Companies, including U.S. tech giants, should be blocked from transferring European users’ data in some cases if they can’t guarantee it will be handled in compliance with European Union privacy laws, an adviser to the EU’s top court recommended Thursday.
The recommendation, if followed by the EU’s Court of Justice, could unleash a series of legal challenges against companies such as
and Apple Inc., which all have significant operations in the U.S. and Europe—potentially disrupting their operations.
Those companies, and thousands of others, currently transfer data out of Europe under several different legal tools that generally require them to comply with EU privacy principles overseas.
In a relief for many businesses, Henrik Saugmandsgaard Øe, an advocate general for the court, said judges shouldn’t strike down one of the more popular legal tools, called standard contractual clauses. But he argued that data-protection authorities should nevertheless block specific transfers made using the clauses when other countries required companies to ignore them.
SHARE YOUR THOUGHTS
Do you think the EU should block some companies from sending information about Europeans to the U.S. because of surveillance concerns? Join the conversation below.
The recommendations, if followed by the court next year, could haunt U.S. tech companies because the case stems from concerns over whether their obligations under U.S. surveillance laws violate EU privacy protections.
The main plaintiff in the case, privacy activist Max Schrems, has argued that Facebook Inc. shouldn’t be allowed to transfer its users’ data to the U.S., because that information could be turned over under secret government requests.
Facebook said it was grateful for the “opinion on these complex questions” and looks forward to the final decision. The company didn’t specifically address the recommendation that data protection regulators block certain transfers.
Amazon declined to comment, while Apple and Google didn’t immediately respond to a request for comment.
The legal challenges that led to Thursday’s opinion date to leaks of alleged U.S. surveillance practices from former National Security Agency contractor
Privacy activists argue the U.S. government’s ability to obtain legal access to personal information held by some companies in the U.S. amounts to mass surveillance and should be prohibited under EU treaties and the EU’s General Data Protection Regulation.
The U.S. has argued that its surveillance practices are proportionate and targeted. At a hearing before the ECJ in July,
a lawyer for the U.S. government, also said the U.S. “doesn’t believe GDPR gives the EU world-wide jurisdiction to conduct analysis of other countries’ national security practices.”
Concerns over U.S. surveillance led the same court in 2015 to strike down a former EU-U.S. agreement dubbed Safe Harbor, that allowed companies to send European data to the U.S. provided the companies adhered to a set of privacy principles.
After that decision, the EU and U.S. negotiated a replacement, called Privacy Shield, to which nearly 5,100 companies have signed up.
On Thursday, Mr. Saugmandsgaard Øe raised concerns about the framework’s validity, in light of European privacy rights. Privacy Shield is facing separate legal challenges, and during July’s hearing, judges harshly questioned lawyers for the European Commission, the EU’s executive arm, over their approval of it.
Blocking data transfers to the U.S., for instance by suspending Privacy Shield or the preapproved contractual clauses at issue in Thursday’s opinion, could upend billions of dollars of trade from cross-border data activities, including cloud services, human resources, marketing and advertising, tech advocates and privacy lawyers say.
“The disruptive effect of a suspension of [standard contractual clauses], even if partial and just for the U.S., is likely to be substantial,” said
a research fellow at the University of Oslo.
Of course, the worst-case scenario may not occur. The European Commission has already announced plans to revise its preapproved contractual clauses, and could attempt to take into account any of the court’s complaints. In addition, Ireland’s privacy regulator has said it would attempt to exercise discretion in enforcement.
“Nobody can guarantee a grace period but it will always be our aim to be pragmatic,” said
Ireland’s Data Protection Commissioner, at an event in Brussels earlier this month.
In a separate case before the same court, one tech giant won a victory on Thursday. Judges decided that Airbnb Inc. is an information-society service, and therefore isn’t required to register as a real-estate broker in France under a 1970 law.
The distinction as an information-society service under EU law could give Airbnb some ammunition in other legal fights it is waging against what it calls disproportionate regulations. Those battles include a separate pending case in Paris, which is suing Airbnb to remove what it says are illegal listings.
An Airbnb spokesman said the company welcomed Thursday’s judgment, adding that company wants “to move forward and continue working with cities on clear rules that put local families and communities at the heart of sustainable 21st century travel.”
Copyright ©2019 Dow Jones & Company, Inc. All Rights Reserved. 87990cbe856818d5eddac44c7b1cdeb8