JohanSwanepoel - Fotolia
US tech giants could soon come under increased pressure to build European datacentres now the validity of the US Safe Harbour Agreement has been called into question by EU law makers.
According to Yves Bots, advocate general of the European Court of Justice (ECJ), the agreement does not provide “adequate protection” for the private information of European citizens once it reaches the US, and should therefore be considered invalid.
His opinion on the matter was prompted by a complaint made by Austrian Facebook user Max Schrems to the Irish Data Protection Authority (IDPA) about the protections afforded to his personal data once it reaches the social networking giant’s US-based servers.
In the wake of the 2013 NSA/Prism surveillance scandal, Schrems argued that it cannot be assumed any data that passes from Europe across the pond will not be subjected to the alleged surveillance activities of the US government.
The IDPA initially rejected the complaint, claiming the Safe Harbour Agreement should ensure personal data that is passed to the US will be “adequately protected”.
Schrems then went on to challenge the IDPA’s view in the Irish courts, who then referred the case on to the ECJ, who is set to make a final ruling on it later in 2015.
Industrial impact of Safe Harbour scrappage
While Bots’s opinion on the matter is non-binding at this stage, if the 15 judges making up the ECJ back his assertions, it could seriously disrupt data transfers between the EU and US for the 4,410 companies that make use of the Safe Harbour Agreement.
These included a number of high-profile tech firms, such as Apple, Facebook, Google, IBM, Intel, Microsoft and Oracle to name a few, that will need to make alternative legal arrangements to transfer their EU users’ data.
In a statement, Schrems said this could have “major commercial downsides for the US tech industry” and result in some of them having to make costly infrastructure investments to minimise disruption to their operations.
“Companies that participate in the US mass surveillance, provide cloud services in the EU and rely on datacentres in the US may now have to invest in secure datacentres in the European Union,” said Schrems.
“Currently, this could be a major issue for Apple, Facebook, Google, Microsoft or Yahoo. All of them operate datacentres in Europe, but may need to fundamentally restructure their data storage architecture and maybe even their corporate structure.”
US cloud service providers that run services from European datacentres are often cited by users as more desirable candidates to do business with by enterprises because of compliance concerns and data sovereignty issues.
Richard Cumbley, global head of technology, media and telecommunications at legal firm Linklaters LLP, said there is a danger that invalidating the Safe Harbour Agreement could put users’ data at increased risk.
“The real issue is the huge amounts of information held about European citizens in the US, particularly by US tech companies. This demonstrates that the Snowden revelations still cast a long shadow over privacy issues,” said Cumbley.
“Perhaps the biggest question is whether invalidating Safe Harbour will really increase the protection afforded to European citizens. Are transfers of data to the US really going to stop? Do other means to justify these transfers really provide better protection? The answer is far from clear.”
Read more about EU data protection
- Belgian Privacy Commission data protection watchdog likens Facebook’s data handling processes to those of the US National Security Agency.
- Government transfers responsibility for data protection policy and ICO oversight from Ministry of Justice to Department for Culture, Media and Sport.
Read more on Software-as-a-Service (SaaS)
Court to rule on Facebook data sharing after Schrems drops legal challenge against Irish regulator
EU and US start discussions on ‘enhanced’ Privacy Shield data-sharing agreement
European court to decide legality of EU-US data sharing in dispute between Schrems and Facebook
EU court opinion finds EU-US data transfers lawful but raises questions over Privacy Shield