The end of Safe Harbour means uncertainty for businesses
Negotiations are underway to redraft the Safe Harbour agreement, but in the meantime uncertainty remains among tech companies
Under current EU regulations, citizens’ personal data cannot be transferred or processed outside the 28 member states unless the receiving countries apply the strict privacy protections outlined by the EU.
Back in 2000, the EU and the US agreed to a deal that permitted American companies to self-certify they had put the appropriate security measures in place, streamlining data transfers between the two entities. But in 2013, NSA whistleblower Edward Snowden leaked information that suggested US security forces had abused this trust and managed to obtain access to EU citizens’ data stored by US firms – the first nail in the coffin of Safe Harbour.
Two years after those revelations, the European Court of Justice (ECJ) ruled the Safe Harbour agreement was invalid. The judgment has left many US companies fearful of a bureaucratic nightmare in which they are forced to comply with individual member states’ data regulators until the renegotiation is completed.
Don’t worry
In the wake of the ECJ’s decision, the First Vice-President of the EU Commission, Frans Timmermans, gave some reassurance to US firms, stating in a press conference: “The court confirms the need of having robust data protection safeguards in place before transferring citizens’ data. I see this as a confirmation of the European Commission’s approach for the renegotiation of the Safe Harbour.
“We have already been working with the American authorities to make data transfers safer for European citizens. In the light of the ruling, we will continue this work towards a renewed and safe framework for the transfer of personal data across the Atlantic.”
The agreement, which more than 5,000 US companies rely on in order to carry out data transfers using self-certification, has been rendered illegal by the ECJ. Luckily, EU regulators are eager to rectify the situation and have granted regulators and organisations a period of grace until the end of January. Time enough, hopefully, to find a solution.
So far, both sides have reached a consensus on the basic principles of Safe Harbour 2.0, but, as Justice Commissioner Vera Jourova told lawmakers, negotiators from the EU and the US “are still discussing how to ensure that these commitments are binding enough to fully meet the requirements of the court”.
Companies respond
This positive news is reflected in many US tech companies’ sentiments on the ruling. They have, for the most part, expressed little concern about their ability to continue functioning as normal. In a blog post, Microsoft said users of its cloud services could “continue to transfer data by relying on additional steps and legal safeguards we have put in place”. The company was also optimistic the ECJ’s decision would not significantly impact its consumer services, such as Hotmail.
Facebook made it known that it too was unlikely to be drastically affected by the court’s ruling, but was hoping the reforms did not infringe data transfers. “It is imperative that EU and US governments ensure that they continue to provide reliable methods for lawful data transfers and resolve any issues relating to national security”, the social-networking company said in a statement.
Not everyone in the US tech community is upbeat about the decision, however; the chairman of Alphabet, Eric Schmidt, told an audience at the Virtuous Circle conference that it could lead to “per-country internets”, which, if allowed to happen, would see the world “lose one of the greatest achievements of humanity”.
In the end, whatever the EU and US agree upon in the coming months, the hope will be that they manage to strike the right balance between privacy and security, without removing elements that permit the fast, cost-effective transfer of data that is essential for both businesses and consumers alike.