harbor 2.0, it immediately revealed splits between E.U. governments.
German Justice Minister Heiko Maas described the judgment as a "strong signal" for the European Commission to "fight for our data protection standards internationally."
The British government called the ruling "disappointing," saying "there is an important principle here that companies must be able to transfer data to third-party countries."
E.U. officials said their aim is step up discussions with the U.S. to reach a new Safe Harbor pact. The E.U. has "received very strong commitments from the U.S. that there will be strong monitoring" of data use under any new agreement, E.U. Justice Commissioner Vera Jourova, in charge of data protection issues at the European Commission, told reporters in Strasbourg, France.
Mr. Daniel is confident an agreement will be reached. "I am convinced that it will be in the interest of both the United States and Europe to figure out how to enable data to flow for commercial purposes across the Atlantic in either direction," he said. "Ultimately we will figure out how to do that."
The urgency of the ruling was highlighted by the speed of the judgment, just days after an adviser to the E.U. court described the safe harbor as illegal.
"Companies have worked under this agreement for 15 years," said Christian Borggreen, Europe director at the Computer & Communications Industry Association, a lobby group based in Washington D.C. and Brussels."There's a lot of uncertainty. The first question that all companies are asking the European Commission is: 'Now what?"
Facebook, like other tech giants, have been reeling from the effects of the Snowden revelations in 2013. The companies have been trying to assure their users or customers that their products are secure and that they don't willingly turn over data to the U.S. government.
The case concerns more than 4,000 U.S. companies that are certified under safe harbor. Facebook said the case is about mechanisms of European law rather than individual firms.
"Facebook, like many thousands of European companies, relies on a number of the methods prescribed by E.U. law to legally transfer data to the U.S. from Europe, aside from safe harbor," it said in a statement. "It is imperative that E.U. and U.S. governments ensure that they continue to provide reliable methods for lawful data transfers and resolve any issues relating to national security."
The court's decision could disrupt the ability of intelligence agencies to obtain data critical to preventing terrorist attacks, former U.S. National Security Advisor James Jones said in an interview in Washington.
"During my time in the White House, we prevented several attacks on European soil by transferring information very quickly to our friends in Europe," said Mr. Jones, who served under President Barack Obama from 2009 to 2010. Disrupting information sharing means "we're all swimming by ourselves," Jones said.
Peter Olson, president of DigitalEurope, a trade group with members including Google and Microsoft Corp. said the commission should "immediately issue guidance to companies operating under thesafe harbor framework to ensure that essential and routine commercial activities can occur during the current legal vacuum."
The E.U. and the U.S. should also, as a matter of urgency, conclude their long-running negotiations to provide a new safe harbor agreement, he said.
-- Bloomberg News