The EU's highest court has struck down a deal that allows thousands of companies to easily transfer personal data from Europe to the United States, in a landmark ruling that followed revelations of mass surveillance by American government agencies.
Many companies, both US and European, use the Safe Harbour system to help them get round cumbersome checks to transfer data between offices on both sides of the Atlantic. That includes payroll and human resources information as well as lucrative data used for online advertising, which is of particular importance to tech companies.
Now, however, the Court of Justice of the European Union (ECJ) said Safe Harbour did not sufficiently protect EU citizens' personal data since the requirements of American national security, public interest and law enforcement trumped the privacy safeguards contained in the framework.
In addition, EU citizens have no means of legal recourse against the misuse of their data in the United States, the court said. A bill is currently winding its way through the US Congress to give Europeans the right to legal redress.
The decision sounds the death knell for the system, set up by the European Commission 15 years ago. It is used by over 4000 firms including IBM, Google and Ericsson.
In its ruling, the ECJ referred to revelations from former National Security Agency contractor Edward Snowden, which included that the Prism program allowed US authorities to harvest private information directly from big tech companies such as Apple, Facebook and Google.
The United States, which in the run-up to the decision had issued strenuous defences of its intelligence programs, said it was "deeply disappointed" by the ruling.
IBM said the ruling created commercial uncertainty and jeopardised the flow of data across borders.
"The free movement of data across borders is the foundation of the global economy, facilitating everything from financial services and manufacturing to shipping and retail," said Christopher Padilla, vice president of government and regulatory affairs at IBM.
Any company with a centralised HR database in the United States would need to transfer personal data there, and companies that do not have data centres in Europe often ship the data from their European clients across the Atlantic, lawyers said.
However, they also said most multinationals, such as Facebook and Microsoft, would probably be able to continue with business as usual as they already had alternative legal channels for transferring data to the United States.
The ECJ ruling became effective immediately and the European Commission said it would continue to work with the United States on a revamped data transfer deal to fill the void.
"In the light of the ruling, we will continue this work towards a new and safe framework for the transfer of personal data across the Atlantic," Commission vice president Frans Timmermans said.
Without Safe Harbour, the United States loses its status in the EU as a country that provides "adequate protection" for personal data.
The EU has granted that status to only 11 countries worldwide. For transfers to any other country, such as Japan, companies have to draw up contracts establishing privacy protections between groups or seek approval from data protection authorities, something they will now be required to do for transfers to the United States.
"The EU's highest court has pulled the rug under the feet of thousands of companies that have been relying on Safe Harbour," said Monika Kuschewsky, special counsel at law firm Covington.
"All these companies are now forced to find an alternative mechanism for their data transfers to the US."
The group of EU data protection authorities, known as the Article 29 Working Party (WP29), said it would hold discussions this week to "determine the consequences on transfers" of data and schedule an extraordinary meeting shortly.
It is too early to say whether companies left in the lurch by the annulment of Safe Harbour and without any alternatives will be given a grace period by data protection authorities, a spokeswoman for the WP29 said.
Student complaint triggered court ruling
The court case stemmed from a complaint by Austrian law student Max Schrems, who challenged Facebook's transfer of European users' data to its American servers because of the risk of US snooping, in light of Snowden's revelations in 2013.
The European Commission separately demanded a review of Safe Harbour to ensure that US authorities' access to Europeans' data would be proportionate and limited to what is absolutely necessary.
Washington and Brussels have been in talks for two years to strengthen Safe Harbour in a way that could allay Europe's privacy concerns, and today's judgement heaps pressure on the Commission to accelerate the talks.
"The court put pretty high standards on a new Safe Harbour," Kuschewsky said.
Schrems filed his complaint to the Irish Data Protection Commissioner, as Facebook's European headquarters is in Ireland.
The case eventually wound its way up to the Luxembourg-based ECJ, which was asked to rule on whether national data privacy watchdogs could unilaterally suspend the Safe Harbour framework if they had concerns about US privacy safeguards.
"The judgment makes it clear that US businesses cannot simply aid US espionage efforts in violation of European fundamental rights," Schrems said.