European regulators blocked a key pipeline on Tuesday that tech companies use to shuttle data across the Atlantic. It’s an annoyance for Silicon Valley giants, like Google, Apple and Facebook. But it’s a much bigger deal for smaller tech companies that rely on that data for their business.
The so-called “Safe Harbor” agreement, the longtime arrangement that allowed American companies to pass data gathered in Europe back to the United States, was invalidated Tuesday by the European Court of Justice, Europe’s highest court. At issue was whether, in light of the disclosures by former NSA contractor Edward Snowden, the agreement sufficiently protected the privacy of European users’ data.
In theory, the ruling hurts companies that depend on personal data for their central business — namely, those that use that data to help sell advertising. (Looking at you, Facebook and Google.) It also marks another round of animosity from Europe, which has challenged U.S. tech firms on privacy and competition in recent years.
In reality, though, dissolving the Safe Harbor agreement won’t actually have much of an impact — at least for established tech players. It’s the leaner ones that are just beginning to reach consumers in Europe that may be in trouble.
Most of the tech giants that participate in Safe Harbor already share data back and forth in a number of other ways, including Binding Corporate Rules and Model Contractual Clauses, both of which enable the international transfer of personal data. Other companies, like Microsoft, have massive data centers in Europe, which means some of the data never even leaves. Google is planning to expand its data center in Belgium, as first reported in the Wall Street Journal.
“We don’t believe today’s ruling has a significant impact on our consumer services,” Microsoft Chief Legal Officer Brad Smith wrote in a blog post. Facebook also told Re/code it will be able to operate its business as usual. Google declined to comment.
Where Safe Harbor will have an impact is with small and medium-size businesses that haven’t implemented these other methods. Legally, they could face fines or penalties imposed by individual EU member states, which now have more authority to dictate how data collected in their countries is shared.
Big tech companies may strike agreeable deals with individual EU nations, said Geoffrey Manne, executive director of the International Center for Law and Economics. “The real issue is smaller companies that can’t afford to negotiate such agreements, or that don’t even bother to try,” he added.
That’s likely a worst-case scenario, however. Many are now calling on the United States and the EU to rewrite the Safe Harbor agreement — in essence, establish Safe Harbor 2.0. The hope is that the two sides can come to some temporary agreement so that small businesses, many of which have operated under this agreement for years, can continue to do business until something more formal is established.
The Internet Association, a D.C.-based advocacy organization with tech members that include Amazon, Facebook, Google and Yahoo, is among those calling for change. “In light of this far-reaching European Court of Justice ruling, the Internet Association calls on the U.S. and EU to join forces to implement a revised Safe Harbor framework and to issue interim guidance to stakeholders pending this implementation,” the organization wrote in a statement on its website Tuesday.
Added Facebook: “It is imperative that EU and U.S. governments ensure that they continue to provide reliable methods for lawful data transfers and resolve any issues relating to national security.”
This article originally appeared on Recode.net.