US and EU in data privacy clash: What you need to know

A key agreement that allows the transfer of European citizens' personal data from the European Union (EU) to the U.S., used by companies like Apple and Facebook, has been deemed "invalid" by Europe's top court.

The European Court of Justice (ECJ) made the landmark ruling Tuesday on the Safe Harbor agreement which has been in place since 2000.

CNBC looks at the change of heart and what it means for the tech industry.


What's the Safe Harbour agreement?

The Safe Harbor agreement allowed U.S. companies to transfer European citizens' data to America, provided where it was being sent to had privacy protections that met EU standards.

It allowed big companies like Facebook and Google, for example, to carry out a self-certification process, promising to protect EU data stored on U.S. soil.

The agreement is key for thousands of companies operating in the EU.


Why was it ruled ‘invalid’?

In the wake of the U.S. surveillance revelations by former National Security Agency (NSA) contractor Edward Snowden, Austrian student Max Schrems filed a complaint against Facebook to the Irish data protection authority.

He claimed that Snowden's leaks showed Facebook wasn't sufficiently protecting user data as the NSA was carrying out mass surveillance on technology companies.

His complaint was thrown out by the Irish data protection authority, and when Schrems appealed to an Irish court, it was sent to the ECJ. The EU's top court said the Safe Harbor agreement was invalid as U.S. public authorities could access the data and individuals had no means of redress for misused data, among several other reasons.

Facebook has repeatedly denied that it allows backdoor access of its user data to spy agencies.


What are US tech firms saying?

Major U.S. tech giants don't seem too concerned. Microsoft said in a blog post on Tuesday that its enterprise cloud customers "can continue to transfer data by relying on additional steps and legal safeguards we have put in place".

The Internet Association, an industry body that represents the likes of Amazon, Google and Netflix, said "companies have mechanisms in place to effectuate data transfers beyond the Safe Harbor", but added that it is the "smaller companies and consumers" in the U.S. and EU that could "experience significant challenges going forward".

Meanwhile, Facebook said in a statement that it "relies on a number of the methods prescribed by EU law to legally transfer data to the US from Europe, aside from Safe Harbor".

So big firms seem to have put plans in place for this landmark ruling but it is the smaller companies might struggle.


Will it hit the economy?

Facebook user
David Paul Morris | Bloomberg | Getty Images

Some say that the ECJ ruling could hit both the U.S. and European economies given that thousands of small businesses rely on Safe Harbor for the transfer of data.

"It will disrupt not just the thousands of U.S. and European companies that currently depend on the Safe Harbor to do business across the Atlantic, but also the broader digital economy," the Information Technology and Innovation Foundation (ITIF) think tank said in a statement.

"Aside from taking an ax to the undersea fiber optic cables connecting Europe to the United States, it is hard to imagine a more disruptive action to transatlantic digital commerce."


How else can companies transfer data?

As many tech companies have said, there are other ways to transfer European data to the U.S. that don't require the Safe Harbor agreement.

Two such processes are Binding Corporate Rules and Model Contract Clauses. These are essentially contracts allowing companies to transfer data out of the EU by going through different approval processes involving the European Commission and data protection authorities in the member states.

For bigger firms this will be fairly easy, but it could be difficult for the little players.

"There are alternatives to Safe Harbor in other words, but for most companies they take time and money to put in place and that will be an unwelcome distraction," Christopher Jeffery, head of U.K. IT, telecoms and competition at law firm, Taylor Wessing said in a statement.


What’s next?

The EU and U.S. are working on a new Safe Harbor agreement, which has been in the pipeline for around two years.

Europe has been trying to restrict U.S. government access to EU citizens' data and is pushing for provisions that let Europeans sue U.S. companies in their own courts if their data are misused.

The ITIF has urged the U.S. government to put in place measures to placate the EU.

"The updated agreement should reflect the EU request that a national security exception is used only to the extent that it is strictly necessary and proportionate for a given incident," the ITIF said in a statement.

But the ECJ ruling is likely to have strained tensions between the EU and U.S.