UNDERSTANDING THE IMPLICATIONS OF THE SAFE HARBOUR RULING

Rich Stuppy, Chief Operations Officer, Kount

Introduction

“The most serious European backlash yet since the Snowden internet spying scandal.”

This is how the Financial Times, a journal not usually given to hyperbole, has described the European Court of Justice’s (ECJ) ruling on the Safe Harbour pact, declaring it invalid.

Safe Harbour was designed as a “streamlined and cost-effective” way for US firms to get data from Europe without breaking its rules. Companies in the US were able to self-certify that they had put the appropriate data privacy measures in place. In the wake of the Snowden allegations, the top European court has ruled that Safe Harbour is invalid.

The ECJ has declared the Safe Harbour pact invalid because it does not, in the court’s judgment, provide adequate data protections under EU law. One of the primary drivers of this judgment was the belief that United States government agencies like the National Security Agency (NSA) have the ability to access data from people in the EU with impunity. This decision will have near-term and far-reaching consequences, which will likely cause serious harm to economies not only on both sides of the Atlantic but across the globe.

What the ruling means

  • Individual European countries can now set their own regulation for US companies’ handling of citizens’ data, vastly complicating the regulatory environment in Europe.
  • Countries can choose to suspend the transfer of data to the US — forcing companies to host user data exclusively within the country.
  • The Irish data regulator will now examine whether Facebook offered European users adequate data protections, and it may order the suspension of Facebook’s transfer of data from Europe to the US if it did not.

Why the ECJ made its ruling

The ECJ struck down the agreement, which had been in place since 2000, in part due to fears of US mass surveillance. In essence, it is the European reaction to the Edward Snowden revelations about US surveillance.

The court declared the Safe Harbour agreement invalid because it stopped Europe’s national data protection watchdogs intervening on behalf of citizens who complained their privacy had been infringed.

How has industry reacted?

Reaction from the communications industry has been a mixture of the negative and the cautious. Some industry spokespeople have reacted critically to the judgement, such as Chris Padilla, IBM’s vice-president of government and regulatory affairs. He said the decision “jeopardises these vital data flows” and would damage Europe’s plan for a digital single market. He added that the ruling would lead to “a highly uncoordinated approach to internet regulation in Europe,” creating significant commercial uncertainty.[1]

Others, though, are adopting a “wait and see” approach, the Internet Association among them. Its president, Michael Beckerman, said: “In light of this far reaching European Court of Justice ruling, the Internet Association calls on the US and EU to join forces to implement a revised Safe Harbour framework and to issue interim guidance to stakeholders pending this implementation.”[2]

What will the consequences be?

The short-term consequence will be uncertainty. This uncertainty will cause thousands of companies and millions of consumers in the US and the EU to reconsider decisions they have made about how to conduct business. For example, companies that have mutually pledged to implement strong data protection practices will re-examine their commitments to those practices and may choose to cease transferring data to the US. This is a real concern for all parties because the services have been duly vetted and chosen based on the economic benefits they provide. Stopping or curtailing the use of these services is an economic loss for all sides.

The most unfortunate aspect of these losses is that the companies involved have built their businesses on sound data protection practices. Those practices include strong controls, such as encryption and strong authentication, combined with progressive policies and practices about data protection and use. Companies on both sides of the Atlantic have understood for years that data protection isn’t optional; it is mandatory. Years of work may have been shredded in the near term because of decisions made by their governments.

The mid-term consequence will be a rush by companies to use one of a few accepted ways to ensure adequate data protection or consent to transfer data. These include:

  1. Unambiguous consent of the data subject;
  2. Arguments that the transfer is necessary for the performance of a contract between the end customer and the applicable merchant; or
  3. Use of model contract clauses.

To those unfamiliar with the landscape, these options might appear to be reasonably straightforward. Yet most people who have been involved in crafting trans-Atlantic data exchange agreements would tell you they are anything but straightforward. They are solvable, but only with time and money.

Longer-term consequences may include a new type of protectionism inhibiting global trade. This would take the form of de facto tariffs on the transfer of data. Data is the lifeblood of modern business. It is not hard to imagine a scenario where governmental authorities dramatically increase the cost of transferring data to other countries in order to provide “unnatural” advantages to domestic industries. The overarching effect of such policies would be to create less competitive and less efficient industries, resulting in losses to all parties. These headwinds come at a time when success is difficult enough.

Conclusions

The ironic and sad fact is that all of the consequences, uncertainty, waste and loss associated with the ECJ decision have very little to do with the thousands of security-minded and law-abiding people and companies engaged in business. The primary driver for the decision was the revelations of rampant spying laid bare by Edward Snowden and the like. The problem is not a commercial problem. It is a nation state issue. Unfortunately, no court has the ability to force the national security apparatuses of their countries to engage in a dialog to fix these practices.

Yet what is critical is that any industry involved in the transfer and storage of data doesn’t panic. Yes, we are working in a new landscape, and yes, our industry has just become far more complex.

But a cool head and a clear vision are vital if we are to navigate this new landscape successfully and forge new agreements.

There are challenges ahead but being aware of them means we will be better able to overcome them.

[1] Financial Times

[2] BBC News
