By Sam Schechner and Valentina Pop
This article is being republished as part of our daily
reproduction of WSJ.com articles that also appeared in the U.S.
print edition of The Wall Street Journal (December 20, 2019).
Companies, including U.S. tech giants, should be blocked from
transferring European users' data in some cases if they can't
guarantee it will be handled in compliance with European Union
privacy laws, an adviser to the EU's top court recommended
Thursday.
The recommendation, if followed by the EU's Court of Justice,
could unleash a series of legal challenges against companies such
as Facebook Inc., Alphabet Inc.'s Google, Amazon.com Inc. and Apple
Inc., which all have significant operations in the U.S. and Europe
-- potentially disrupting their operations.
Those companies, and thousands of others, currently transfer
data out of Europe under several different legal tools that
generally require them to comply with EU privacy principles
overseas.
In a relief for many businesses, Henrik Saugmandsgaard Øe, an
advocate general for the court, said judges shouldn't strike down
one of the more popular legal tools, called standard contractual
clauses. But he argued that data-protection authorities should
nevertheless block specific transfers made using the clauses when
other countries required companies to ignore them.
The recommendations, if followed by the court next year, could
haunt U.S. tech companies because the case stems from concerns over
whether their obligations under U.S. surveillance laws violate EU
privacy protections.
The main plaintiff in the case, privacy activist Max Schrems,
has argued that Facebook Inc. shouldn't be allowed to transfer its
users' data to the U.S., because that information could be turned
over under secret government requests.
Facebook said it was grateful for the "opinion on these complex
questions" and looks forward to the final decision. The company
didn't specifically address the recommendation that data protection
regulators block certain transfers.
Amazon declined to comment, while Apple and Google didn't
immediately respond to a request for comment.
The legal challenges that led to Thursday's opinion date to
leaks of alleged U.S. surveillance practices from former National
Security Agency contractor Edward Snowden. Privacy activists argue
the U.S. government's ability to obtain legal access to personal
information held by some companies in the U.S. amounts to mass
surveillance and should be prohibited under EU treaties and the
EU's General Data Protection Regulation.
The U.S. has argued that its surveillance practices are
proportionate and targeted. At a hearing before the ECJ in July,
Eileen Barrington, a lawyer for the U.S. government, also said the
U.S. "doesn't believe GDPR gives the EU world-wide jurisdiction to
conduct analysis of other countries' national security
practices."
Concerns over U.S. surveillance led the same court in 2015 to
strike down a former EU-U.S. agreement dubbed Safe Harbor, that
allowed companies to send European data to the U.S. provided the
companies adhered to a set of privacy principles.
After that decision, the EU and U.S. negotiated a replacement,
called Privacy Shield, to which nearly 5,100 companies have signed
up.
On Thursday, Mr. Saugmandsgaard Øe raised concerns about the
framework's validity, in light of European privacy rights. Privacy
Shield is facing separate legal challenges, and during July's
hearing, judges harshly questioned lawyers for the European
Commission, the EU's executive arm, over their approval of it.
Blocking data transfers to the U.S., for instance by suspending
Privacy Shield or the preapproved contractual clauses at issue in
Thursday's opinion, could upend billions of dollars of trade from
cross-border data activities, including cloud services, human
resources, marketing and advertising, tech advocates and privacy
lawyers say.
"The disruptive effect of a suspension of [standard contractual
clauses], even if partial and just for the U.S., is likely to be
substantial," said Luca Tosoni, a research fellow at the University
of Oslo.
Of course, the worst-case scenario may not occur. The European
Commission has already announced plans to revise its preapproved
contractual clauses, and could attempt to take into account any of
the court's complaints. In addition, Ireland's privacy regulator
has said it would attempt to exercise discretion in
enforcement.
"Nobody can guarantee a grace period but it will always be our
aim to be pragmatic," said Helen Dixon, Ireland's Data Protection
Commissioner, at an event in Brussels earlier this month.
In a separate case before the same court, one tech giant won a
victory on Thursday. Judges decided that Airbnb Inc. is an
information-society service, and therefore isn't required to
register as a real-estate broker in France under a 1970 law.
The distinction as an information-society service under EU law
could give Airbnb some ammunition in other legal fights it is
waging against what it calls disproportionate regulations. Those
battles include a separate pending case in Paris, which is suing
Airbnb to remove what it says are illegal listings.
An Airbnb spokesman said the company welcomed Thursday's
judgment, adding that company wants "to move forward and continue
working with cities on clear rules that put local families and
communities at the heart of sustainable 21st century travel."
Write to Sam Schechner at sam.schechner@wsj.com and Valentina
Pop at valentina.pop@wsj.com
(END) Dow Jones Newswires
December 20, 2019 02:47 ET (07:47 GMT)
Copyright (c) 2019 Dow Jones & Company, Inc.
Meta Platforms (NASDAQ:META)
Historical Stock Chart
From Aug 2024 to Sep 2024
Meta Platforms (NASDAQ:META)
Historical Stock Chart
From Sep 2023 to Sep 2024