BRUSSELS (Reuters) - The EU's highest court struck down a deal that allows thousands of companies to easily transfer personal data from Europe to the United States, in a landmark ruling on Tuesday that follows revelations of mass U.S. government snooping.
Many companies, both U.S. and European, use the Safe Harbor system to help them get around cumbersome checks to transfer data between offices on both sides of the Atlantic. That includes payroll and human resources information as well as lucrative data used for online advertising, which is of particular importance to tech companies.
But the decision by the Court of Justice of the European Union (ECJ) sounds the death knell for the system, set up by the European Commission 15 years ago. It is used by over 4,000 firms including IBM (IBM.N), Google (GOOGL.O) and Ericsson (ERICb.ST).
The court said Safe Harbor did not sufficiently protect EU citizens' personal data since the requirements of American national security, public interest and law enforcement trumped the privacy safeguards contained in the framework.
In addition, EU citizens have no means of legal recourse against the misuse of their data in the United States, the court said. A bill is currently winding its way through the U.S. Congress to give Europeans the right to legal redress.
The ECJ in its ruling referred to revelations from former National Security Agency contractor Edward Snowden, which included that the Prism program allowed U.S. authorities to harvest private information directly from big tech companies such as Apple (AAPL.O), Facebook (FB.O) and Google.
The United States, which in the run up to the decision had issued strenuous defences of its intelligence program, said it was "deeply disappointed" by the ruling.
IBM (IBM.N) said it created commercial uncertainty and jeopardized the flow of data across borders.
"The free movement of data across borders is the foundation of the global economy, facilitating everything from financial services and manufacturing to shipping and retail," said Christopher Padilla, Vice President of Government and Regulatory Affairs at IBM.
Any company with a centralized HR database in the United States would need to transfer personal data there, and companies that do not have data centers in Europe often ship the data from their European clients across the Atlantic, lawyers said.
However, they also said most multinationals, such as Facebook and Microsoft (MSFT.O), would probably be able to continue with business as usual as they already had alternative legal channels for transferring data to the United States.
Small- and medium-sized companies, however, face high costs to set up new agreements, which may deter many. U.S. data service and storage companies that work for larger multinationals are especially concerned that they will be replaced by European companies if U.S. multinationals cannot transfer their data, according to the Software Alliance, a trade group also known as BSA, that advocates for software companies.
The ECJ ruling became effective immediately and the European Commission said it would continue to work with the United States on a revamped data transfer deal to fill the void.
"In the light of the ruling, we will continue this work towards a new and safe framework for the transfer of personal data across the Atlantic," Commission Vice President Frans Timmermans told a news conference.
Without Safe Harbor, the United States loses its status in the EU as a country that provides "adequate protection" for personal data.
The EU has granted that status to only 11 countries worldwide. For transfers to any other country, such as Japan, companies have to draw up contracts establishing privacy protections between groups or seek approval from data protection authorities, something they will now be required to do for transfers to the United States.
"The EU's highest court has pulled the rug under the feet of thousands of companies that have been relying on Safe Harbor," said Monika Kuschewsky, special counsel at law firm Covington. "All these companies are now forced to find an alternative mechanism for their data transfers to the U.S."
The group of EU data protection authorities, known as the Article 29 Working Party (WP29), said it would hold discussions this week to "determine the consequences on transfers" of data and schedule an extraordinary meeting shortly.
It is too early to say whether companies left in the lurch by the annulment of Safe Harbor and without any alternatives will be given a grace period by data protection authorities, a spokeswoman for the WP29 said.
The court case stemmed from a complaint by Austrian law student Max Schrems, who challenged Facebook's transfers of European users' data to its American servers because of the risk of U.S. snooping, in light of Snowden's revelations in 2013.
The European Commission separately demanded a review of Safe Harbor to ensure that U.S. authorities' access to Europeans' data would be proportionate and limited to what is absolutely necessary.
Washington and Brussels have been in talks for two years to strengthen Safe Harbor in a way that could allay Europe's privacy concerns, and Tuesday's judgment heaps pressure on the Commission to accelerate the talks.
"The Court put pretty high standards on a new Safe Harbor," Kuschewsky said.
Schrems filed his complaint to the Irish Data Protection Commissioner, as Facebook's European headquarters is in Ireland. The case eventually wound its way up to the Luxembourg-based ECJ, which was asked to rule on whether national data privacy watchdogs could unilaterally suspend the Safe Harbor framework if they had concerns about U.S. privacy safeguards.
"The judgment makes it clear that U.S. businesses cannot simply aid U.S. espionage efforts in violation of European fundamental rights," said 28-year-old Schrems.
Additional reporting by Philip Blenkinsop, Leila Abboud in Paris, Michele Sinner in Luxembourg, Conor Humphries in Dublin and Yasmeen Abutaleb in San Francisco; Editing by Susan Fenton and Tom Brown