Not so safe harbour - The European Court of Justice Ruling

Not so safe harbour - The European Court of Justice Ruling

Nov 09 2015 | by JON FLETCHER

Every now and then something comes along that people don’t really want to talk about as the implications are so far reaching that it’s in everyone's interests to whistle a happy tune and get on with something else.

The Internet is famously not a great respecter of borders, sovereignty and the sort of control that you used to have with paper based information. It is common practice for data to be moved around the world depending on the best location for data centres. The best location can be dictated by staffing availability, cost, infrastructure, outside temperature (server farms need a great deal of cooling) and a host of other considerations. It really makes no difference to the end user where that CRM database sits as long as they can get hold of their data when they want.

As a result data is physically stored in a complex web of remote server farms for many companies and individuals. Indeed it is a very good idea to spread your data storage and processing across this world wide web so that should one part fail for some catastrophic reason you are still able to carry on as normal.

However… national legal systems have not really caught up with this new reality. A recent revelation by a certain Mr Snowden taught us that data stored on American servers isn’t quite as private as the European Court of Justice would like, forcing a number of people to stop whistling and take a look at the situation.

In order to allow the export of data from the EU, a ‘patch’ was applied to allow American companies to self-certify as a ‘Safe Harbour’. Up until now this has been generally accepted as making America as good as the EU when it comes to protecting data and accepting the location of the servers your service provider is using.

However, as a result of a recent ruling by the ECJ, the Safe Harbour is now not safe (at least not in the eyes of the ECJ!) The ruling came in the case of a law student who was concerned about American security services having access to his European/Facebook data.

So are you sending data across the pond to a server in the States, relying on Safe Harbour, and if so, what are the implications?, a site helping American companies to do business in Europe has the following guidance:

“In the current rapidly changing environment, the Department of Commerce will continue to administer the Safe Harbor program, including processing submissions for self-certification to the Safe Harbor Framework.  If you have questions, please contact the European Commission, the appropriate European national data protection authority, or legal counsel.”

So, basically, they haven’t a clue and indeed who can blame them. America allows far more in the name of national security that we do in Europe and this is where the problem lies. If your data moves to America then it is governed by American Law. Interestingly there is another court case involving Microsoft and an unnamed US law enforcement agency that has at its centre the proposition that any data stored by an American company, no matter where, is subject to American Law.

If you use the services of any company that stores or processes your data or that of your customers on a server in the States what should you do?

Quite clearly you should “contact the European Commission, the appropriate European national data protection authority, or legal counsel.” Or just whistle a happy tune until someone sorts things out. We’ll keep an eye on this and pass on any clarity we see.

If you would like to discuss this or any other matter related to digital marketing please feel free to get in touch.

Jon Fletcher

Not so safe harbour - The European Court of Justice Ruling