U.S. companies will face restrictions on transferring and storing information about European residents after the European Court of Justice ruled that such transfers exposed Europeans to American government surveillance without actionable rights to challenge it.

The Court’s July 16, 2020 ruling invalidates a widely used E.U.-U.S. data-transfer agreement known as Privacy Shield. The ruling has the support of privacy activists who have long argued that U.S. surveillance practices should make the U.S. and by extension U.S. companies ineligible to store European data.

The E.U. and the U.S. implemented the Privacy Shield agreement nearly four years ago, after a prior framework, called Safe Harbor, was scrapped in 2015 over surveillance concerns. More than 5,000 companies have signed up to the newer framework, of which more than 70% are small- and medium-sized businesses.

This decision will create legal headaches and potentially disrupt operations for thousands of multinational companies. Depending on how it is applied, companies will have to decide between a costly shift toward data centers into Europe or restricted data transfers from the region.

Blocking data transfers could upend the operations of several types of business that rely on cross-border data activities and information services, including:

• cloud service providers,
• technology developers,
• human resources service providers,
• digital marketing and advertising providers,
• data storage service providers, and others.

The Court’s ruling also addresses the use of Standard Contractual Clauses. The Standard Contractual Clauses are adopted by the European Commission and are a set of terms and conditions for transfers outside of the E.U. or European Economic Area. They set sufficient safeguards for data to be transferred to areas outside the E.U. that are deemed to not have adequate protection for processing personal data.

Companies often enter into agreement containing these clauses in connection with cross-border data transfers. Under the Court’s ruling, even Standard Contractual Clauses will only be valid if they can guarantee the data will be protected in line with E.U. data protection laws.

Without either Privacy Shield or Standard Contractual Clauses to fall back on, many companies could run afoul of the High Court’s ruling. Due to this ruling, companies will need to re-examine compliance measures and contractual data protection and disclosure obligations with more scrutiny.

While individual E.U. data protection authorities retain discretion on enforcement of data privacy transfers, individuals retain private rights of action to enforce transfer violations. This means that individuals who are damaged by future international data transfers that rely on the Privacy Shield could bring privacy rights violation claims against the parties involved in such transfers.

The U.S. Department of Commerce issued a statement on the heels of the decision noting both that it will continue to administer the program, but also that Privacy Shield certified companies remain responsible for Privacy Shield program obligations.