A transatlantic agreement that allows thousands of US companies to transfer personal data of European Union citizens to servers stateside became the latest casualty of the National Security Agency’s spying scandals.
The Court of Justice of the European Union (CJEU), the highest legal body on the continent, ruled Tuesday that the fifteen-year-old Safe Harbour Act is not up to snuff when it comes to assuring that EU member state citizens’ data is indeed secure while stored at US facilities.
The high court concurred with the September recommendations of its Advocate General Yves Bot had urged the body to re-examine the validity of the accord.
“It is apparent,” wrote Bot, “that the law and practice of the United States allow the large-scale collection of the personal data of citizens of the EU which is transferred, without those citizens benefiting from effective judicial protection.”
On Tuesday, the administration reacted to the decision by saying it has “a variety of concerns.”
“We believe that this decision was based on incomplete assumptions about data privacy protections in the United States,” White House Press Secretary Josh Earnest told reporters, referencing reforms passed by Congress and the intelligence community in the wake of the Edward Snowden’s revelations.
He added that the ruling also “fails to properly credit the benefits to privacy and growth that have been afforded by this framework over the last 15 years.”
Commerce Secretary Penny Pritzker also blasted the ruling in a statement.
“We are deeply disappointed in today’s decision from the European Court of Justice, which creates significant uncertainty for both US and EU companies and consumers, and puts at risk the thriving transatlantic digital economy,” she claimed.
The administration noted, however, that the Commerce Department “will work with the European Union to provide certainty to companies both in Europe and the United States to release an updated safe harbor framework.”
The case was brought to the EU judicial system by an Australian citizen named Maximillian Schrems. In 2014, Schrems challenged Facebook’s authority to transfer his personal information from a continental subsidiary in Ireland back to the company’s servers in the United States. He pointed to the leaks from former NSA contractor Edward Snowden as evidence that European citizens’ data in the US is vulnerable to state abuses.
The ruling could disrupt the business operations of roughly 5,000 companies that rely on the agreement to transfer data across the Atlantic. In its immediate aftermath, US companies will have to rely on alternative contracts with European nations that provide more stringent digital security assurances.
That, according to one of the most outspoken US Senator on privacy issues, could prove disastrous to American companies.
Sen. Ron Wyden (D-Ore.) likened the policy to backdoor mercantilism and claimed that the ruling “called for open season against American businesses.”
He added in a statement Tuesday that this “misguided decision amounts to nothing less than protectionism against America’s global data processing services and digital goods. It is a mistake that will wreak havoc on businesses on both sides of the Atlantic, and cost good-paying American jobs.”
Wyden also placed blame on the NSA, stating that “ineffective mass surveillance programs did nothing to make our country safer, but they did grave damage to the reputations of the American tech sector.”
Edward Snowden reacted to the CJEU decision as well, but had a different take than Wyden.
“Europe’s high court just struck down a major law routinely abused for surveillance. We are all safer as a result,” the whistleblower tweeted on Tuesday.
A new data-sharing agreement between the US and EU has been in the works for nearly two years, but they have not been able to reach a consensus. According to the BBC, EU negotiators are holding out finalizing on new pact until they are given the right to file suit against US companies that are found to be misusing their European customers’ data.
