IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

What is Safe Harbour, and why has it been revoked?

The ECJ has ruled a key privacy framework of the cloud as invalid. We find out what this could mean for the future of cloud services

Cloud file transfer

What is 'Safe Harbour'?

Safe Harbour was introduced in the wake of the Patriot Act following fears over data sovereignty.

It allowed American companies to host European companies data in US datacentres without it being subject to seizure. This allowed them to comply with EU data protection regulation without having to drastically change their business model, providing they were certified.

Particular beneficiaries of the policy were organisations like Microsoft, Facebook, Google and Amazon Web Services (AWS), which transfer data between global datacentres dynamically.

Why was Safe Harbour challenged in court?

Maximillian Schrems, an Austrian citizen who had been a Facebook user for seven years, launched the complaint with the Irish Data Protection Authority, as that is where Facebook's European HQ is located, in 2015 following the Snowden revelations.

Schrems argued that the activities of the US government, such at Prism, showed European citizens' data was not offered enough protection from state surveillance, despite Safe Harbour.

The Irish Data Protection Authority rejected the claim, citing the 2000 ruling by the European Commission that the Safe Harbour scheme was sufficient. However, the High Court of Ireland, before which the case was brought, sought guidance from the European Commission on whether or not it was able to overrule the 2000 decision.

Why did the judge at the European Court of Justice rule Safe Harbour is invalid?

This is where the story gets a bit technical. The European Court of Justice ruled the Commission does not have primacy over local courts, as "under EU law, legislation is not limited to what is strictly necessary where it authorises, on a generalised basis, storage of all the personal data of all the persons whose data is transferred from the EU to the United States without any differentiation, limitation or exception being made in the light of the objective pursued and without an objective criterion being laid down for determining the limits of the access of the public authorities to the data and of its subsequent use".

It also ruled that "legislation permitting the public authorities to have access on a generalised basis to the content of electronic communications must be regarded as compromising the essence of the fundamental right to respect for private life".

Having found that Safe Harbour is, in the US, considered secondary national security, public interest and law enforcement regulations and can therefore be ignored when there is a conflict between the two, the European Court of Justice ruled Safe Harbour was invalid.

What happens now?

This is the million-dollar question. The immediate consequence, as the ECJ ruling states, is that "the Irish supervisory authority is required to examine Mr Schrems' complaint with all due diligence and, at the conclusion of its investigation, is to decide whether, pursuant to the directive, transfer of the data of Facebook's European subscribers to the United States should be suspended on the ground that that country does not afford an adequate level of protection of personal data".

However it could have more far-reaching consequences for the tech industry in general and the cloud in particular.

Potentially, US companies will be required to hold all EU citizens' data within the borders of the EU. But even that may not be enough -- the outcome of a separate court battle between Microsoft and an unnamed US law enforcement agency could mean that, legally, the US considers any data held by an American company to be subject to US laws and warrants, even if it is held overseas.

James Henigan, COO of UK-based cloud services provider Outsourcery said: "Businesses that are concerned about data protection and privacy ... need to be aware what data transfer agreements their suppliers have in place with businesses in other countries."

"Don't forget that the Safe Harbour framework was introduced to allow US companies to self-certify that they provide 'adequate' privacy protections to citizen or customer data. If a customer is contracted with such a company, they now need to understand what the scope of this self-certification is and if they are satisfied with it. A company's data privacy is of utmost importance, so it's in their interest to fully consider the terms their provider is bound by in handling their data," he added.

Featured Resources

Join the 90% of enterprises accelerating to the cloud

Business transformation through digital modernisation

Free Download

Delivering on demand: Momentum builds toward flexible IT

A modern digital workplace strategy

Free download

Modernise the workforce experience

Actionable insights and an optimised experience for both IT and end users

Free Download

The digital workplace roadmap

A leader's guide to strategy and success

Free Download


What is SMAC?
digital transformation

What is SMAC?

30 Jun 2022
HPE upgrades GreenLake with Private Cloud Enterprise

HPE upgrades GreenLake with Private Cloud Enterprise

28 Jun 2022
What is metaverse security?

What is metaverse security?

9 Jun 2022
What is Amazon S3?
Amazon S3

What is Amazon S3?

16 May 2022

Most Popular

Raspberry Pi launches next-gen Pico W microcontroller with networking support

Raspberry Pi launches next-gen Pico W microcontroller with networking support

1 Jul 2022
Xerox CEO John Visentin dies unexpectedly aged 59
Careers & training

Xerox CEO John Visentin dies unexpectedly aged 59

30 Jun 2022
Former Uber security chief to face fraud charges over hack coverup
data breaches

Former Uber security chief to face fraud charges over hack coverup

29 Jun 2022