Europe's highest court today ruled that Facebook cannot send personal information on European users to data centers in the US, invalidating a 15-year trans-Atlantic data transfer agreement. In a decision that could have far-reaching implications for many US tech companies, the European Court of Justice said that the EU's Safe Harbor agreement with the US is "invalid" because the country does not guarantee adequate privacy protections. The agreement allows technology companies to transfer data from Europe to the US, provided that certain privacy requirements are met. According to The Wall Street Journal, today's ruling could impact around 4,500 companies that currently rely on the laws to transfer data to the US.
The case was brought before Ireland's high court by Max Schrems, an Austrian activist who argued that Facebook had violated his privacy by processing his personal data in the US, citing recent revelations about the NSA's surveillance programs. The Irish court rejected Schrems' complaint, pointing to the European Commission's Safe Harbor decision, but the European court today ruled that the agreement is invalid, and that EU regulators should be able to restrict data flows as they see fit.
In a statement, the court said that Irish authorities are now "required to examine Mr. Schrems’ complaint with all due diligence," and can decide whether "transfer of the data of Facebook’s European subscribers to the United States should be suspended on the ground that that country does not afford an adequate level of protection of personal data."
A Facebook spokesperson did not immediately respond to a request for comment.