Europe's top court on Thursday struck down a data privacy pact that had allowed companies to transfer private user data between servers in Europe and the United States. However, EU citizens' data can still be sent to the US and other countries under a separate, existing mechanism.
In a case brought against internet giant Facebook, the European Court of Justice in Luxembourg ruled that the data transfer agreement "Privacy Shield" failed to adequately protect Europeans' data from US surveillance and security laws and was therefore invalid.
Judges said while the deal had required US companies to comply with EU privacy laws, its provisions "do not grant Europeans actionable rights before the courts against the US authorities."
Data transfers out of the EU will, however, be allowed to continue under another legal mechanism called contractual clauses, an EU provision in which companies outside of Europe commit to EU data and privacy laws.
Such transfers are now likely to come under greater scrutiny and the EU and US may work towards a new arrangement that guarantees privacy protection for European internet users in the US.
Victory for privacy activist
Plaintiff Maximilian Schrems welcomed the ruling. "It seems we scored a 100% win," he wrote on Twitter following the verdict.
The Austrian privacy activist was also responsible for bringing about the end of Privacy Shield's predecessor, "Safe Harbor," following revelations of mass digital spying by US agencies uncovered by Edward Snowden.
In the latest case, Schrems had argued that it was unlawful for his data, compiled by Facebook Ireland, to be transferred to the company's US branch without his permission.
Because US intelligence agencies can access EU Facebook users' private data, it meant that EU citizens' data were not sufficiently protected. There is also no means to appeal this transfer, he said.
The Irish Data Protection Commissioner filed a case before the High Court of Ireland, which referred it to the European Court of Justice.
Existing pact catches court's interest
The case had originally focused on contractual clauses before judges took an interest in Privacy Shield.
The now-invalidated pact had laid out data transfer policy for over 5,000 US companies.
Privacy shield supporters had argued that while the deal is used by tech powerhouses, it also allows smaller US companies to provide services in Europe.
The contractual clauses upon which companies will now rely are much more legally cumbersome than a bilateral deal like Privacy Shield.
Brussels cheers, big tech boos
US big tech lobby the Computer and Communications Industry Association (CCIA) criticized the Thursday decision saying it "creates legal uncertainty for the thousands of large and small companies on both sides of the Atlantic."
"We trust that EU and US decision-makers will swiftly develop a sustainable solution, in line with EU law, to ensure the continuation of data flows which underpins the transatlantic economy," CCIA said.
Brussels, however, welcomed the verdict.
The ECJ ruling is an "an earthquake for international data sharing," EU parliamentarian Moritz Körner said. "Thanks to the judges' ruling, US data snooping in the EU may no longer be ignored or accepted," the politician said in a statement.
"It is sad that this could only be achieved by a complaint from the private individual Schrems," he added.