Safe Harbour with US

Update on October 6, 2015: As expected, the European Court of Justice ruled the Safe Harbour agreement does not eliminate the need for local privacy watchdogs to check whether US firms were taking adequate data protection measures. This is in line with CJEU Advocate General Yves bot’s opinion. Individual countries of the EU can now decide for themselves whether the US meets Safe Harbour standards.

The Safe Harbour framework legally ensures that transfers of data maintain a standard of privacy and security agreed upon by all countries involved. For instance, if a person uploads photos to their Facebook account in Germany, those photos can be stored on servers in the UK and expect the same level of privacy as in their country of origin.

The two biggest benefactors of Safe Harbour framework are the United States and the European Union, which regularly pass private data back and forth. Now, more than two years after Edward Snowden revealed the US National Security Agency had been performing mass surveillance on citizens and companies of dozens of countries, the relationship has landed on shaky ground.

The European Commission declared that the United States met Safe Harbour standards back in 2000. Even after Snowden in 2013, that decision remained in place, and no single European country could argue otherwise. Recently, however, Court of Justice of the European Union (CJEU) Advocate General Yves Bot called the ruling invalid. He wrote an official opinion (PDF) saying the Commission’s decision regarding the US should have been suspended in the wake of Snowden. Bot argues that the Commission’s decision can not prevent individual countries in the EU from performing their own due diligence and deciding for themselves whether or not to allow data transfers with the US.

“In other words, the Commission is not empowered to restrict the powers of the national supervisory authorities,” the opinion states.

A final ruling from the CJEU is expected in the coming weeks. The case stems from a single complaint by a Austrian man whose data was transferred from Facebook’s Irish subsidiary to the United States. “Mr. Schrems lodged a complaint with the Irish data protection authority (the Data Protection Commissioner), taking the view that, in the light of the revelations made in 2013 by Edward Snowden concerning the activities of the United States intelligence services (in particular the National Security Agency ‘the NSA’), the law and practices of the United States offer no real protection against surveillance by the United States of the data transferred to that country,” reads Bot’s opinion.

Bot goes on to say, “individual European countries must be able to take the measures necessary to safeguard the fundamental rights.” That means if the court follows Bot’s opinion, European countries could enact laws and policies on an individual basis rather than as a collective bloc, fragmenting how the EU conducts business online.

Backlash from businesses

The opinion spooked many multinational companies who rely on freely transferring customer data between the EU and the US. DigitalEurope posted a response saying 4,500 businesses rely on Safe Harbour. “In addition to the disruption a Court ruling would have on international data flows, it would also frustrate the creation of the Digital Single Market in Europe because it would fragment Europe’s approach to data flows out of the EU.” posted a similar response:

“Disruption to international data flows could hurt the UK’s digital economy. The approach that Europe takes to how data flows in and out of the EU will impact the global ambitions of data-driven companies in the UK and right across Europe. Thousands of companies, employing tens of thousands of people in the UK alone, rely upon Safe Harbour every day, for example to move HR data between their European and US operations. President Juncker’s ambition to achieve a true Digital Single Market for growth and jobs will be underpinned or undermined by the EU’s approach to data.”

If Bot were to get his way, he says it wouldn’t extinguish all online business between the US and EU. “The end of this privileged status [Safe Harbour] would not mean that personal data cannot be transferred between the EU and the US,” he later clarified. “Most transfers of personal data between the EU and the US, like communication, hotel bookings, bank transfers and almost all other forms of necessary data transfers, are always possible under a long list of exceptions in the current EU law.”

Consequences for cloud backup

Besides social media, another sector Bot’s opinion could seriously affect is cloud backup and storage. Backup and storage providers often only operate data centers in a single country. If the United States loses its Safe Harbour status, backup and storage providers could be forced to either invest in new data centers in the EU or else lose a significant portion of their overseas business.

Backup companies who rely on virtual providers like Amazon, Google, and Rackspace could find themselves scrambling to move customers’ data into the appropriate regions. Cloud services could be fragmented by country much in the same way that telcos and internet service providers are now. Besides the US, overruling the Commission’s decision could set a precedent for blocking data transfers between other countries as well.

Bot argues European citizens have no say in how their data is handled once it’s transferred to the US, which interferes with their right to an effective remedy. The Court of Justice of the European Union tends to align itself with Bot when handing down its decisions.