The latest Safe Harbour victim looks set to be Facebook. A ruling from the European Court of Justice suggests it will no longer be allowed to routinely send European user data back to the US from its servers based in Ireland.
The Safe Harbour agreement has been in place for 15 years and effectively gave the US a free pass on privacy – US firms were assumed to follow European law, so companies and organisations could freely send customer data to the US without further checks.
That has been blown apart by revelations from Edward Snowden, among others, that US organisations were taking liberties with supposedly private corporate information.
What this means for large companies with US operations is not yet clear.
And by ‘US operations’ we include anyone using a US cloud provider, web host or web analytics supplier – all of these effectively send customer data to the United States. US-owned companies, albeit based in Europe, are still covered by the ruling.
Safe Harbour was always a bit of a bodge job – it just assumed US firms would follow proper data protection laws, without checking that they were actually doing so. But given the differences between the two sets of data protection rules it is not clear how a similar agreement, with no actual checking or certifying, can be achieved.
For the moment it is likely that most businesses will carry on as usual. But any lawyers in the middle of negotiating new contracts between US and European firms are likely to be adding a few hours to their billable time.
The line from the Information Commissioner’s Office is that it understands it will take companies some time to sort this out.
Which seems only fair because at the time of writing the ICO’s website is using Google Analytics – which presumably sends data back to Mountain View and therefore relies on Safe Harbour to make it legal.
The ICO said:
“The judgment means that businesses that use Safe Harbour will need to review how they ensure that data transferred to the US is transferred in line with the law. We recognise that it will take them some time to do this.”
The regulator notes that there are other legal ways to transfer data to the US so organisations can look at alternatives.
Given how the internet and cloud storage work it will be very difficult for all but the smallest operator to guarantee exactly where customer data is stored. But at least in the short term they’re going to need to at least try.
But it is not impossible. A decent cloud strategy should include storing data in different countries, and on different continents, in order to avoid downtime or unavailability caused by power or environmental problems.
You’ll need to talk to your provider and start separating data according to jurisdictions.
It seems unlikely that US spooks will give up widespread collection of data. Or that the European Court of Justice will reverse its decision.
But firms across Europe will need to find a new legal fig leaf to do the job of Safe Harbour or risk adding big costs to their data protection bill.
It will also stop firms on this side of the Atlantic from using a plethora of web and cloud services – unless those individual firms accept some kind of EU audit of their data protection practices.
We’re betting something which looks, sounds and smells like Safe Harbour will appear shortly. But it will take time to pass legislation to make this happen.
Regardless of what happens to Safe Harbour this issue will not go away anytime soon – Microsoft is fighting the Department of Justice to establish the privacy of its servers in Ireland. The DOJ wants access to emails stored there. Any result is likely to mean big changes to data protection and privacy for any company using cloud services.
In the meantime UK firms could do worse than take the time to have a proper look at just where their data is going and who has access to it.