The European Union’s top court ruled that an agreement that allows thousands of companies — from tech giants to small financial firms — to transfer data to the United States is invalid because the American government can snoop on people’s data, according to an AP News report. The ruling could impact how companies transfer European users’ data to the United States and other countries, such as the U.K,  and could require regulators to vet any new data transfers to make sure Europeans’ personal information remains protected according to the EU’s stringent standards, says AP News. 

Max Schrems, an Austrian activist whose complaints about the handling of his Facebook data triggered the ruling after years of legal procedures, said, “It is clear that the U.S. will have to seriously change their surveillance laws, if U.S. companies want to continue to play a major role on the EU market.”

According to AP News, Schrems first filed a complaint in 2013, after former U.S. National Security Agency contractor Edward Snowden revealed that the American government was snooping on people’s online data and communications. The revelations included detail on how Facebook gave U.S. security agencies access to the personal data of Europeans. Though the legal case was triggered by concerns over Facebook in particular, it could have far-reaching implications not only for tech companies but also businesses in sectors like finance and the auto industry, adds AP News. 

Steve Durbin, managing director of the Information Security Forum, a London-based authority on cyber, information security and risk management, notes, “This was always going to be a major test for the Privacy Shield. For many, it has come as no surprise that the European Court of Justice has responded in this way.  The patchwork of privacy laws that make up the various rules governing personal data in the United States ranging from the California Consumer Privacy Act (CCPA) through to failed attempts in other states such as The Washington State Privacy Act and New York Privacy Act (NYPA) which both failed to pass their legislative sessions last year, - albeit speculation remains that the NYPA may be reintroduced and it is pending in the State Senate – point to the long overdue need for a federal law on privacy that at least meets the same level of protection as the GDPR.  But will we see it?  Federal law makers have traditionally shied away from such a move preferring to hand responsibility for enforcement to state attorney generals and it is doubtful that this will change in the near term.  So where does that leave the very many businesses that had being using Privacy Shield? Well, affected companies will now have to sign "standard contractual clauses", something which some large companies have already said are in place.  Good practice will require strict adherence to the GDPR rules since without the Privacy Shield companies must adhere to the guidelines set out around its extraterritorial application.  The impact on business?  Not great.  At a time when many businesses are doing all they can to remain open and trading post pandemic as we head into one of the worst global recessions for some time, this additional compliance burden is something many could have well done without.”