LUXEMBOURG (AP) — The European Union's highest court struck a big blow Tuesday against Facebook and other companies by ruling that a long-running pact allowing the free transfer of data to the U.S. is invalid as it does not adequately protect consumers.
The verdict could have far-reaching implications for companies operating in Europe. Though it does not ban the transfer of data, the ruling means national authorities can review what kinds of information companies want to send to the U.S., complicating business.
Max Schrems, a 28-year-old Austrian law student, brought the case in which he complained that U.S. law doesn't offer sufficient protection against surveillance of data transferred by Facebook to servers in the United States.
He filed the complaint after former U.S. National Security Agency contractor Edward Snowden revealed two year ago the extent of the NSA's surveillance programs. On Tuesday, he expressed his delight at the ruling.
"The message is clear — that mass surveillance is not possible and against fundamental rights in Europe," he said.
Companies, he added, "cannot just aid foreign spies and get away with it because they fall under European jurisdiction."
Schrems complained to the data protection authorities in Ireland, where Facebook has its European headquarters.
Irish authorities initially rejected his complaint, pointing to a 2000 decision by the EU's executive Commission that, under the so-called "safe harbor" agreement, the U.S. ensures adequate data protection.
The agreement has allowed for the free transfer of information by companies from the EU to U.S. It has been seen as a boost to trade since, absent such a deal, swift and smooth data exchange over the Internet would be much more difficult.
The decision by the European Court of Justice does not mean that a company like Facebook has to immediately stop transferring data to the U.S. Rather, national authorities in Europe will be allowed to review individual transfers of data. They could also be forced to if there are complaints, as in Schrems' case.
That means data transfers could face multiple legal cases and reviews, complicating business for companies.
The European Union and the U.S. are expected to go back to drawing board to put together a new data sharing pact.
In Schrems' case, the Irish data commissioner will now be required to examine the complaint "with all due diligence."
Once it has concluded its investigation, the authority must "decide whether ... transfer of the data of Facebook's European subscribers to the United States should be suspended on the ground that that country does not afford an adequate level of protection of personal data," the court said in a summary of its ruling.
In a statement, Facebook said it's now "imperative that EU and U.S. governments ensure that they continue to provide reliable methods for lawful data transfers and resolve any issues relating to national security."
The statement noted that the ECJ's advocate general "himself said that Facebook has done nothing wrong."
Schrems insisted he was never seeking to strike a blow to Facebook.
"On the one hand you have fundamental rights which are hugely important but then you have legal certainties for companies," he said. "It's basically like the banks, they're too big to shut down."
Sophie In't Veld, a leading Liberal lawmaker in the European Parliament, welcomed the ruling and called the "safe harbor" decision "a travesty of legality."
"We need clear rules to govern the transfer of personal data to the U.S. and other non-EU countries," she said. "But they must be legally watertight, provide real and meaningful protection, and there must be proper enforcement."