BRUSSELS (AFP/Bloomberg) - A trans-Atlantic pact that potentially allows United States spies to get their hands on European citizens' private data was declared invalid by the EU's highest court on Tuesday (Oct 6), in a ruling that threatens to plunge Internet companies into a legal limbo.
Judges at the European Union's top court struck down the so-called safe-harbour accord after an Austrian law student complained about how US security services can gain unfettered access to Facebook customer information sent to the US.
The 15-year-old agreement, which allows US companies to move commercial data back to the US, compromises the privacy of EU citizens and their right to challenge the use of their information, the EU Court of Justice said in a ruling in Luxembourg on Tuesday.
However, the EU insisted on Tuesday that Internet companies like Facebook can keep transferring personal information to the United States while the authorities work out a replacement for the deal.
"In the meantime, transatlantic data flows between companies can continue using other mechanisms for international transfers of personal data available under EU data protection law," European Commission Vice-President Frans Timmermans said.
"This judgment is a bombshell," said Ms Monika Kuschewsky, special counsel at Covington & Burling LLP in Brussels. "The EU's highest court has pulled the rug under the feet of thousands of companies that have been relying on safe harbour. All these companies are now forced to find an alternative mechanism for their data transfers to the US. And, this, basically overnight."
The EU's top court has been weighing the validity of the data-sharing accord following revelations by former National Security Agency contractor Edward Snowden about US government surveillance activities and mass data collection.
An Irish judge last year called on the EU's tribunal to decide whether the deal still protects privacy and whether national regulators have the power to suspend illegal data flows from the EU to the US
The pact, drafted in the pre-9/11 days, was designed to facilitate trade by allowing US companies with activities in Europe to shift information between their sites. It allowed companies to transfer data provided they adhered to a list of principles designed to ensure privacy isn't breached.
US legislation "permitting the public authorities to have access on a generalised basis to the content of electronic communications must be regarded as compromising the essence of the fundamental right to respect for private life," the EU court said in a binding ruling.
The pact "is accordingly invalid".
Austrian privacy activist Max Schrems, 28, triggered the case with a complaint he filed against Facebook with the privacy watchdog in Ireland, where the US social network company has its European base.
He alleged that Facebook's Irish unit illegally handed over data to US spies. Mr Schrems had previously filed 22 complaints against the Menlo Park, California-based company.
"The ruling won't make it very easy to repair this and a quick fix won't be possible either," Mr Schrems told reporters in Luxembourg. "But it's the first time that something actually happens in this entire mass surveillance box."
"What this ruling means is that data transfers into the US are still possible, but there's now the possibility for national data protection regulators to act against this," he said.
"That's the big news. We can no longer accept that everything the U.S. does is fine because that's what an EU decision" of 2000 says, he added.
While Tuesday's ruling will add to the clamour to negotiate safe harbor 2.0, it immediately revealed splits between EU governments.
German Justice Minister Heiko Maas described the judgment as a "strong signal" for the European Commission to "fight for our data protection standards internationally".
The British government called the ruling "disappointing", saying "there is an important principle here that companies must be able to transfer data to third-party countries with appropriate safeguards".
The urgency of the ruling was highlighted by the speed of the judgment, just days after an adviser to the EU court described the safe harbor as illegal.
"Companies have worked under this agreement for 15 years," said MR Christian Borggreen, Europe director at the Computer & Communications Industry Association, a lobby group based in Washington D.C. and Brussels.
"There's a lot of uncertainty. The first question that all companies are asking the European Commission is: 'Now what?"
The commission, the EU's executive arm, said it couldn't give an immediate response, as did the U.S. mission to the EU in Brussels.
Facebook, like other tech giants Google Inc. and Yahoo! Inc., have been reeling from the effects of the Snowden revelations in 2013. The companies have been trying to assure their users or customers that their products are secure and that they don't willingly turn over data to the U.S. government.
The case concerns more than 4,000 US companies that are certified under safe harbor. Facebook said the case is about mechanisms of European law rather than individual firms.
"Facebook, like many thousands of European companies, relies on a number of the methods prescribed by EU law to legally transfer data to the US from Europe, aside from safe harbor," it said in a statement.
"It is imperative that EU and US governments ensure that they continue to provide reliable methods for lawful data transfers and resolve any issues relating to national security."
Mr Peter Olson, president of DigitalEurope, a trade group with members including Google and Microsoft Corp, said the commission should "immediately issue guidance to companies operating under the safe harbor framework to ensure that essential and routine commercial activities can occur during the current legal vacuum".
The EU and the US should also, as a matter of urgency, conclude their long-running negotiations to provide a new safe harbour agreement, he said.