The laws governing companies that share online customer data between Europe and the United States may soon become a lot tougher.
A legal position published in Luxembourg on Wednesday by a senior adviser to Europe’s highest court said that a trans-Atlantic “safe harbor” agreement allowing companies to ship people’s data between both regions did not provide sufficient checks on how that information may be used.
The ruling by Yves Bot, the advocate general of the European Court of Justice, could have a significant impact on companies like Facebook andGoogle, which routinely move data about people’s online activities like social media postings and online search queries outside the 28-member bloc.
“This could have a major economic impact on Europe and the U.S. if the court follows this opinion,” said Patrick van Eecke, a data protection lawyer at DLA Piper in Brussels.
Although the opinion is nonbinding, the position of the senior adviser is often followed by the court. A final judgment is expected by the end of the year, though some analysts said a decision could come as early as next month.
In his opinion, Mr. Bot said that American privacy rules did not offer European citizens enough protection, or legal recourse, against their online data being misused by companies or national governments.
He added that the potential collection of people’s online information, often without their knowledge, infringed on Europeans’ fundamental rights. An agreement between Europe and the United States that allowed companies to share data also should have been suspended, he said.
Mr. Bot also said that domestic regulators in each European country should have the right to suspend transfers of data about their citizens to the United States if the watchdogs believed that the privacy of individuals had not been guaranteed.
“The law and practice of the United States allow the large-scale collection of the personal data of citizens of the E.U. which is transferred, without those citizens benefiting from effective judicial protection,” Mr. Bot said in a statement.
“Interference with fundamental rights is contrary to the principle of proportionality, in particular because the surveillance carried out by the United States intelligence services is mass, indiscriminate surveillance,” he added.
Many technology companies rely on transferring data between regions to power their operations, particularly for online advertising. But European privacy campaigners have balked at this because American data protection rules do not offer the same protection to individuals that is available in Europe, where privacy is viewed as a fundamental right almost on par with freedom of expression.
By suggesting that companies may not be able to move data about their European customers to the United States, the court adviser’s opinion may force companies like Google and Facebook to rely more heavily on their European operations. They might need to build new data centers in Europe to analyze people’s online activities.
Industry executives have warned that companies may not be able to offer new services to Europeans if such offerings relied on sending online data outside the 28-member bloc.
“We are concerned about the potential disruption to international data flows if the court follows today’s opinion,” John Higgins, director general of DigitalEurope, an industry trade group, said in a statement.
While the advocate general’s opinion does not have to be followed by the court, analysts say that in many cases, the judges have followed the advice.
There have been some exceptions, though.
Last year, the European Court Justice ruled that people with connections to Europe could ask that search engines like Google remove links about them from online search queries. That decision on the so-called right to be forgotten went against the advice of the court’s advocate general.
The adviser’s opinion on Wednesday is related to a case brought by Max Schrems, an Austrian graduate student, who has argued that Europeans’ online data was misused when Facebook was said to have cooperated with the National Security Agency’s Prism program.
That program, which was revealed by Edward J. Snowden, a former N.S.A. contractor, supposedly gave the agency unfettered access to data collected by several American tech companies, including Facebook and Google.
Mr. Schrems, who is pursuing a separate civil class-action lawsuit against Facebook, said the N.S.A.’s access to information on Facebook’s European users broke the region’s tough privacy rules. He has also argued that the data-sharing agreement — known as safe harbor — between Europe and the United States does not give Europeans sufficient recourse if their data is misused by companies or national governments.
“It is great to see that the advocate general has used this case to deliver a broad statement on data transfers to third countries and mass surveillance,” Mr. Schrems said in a statement.
Facebook said on Wednesday that it did not give government intelligence agencies backdoor access to customer data, and that the company complied with European privacy rules.
“Like the thousands of other companies who operate data transfers across the Atlantic, we await the full judgment,” Sally Aldous, a Facebook spokeswoman, said in a statement.
The so-called safe-harbor agreement has been in place since 2000 and enables American technology companies to compile data generated by their European clients in their web searches and other online activities.
Currently, the companies can use the data for business and marketing purposes in the United States, even though Europe’s rules governing online data privacy tend to be more stringent than American ones.
Under the agreement, more than 3,000 European and American companies are expected to treat the information with the same privacy protections as if the data had remained within the European Union. That agreement, however, is now in jeopardy after the advocate general’s legal opinion on Wednesday.
Mr. Schrems initially focused his privacy complaints against Facebook in Ireland, where the company has its non-American headquarters. But local courts there referred his case to the European Court of Justice, which now must decide whether the trans-Atlantic data-sharing rules are sufficiently rigorous.
“This case is a very big deal,” said Christopher Kuner, co-director of the Brussels Privacy Hub, a research center, at the Vrije Universiteit Brussel in Belgium. “It has the potential to be the biggest-ever data protection case in Europe.”