On Tuesday, the highest court in the European Union ended a data-transfer agreement known as the “Safe Harbor” pact after 15 years of use.
The agreement allowed tech companies to move user data from European to United States data centers if the companies offered certain privacy settings and met other minimum requirements. Eliminating the pact is a win for privacy advocates, who criticized it for potentially exposing EU user data to U.S. surveillance. But it could have ramifications for the tech industry, since companies will now have to rely on data centers that are physically in the EU or find other legal justifications to allow data to flow to the United States.
The Wall Street Journal estimates that roughly 4,500 companies, from tiny startups to tech giants, were invoking the pact in their daily operations. Some, like Microsoft and Facebook, have backup plans, but small companies with limited resources may struggle to implement new strategies. The worst-case scenario would be that European customers can’t use certain U.S. services, leading to problems for international trade.
Brian Hengesbaugh, a privacy lawyer with Baker & McKenzie in Chicago who worked on the original pact, told the New York Times, “We can’t assume that anything is now safe. … The ruling is so sweepingly broad that any mechanism used to transfer data from Europe could be under threat.”
The decision fits into broader discussion about how to defend users’ privacy rights at the largest scale, though. “Today’s Judgment puts people’s fundamental right to privacy before profit,” Renata Avila, the global campaign manager of the World Wide Web Foundation, said in a statement. “We hope that this EU ruling will also inspire countries around the world to review their data protection and exchange policies, and enhance the protection of their citizens.”