Safe Harbour: Tech firms shudder as watchdogs meet

A meeting of EU data watchdogs is set to have wide-ranging ramifications for the way businesses handle data.

Regulators need to decide how to act in light of a court ruling last year that invalidated the Safe Harbour agreement with the US.
The pact made it relatively easy for companies to send personal information from Europe to data centres in the US for processing.
Lawmakers are still negotiating a replacement trade deal.
The data protection authorities are expected to make their views know on Wednesday at the end of the two-day event.
But their determination could affect tech giants including Google, Apple and Facebook – whose cloud services rely on such transfers – as well as thousands of smaller business who have outsourced payroll processing and other tasks to US-based organisations.

Remind me again, what exactly is Safe Harbour?

The EU forbids its citizens’ personal data from being sent to places that don’t guarantee “adequate” privacy protections.
In order to avoid this restriction bogging down transfers to the US, it was decided that American firms could self-certify that information sent to their data centres would be properly protected.
This Safe Harbour agreement came into force in 2000.
About 5,000 US companies took advantage of the deal to facilitate transfers.

What went wrong?

In 2013, the whistleblower Edward Snowden leaked a mass of documents detailing the US security services’ cyber-spying operations.
In light of the revelations, an Austrian privacy campaigner – Max Schrems – asked Ireland’s data regulator to audit what information Facebook might be sharing with the NSA.
It declined citing Safe Harbour, but the matter was referred up to the European Court of Justice.
Last October, the court ruled that the the decision to enable Safe Harbour was invalid, and as a consequence national data watchdogs could indeed review transfers on an individual basis.

So, did the regulators try to stop transfers straight away?

The EU and US had already been negotiating a new data transfer pact for some time, dubbed Safer Harbour.
The aim is to give European citizens greater privacy safeguards without stopping US tech firms from being innovative.
The watchdogs opted to observe a grace period in order to see if a new pact might be agreed before 31 January that would influence their decision.
Although negotiators are reported to have made progress, no new deal has yet been agreed.

Wait a minute. Didn’t several of the tech firms suggest they could carry on regardless despite the Safe Harbour ruling?

Right. Many of the firms affected initially thought the ruling would just be an inconvenience as they could get their lawyers to draw up papers known as “model contract clauses” and “binding corporate rules” to keep the transfers legal.
This might have involved a lot more work, but the companies believed that the contracts – already used to send data to other parts of the world – could also be used to authorise the use of US data centres.
However, many expect the regulators will think that would be against the spirit of the ECJ’s ruling.
“When you look at the grounds the court used to invalidate Safe Harbour, you could apply more or less verbatim the same reasons to invalidate the alternative methods,” commented Annabelle Richard, a lawyer at Pinsent Masons.
“That would make it extremely difficult to export date from the EU to the US.
“It would become almost an exception to have permission, and I don’t see how in reality that could work out because many companies depend on the transfers from an economic perspective.”
What are the tech giants saying?
The big tech firms declined to provide comment for this article, but several indicated that, at the very least, they needed clarity on what the rules now were.
“Some organisations have sought to repatriate data and minimise the number of data transfers that they have to undertake,” added Antony Walker, deputy chief executive of the lobby group TechUK.
“But other companies’ structures and processes mean that’s almost impossible to do.”

Is there a way out of this mess?

European Commission and US government negotiators could still clinch a deal.
It has emerged that the Americans have offered to appoint an ombudsman to oversee complaints and respond to inquiries about alleged privacy breaches as part of a proposed Safer Harbour deal.
The Europeans still want guarantees that such an official would have real teeth and would not stay quiet if the security services were found to have overstepped their bounds.
But the point is that if the data watchdogs believe that a deal is close they may try and fudge Wednesday’s announcement to give the talks more time.
The alternative is that the regulators do indeed try and enforce a data transfer clampdown.
One of the tech companies has suggested that if that happens there would be legal grounds to challenge the move and seek to bring the matter back before the ECJ.