Europe's Top Court to Review Privacy -- WSJ
By Sam Schechner
This article is being republished as part of our daily reproduction of WSJ.com articles that also appeared in the U.S. print edition of The Wall Street Journal (October 4, 2017).
Europe's top court will decide whether to ban a widespread legal tool that companies employ when they store data about Europeans on U.S. soil -- the latest legal skirmish over what firms can do with the vast trove of information they are collecting on users.
Two years ago, the European Union's Court of Justice struck down a popular data-transfer mechanism that allowed information on individuals to be shifted relatively easily between the U.S. and Europe. That decision sent companies scrambling to rewrite legal contracts that would keep them in compliance with the ruling, without jeopardizing revenue that relied on that data flow.
Now, the same court will hear whether the standardized language in those contracts goes far enough to protect Europeans' privacy. An Irish court Tuesday asked the high court to make the call. The referral sets up the broadest challenge yet to the practice -- common especially among big U.S. firms like Facebook Inc., Alphabet Inc. and Apple Inc. -- of storing data collected on Europeans back in the U.S. Such data includes things like web-browsing habits and geolocation records.
Privacy activists argue the U.S. government's ability to obtain legal access to personal information held by some companies in the U.S. amounts to mass surveillance that is prohibited under EU treaties. The U.S. argues its laws are proportionate and targeted.
The high court may not hear the case for more than a year, and the European Union could in the meantime beef up requirements for the contractual language, or the court could give it time to do so after a ruling. That language is now baked into data-collection contracts across a large swath of businesses, including those related to online advertising and cloud storage.
Businesses and corporate lawyers argue that invalidating the standardized contractual clauses would create huge costs for companies. BSA, a Washington, D.C.-based trade group representing the software industry, says this type of contractual language provides legal backing "for millions of daily data transfers" out of Europe. Lawyers say invalidating the current language would force companies to spend heavily to rewrite contracts. It could also stop some from transferring data altogether.
"Losing that mechanism would leave an impossibly huge black hole in the legality of international data flows," said Eduardo Ustaran, a privacy lawyer at Hogan Lovells.