Press play to listen to this article

Voiced by Amazon Polly

Europe has delivered a definitive rebuke of U.S. surveillance powers. Now comes the hard part: deciding how far the bloc will go to protect Europeans’ data.

On Thursday, the Court of Justice of the European Union struck down Privacy Shield, a transatlantic data protection deal that underpinned billions of euros in digital trade, due to concerns about U.S. snooping.

“It is clear that the U.S. will have to seriously change their surveillance laws, if U.S. companies want to continue to play a major role on the EU market,” said Max Schrems, the Austrian privacy activist whose legal complaints have led to the collapse of not one but two transatlantic data protection deals.

Yet the U.S., at least for now, appears unwilling to reform spying powers that have plagued transatlantic ties ever since NSA whistleblower Edward Snowden revealed wholesale spying back in 2013.

Speaking to reporters on Thursday, a senior U.S. official said it was neither “advisable nor possible” to consider an overhaul of surveillance powers in the short term.

“The European Union must not give the U.S. standards it does not apply to other countries that have no concern for protecting consumer data,” said influential U.S. lawmakers Greg Walden and Cathy McMorris Rodgers in a joint statement, calling the decision a “significant setback” to the safety of both Americans and Europeans.

That leaves the question of what to do about U.S. data transfers squarely on Europe’s doorstep. In the coming weeks, the European Commission will assess its options, including coming up with a new transatlantic deal to replace the two failed ones that came before it.

Neither Brussels nor Washington seems willing to contemplate the nuclear option: forcing companies to keep data on Europeans in the EU — although EU regulators seem keener on the idea. 

Yet any deal that fails to address deep concerns about surveillance will be seen as a capitulation of the highest order by Europe’s privacy hawks, who have long called the Privacy Shield a farce.

In what amounts to a lifeline to businesses, the EU’s top court said they could still use a legal tool to send data overseas. But it specified that this would only work if the destination country had acceptable limits on spying — which does not appear to be the case for the United States.

Grace period?

So what happens now? Europe’s data protection agencies will have to determine, in the coming days and weeks, what to do about so-called standard contractual clauses (SCCs) and how to keep data flowing across the Atlantic. So far, the mood is tense.

In a statement on Thursday, Hamburg data protection chief Johannes Caspar warned that SCCs — the legal tools that many companies, including Facebook, use to send data to the U.S. — now pose a problem.

“If the invalidity of the Privacy Shield is primarily due to the escalating secret service activities in the U.S., the same must also apply to the SCCs,” he said. “Uncertainty has increased. The [court] is passing the ball to the European supervisory authorities.”

Ireland’s Data Protection Commission, which oversees the activities of many Silicon Valley companies in Europe, struck a similar note. It called the use of SCCs “questionable” in light of the ruling, inviting other watchdogs to quickly come up with a plan.

Berlin’s regulator went further, calling for data to stay in Europe following the ruling.

“The times when personal data is transferred to the U.S. for convenience or cost savings are over after this judgment. Now is the time for Europe’s digital independence,” said the head of the regulator, Maja Smoltczyk, in a statement.

One of the first questions Europeans will grapple with is whether to implement a grace period for those who currently use the invalidated Privacy Shield.

Click Here: United Kingdom Rugby Jerseys

They did that when Safe Harbor was invalidated in 2015. But a statement by Europe’s grouping of privacy regulators following a meeting on Friday made no mention of one, and at least two regulators have indicated that a transition period isn’t a given.

“As we read and interpret the decision, there is nothing about possible grace periods or some kind of moratorium,” said the privacy chief in the German state of Schleswig-Holstein, Marit Hansen, in an email to POLITICO, while an FAQ on the website of the watchdog of the German state of Rheinland-Pfalz said “the GDPR does not provide for a transition period by the supervisory authorities.”

This article is part of POLITICO Pro’s premium coverage of Cybersecurity and Data Protection. From the emerging threats of a volatile digital world to the legislation being shaped to protect business and citizens, across sectors. For a complimentary trial email and mention Cyber.