EU Data Protection Event Horizon as Safe Harbour with US is ruled INVALID

Posted on October 6, 2015


Further to my earlier missive on the subject, ‘European Safe Harbour Fig Leaf falls’, the European Court of Justice (ECJ) ruling has now confirmed that Safe Harbour is INVALID.

For the full ruling please see the Court of Justice of the European Union Press Release No 117/15.

What this means for your organisation, IF you were using Safe Harbour as a convenient single standard by which you were legitimising the compliance of your transfer, storage and/or sharing of consumer data between the US and Europe, is that you will have to find another way. Safe Harbour has been ruled by the highest court in the EU as no longer an option.

The immediate fall-back would be to seek consent. Seeking consent in all cases is no mean task, as it has to be sought on an individual basis AND freely given. The latter point is the crux, for example:

  1. How freely given is consent where a customer may be tied into a US-based service and has no convenient means of extracting their data?
  2. In many EU countries employees are believed NOT to have free choice when it comes to the use of their data by employers, the implication being that the convention of consent cannot be relied on in an employer/employee scenario.

This will, for many organisations, drive a coach and horses through their Governance, Risk and Compliance programs, with particular concern being the current freedom of movement of employee data formerly covered under Safe Harbour.

There is a health warning on the Consent remedy as this in itself, whilst understood to be a valid route to compliance for now, is being questioned in the EU. This is due to many online services’ use (or abuse) of verbose ‘Terms and Conditions’ to gain consent where in reality users largely disregard the T’s and C’s and simply click through them, completely unaware of what they have committed to. Social Media platforms such as Facebook are the main protagonists in this, one suspects due to their motive to gain access to and control over end user data. The general view (not a ruling by any means) is that this type of use of T’s and C’s is not fit for purpose. See my earlier blog on this, uncannily 5 years ago almost to the day, ‘Click through to Hell’.

Sorry, I have no definitive answers for you here. It goes without saying that your first port of call will be your internal or external legal resource to clarify your position according to your own unique circumstances.

For organisations and individuals using Cloud services that could be US-centric, it will be advisable to seek clarity from your service providers. I suspect Facebook, amongst other Social Media companies, will be getting flooded. It will be interesting to see how they handle this. I am sure they will come up with some creative perspective that could tie this up in the courts for years; the hope is that such an action does not give them wriggle room to continue abusing EU end user data pending a ruling.

That will start to get you straight in light of the Safe Harbour ruling, but there still remains one fly in the ointment irrespective of any clarification you receive, or any show of good intent by the EU to allow US/EU data sharing through the ongoing negotiations of a pending Safe Harbour v2. The issue remains as to how the US is going to rule on its claim to rights over data held outside the US but under the ownership or management of US organisations.

Key to this is the current ongoing dispute over certain Dublin-based emails that are believed to be hosted in Microsoft’s Dublin Datacentre. The US has issued a warrant to seize these emails. Microsoft does not believe (supported by almost the whole of the Internet) that the US has any jurisdiction over the data in its EU facilities. A Microsoft blog post by John Frank, as far back as 2014, makes this crystal clear:

The Weltimmo Case, ruled on last week by the ECJ, gives a clear European perspective. Quote:

“Europe’s highest court ruled Thursday that if a company is operating in a particular country and targeting residents of that country for business, then it IS subject to that country’s data protection rules.”

The outstanding scenario remains whether the US takes its own view on this. The outcome of the Microsoft Dublin email warrant case could therefore be another pivotal moment. Assume then that IF the US goes against the current tide of opinion and EU rulings, any US company could become damned if they do by the EU and damned if they don’t by the US! So even a Safe Harbour v2 migration/evolution may still not be the panacea it could be, in whatever condition it gets agreed.

For now we will have to watch this space as it continues to unfold.

What I can say is there will be significant upside for opportunistic EU-based businesses to challenge the EU customer base of many US-centric Cloud service providers, AND for EU ISPs (Internet Service Providers) to enjoy a renaissance.