Safe Harbour: What is it, why has it gone and how does it affect you?
Yesterday, the European Court of Justice (ECJ) invalidated a legal agreement, known as the “Safe Harbour” agreement, which allowed the transfer of personal data between the EU and US for processing.
This is big news. With Google search and a Facebook feed constantly at your fingertips, it is easy to conceptualise the transfer of data as a process that transcends geographic boundaries. Suddenly, the Atlantic Ocean has become a very real chasm between EU and US data law, with the easy transfer of data no longer being so straightforward.
What does the ruling mean?
In practical terms, it means that the US will no longer be able to self-certify that they’ll protect the data of EU citizens. In grander terms, it signals a shift in the debate around privacy and surveillance, with the EU ostensibly deciding that the Safe Harbour agreement offers no real protection for the data of European citizens.
By making the ruling, the ECJ has backed up a claim made by Austrian law student Max Schrems, that “the law and practice of the United States do not offer sufficient protection against surveillance by the public authorities of the data transferred to that country.” If that sounds heavy it’s because it is.
What happens next?
Schrems brought a case against Facebook in 2013, requesting that the Irish data protection commissioner investigate whether his data is adequately protected when transferred by Facebook (which has its European headquarters in Dublin) to the US.
Yesterday’s EU Court of Justice ruling means that the Irish data protection commissioner can no longer hide behind the Safe Harbour agreement, and will be pressured to launch a full investigation into Schrems’ complaint. The implications of this will be argued by lawyers for quite some time.
Is it a good thing?
There isn’t really a simple answer to that. The ruling has been welcomed by privacy groups, which hail the ECJ’s decision as a strong move against mass government surveillance. So, in terms of your privacy, yes, it is almost definitely a good thing. It will also come as good news for technology lawyers, who will see a sudden surge in demand (and can, therefore, charge more for their services).
Advertisers and businesses have been less responsive to the ruling. In a statement, Mike Zaneis, EVP and general counsel for the Interactive Advertising Bureau, said: “Today’s decision by the European Court of Justice jeopardises thousands of businesses across the Atlantic.” US tech firms like Google, Facebook and Amazon will also probably be a bit miffed, as it makes life more difficult for them. As for the NSA and other spy agencies, they’ll be shaking their fists at a map of Europe.
How will it affect me?
Big firms will already be taking steps to circumnavigate the new barriers and continue sharing data, so you shouldn’t notice any major problems when using Facebook or Google. Smaller transatlantic companies, however, are likely to face issues, and the ruling could end up having implications for remote cloud storage.
From the user end, this means loading stored photos on Facebook, which involves reaching into cloud server centres, could in theory take marginally longer. In real terms, it’ll mainly affect smaller companies that don’t have the funds Google, Facebook et al have to get contracts agreed.
In the long run, the future of your data depends on what new agreement the US and EU end up making. Safe Harbour was a pretty wobbly agreement, and the EU wants any future agreement to have a strong legal basis. Both entities have been negotiating a new contract for two years now, since Edward Snowden revealed the extent of state surveillance.
Check out our previous coverage on the likelihood of a post-Snowden EU and US deal.