BRUSSELS (Reuters) - A ruling due next week from the EU’s top court on a long-running transatlantic pact on private data could affect all legal ways of moving such data from Europe to the United States, lawyers say, potentially disrupting the everyday online transactions of thousands of companies.
Under current European privacy laws companies are forbidden from transferring European citizens’ personal data to countries deemed to have lower privacy standards - such as the United States.
However, given the sheer volume of transatlantic data traffic, the Safe Harbour framework agreement was established 15 years ago to enable companies to easily transfer personal data to the United States without having to seek prior approval, a potentially lengthy and costly process.
But the European Court of Justice (ECJ) will next Tuesday rule on the continued legality of the Safe Harbour agreement, which is now used by companies such as Facebook and MasterCard.
Last week the Court’s adviser, the Advocate General, said the agreement should be scrapped following the 2013 leaks from fugitive Edward Snowden about mass electronic surveillance programs conducted by the U.S. National Security Agency.
While it was a non-binding opinion, in most cases judges tend to follow the Advocate General’s advice.
The case before the ECJ specifically concerns whether the Safe Harbour pact is binding on the national data protection authorities in the light of Snowden’s allegations. However, lawyers say that the repercussions of a negative ruling could prove far wider, while Washington is already smarting over the Snowden allegations being deemed as fact by the Advocate General.
“The same issue would also still exist whatever other mechanism you use to transfer personal data,” said Monika Kuschewsky, a lawyer at Covington & Burling.
“None of these other mechanisms excludes U.S. intelligence services from accessing that data.”
EU officials also said that none of the other mechanisms, for example standard contractual clauses establishing privacy standards between companies, provide any stronger protection against U.S. mass surveillance than the Safe Harbour pact does.
The time frame, too, could be tight unless companies already moved to establish an alternative legal framework.
“A lot of people are worried,” Kuschewsky said.
Meanwhile, U.S. officials say that a ruling in line with the opinion would have a negative effect on transatlantic relations, just when the fall-out over Snowden was starting to dissipate.
The EU and the United States recently agreed a separate data-sharing agreement for security purposes which hinges on the U.S. Congress passing a law giving Europeans the right to sue the U.S. authorities when their data is misused.
Now, some in Congress may ask why Washington should bother.
Despite the uncertainty as to the line the Court will take, lawyers have been advising companies to put in place contingency mechanisms to ensure the everyday transfer of personal data - including employee data - can continue uninterrupted after Tuesday.
“Now is the time to take action if you are currently relying on Safe Harbour to justify transfers,” said Ross McKean, partner at law firm Olswang.
Lawyers say that the Court could leave some breathing space for businesses if it were to annul Safe Harbour by declaring it invalid from a future date.
It could also give the Commission - which is negotiating a revised Safe Harbour framework with the United States - time to address its concerns and present a strengthened system.
Additional reporting by Alastair Macdonald; Editing by Greg Mahlich