A major agreement governing the transfer of EU citizens’ data to the United States has been struck down by the European Court of Justice (ECJ).
The EU-US Privacy Shield let companies sign up to higher privacy standards before transferring data to the US.
But a privacy advocate challenged the agreement, arguing that US national security laws did not protect EU citizens from government snooping.
Max Schrems, the Austrian behind the case, called it a win for privacy.
“It is clear that the US will have to seriously change their surveillance laws, if US companies want to continue to play a role in the EU market,” he said.
The EU-US Privacy Shield system “underpins transatlantic digital trade” for more than 5,000 companies. About 65% of them are small and medium-sized enterprises (SMEs) or start-ups, according to UCL’s European Institute.
Affected companies will now have to sign standard contractual clauses, non-negotiable legal contracts drawn up by Europe, which are used in other countries besides the US.
Mr Schrems had also challenged these, but the ECJ chose not to abolish them.
But it also warned that data protection watchdogs should suspend those contracts if the guarantees in them are not upheld.
US Secretary of Commerce Wilbur Ross said his department was “deeply disappointed” by the decision.
He said he hoped to “limit the negative consequences” to transatlantic trade worth $7.1 trillion (£5.6tn).
European data protection law says data can only be transferred out of the EU – to the United States or elsewhere – if appropriate safeguards are in place.
But the ECJ said US “surveillance programmes… are not limited to what is strictly necessary”.
“The requirements of US national security, public interest and law enforcement have primacy, thus condoning interference with the fundamental rights of persons whose data are transferred,” it said.
“The limitations on the protection of personal data arising from the domestic law of the United States… are not circumscribed in a way that satisfies requirements.”
“This is a bold move by Europe,” Jonathan Kewley, co-head of technology at law firm Clifford Chance, said.
“What we are seeing here looks suspiciously like a privacy trade war, where Europe is saying their data standards can be trusted but those in the US cannot.”
He also warned that standard contractual clauses (SCCs) will be much more closely scrutinised from now on.
Data protection expert Tim Turner agreed, saying the ECJ’s warning over the standard clauses could spell further trouble for US companies.
“If the law in the relevant country – let’s say the USA – could override what the contract says, they don’t work,” he said.
“I don’t know how much appetite they have to do this, but it’s hard to imagine that any European regulator would say that SCCs work for the US, and the pressure will pile on for them to make the assessment.
“I don’t think SCCs escaped the court’s judgement – for some key countries, it’s probably just a stay of execution.”
Mr Schrems lodged a complaint against Facebook transferring data to the US in 2013, after leaks by ex-CIA contractor Edward Snowden revealed the extent of US surveillance.
His first case ended in 2015, with the ECJ overturning the long-standing Safe Harbour arrangement.
Privacy Shield and SCCs were created as alternatives.