Doing business in Europe is suddenly more complicated for scores of US businesses after a court threw out existing rules allowing them to handle the personal data of European Union (EU) residents.

The Court of Justice of the European Union (CJEU) in in Luxembourg today struck down the 15-year-old Safe Harbor Framework, a set of rules that allow US companies to import European personal data while complying with strict EU privacy regulations.

The court’s decision “can definitely complicate the process” of working with personal data from the EU, said Christopher Oswald, vice president of advocacy at the Direct Marketing Association, a trade group offering a program to help members comply with the rules.

Still Assessing the Impact

The DMA on this afternoon was still assessing the impact of the court’s decision, but the ruling won’t halt data flows from Europe to the US, Oswald said.

While the Safe Harbor Framework simplified the process, US companies can deal with EU data on a case-by-case basis. At the same time, US and EU officials are negotiating changes to the Safe Harbor Framework that could fix the concerns raised in the court case, he said.

Online marketers use EU personal data in several ways, such as delivering targeted advertising to European Web users.

Many Businesses Affected

UnboundID, a vendor of identity and preference management software, warned US companies that a “wide range” of digital businesses could be affected by the court ruling.

The ruling “was prompted by Facebook’s use of data but this new ruling affects any company that transfers EU citizen data back to the US,” Steve Shoaff, UnboundID CEO, told CMSWire. “That casts a very broad net, and could affect operations for digital businesses ranging from cloud providers to social media companies to e-commerce firms and others.”

US companies need to change their mindsets about the ownership of personal data, he added.

“Businesses that assume they will have unfettered use of personal data, largely for marketing purposes, now need to understand that this data isn’t free, it doesn’t belong to them, and is not faceless,” he said.

More Attention Required

But US companies can still handle European information through internal corporate rules or through data protection clauses in contracts “between companies exchanging data across the Atlantic,” Vera Jourová, a member of the European Commission, said today.

After 2013 revelations of large-scale surveillance programs operated by the US National Security Agency, the commission had raised concerns about privacy protections in the existing Safe Harbor arrangement, Jourová said in a statement.

Those concerns have been “acknowledged by the court ruling,” she added. “Our aim is to step up discussions with the US towards a renewed and safe framework for the transfer of personal data across the Atlantic.”

Facebook Connection

The lawsuit against the Safe Harbor Framework was filed in Ireland in 2013 by Max Schrems, a graduate student at the University of Vienna. Schrems, a Facebook user, was concerned that the US National Security Agency was collecting personal information through the social network.

The CJEU, in its ruling, targeted mass surveillance by the US. “The mass and undifferentiated accessing of personal data is clearly contrary to the principle of proportionality and the fundamental values protected by the Irish Constitution,” the court wrote.

To comply with the Irish Constitution, any surveillance programs would have to “demonstrate that the interception is targeted, that the surveillance of certain persons or groups of persons is objectively justified in the interests of national security or the suppression of crime and that there are appropriate and verifiable safeguards,” the court added.

CMSWire reporter Dom Nicastro contributed to this story.