What is Safe Harbour, and why has it been revoked?

Cloud file transfer

What is 'Safe Harbour'?

Safe Harbour was introduced in the wake of the Patriot Act following fears over data sovereignty.

It allowed American companies to host European companies data in US datacentres without it being subject to seizure. This allowed them to comply with EU data protection regulation without having to drastically change their business model, providing they were certified.

Particular beneficiaries of the policy were organisations like Microsoft, Facebook, Google and Amazon Web Services (AWS), which transfer data between global datacentres dynamically.

Why was Safe Harbour challenged in court?

Maximillian Schrems, an Austrian citizen who had been a Facebook user for seven years, launched the complaint with the Irish Data Protection Authority, as that is where Facebook's European HQ is located, in 2015 following the Snowden revelations.

Schrems argued that the activities of the US government, such at Prism, showed European citizens' data was not offered enough protection from state surveillance, despite Safe Harbour.

The Irish Data Protection Authority rejected the claim, citing the 2000 ruling by the European Commission that the Safe Harbour scheme was sufficient. However, the High Court of Ireland, before which the case was brought, sought guidance from the European Commission on whether or not it was able to overrule the 2000 decision.

Why did the judge at the European Court of Justice rule Safe Harbour is invalid?

This is where the story gets a bit technical. The European Court of Justice ruled the Commission does not have primacy over local courts, as "under EU law, legislation is not limited to what is strictly necessary where it authorises, on a generalised basis, storage of all the personal data of all the persons whose data is transferred from the EU to the United States without any differentiation, limitation or exception being made in the light of the objective pursued and without an objective criterion being laid down for determining the limits of the access of the public authorities to the data and of its subsequent use".

It also ruled that "legislation permitting the public authorities to have access on a generalised basis to the content of electronic communications must be regarded as compromising the essence of the fundamental right to respect for private life".

Having found that Safe Harbour is, in the US, considered secondary national security, public interest and law enforcement regulations and can therefore be ignored when there is a conflict between the two, the European Court of Justice ruled Safe Harbour was invalid.

What happens now?

This is the million-dollar question. The immediate consequence, as the ECJ ruling states, is that "the Irish supervisory authority is required to examine Mr Schrems' complaint with all due diligence and, at the conclusion of its investigation, is to decide whether, pursuant to the directive, transfer of the data of Facebook's European subscribers to the United States should be suspended on the ground that that country does not afford an adequate level of protection of personal data".

However it could have more far-reaching consequences for the tech industry in general and the cloud in particular.

Potentially, US companies will be required to hold all EU citizens' data within the borders of the EU. But even that may not be enough -- the outcome of a separate court battle between Microsoft and an unnamed US law enforcement agency could mean that, legally, the US considers any data held by an American company to be subject to US laws and warrants, even if it is held overseas.

James Henigan, COO of UK-based cloud services provider Outsourcery said: "Businesses that are concerned about data protection and privacy ... need to be aware what data transfer agreements their suppliers have in place with businesses in other countries."

"Don't forget that the Safe Harbour framework was introduced to allow US companies to self-certify that they provide 'adequate' privacy protections to citizen or customer data. If a customer is contracted with such a company, they now need to understand what the scope of this self-certification is and if they are satisfied with it. A company's data privacy is of utmost importance, so it's in their interest to fully consider the terms their provider is bound by in handling their data," he added.

Jane McCallion
Deputy Editor

Jane McCallion is ITPro's deputy editor, specializing in cloud computing, cyber security, data centers and enterprise IT infrastructure. Before becoming Deputy Editor, she held the role of Features Editor, managing a pool of freelance and internal writers, while continuing to specialise in enterprise IT infrastructure, and business strategy.

Prior to joining ITPro, Jane was a freelance business journalist writing as both Jane McCallion and Jane Bordenave for titles such as European CEO, World Finance, and Business Excellence Magazine.