What is Safe Harbour, and why has it been revoked?
The ECJ has ruled a key privacy framework for transatlantic cloud data transfers invalid. We look at what this could mean for the future of cloud services


What is 'Safe Harbour'?
Safe Harbour was a framework agreed in 2000 between the European Commission and the US Department of Commerce. The 1995 EU Data Protection Directive only permits personal data to be exported to countries that offer an "adequate" level of protection, and the Commission's 2000 decision declared that US companies signed up to the scheme met that bar.
It allowed American companies to transfer EU citizens' personal data to US datacentres and process it there, provided they self-certified to the Department of Commerce that they followed the scheme's privacy principles. This let them comply with EU data protection law without drastically changing their business model. It did not, however, place that data beyond the reach of US authorities.
Particular beneficiaries of the policy were organisations like Microsoft, Facebook, Google and Amazon Web Services (AWS), which transfer data between global datacentres dynamically.
Why was Safe Harbour challenged in court?
Maximilian Schrems, an Austrian citizen who had been a Facebook user for seven years, launched the complaint in 2013, following the Snowden revelations, with the Irish Data Protection Commissioner, as Ireland is where Facebook's European headquarters is located.
Schrems argued that the activities of the US government, such as the PRISM programme, showed that European citizens' data was not offered enough protection from state surveillance, despite Safe Harbour.
The Irish Data Protection Commissioner rejected the claim, citing the European Commission's 2000 decision that the Safe Harbour scheme provided adequate protection. However, the High Court of Ireland, before which Schrems then brought the case, referred the matter to the European Court of Justice, asking whether a national data protection authority is bound by a Commission adequacy decision or may investigate the complaint itself.
Why did the European Court of Justice rule Safe Harbour is invalid?
This is where the story gets a bit technical. The European Court of Justice ruled first that a Commission adequacy decision cannot eliminate or reduce the powers of national data protection authorities, which remain free to examine complaints about transfers to a third country, although only the Court itself can declare a Commission decision invalid. It then examined the US regime itself, finding that "under EU law, legislation is not limited to what is strictly necessary where it authorises, on a generalised basis, storage of all the personal data of all the persons whose data is transferred from the EU to the United States without any differentiation, limitation or exception being made in the light of the objective pursued and without an objective criterion being laid down for determining the limits of the access of the public authorities to the data and of its subsequent use".
It also ruled that "legislation permitting the public authorities to have access on a generalised basis to the content of electronic communications must be regarded as compromising the essence of the fundamental right to respect for private life".
Having also found that the Safe Harbour principles were, under US law, subordinate to national security, public interest and law enforcement requirements, so that US authorities could disregard them wherever the two conflicted, the European Court of Justice declared the Commission's Safe Harbour decision invalid.
What happens now?
This is the million-dollar question. The immediate consequence, as the ECJ ruling states, is that "the Irish supervisory authority is required to examine Mr Schrems' complaint with all due diligence and, at the conclusion of its investigation, is to decide whether, pursuant to the directive, transfer of the data of Facebook's European subscribers to the United States should be suspended on the ground that that country does not afford an adequate level of protection of personal data".
However, it could have more far-reaching consequences for the tech industry in general and the cloud in particular.
Potentially, US companies will be required to hold all EU citizens' data within the borders of the EU. But even that may not be enough: the outcome of a separate court battle between Microsoft and the US government, over a warrant for customer email stored in Microsoft's Dublin datacentre, could establish that any data held by an American company is subject to US law and US warrants, even if it is held overseas.
James Henigan, COO of UK-based cloud services provider Outsourcery said: "Businesses that are concerned about data protection and privacy ... need to be aware what data transfer agreements their suppliers have in place with businesses in other countries."
"Don't forget that the Safe Harbour framework was introduced to allow US companies to self-certify that they provide 'adequate' privacy protections to citizen or customer data. If a customer is contracted with such a company, they now need to understand what the scope of this self-certification is and if they are satisfied with it. A company's data privacy is of utmost importance, so it's in their interest to fully consider the terms their provider is bound by in handling their data," he added.

Jane McCallion is Managing Editor of ITPro and ChannelPro, specializing in data centers, enterprise IT infrastructure, and cybersecurity. Before becoming Managing Editor, she held the role of Deputy Editor and, prior to that, Features Editor, managing a pool of freelance and internal writers, while continuing to specialize in enterprise IT infrastructure, and business strategy.
Prior to joining ITPro, Jane was a freelance business journalist writing as both Jane McCallion and Jane Bordenave for titles such as European CEO, World Finance, and Business Excellence Magazine.