JohanSwanepoel - Fotolia

Data-sharing agreement between EU and US called into question by European law makers

The future of the US Safe Harbour Agreement has been thrown into doubt after EU law maker claims it may not adequately protect user data

US tech giants could soon come under increased pressure to build European datacentres now the validity of the US Safe Harbour Agreement has been called into question by EU law makers.

According to Yves Bots, advocate general of the European Court of Justice (ECJ), the agreement does not provide “adequate protection” for the private information of European citizens once it reaches the US, and should therefore be considered invalid.

His opinion on the matter was prompted by a complaint made by Austrian Facebook user Max Schrems to the Irish Data Protection Authority (IDPA) about the protections afforded to his personal data once it reaches the social networking giant’s US-based servers.

In the wake of the 2013 NSA/Prism surveillance scandal, Schrems argued that it cannot be assumed any data that passes from Europe across the pond will not be subjected to the alleged surveillance activities of the US government.

The IDPA initially rejected the complaint, claiming the Safe Harbour Agreement should ensure personal data that is passed to the US will be “adequately protected”.

Schrems then went on to challenge the IDPA’s view in the Irish courts, who then referred the case on to the ECJ, who is set to make a final ruling on it later in 2015.  

Industrial impact of Safe Harbour scrappage

While Bots’s opinion on the matter is non-binding at this stage, if the 15 judges making up the ECJ back his assertions, it could seriously disrupt data transfers between the EU and US for the 4,410 companies that make use of the Safe Harbour Agreement.

These included a number of high-profile tech firms, such as Apple, Facebook, Google, IBM, Intel, Microsoft and Oracle to name a few, that will need to make alternative legal arrangements to transfer their EU users’ data.

In a statement, Schrems said this could have “major commercial downsides for the US tech industry” and result in some of them having to make costly infrastructure investments to minimise disruption to their operations.

“Companies that participate in the US mass surveillance, provide cloud services in the EU and rely on datacentres in the US may now have to invest in secure datacentres in the European Union,” said Schrems.

“Currently, this could be a major issue for Apple, Facebook, Google, Microsoft or Yahoo. All of them operate datacentres in Europe, but may need to fundamentally restructure their data storage architecture and maybe even their corporate structure.”

US cloud service providers that run services from European datacentres are often cited by users as more desirable candidates to do business with by enterprises because of compliance concerns and data sovereignty issues.

Richard Cumbley, global head of technology, media and telecommunications at legal firm Linklaters LLP, said there is a danger that invalidating the Safe Harbour Agreement could put users’ data at increased risk.

“The real issue is the huge amounts of information held about European citizens in the US, particularly by US tech companies. This demonstrates that the Snowden revelations still cast a long shadow over privacy issues,” said Cumbley.

“Perhaps the biggest question is whether invalidating Safe Harbour will really increase the protection afforded to European citizens. Are transfers of data to the US really going to stop? Do other means to justify these transfers really provide better protection? The answer is far from clear.” 

Read more about EU data protection

Read more on Software-as-a-Service (SaaS)