Europe's highest court on Tuesday struck down an international agreement that had made it easy for companies to move people's digital data between the European Union and the United States.
The ruling, by the European Court of Justice, is seen making it more difficult for global technology giants -- including Amazon, Apple, Google and Facebook -- to collect and mine online information from their millions of users in the 28-member European Union.
The court declared the data-transfer agreement, which is known as Safe Harbor, immediately invalid.
Although most multinational companies have side agreements with the European Union that should allow them to continue moving data across borders for now, the court's ruling could hold significant implications down the road.
It will empower data-privacy regulators in each of the bloc's nations to evaluate how data are moved from their countries to the United States, and it will permit national authorities to impose tougher restrictions on data transfers, if they decide to.
Europe's privacy watchdogs remain divided over how to police U.S. tech companies. France and Germany, where companies such as Facebook and Google have many users and have already been subject to other privacy rulings, are among the countries that have sought more aggressive protections for their citizens' personal data. Britain and Ireland, among others, have been supportive of Safe Harbor, and many large U.S. tech companies have set up overseas headquarters in Ireland.
The European Court of Justice is the highest legal authority in the European Union, and its decision cannot be appealed.
At issue is the sort of personal data that people create when they post something on Facebook or other social media; when they do Web searches on Google; or when they order products or buy movies from Amazon or Apple. Such information is valuable to companies, which use it in a broad range of ways, including tailoring advertisements to individuals and promoting products or services based on users' online activities.
Efforts to block the movement of such data across national borders not only could impose technical complexities on technology companies but also could require those companies to rethink the ways they make money in some parts of Europe.
The U.S. government had lobbied aggressively in Brussels in recent months to keep the Safe Harbor agreement in place.
The data-transfer rules do not only apply solely to tech companies. They will affect any organization with international operations, such as when a company has employees in more than one region and needs to transfer payroll information or allow workers to manage their employee benefits online.
"This is extremely bad news for EU-U.S. trade," said Richard Cumbley, a tech lawyer at Linklaters in London. "Thousands of U.S. businesses rely on the Safe Harbor as a means of moving information. Without Safe Harbor, they will be scrambling to put replacement measures in place."
In its ruling, the court said the Safe Harbor agreement was flawed because it allowed U.S. government authorities to gain routine access to Europeans' online information. Such access infringes on Europeans' rights to privacy established under the region's tough data-protection rules, the court said.
"Legislation permitting the public authorities to have access on a generalized basis to the content of electronic communications must be regarded as compromising the essence of the fundamental right to respect for private life," the European Court of Justice said in a statement Tuesday.
After the European court made its ruling, several technology executives said they were checking with their companies' legal teams to ensure users' data still could be transferred outside the bloc, based on the side agreements already in place.
Facebook said Tuesday that it was one of thousands of companies that relied heavily on the ability to share data between its European and U.S. operations.
"It is imperative that EU and U.S. governments ensure that they continue to provide reliable methods for lawful data transfers and resolve any issues relating to national security," Sally Aldous, a Facebook spokesman, said in a statement.
The Safe Harbor data-sharing agreement has been in place since 2000, enabling U.S. tech companies to compile data generated by their European clients in Web searches, social media posts and other online activities.
Under the deal, more than 4,000 European and U.S. companies have been expected to treat the information moved outside the European Union with the same privacy protections the data had inside the region.
But European privacy campaigners have contended that U.S. rules do not offer the same data protections to individuals.
In its ruling, the European court noted that the region's 500 million citizens did not have the right to file legal cases in U.S. courts if they believed their privacy had been infringed by U.S. companies or by the U.S. government. A bill to provide this legal recourse is being debated in Congress, although analysts said it was unlikely to become law before the U.S. elections next year.
The court said Tuesday that national data protection regulators could limit data-sharing activities if they believed their citizens' data could be used in ways not guaranteed under European law, the court said. Google and Facebook might then have to store the information solely within their European operations. Those two companies already operate data centers in Europe. But smaller businesses on both sides of the Atlantic might have more trouble complying with the court order.
The ruling was foreshadowed two weeks ago, when an adviser to the court called the data pact insufficient. In anticipation of the ruling, many companies began to work on plans to continue their operations. For large tech companies, other data-transfer methods, including internal company agreements and clauses inserted into terms and conditions of service, could allow them to continue moving data to the United States.
Business on 10/07/2015