No Safe Harbor: how one court ruling has blown data protection apart

Until 6 October 2015, implementing data protection between Europe and the USA was straightforward.

Organisations which had to comply with EU data protection laws had to maintain that compliance wherever they moved protected data. Within the EU this was no problem, as all states within the EU have to conform to the same overarching directives. For the US, the European Commission had deemed that compliance with its Safe Harbor frameworks met equivalence.

Then came the Court of Justice of the EU’s judgement on Schrems -v- (the Irish) Data Protection Commissioner.

This states that the European Commission’s acceptance of Safe Harbor as an equivalent to EU law is invalid, and refers back to the Irish data protection commissioner a claim by the good Maximilian Schrems, an Austrian, that Facebook’s transfer of data to the US under Safe Harbor is a breach of data protection law, and must therefore be suspended.

On the face of it, this might be a triumph for those campaigning for better protection of privacy, particularly in Europe. Unfortunately it creates a major confrontation, in which the EU and its citizens stand to lose. Badly.

Safe Harbor

Prior to this judgement, there were three practical scenarios.

EU organisations which hold protected data have no choice but to comply with their national and EU data protection law. If they want to transfer data to the US, then Safe Harbor alone was never really sufficient to ensure compliance, and these issues have to be covered by a contract which would satisfy those enforcing the law within Europe.

Corporations and other organisations which are domiciled outside the EU and have no business unit within the EU – like Ashley Madison – can acquire data which is protected under EU law, but because they do so from outside the EU, they do not have to comply with EU legislation or Safe Harbors. I have argued that I believe that to be wrong, and that it needs to be addressed in EU legislation.

US and other organisations which have business units within the EU, including Apple, Google, Microsoft, and Facebook, have been able to move protected data from the EU provided that they complied with the Safe Harbor scheme.

Apple's Privacy Policy on Safe Harbor: now not worth the pixels on your display.

Anyone looking critically at the Safe Harbor scheme and EU law recognised that, at its minimum, the scheme fell well short of complying with EU law. However the scheme had taken careful negotiation, and many of its implementations are exemplary: if you have not read Apple’s Privacy Policy recently, then this might be a good time to do so.

The unsolution

Safe Harbor was a practical solution to a problem which has now been unsolved.

Instead of the EU being able to work with the US, and major holders of protected data, to develop better protection, the data protection commissioners of the states within the EU are now going to be obliged to successively force every US corporation with an EU office to suspend transferring protected data to the US.

There is neither the time nor the opportunity for either side in the conflict to do anything effective about this.

Changing Safe Harbor overnight to satisfy what the Court of Justice of the EU might require is impossible, and would certainly require a long period of delicate negotiation and concessions on the part of the EU. Negotiations already taking place between the EU and US to replace Safe Harbor with more protective arrangements are said to be “well advanced”, but are hardly going to be helped by this standoff.

Changing EU law overnight to accommodate Safe Harbor is equally impossible.

Europe wins?

Of course the major US corporations affected could threaten to do what the Court of Justice seems to want: they could turn off their European services completely. Although some of us might find life momentarily better without Google’s omnipresent advertising, think what your Mac, iPhone, and iPad would be like without the App Stores, iTunes content, Apple Music, and everything in iCloud. Or worse, think what they would be like run from servers in Europe alone. If any party is going to lose its temper and get silly over this, we in Europe do not hold any strong cards, and can only suffer the more.

Someone is going to have to come up with a compromise, and quickly.

Judging by the outcomes of past such confrontations, and knowing who holds the strong cards, I won’t be betting on the EU getting its own way.

I suspect that there will be a lot of back-pedalling among those responsible for enforcing the law in the EU, who are already saying that it will take them some weeks to come up with revised guidance on the ‘options open to EU businesses’. The Irish Data Protection Commissioner will grind slow in trying to implement the judgement of the Court of Justice, and determine whether Facebook must stop moving protected data to the US.

Finally some fudge agreed in closed meetings will be announced as the way forward, but it will not address any of the real concerns about the protection of personal data within or outside the EU. If anyone thinks that court judgements are a good way forward in improving data protection, then they have forgotten the words of Charles Dickens in Oliver Twist:

“If the law supposes that,” said Mr. Bumble, squeezing his hat emphatically in both hands, “the law is a ass — a idiot. If that’s the eye of the law, the law is a bachelor; and the worst I wish the law is, that his eye may be opened by experience — by experience.”