E.U. Court Strikes Down ‘Privacy Shield’ Data Transfer Pact

LONDON — Europe’s top court on Thursday struck down a trans-Atlantic agreement that allows scores of companies to move data between the European Union and the United States, causing uncertainty for businesses who rely on moving digital information seamlessly around the world.

The European Court of Justice in Luxembourg ruled that the agreement, known as Privacy Shield, did not comply with European privacy rights. Privacy Shield, created in 2016, allows businesses in the European Union and the United States to move data more easily between the two regions. More than 5,000 companies use the system.

The decision is the latest twist in a long-running campaign by privacy-rights activists in Europe who want to prevent companies from moving their personal information to countries with looser data protection rules. The efforts stem from revelations in 2013 by the American former intelligence contractor Edward Snowden about how U.S. government surveillance programs collected electronic communications from private businesses.

The overall effect of the court’s decision was not immediately clear beyond creating a dizzying amount of new work for corporate legal departments. Few expect a sudden disruption for moving data between Europe and the United States. Before the decision was announced, European officials played down the potential fallout, saying plans were in place to ensure commerce would not be interrupted. American and European officials will now attempt to negotiate a new deal for transferring digital information.

The court said that some alternative data-transfer contracts struck between organizations were acceptable, though it cautioned that companies must be sure that a government outside Europe — in the United States or elsewhere — meet European privacy standards. Some companies may respond by storing more data inside the European Union.

The ruling affects big tech companies like Facebook and Google, as well as thousands of other multinational businesses. Lawyers said the data subject to transfer rules could include communications like emails and social media posts, financial records, business files, human resources materials about employees, marketing databases, and customer records.

Business groups have called for a grace period that would allow companies to find new legal mechanisms to continue moving data.

“This decision cuts off legal means to transfer personal data to the United States and will demand immediate attention by policymakers and U.S. companies doing business in Europe,” said Caitlin Fennessy, research director at the International Association of Privacy Professionals, an industry group based in New Hampshire.

Seven years after Mr. Snowden disclosed the existence of the bulk surveillance programs, the case is an example of the lingering conflict that exists between European privacy rights and American surveillance laws. In the European Union, the protection of personal data is enshrined in the Charter of Fundamental Rights, alongside civil rights like freedom of expression.

The protections are further supported by the European Union’s landmark privacy law enacted in 2018, the General Data Protection Regulation.

The case started when an Austrian data-protection campaigner, Max Schrems, filed a complaint against Facebook, arguing that his privacy rights were violated once his data was transferred to the United States, where it be would be vulnerable to American snooping. The case became a broader referendum on the validity of data-transfer agreements when information leaves the European Union.

Mr. Schrems, who now runs a privacy-rights group called NOYB — taken from the phrase “none of your business” — released a statement after the ruling. “It is clear that the U.S. will have to seriously change their surveillance laws if U.S. companies want to continue to play a role on the E.U. market,” the statement said.

The decision is the second time Mr. Schrems has successfully overturned an E.U.-U.S. data-sharing pact. In 2015, he fought to have the court invalidate the predecessor to Privacy Shield over concerns that American spy agencies could access data coming from the European Union.

Privacy Shield was meant to address those issues, providing new safeguards to Europeans, including more control over how their information is used and the right to go to American courts if they thought that a company or the United States government had misused their data. The deal included an American guarantee that government could not collect data without sufficient cause.

Wilbur Ross, the U.S. secretary of commerce, said in a statement that the United States was “deeply disappointed” by the ruling, but that it would work with European officials to “limit the negative consequences to the $7.1 trillion trans-Atlantic economic relationship that is so vital to our respective citizens, companies, and governments.”

United States representatives participated in arguments for the case last year, an unusual step that signaled the importance of the case. American officials argued that government surveillance programs were narrowly targeted and provided sufficient data-access protections, and that European privacy rights could not dictate the national security policy of a foreign government.

European officials expressed optimism about finding a solution.

“Today’s judgment is another steppingstone in our commitment to ensuring that personal data is fully protected in the E.U. and its transfers outside of the E.U.,” said Didier Reynders, European commissioner for justice. “I will reach out to my U.S. counterparts and look forward to working constructively with them to develop a strengthened and durable transfer mechanism.”

Eduardo Ustaran, a lawyer specializing in privacy and cybersecurity at the law firm Hogan Lovells in London, said that while average people were unlikely to notice any major changes as a result of the decision, it left thousands of companies in legal limbo.

“The practical effect is actually huge,” he said. “Any company that wants to transfer data overseas must now check the powers of other countries to have access to that data.”