In 2000 the US and EU struck a deal to provide a means for US firms to get and process data from Europe without breaking EU rules: Safe Harbor. EU regulations stipulated that no EU personal data could be transferred to and processed in other parts of the world without privacy protections that met EU standards. Safe Harbor allowed for US companies to self-certify that they met the appropriate EU standards. This opened the door to companies on both sides of the Atlantic but was hotly debated since its inception.
In 2013 Edward Snowden leaked details about a surveillance scheme operated by the National Security Agency (NSA) called Prism. Snowden alleged that Prism had gained access to data about Europeans and other foreign citizens stored by large US tech companies. Snowden’s disclosure marked the beginning of the end of Safe Harbor.
Following this, Max Schrems, an Austrian privacy campaigner, challenged Facebook, arguing that his and others' data should not be transferred to the US on the grounds that the US did not have an adequate level of protection for personal data. He argued that Facebook data was not adequately sheltered from surveillance. However, when he asked the Irish Data Protection Commission (IDPC) to audit what material Facebook might be passing on, the IDPC declined, arguing that Facebook was covered by Safe Harbor. Schrems contested this ruling and the matter was referred to the European Court of Justice.
That brings us to now.
Last week, the court ruled that a Safe Harbor agreement does not guarantee that US firms are taking adequate protection measures. While companies may respect the Safe Harbor guidelines, the US public authorities are not themselves subject to it. Therefore, there is no way to guarantee EU citizens adequate protection from surveillance that, while legal in the US, is illegal in Europe.
What does this mean for US companies?
Today, more than 5,000 companies rely on Safe Harbor for transferring EU data to US servers. And while the ruling does not state that processing data in the US is illegal, no one is really sure what the implications of this decision are or what the next steps will be.
In the UK, the Information Commissioner's Office, which oversees compliance with EU privacy directives, has stated: “the ruling is clearly significant and it is important that regulators and legislators provide a considered and clear response … We will now be considering the judgment in detail, working with our counterpart data protection authorities in the other EU member states and issuing further guidance for businesses on the options open to them.” However, we must also remember that there are 28 EU member states that will likely have differing interpretations of the ruling and its impact.
We do know this isn’t going to change things overnight. Last week’s decision doesn’t order an immediate end to EU-US data transfers; it simply gives EU regulators the right to investigate and suspend them if they don’t feel they provide sufficient protections. Further, the US and EU have already begun negotiations to update the Safe Harbor agreement. This decision will undoubtedly hasten these conversations, and we can hope that it will also expedite an agreement giving us a new EU regulation on data privacy.
In the meantime, having data centers in the UK is a massive advantage regardless of the Safe Harbor ruling, as European companies have always been nervous about US surveillance and the implications of the Patriot Act.
Edward Gairdner is Director of Security and Business Assurance at Huddle, where he manages development and implementation of information security, compliance, risk management and business IT.