EU court voids data-sharing pact with the U.S. in Facebook privacy case

A top European court ruled Thursday that companies moving personal user data from the EU to other jurisdictions will have to provide the same protections given inside the bloc.

The ruling could impact how companies transfer European users’ data to the United States and other countries, such as the U.K.

The legal battle started back in 2013, when privacy activist Max Schrems lodged a complaint with the Irish Data Protection Commissioner. He argued that,in light of the Edward Snowden revelations, U.S. law did not offer sufficient protection against surveillance by public authorities.

Schrems raised the complaint against the social network Facebook which, like many other firms, was transferring his and other user data to the States.

It reached the European Court of Justice (ECJ), which in 2015 ruled that the then Safe Harbour Agreement, which allowed European users’ data to be moved to the U.S., was not valid and did not adequately protect European citizens.

As a result, companies operating in Europe switched to Standard Contractual Clauses or SCCs, which ensured they could still move data across the Atlantic.In the meantime, the European Union and the United States developed a new agreement, the Privacy Shield framework, to replace the Safe Harbour agreement.

The ECJ ruled Thursday that these SCCs were a valid way to transfer data, but invalidated the use of the Privacy Shield framework. 

In practical terms, this means that non-EU countries, or companies looking to move European users’ data abroad, will have to ensure an equivalent level of protection to the strict European data laws. This could be a massive burden for multinationals, given they transfer huge sets of data all over the world.

“Regarding the level of protection required in respect of such a transfer, the Court holds that the requirements laid down for such purposes by the GDPR (General Data Protection Regulation) concerning appropriate safeguards, enforceable rights and effective legal remedies must be interpreted as meaning that data subjects whose personal data are transferred to a third country pursuant to standard data protection clauses must be afforded a level of protection essentially equivalent to that guaranteed within the EU by the GDPR,” the court said Thursday.

GDPR regulation, introduced in 2018, has allowed European users to have a stronger say over how companies use their information. WATCH NOWVIDEO01:34What is GDPR?

“In those circumstances, the Court specifies that the assessment of that level of protection must take into consideration both the contractual clauses agreed between the data exporter established in the EU and the recipient of the transfer established in the third country concerned and, as regards any access by the public authorities of that third country to the data transferred, the relevant aspects of the legal system of that third country,” the court added.

Thursday’s ruling cannot be appealed. It is unlikely to spark immediate transfers of data, but the interpretation given by the court must now be applied by the referring court and any others in Europe facing the same situation.

Why it matters for big companies?

Jonathan Kewley, co-head of technology at law firm Clifford Chance, said that the decision is a “bold move by Europe.”

“What we are seeing here looks suspiciously like a privacy trade war, where Europe is saying their data standards can be trusted, but those in the U.S. cannot. We predict that the outcome could be more Europe data localisation, with more customer data staying in Europe as a result,” he added.

As well as creating further tension between the United States and Europe, the ruling has consequences for many large businesses.

Eduardo Ustaran, co-head of the global privacy and cybersecurity practice at Hogan Lovells, explained that “the big practical takeaway is that all European companies must bear in mind other countries’ powers over data when engaging in global data flows.”

Tanguy Van Overstraeten, partner at law firm Linklaters said: “This is less of a win for businesses than it appears. Large companies have complex webs of data transfers to hundreds, if not thousands, of overseas recipients. The (ECJ) has made it clear companies cannot justify them using a ‘tick box’ exercise of putting SCCs in place. Instead, the risks associated with those transfers need to be properly assessed.”

He added that Thursday’s ruling could encourage other data protection regulators in Europe to assess international data transfers more “aggressively.”WATCH NOWVIDEO19:45Watch CNBC’s full interview with Facebook CEO Mark Zuckerberg

Eva Nagle, an associate general counsel for Facebook, said the tech firm welcomed the decision. 

“Like many businesses, we are carefully considering the findings and implications of the decision of the Court of Justice in relation to the use of Privacy Shield and we look forward to regulatory guidance in this regard. We will ensure that our advertisers, customers and partners can continue to enjoy Facebook services while keeping their data safe and secure,” Nagle said in an emailed statement to CNBC.