Staff with files from wire services
corporate risk
RISK: European authorities to review U.S. data transfers | Canadian Insurance

RISK: European authorities to review U.S. data transfers

Companies "cannot just aid foreign spies and get away with it because they fall under European jurisdiction."

The free data transfer pact between Europe and the U.S. is invalid because it doesn’t protect consumers enough, the EU’s highest court has ruled.

The decision makes it harder for European companies to do business stateside, since it allows national authorities to review what information European companies want to send the U.S. It doesn’t, though, ban data transfers outright.

Read: Microsoft blasted for automatic data collection in Windows 10

Austrian law student Max Schrems, 28, filed the complaint after Edward Snowden revealed the extent of the NSA’s surveillance program. He argued U.S. law doesn’t protect against surveillance of data transferred by Facebook to servers in the U.S.

“The message is clear–that mass surveillance is not possible and against fundamental rights in Europe,” he said.

Companies, he added, “cannot just aid foreign spies and get away with it because they fall under European jurisdiction.”

Schrems complained to the data protection authorities in Ireland, where Facebook has its European headquarters.

Read: Cyber Risk Conference: Annual risks of using Internet will outweigh benefits by 2019

Irish authorities initially rejected his complaint, pointing to a 2000 decision by the EU’s executive Commission that, under the so-called “safe harbour” agreement, the U.S. ensures adequate data protection.

The agreement has allowed for the free transfer of information by companies from the EU to U.S. It has been seen as a boost to trade since, absent such a deal, swift and smooth data exchange over the Internet would be much more difficult.

The decision by the European Court of Justice does not mean that a company like Facebook has to immediately stop transferring data to the U.S. Rather, national authorities in Europe will be allowed to review individual transfers of data. They could also be forced to if there are complaints, as in Schrems’ case.

Read: Comcast to pay $33M for publishing data it was paid to shelter

That means data transfers could face multiple legal cases and reviews, complicating business for companies.

The European Union and the U.S. are expected to go back to drawing board to put together a new data sharing pact.

In Schrems’ case, the Irish data commissioner will now be required to examine the complaint “with all due diligence.”

Once it has concluded its investigation, the authority must “decide whether … transfer of the data of Facebook’s European subscribers to the United States should be suspended on the ground that that country does not afford an adequate level of protection of personal data,” the court said in a summary of its ruling.

In a statement, Facebook said it’s now “imperative that EU and U.S. governments ensure that they continue to provide reliable methods for lawful data transfers and resolve any issues relating to national security.”