Facebook dealt privacy blow as US-Europe data-sharing pact declared illegal

A ruling by Europe's highest court puts the social network and thousands of other companies in a tough spot over how they handle user data.

Katie Collins Senior European Correspondent
Katie a UK-based news reporter and features writer. Officially, she is CNET's European correspondent, covering tech policy and Big Tech in the EU and UK. Unofficially, she serves as CNET's Taylor Swift correspondent. You can also find her writing about tech for good, ethics and human rights, the climate crisis, robots, travel and digital culture. She was once described a "living synth" by London's Evening Standard for having a microchip injected into her hand.
Katie Collins
3 min read

The stars of an EU court ruling have aligned to bode trouble for Facebook and many other companies. Dado Ruvic/Reuters/Corbis

The operations of Facebook and many other US-based companies in Europe could be disrupted after a 15-year pact between the two regions was declared illegal.

Europe's highest court on Tuesday ruled invalid the "Safe Harbor" agreement that governed the transatlantic transfer of data on European citizens. Reached in 2000 by the European Commission and US authorities, it allowed companies to send user data to the US without guaranteeing that the information would be protected from the eyes of the US government.

More than 4,000 US companies, including Apple, Google, Microsoft and Yahoo, that transfer user data out of the continent will be affected by the ruling. Having relied on the arrangement to do business since some of them were in their infancy, the affected companies will now need to draw up individual and complex contracts, each of which will require negotiations over the protection of user data. While some companies may have seen the ruling coming and started putting provisions in place, the verdict was delivered much more swiftly than anticipated.

The EU and US had been attempting to renegotiate Safe Harbor for two years, but failed to agree to terms, and officials won't provide a concrete date at which they hope to finalize a new pact. The EU wants Europeans to be able sue US companies in US courts if their data is misused; US negotiators seemed inclined to agree, but politicians could refuse to grant European citizens the right to sue.

Washington said it was "deeply disappointed" by the court's action. The decision "creates significant uncertainty for both US and EU companies and consumers, and puts at risk the thriving transatlantic digital economy," US Secretary of Commerce Penny Pritzker said in a statement.

The case was originally filed in Ireland, where Facebook has its European headquarters, by Austrian law student Max Schrems in a challenge to Facebook's data collection across the continent. It was later passed over to the CJEU. Schrems was moved to pursue the case following revelations made by ex-NSA contractor Edward Snowden about spying by the US and UK governments. This included accusations that Facebook and other major Web companies provide the US government with "backdoor access" to the data it has collected on users as part of the National Security Agency's mass surveillance program known as PRISM.

Facebook has consistently denied that it allows backdoor access to the US government or cooperates with any PRISM-like program. In response to the CJEU's decision, the social network was keen to point the attention away from itself and refocus the conversation on the broader issue of how data transfers would be handled in the future.

"It is imperative that EU and US governments ensure that they continue to provide reliable methods for lawful data transfers," a Facebook spokesperson said, "and resolve any issues relating to national security."

Austrian law student Max Schrems, who brought the case against Facebook. Leonhard Feoger/Reuters/Corbis

For Schrems, the decision was a victory for privacy. "This judgement draws a clear line. It clarifies that mass surveillance violates our fundamental rights," said Schrems, following today's announcement.

Without an adequate pan-European data-transfer agreement in place, Tuesday's ruling by the European Court of Justice (CJEU) effectively passes the responsibility for agreeing on the legality of data-transfer partnerships to individual countries, which could prove a regulatory nightmare for US companies operating in the continent. Brian Hengesbaugh of law firm Baker & McKenzie, who originally helped to negotiate the Safe Harbor agreement, said that invalidating the pact "burdens businesses on both sides of the Atlantic."

Law firm Morrison Foerster agreed that the upcoming challenges would be tough to navigate, saying that the CJEU ruling "puts these companies in an impossible position." Affected businesses may have to choose either to violate European data protection rules or to face penalties from the US government for not sharing data. "We do not envy the data protection officers and company executives who will have to decide which law to break," Morrison Foerster said.

As part of its ruling on Safe Harbor, the European court has tasked the supervisory authority in Ireland with investigating the social network's activities. At the conclusion of the investigation it will then have to decide whether the transfer of European users' data to the US should be suspended "on the ground that the country does not afford an adequate level of protection of personal data."