People's personal Facebook data, and the data kept by thousands of other companies on them, will not be able to be transferred from Europe to America because the US government could snoop on it.
The European Court of Justice ruled the "Privacy Shield" – an agreement between the EU and the US which let companies transfer data between the regions – is invalid.
The ruling means that Europeans' data will need to have the same privacy protection in the US as it is in the EU.
The move is a boon for privacy advocates, who have hailed it as a major victory, but some 5,000 businesses could have their actions disrupted.
Email, flight, and hotel reservations would not be affected in the short term, nor will cloud services.
Under the new rules, it will no longer simply be assumed that tech companies such as Facebook will adequately protect the privacy of its European users' data when it sends it to the US.
In February, Google said it would transfer UK users’ data to the US following Brexit, as users in Britain are no longer covered by the EU’s data protection legislation and would instead be under the control of the Trump administration.
Its implications could also affect the finance sector and auto industry, too.
The Privacy Shield was set up in 2016 by Washington and Brussels to protect personal data when it is sent to the United States for commercial use after a previous agreement known as Safe Harbour was ruled invalid in 2015.
The court noted in its rulings that there are “limitations on the protection of personal data arising from the domestic law of the United States on the access and use by US public authorities of such data transferred from the European Union to that third country”.
“One of the biggest takeaways is that we would need fundamental reform in U.S. surveillance laws if U.S. companies still want to have any kind of decent access to the European market,” said Max Schrems, an Austrian activist whose complaints about the handling of his Facebook data triggered the ruling after years of legal procedures.
Schrems filed his first complaint in 2013.
“What we are seeing here looks suspiciously like a privacy trade war, where Europe is saying their data standards can be trusted, but those in the U.S. cannot,” said Jonathan Kewley, co-head of technology at law firm Clifford Chance.
While many companies use the Privacy Shield to move data between the EU and the US, the court says that they could continue to do so under ‘standard contractual clauses’ (SCCs).
These are individual legal agreements covering how data is treated. Following the Brexit transition period, the UK will likely need to change its surveillance laws, although it is unclear if this will indeed happen.
“In practice, this means that unless the UK starts reforming its surveillance laws now, reaching an adequacy deal by end 2020, or any time really, will be difficult,” Estelle Masse, senior policy analyst at Access Now, told the Financial Times.
"The CJEU’s invalidation of Privacy Shield binds the UK under the terms of the EU Withdrawal Agreement. So the UK cannot do its own thing. After the end of the Transition Period, the UK and the US could agree a new Privacy Shield framework on broadly similar lines. However, it is questionable how this would play publicly if there were no substantive changes or new safeguards included in a UK-US mechanism", Huw Beverley-Smith, partner at the law firm Faegre Drinker, told The Independent.
"A new framework would potentially be open to challenge along similar lines in a UK court. While the rights contained in the Charter of Fundamental Rights were a significant reason for the legal decision in the CJEU’s decision in Schrems II, the Charter does not form part of domestic law after Exit Day. However, principles such as the respect for private and family life, the protection of personal data and the right to an effective remedy and fair trial (which were the key rights under the Charter cited in this case) are part of UK law anyway. Therefore, it would be open to a UK court to decide in the same manner as the CJEU if any new mechanism were challenged. As such, legally, the outcome may well be similar."
"Also, the practical value of a new UK-US framework would have inherent limits since it would not be able to be used in respect of personal data originating from the EU (unless approved by the EU Commission). This reflects the practical realities that many businesses will face in separating UK and EU data flows to the rest of the world. For logistical reasons, the same legal and security arrangements may need to be applied to data originating from Europe. From that point of view, it will be difficult for the UK Government to stand alone."
President Trump has said both companies poses national security concerns because of its potential to pass data to the Chinese government. Huawei and TikTok have denied this.
This ruling, however, highlights how government surveillance of personal data is something the US does in turn.
Since the revelations published by Edward Snowden, which told how the US Government was snooping on people's online data and communications, there have been concerns about how governments will keep the data of average people secure from misuse, especially when such governments benefit from access to that data.
Snowden's documents included detail on how Facebook gave US security agencies access to the personal data of Europeans.
"While the Department of Commerce is deeply disappointed that the court appears to have invalidated the European Commission’s adequacy decision underlying the EU-U.S. Privacy Shield, we are still studying the decision to fully understand its practical impacts. We have been and will remain in close contact with the European Commission and European Data Protection Board on this matter and hope to be able to limit the negative consequences to the $7.1 trillion transatlantic economic relationship that is so vital to our respective citizens, companies, and governments," said US Secretary of Commerce Wilbur Ross.
"Data flows are essential not just to tech companies—but to businesses of all sizes in every sector. As our economies continue their post-COVID-19 recovery, it is critical that companies—including the 5,300+ current Privacy Shield participants—be able to transfer data without interruption, consistent with the strong protections offered by Privacy Shield."
The mass amounts of data gathered are also crucial to winning elections, as demonstrated by the aftermath of the Cambridge Analytica scandal.
Additional reporting by agencies