Harbouring a grudge
Safe Harbour may have been toppled by one Austrian law student. Jack Pusey examines the channel implications
If Edward Snowden showed the huge impact a person from an unlikely field can have on the global technology scene, an Austrian named Maximillian Schrems is proving that point for a second time.
Tech giants have been holding and processing the personal data of European citizens for years, despite the fact that the alleged surveillance practices of the US intelligence services would seem to be at odds with EU legislation.
Multinational companies, primarily in the social media and data-hosting sectors, have done this in their thousands under Safe Harbour, a deal struck up between the EU and the US back in 2000 to provide a cheap and simple way for US firms to transfer data from Europe in accordance with EU privacy legislation.
To honour the agreement, all firms had to do was self-certify that they would protect EU citizens' data with "adequate" privacy protection, a process that campaigners have long since challenged as insufficient - to no effect.
Until Schrems got involved.
The Austrian law student decided back in 2013 that the Safe Harbour agreement was actually hampering the Irish Data Protection Commissioner (DPC) from protecting the data of EU citizens, which he claimed was being exported by Facebook and subsequently screened by US intelligence.
His objection came in light of Edward Snowden's revelations about the National Security Agency's (NSA) extensive data-surveillance activities and he challenged the Irish DPC to reassess the legal validity of its practices.
The Irish DPC, which had been allowing Facebook to transfer data from its Irish offices to its US headquarters since the social media site was established, rejected Schrems' call for an investigation, only to feel the full force of his wrath when he elevated his concerns to the European Court of Justice (ECJ).
On 6 October 2015, after comprehensive processing, the ECJ ruled that the IDPC was indeed failing to protect EU citizens by enabling Facebook to act under the Safe Harbour agreement. So it declared the agreement invalid. As such, swathes of tech companies sharing personal data with the US could now have to completely reassess their business protocol.
"They will need to consider their strategies around data transfers; if they have been relying on Safe Harbour to justify them, then they will need to think of privacy-friendly methods to do so, which are compliant with the data-protection directive," explained Robert Lands, head of intellectual property at law firm Howard Kennedy. "Obtaining explicit consent to justify transfers and creating new agreements between companies that share data may be further ways of meeting the requirements."
Both Google and Facebook declined to comment when asked how they intended to accommodate the ruling. Amazon Web Services did not respond to our enquiries.
Cloudy outlook
Others in the cloud space have put forward a more optimistic take on the ruling's commercial ramifications. Some argued that they were completely unaffected by the collapse of Safe Harbour on a territorial basis.
"There are very many European cloud providers which operate solely within the bounds of the European Union, or even within a single jurisdiction within Europe, therefore the complex challenges of the Safe Harbour agreement simply don't apply," said Nicky Stewart, commercial director of Skyscape Cloud Services.
Others professed that their strict adherence to privacy legislation meant that business would continue as usual.
"We make it clear to our customers where their data will be processed and stored, ensuring full transparency at every stage," asserted James Henigan, chief operating officer at Outsourcery.
Going forward, The EU and US will seemingly have to establish an alternative agreement that balances the commercial benefits of transatlantic data transfers with EU citizens' rights to privacy. It will ultimately be down to Brussels and Washington to negotiate a successor to Safe Harbour, a process that analysts fear could complicate ongoing talks about a transatlantic trade agreement and provoke diplomatic chaos.
According to Ashley Winton, UK head of data protection and privacy at Paul Hastings, Schrems' case should not be analysed in isolation and could be the first of many.
"There are currently no rules limiting individuals bringing complaints regarding data protection across multiple jurisdictions simultaneously, so we may now see these complaints springing up from every direction, where data is being shared around the world," he noted.
Dai Davis, solicitor at Percy Crow Davis & Co, agreed that the coming months would be full of "subsequent legal argument", but challenged the idea that a plethora of similar cases would surface.
"Whether anyone else has the time, money or inclination to take up such arguments against the large US social media companies remains to be seen," he concluded.
But if the adage that "the bigger they are, the harder they fall" rings true, then Facebook and friends could be in for a bumpy ride.