Europe's Safe Harbor ruling makes life less safe for the US cloud industry

Stuart Lauchlan, September 23, 2015
Safe Harbor suddenly doesn't look in safe hands after a European judge published a legal opinion that could have major implications for the US cloud industry - and for Europe's pace of cloud adoption.

Well, that’s torn it. In a move that’s going to do nothing to improve relations between the European Commission and the US cloud industry, a leading European judge has basically decided that the Safe Harbor agreement isn’t particularly safe.

Well, not remotely safe actually, a party line that to date has only been articulated for political gain by the likes of the former EU Justice Commissioner Viviane Reding, who’s been peddling that pitch since the Edward Snowden revelations first broke.

But while her political posturing can be dismissed now that she’s no longer in her role, yesterday’s ruling is going to be harder to ignore.

The European Court of Justice’s Advocate-General Yves Bot has declared that national authorities across the European Union should be allowed to suspend transfers of data about their citizens to the US under the Safe Harbor rules.

Safe Harbor is a data sharing agreement reached in 2000 between the European Commission, US and Switzerland that is used by US cloud companies to reassure customers that their data will be safe in data centers situated outside of the EU data protection boundaries. It is used by about 4,500 companies to transfer a wide range of commercial data, such as payroll and customer data, and all seemed fine until Edward Snowden's revelations about NSA snooping came out.

Now in a post-Snowden world, the ECJ statement from the Advocate General reads:

Given the doubts expressed during the present proceedings as to the validity of Decision 2000/520 [Safe Harbour], the Advocate General considers that the Court should determine this issue and he comes to the conclusion that the [2000] decision is invalid…the law and practice of the United States allow the large-scale collection of the personal data of citizens of the EU which is transferred, without those citizens benefiting from effective judicial protection…

The Advocate General considers furthermore that the access enjoyed by the United States intelligence services to the transferred data constitutes an interference with the right to respect for private life and the right to protection of personal data, which are guaranteed by the Charter. Likewise, the inability of citizens of the EU to be heard on the question of the surveillance and interception of their data in the United States amounts, in the Advocate General’s view, to an interference with the right of EU citizens to an effective remedy, protected by the Charter.

The statement from Bot is only a recommendation and has no regulatory authority. But what should be worrying to US cloud firms doing business in Europe is that:

  1. The Advocate-General is very rarely over-ruled by the ECJ, so the opinion will almost certainly lead to a formal legal ruling.
  2. His judgment will be leapt upon by those within the Commission hellbent on beefing up data protection regulation as a protectionist defence against the US tech industry.

Bot’s statement also actually only relates to one company and one incident. Max Schrems, an Austrian law student and long-term activist against Facebook’s data collection practices in Europe, demanded that the Irish Data Protection Commissioner challenge Facebook’s compliance with EU law. Facebook has its EU HQ in Ireland and as such falls under the Irish data protection regulator’s remit.

The Irish government, in no hurry to antagonise US firms wanting to set up shop on Irish soil, has used the existence of Safe Harbor to deny Schrems his day in court. But when this was challenged in the Irish High Court, it ended up being passed to the ECJ and the Advocate General, with a predictable response. This, remember, is the court that endorsed the controversial Right to be Forgotten.

The reaction

It is a major victory for Schrems who declares:

After an initial review of the advocate general’s opinion of more than 40 pages it seems like years of work could pay off. Now we just have to hope that the judges of the Court of Justice will follow the advocate general’s opinion in principle.

Not everyone agrees. John Higgins, director general of DigitalEurope, which lobbies for tech firms in Brussels, including Oracle, Google, Microsoft and SAP, warns:

We are concerned about the potential disruption to international data flows if the Court follows today’s opinion. In addition to the disruption a Court ruling would have on international data flows, it would also frustrate the creation of the Digital Single Market in Europe because it would fragment Europe’s approach to data flows out of the EU.

The disruption to international data flows could be felt far beyond the transfers to the US under Safe Harbor. Other similar instruments – such as model contract clauses and adequacy decisions – that underpin data transfers to many third countries may also be impacted if the Court follows the Opinion of its Advocate General.

Meanwhile Antony Walker, Deputy CEO of techUK, a UK-based trade lobby group, echoes these warnings:

Disruption to international data flows could hurt the UK's digital economy. The approach that Europe takes to how data flows in and out of the EU will impact the global ambitions of data-driven companies in the UK and right across Europe.

Thousands of companies, employing tens of thousands of people in the UK alone, rely upon Safe Harbour every day, for example to move HR data between their European and US operations. President Juncker's ambition to achieve a true Digital Single Market for growth and jobs will be underpinned or undermined by the EU's approach to data.

From a legal perspective, Frank Jennings, partner at law firm Wallace LLP and an expert on cloud-related law, believes:

The Advocate General's opinion puts further pressure on the current renegotiations of the Safe Harbor scheme.

The timing is crucial. If the full court follows this opinion and issues its ruling before the conclusion of the renegotiations, US cloud providers will effectively lose their Safe Harbour protection and their customers will likely want to review their contracts with the providers to ensure there are sufficient contractual safeguards to protect data.

The US government will not be unaware of the impact this would have on US / EU cloud business and it will want to conclude the renegotiations first. It should also ensure it provides comfort over the ability of US law to grant access to data held by US owned providers in Dublin and elsewhere in the EU.

The best bet now is to try to beef up the existing Safe Harbor regulations in a bid to appease the court. Commissioner Reding at one point in her sabre-rattling threatened to do away with Safe Harbor altogether. Her successor Vera Jourova, the current European commissioner for justice, consumers and gender equality, takes a more low-key line for now:

My aim is to ensure that European consumers' personal data is effectively protected in practice. A strengthened Safe Harbor will restore trust in EU-US data flows. I am confident that we will be able to soon conclude our work on strengthening the Safe Harbor arrangement.

My take

Washington and Brussels have been negotiating for nearly two years to update Safe Harbor. 

They just ran out of time for any more prevaricating.

US cloud firms need to look at this long and hard and make their views heard. Ending Safe Harbor would mean budgeting for a lot more data centers in Europe. While the likes of Oracle and Salesforce have taken action on this front already, others would be left playing catch-up or even abandoning European expansion plans - which would of course potentially leave European companies in the global cloud slow-lane. Nice work European legislators!
