The European Union's top court ruled on Thursday that an agreement with the US allowing for the transfer of personal data from the bloc to Washington is invalid because of surveillance concerns.
The European Court of Justice (ECJ) upheld, however, that the transfer of data to any other third country that "ensures an adequate level of data protection," is valid.
The EU Commissioner for Justice, Didier Reynders, said in a statement that the bloc needs time to "analyse the judgment in more detail and carefully assess its implications and next steps".
He added that the Commission will work with American authorities to "develop a strengthened and durable transfer mechanism".
The ECJ stressed in its ruling that personal data transferred outside the bloc must be "afforded the level of protection essentially equivalent to that guaranteed within the EU by the GDPR [General Data Protection Regulation]."
US surveillance programmes
It found that US domestic laws do not offer the same level of protection to data transferred from the bloc as required under EU law "in so far as the surveillance programmes based on those provisions are not limited to what is strictly necessary".
It also stated that non-US data subjects have no "actionable rights before the courts against the US authorities".
"On all those grounds, the Court declares Decision 2016/1250 invalid," it concluded.
Max Schrems, the Austrian activist who brought the complaint to the ECJ, said in a statement that he is "very happy about the judgment."
"You cannot just transfer data to a country where there is now surveillance and where there is no protection for Europeans in any way. For the average users that shouldn't mean all too much other than having better privacy protection," he told Euronews.
"The Court clarified for a second time now that there is a clash of EU privacy law and US surveillance law. As the EU will not change its fundamental rights to please the NSA [the US National Security Agency], the only way to overcome this clash is for the US to introduce solid privacy rights for all people — including foreigners," he said.
"Surveillance reform thereby becomes crucial for the business interests of Silicon Valley. This judgment is not the cause of a limit of data transfers, but the consequences of US surveillance laws," he added.
What the ruling means
The legal battle started in 2013 after Edward Snowden, a former NSA contractor, disclosed that US intelligence agencies could access the personal data of EU citizens and that more and more data was being collected by authorities from tech giants including Apple, Microsoft, Facebook and Google.
The EU has some of the world's toughest digital privacy rights which were granted in 2018 by the GDPR.
The regulation allows EU nationals to find out what personal data any company has on them and to demand it be erased. They are also entitled to stop the dissemination of their personal data by refusing companies hand it over to third parties.
It also put the onus on companies to clearly communicate on their data policy and forces them to reveal any data breach within 72 hours of becoming aware of the issue.
Failure to comply with the GDPR can result in hefty fines of up to 4 per cent of their annual global turnover or €20 million — whichever is greater.
Thursday's ruling does not, however, mean that transfer of personal data from the EU to the US will immediately stop.
Instead, US companies and EU firms outsourcing the processing of personal data to US companies will need to review if they're subject to US surveillance laws and if their transfers are encrypted to a level that makes it harder for them to be tapped.