
What is Safe Harbour, and why has it been revoked?

The ECJ has ruled a key privacy framework of the cloud as invalid. We find out what this could mean for the future of cloud services


What is 'Safe Harbour'?

Safe Harbour was introduced in the wake of the Patriot Act following fears over data sovereignty.

It allowed American companies to host European companies' data in US datacentres without it being subject to seizure. This allowed them to comply with EU data protection regulation without having to drastically change their business model, providing they were certified.

Particular beneficiaries of the policy were organisations like Microsoft, Facebook, Google and Amazon Web Services (AWS), which transfer data between global datacentres dynamically.

Why was Safe Harbour challenged in court?

Maximillian Schrems, an Austrian citizen who had been a Facebook user for seven years, launched the complaint with the Irish Data Protection Authority, as that is where Facebook's European HQ is located, in 2015 following the Snowden revelations.

Schrems argued that the activities of the US government, such as Prism, showed European citizens' data was not offered enough protection from state surveillance, despite Safe Harbour.

The Irish Data Protection Authority rejected the claim, citing the 2000 ruling by the European Commission that the Safe Harbour scheme was sufficient. However, the High Court of Ireland, before which the case was brought, sought guidance from the European Commission on whether or not it was able to overrule the 2000 decision.

Why did the judge at the European Court of Justice rule Safe Harbour is invalid?

This is where the story gets a bit technical. The European Court of Justice ruled the Commission does not have primacy over local courts, as "under EU law, legislation is not limited to what is strictly necessary where it authorises, on a generalised basis, storage of all the personal data of all the persons whose data is transferred from the EU to the United States without any differentiation, limitation or exception being made in the light of the objective pursued and without an objective criterion being laid down for determining the limits of the access of the public authorities to the data and of its subsequent use".

It also ruled that "legislation permitting the public authorities to have access on a generalised basis to the content of electronic communications must be regarded as compromising the essence of the fundamental right to respect for private life".

Having found that Safe Harbour is, in the US, considered secondary to national security, public interest and law enforcement regulations and can therefore be ignored when there is a conflict between the two, the European Court of Justice ruled Safe Harbour was invalid.

What happens now?

This is the million-dollar question. The immediate consequence, as the ECJ ruling states, is that "the Irish supervisory authority is required to examine Mr Schrems' complaint with all due diligence and, at the conclusion of its investigation, is to decide whether, pursuant to the directive, transfer of the data of Facebook's European subscribers to the United States should be suspended on the ground that that country does not afford an adequate level of protection of personal data".

However, it could have more far-reaching consequences for the tech industry in general and the cloud in particular.

Potentially, US companies will be required to hold all EU citizens' data within the borders of the EU. But even that may not be enough -- the outcome of a separate court battle between Microsoft and an unnamed US law enforcement agency could mean that, legally, the US considers any data held by an American company to be subject to US laws and warrants, even if it is held overseas.

James Henigan, COO of UK-based cloud services provider Outsourcery said: "Businesses that are concerned about data protection and privacy ... need to be aware what data transfer agreements their suppliers have in place with businesses in other countries."

"Don't forget that the Safe Harbour framework was introduced to allow US companies to self-certify that they provide 'adequate' privacy protections to citizen or customer data. If a customer is contracted with such a company, they now need to understand what the scope of this self-certification is and if they are satisfied with it. A company's data privacy is of utmost importance, so it's in their interest to fully consider the terms their provider is bound by in handling their data," he added.
