Europe’s highest court just ushered in a nightmare for thousands of American companies, big and small.
Some companies now find themselves immediately unable to legally serve users in the EU. And many Big Tech titans, starting with Facebook, could soon be in the same boat.
It’s all thanks to U.S. surveillance laws, which do not give Europeans a chance to control the collection of their data by American intelligence agencies.
On Thursday morning, the Court of Justice of the European Union (CJEU) struck down a 2016 data-sharing deal between the U.S. and EU, because it could not guarantee the data-protection rights of Europeans when their data goes across the Atlantic as happens whenever they, for example, use a popular site like Facebook or Google.
The Privacy Shield deal gave American companies a relatively hassle-free way to serve EU users. Under EU law, Europeans’ personal data is only supposed to go to outside countries that have similar data protection rules to those in the EU. The U.S. lacks a strong federal privacy law and therefore doesn’t qualify—so the U.S. and EU agreed on the Privacy Shield register as a way for U.S. companies to say that they adhere to EU-grade privacy rules, even if U.S. law does not.
More than 5,000 companies had signed up to Privacy Shield, and now, with today’s ruling, it’s gone. (Confusingly, though, the U.S. Department of Commerce says it will continue to administer the program, even though it is no longer recognized from the European side.)
The now-stricken deal was itself the replacement for a very similar arrangement, Safe Harbor, that the CJEU also struck down almost five years ago, in what is essentially the same long-running case.
The man behind that case is an Austrian lawyer and activist called Max Schrems, who has been using Facebook since 2008 and is on a crusade to protect the data he gives the company. To do this, he’s had to get the privacy regulator in Ireland—where Facebook has its international headquarters—to deal with his complaint.
Schrems’ first trip to the Luxembourg-based CJEU was the result of the Irish watchdog telling him to get lost, because Facebook had signed up to the Safe Harbor register. In October 2015, the court not only said the Irish Data Protection Commissioner (DPC) did have to investigate Schrems’ complaint—which was sparked by the surveillance revelations of NSA whistleblower Edward Snowden—but it unexpectedly struck down Safe Harbor with immediate effect, because the deal did not actually protect Europeans’ rights as it claimed to do.
As the U.S. and EU scrambled to come up with a replacement for Safe Harbor, Schrems went back to the Irish DPC. By this point, Facebook was taking no chances, and was relying on a separate legal mechanism to keep its data transfers legal—so-called “standard contractual clauses” or SCCs, which are a relatively expensive and time-consuming alternative to Safe Harbor.
The terms of SCCs allow a European regulator to suspend data transfers out of the EU if the destination country doesn’t adequately protect that data. But rather than taking this route, the Irish DPC decided to challenge the existence of SCCs as a whole—it essentially sued both Schrems and his nemesis, Facebook.
And that’s how the case ended up back at the CJEU.
Schrems got exactly what he wanted from the court. Privacy Shield is immediately cancelled, but standard contractual clauses are not.
On Thursday morning, the court said SCCs remain valid precisely because they allow a data protection authority to suspend data flows if the company using the SCCs either breaches their terms or it is “impossible to honor them” because of the laws in the country to which the data is flowing.
Given that the court slammed U.S. privacy and surveillance laws when striking down Privacy Shield—it said there still weren’t enough limits on U.S. intelligence agencies’ access to Big Tech’s user data, and that Europeans didn’t have a meaningful way to complain about that access—it follows that any company relying on SCCs for its EU-to-U.S. transfers is potentially in trouble.
Without SCCs, a company like Facebook may have to set up functionally separate operations in Europe in order to keep operating there.
In Schrems’ words on Thursday, the court is “telling the Irish DPC to do its job after seven years of inaction” and stop Facebook from sending European users’ data back to the U.S. “The judgment makes it clear that companies cannot just sign the SCCs, but also have to check if they can be complied with in practice,” he said.
“It is clear that the U.S. will have to seriously change their surveillance laws, if U.S. companies want to continue to play a major role on the EU market.”
However, Thursday’s decision could also have ramifications for companies in other countries.
Peter Swire, a senior counsel at law firm Alston & Bird and a former U.S. negotiator on data privacy with the EU, reckons the ruling “appears to put global trade at risk” where countries such as China and Russia are concerned.
“China has far fewer surveillance limitations than U.S. law,” Swire—whom Facebook called as an independent witness in this case—said. “If the data protection authorities make individual findings about difficulties in sending data to the United States, then they seem obligated under the court’s decision to similarly block transfers to most other countries in the world.”
After the Brexit transition period runs out at the end of 2020, the U.K. could find itself being one of those countries.
One peculiarity of the situation is that the EU cannot block data transfers between its own member states, whatever surveillance laws those countries have. But it can block data transfers to outside countries. After this year, the U.K. will be an outside country, and many argue that its surveillance activities will create problems.
Need for reform
Neither Facebook nor the Irish Data Protection Commissioner had yet responded to the ruling at the time of writing.
Microsoft, however, finds itself in a similar situation to Facebook, even though it had nothing to do with this case. Microsoft, like Facebook, has been using SCCs and Privacy Shield to shore up the legality of its EU-U.S. data transfers.
“We want to be clear: if you are a commercial customer, you can continue to use Microsoft services in compliance with European law,” wrote Microsoft chief privacy officer Julie Brill in a blog post. “The court’s ruling does not change your ability to transfer data today between the EU and U.S. using the Microsoft cloud.”
The key word in that post is “today”: Microsoft’s SCCs remain valid, but if Facebook’s SCCs fall, then Microsoft’s could soon follow.
That is, unless the U.S. changes its ways.
“U.S. surveillance violates fundamental privacy rights and continues to be a massive financial liability for U.S. companies trying to compete in a global market,” said Ashley Gorski, a senior attorney with the American Civil Liberties Union (ACLU), which testified in the case.
“Unless Congress swiftly acts to enact comprehensive surveillance reforms, U.S. businesses will continue to pay the consequences.”
“Our customers can be assured that we are committed to ensuring their data will continue to flow through our services, that we’ll continue our work to provide greater protections based on the issues raised in today’s ruling, and that we’ll work collaboratively with governments and policymakers as they shape new approaches,” Microsoft’s Brill wrote.
U.S. Commerce Secretary Wilbur Ross said in a statement that the U.S. government is studying the ruling to “fully understand its practical impacts.”
“We have been and will remain in close contact with the European Commission and European Data Protection Board on this matter and hope to be able to limit the negative consequences to the $7.1 trillion transatlantic economic relationship that is so vital to our respective citizens, companies, and governments,” Ross said.
More must-read international coverage from Fortune.