By Sam Schechner
This article is being republished as part of our daily reproduction of WSJ.com articles that also appeared in the U.S. print edition of The Wall Street Journal (October 4, 2017).
Europe's top court will decide whether to ban a widespread legal tool that companies employ when they store data about Europeans on U.S. soil -- the latest legal skirmish over what firms can do with the vast trove of information they are collecting on users.
Two years ago, the European Union's Court of Justice struck down a popular data-transfer mechanism that allowed information on individuals to be shifted relatively easily between the U.S. and Europe. That decision sent companies scrambling to rewrite legal contracts that would keep them in compliance with the ruling, without jeopardizing revenue that relied on that data flow.
Now, the same court will hear whether the standardized language in those contracts goes far enough to protect Europeans' privacy. An Irish court Tuesday asked the high court to make the call. The referral sets up the broadest challenge yet to the practice -- common especially among big U.S. firms like Facebook Inc., Alphabet Inc. and Apple Inc. -- of storing data collected on Europeans back in the U.S. Such data includes things like web-browsing habits and geolocation records.
Privacy activists argue the U.S. government's ability to obtain legal access to personal information held by some companies in the U.S. amounts to mass surveillance that is prohibited under EU treaties. The U.S. argues its laws are proportionate and targeted.
The high court may not hear the case for more than a year, and the European Union could in the meantime beef up requirements for the contractual language, or the court could give it time to do so after a ruling. That language is now baked into data-collection contracts across a large swath of businesses, including those related to online advertising and cloud storage.
Businesses and corporate lawyers argue that invalidating the standardized contractual clauses would create huge costs for companies. BSA, a Washington, D.C.-based trade group representing the software industry, says this type of contractual language provides legal backing "for millions of daily data transfers" out of Europe. Lawyers say invalidating the current language would force companies to spend heavily to rewrite contracts. It could also stop some from transferring data altogether.
"Losing that mechanism would leave an impossibly huge black hole in the legality of international data flows," said Eduardo Ustaran, a privacy lawyer at Hogan Lovells.
Such uncertainty could also force firms to build new infrastructure in Europe, or to totally separate their businesses on either side of the Atlantic. Companies that process personal information to sell online advertising based on online behavior could be particularly hard hit. Behavioral advertising is a EUR10.6 billion ($12.5 billion) business in Europe, according to research sponsored IAB Europe, an advertiser trade group.
Facebook, whose use of the standard clauses was the basis of the case referred to the Court of Justice on Tuesday, said the clauses "are essential to companies of all sizes, and upholding them is critical to ensuring the economy can continue to grow without disruption."
Concerns over U.S. surveillance were what led the high court in 2015 to strike down a former EU-U.S. agreement dubbed "Safe Harbor," that allowed companies to send European data to the U.S. provided the companies adhered to a set of privacy principles. After that decision, the EU and U.S. negotiated the "Privacy Shield" agreement. So far some 2,500 companies have signed up to the new pact, compared to about 4,500 for Safe Harbor. The EU is currently reviewing that agreement as part of a yearly process that allows it to be suspended, making the contractual clauses at issue in the current court case an important fallback for companies, corporate lawyers say.