The European Union’s highest court struck down a deal that allows thousands of companies to easily transfer personal data from Europe to the United States, Reuters reported.
The landmark ruling follows revelations of mass US government snooping.
Many companies, both US and European, use the Safe Harbour system to help them get round cumbersome checks to transfer data between offices on both sides of the Atlantic.
That includes payroll and human resources information as well as lucrative data used for online advertising, which is of particular importance to tech companies.
But the decision by the EU Court of Justice on Tuesday sounds the death knell for the system, set up by the European Commission 15 years ago. It is used by over 4,000 firms including IBM, Google and Ericsson.
The court said Safe Harbour did not sufficiently protect EU citizens’ personal data since the requirements of American national security, public interest and law enforcement trumped the privacy safeguards contained in the framework.
In addition, EU citizens have no means of legal recourse against the misuse of their data in the US, the court said.
A bill is currently winding its way through the US Congress to give Europeans the right to legal redress.
The court ruling referred to revelations from former National Security Agency contractor Edward Snowden, which included that the Prism program allowed US authorities to harvest private information directly from big tech companies such as Apple, Facebook and Google.
The US, which in the run up to the decision had issued strenuous defenses of its intelligence programs, said it was “deeply disappointed” by the ruling.
IBM said it created commercial uncertainty and jeopardized the flow of data across borders.
“The free movement of data across borders is the foundation of the global economy, facilitating everything from financial services and manufacturing to shipping and retail,” said Christopher Padilla, vice president of government and regulatory affairs at IBM.
Any company with a centralized human resources database in the US would need to transfer personal data there, and companies that do not have data centers in Europe often ship the data from their European clients across the Atlantic, lawyers said.
However, they also said most multinationals, such as Facebook and Microsoft, would probably be able to continue with business as usual as they already had alternative legal channels for transferring data to the US.
The ruling took effect immediately and the European Commission said it would continue to work with the US on a revamped data transfer deal to fill the void.
“In the light of the ruling, we will continue this work towards a new and safe framework for the transfer of personal data across the Atlantic,” EC vice president Frans Timmermans told a news conference.
Without Safe Harbour, the US loses its status in the EU as a country that provides “adequate protection” for personal data.
The EU has granted that status to only 11 countries worldwide. For transfers to any other country, such as Japan, companies have to draw up contracts establishing privacy protections between groups or seek approval from data protection authorities, something they will now be required to do for transfers to the US.
– Contact us at [email protected]