Geert Vanden Wijngaert AP
BRUSSELS — The European Union’s top court on Thursday threw a large portion of transatlantic digital commerce into disarray, ruling that data of E.U. citizens is not sufficiently protected from government surveillance when it is transferred to the United States.
The ruling was likely to increase transatlantic tensions at a moment when President Trump has already been threatening tariffs and retaliation against the European Union for what he says are unfair business practices. It was a victory for privacy advocates who said that E.U. citizens are not currently as protected when their information is transferred to U.S. servers as when that information stays inside Europe.
The European Court of Justice ruled that a commonly-used data protection agreement known as Privacy Shield did not adequately uphold E.U. privacy law.
The decision means that many companies will have to reconsider how they store and collect the data of European customers. U.S. and E.U. negotiators, meanwhile, will likely have to start new negotiations about whether there are legal arrangements that could guarantee that data could be stored on U.S. soil but in compliance with E.U. law.
U.S. security authorities have far-reaching access to personal data stored on U.S. territory that “are not circumscribed” in a way that is equivalent to E.U. rules, the court ruled.
European data privacy advocates celebrated the decision.
“A victory for personal data protection,” tweeted a Dutch member of European Parliament, Sophie in ’t Veld, who was involved in the drafting of the powerful European data privacy law known as the General Data Protection Regulation, or GDPR, that went into effect in 2018. She said that the European Commission, the E.U. body that negotiated the Privacy Shield with U.S. authorities in 2016, should have been more vigilant about protecting E.U. citizens.
Quentin Ariès contributed to this report.