(Bloomberg) -- Customers’ digital data is lifeblood for companies like Google Inc. and Facebook Inc., and the European Union’s highest court just made it more difficult for them to make money off the information.

The EU Court of Justice struck down a 15-year-old pact that allowed companies to transfer data -- such as social-network profiles -- from Europe to the U.S., where Silicon Valley analysts use it to improve products or target ads or develop marketing campaigns. With the so-called safe harbor agreement annulled, “you have to move back in time,” said Mark Thompson, head of the privacy practice at KPMG in the U.K.

While tech companies described alternative mechanisms for smooth data-transferring, Digital Europe, a trade group whose members include Microsoft Corp. and Apple Inc., said safe harbor’s demise “will cause immediate harm to Europe’s data economy and will negatively impact countless consumers, employees and employers.” The group called on the European Commission and the U.S. to negotiate new rules governing the trans-Atlantic flow of Internet users’ private information as soon as possible.

 But Facebook said in a statement that it, “like many thousands of European companies, relies on a number of the methods prescribed by EU law to legally transfer data to the U.S. from Europe, aside from safe harbor.” Amazon.com Inc. and Microsoft said they also have EU-approved systems in place so that data-transfers would be uninterrupted. “Customers can continue to run their global operations,” Amazon said.

The EC allows data exporters in Europe to ship information to importers in the U.S., with a company able to send a user’s information to a data center in Ireland, for instance, and then from there to the U.S. as long as the user is properly informed this is happening, said Tanguy Van Overstraeten, a partner for Linklaters who leads the law firm’s data protection practice in Brussels.

‘Huge Impact’

Companies can also get consent from individual users to move their data between the EU and the U.S. Since this option carries the risk that customers will refuse, it’s a much more complicated and uncertain strategy, he said.

Business-software provider Salesforce.com Inc. said it’s “immediately making available a data processing addendum” that incorporates the EC’s standard contractual clauses. The company didn’t elaborate.

 While larger companies may have alternative frameworks to work around the ruling, smaller enterprises “might have no backup,” said Christian Borggreen, Europe director at the Computer & Communications Industry Association, a trade group with offices in Washington and Brussels. “While everybody focuses on the big American multinationals, the majority of the affected companies are SMEs and many are European, so there’s a huge impact to the European economy.”

Rafi Azim-Khan, head of data privacy for Europe at Pillsbury Winthrop Shaw Pittman LLP, said the consequences of the ruling were more sweeping. “It will strike fear into the heart of any U.S. companies, whether big brands or smaller enterprises, that have EU offices, customers, marketing or business partners,” he said. “They should question whether they are in fact as compliant as they think they are given the fast changing EU legal landscape.”

Microsoft tried to allay customer concerns, saying that businesses that rely on the company’s cloud services will be able to keep on transferring data “by relying on additional steps and legal safeguards we have put in place.” As for consumers, the company said the ruling won’t have a significant impact.

Trouble had been looming since Edward Snowden revealed the U.S. government’s surveillance and mass data collection practices. Austrian privacy activist Max Schrems triggered the EU case with a complaint he filed against Facebook with the privacy watchdog in Ireland, where the U.S. social network company has its European base. He alleged that Facebook’s Irish unit illegally handed over data to U.S. spies.

The safe harbor pact, drafted in pre-Sept. 11 days, was designed to facilitate trade by allowing U.S. companies with activities in Europe to shift information between their sites. It allowed companies to transfer data provided they adhered to a list of principles designed to ensure privacy wasn’t breached.

“It is imperative that EU and U.S. governments ensure that they continue to provide reliable methods for lawful data transfers and resolve any issues relating to national security,” a Facebook spokeswoman said in an e-mail.

Register or login for access to this item and much more

All Information Management content is archived after seven days.

Community members receive:
  • All recent and archived articles
  • Conference offers and updates
  • A full menu of enewsletter options
  • Web seminars, white papers, ebooks

Don't have an account? Register for Free Unlimited Access