European Safe Harbour Fig Leaf falls

Posted on September 24, 2015


The European Safe Harbour regulations, intended to protect the data of European citizens from predatory US practices, have been in question for some time. Facebook is still in court over this with a ruling pending, and Google’s convenient misinterpretation of Safe Harbour and modification of European Model clauses is well known.

The Snowden revelations have been instrumental in peeling back the layers of obfuscation around European Safe Harbour, but the final nail in the coffin could be the opinion from the top adviser to the European Court of Justice (ECJ), the Advocate General, Mr. Yves Bot. Quote from the Advocate General’s Opinion in Case C-362/14, published yesterday (23rd September 2015):

“mass, indiscriminate surveillance” carried out by US intelligence services renders a 15-year-old ‘Safe Harbour’ agreement, which makes it easier for US companies to comply with EU data laws, invalid.”

Whilst I hasten to point out this is still an opinion, NOT an ECJ ruling, the ECJ rarely ignores the Advocate General’s advice. It is an opinion that will be even harder to ignore when underpinned by its members, especially Germany. Member of the European Parliament (MEP) Jan Philipp Albrecht said of the Advocate General’s opinion:

“It is unacceptable that the European Commission has ignored this demand for a year and a half. It is now time for the Commission to finally suspend ‘Safe Harbour’.”

The strength of the opinion should not be understated; the Advocate General confronts the hard truth of the current system. Quote:

“The access enjoyed by the United States intelligence services to the transferred data constitutes an interference with the right to respect for private life and the right to protection of personal data, which are guaranteed by the Charter,”

There is no obvious cosmetic remedy or quick fix. This is a core failure in the 15-year-old Safe Harbour system that has allowed companies like Google, Facebook, Microsoft and Apple to self-certify their compliance with the EU’s data protection directive. This will need to be re-worked and re-negotiated. Its successor system will, amongst other conditions, need to explicitly:

  1. Provide adequate protection of users’ data from access or surveillance by National Agencies.
  2. Impose more diligent controls that install greater independent oversight in the certification process.
  3. Provide accountability with ‘teeth’ for non-compliance.

The ramifications will become clear as the US tech giants review their practices in light of an acknowledged failing of Safe Harbour. This is unlikely to be a simple process, with US companies having to clearly segregate their current service engagements with Europe at technical, operational and potentially corporate structural levels. The most telling test is likely to come from the data protection authorities in the 28 EU members. Are these independent sovereign member countries likely to allow data transfers at the whim of US companies that are subject to mass surveillance laws? I would suggest it is unlikely. This pulls into centre stage Snowden’s NSA revelations on mass surveillance systems and programs such as PRISM and the coercion of its own nationals into complicit practices. The US Government agencies’ gung-ho thoughtlessness has dragged the reputation of some of its leading technology brands into the gutter with them, albeit giving the tech giants the benefit of the doubt that they had little legal choice. All in the cause of what, terrorism prevention? Before you let your opinions loose on this, PLEASE peruse:

  1. The short Electronic Frontier Foundation (EFF) paper on ‘Busting Eight Common Excuses for NSA Mass Surveillance’.
  2. The ProPublica (Journalism in the Public Interest) FAQ: ‘What You Need to Know About the NSA’s Surveillance Programs’.

There is no hard proof that this means an escalation in terrorist activities or risk to national security, as many of these national agencies will vociferously proclaim, any more than would be likely as things stand today. Neither does it mean the end of the internet or a hurdle to the European Digital Single Market. The latter point is being peddled by the director general of technology industry association DigitalEurope. DigitalEurope is meant to represent the digital technology industry whose members include and trade associations. It cannot be ignored, however, that this class of commentary seems to reflect the overwhelming influence of its multi-national members, including Microsoft, Google and Apple. This type of scaremongering is so blatantly self-serving it is an embarrassment to the industry. Sadly, it reflects the trough these global multi-nationals feed at, their succour being the data of innocent users who engage their technologies in good faith.

The truth is there are significant potential upsides from a re-setting of the rules. There will be short-term disruption to current practices for the multi-national IT companies, who may be required to commit to European inward investment in greater European centricity and separation of operations. Beyond that, the regional Internet Service Providers who have seen their lunch stolen by the global players could see a resurgence of interest and opportunity in European cloud-based services and solutions. This could take many forms, from partnerships with the big global players to niche regional datacenter offerings or European versions of US-centric services. Opportunity knocks for European IT cloud service businesses and innovation.

One final point that we must not lose sight of: in the United Kingdom we have our own National Agency challenges in the form of GCHQ (Government Communications HQ), which is complicit with the NSA. So, worryingly, this could be considered a potential backdoor into any future Safe Harbour successor if not securely closed off. Other transatlantic national agency relationships with European member countries also need to be kept on the radar, as they represent the same loophole.

For now we await the final ruling from the ECJ, which is some weeks, if not months, away.