Safe Harbour: the Augean Stables of the data centre industry

Written by Max Smolaks, News Editor at Data Centre Dynamics. Published 2016-05-31 10:33:46

Call it anything you want: the data sharing agreement with the United States will never work the way we want it to.

In October 2015 Max Schrems, a law student from Austria, singlehandedly brought down the Safe Harbour agreement - a legal tool that enabled personal data exchange between servers located in the EU and those in the US.

Schrems figured out that the mass surveillance operations carried out by the American spy agencies and revealed by Edward Snowden weren't compatible with the principles outlined in Safe Harbour. He then chose a very public target and took the matter all the way to the Court of Justice of the European Union, the highest court in the land.

The CJEU was forced to admit that yes, the widely reported mass surveillance operations were indeed a terrible thing, and Facebook couldn't guarantee the safety of EU citizen data from the US government.

It invalidated the framework with immediate effect, causing chaos - did this mean that personal data transfers between London and New York were now illegal?

Almost immediately, the EU-US Working Group on Data Protection started drafting a replacement that would achieve the same result as the original, require no policy changes from the US government, and yet somehow comply with all of the EU rules.

Here’s the problem: an increasing number of industry experts warn that this type of framework simply cannot fulfil its mission until the White House changes its position – and that’s not likely to happen anytime soon. So moving into a data centre in Europe remains by far the simplest option to comply with all of the relevant regulations.
An impossible task

The replacement for Safe Harbour, humorously named the EU-US Privacy Shield, has passed the draft stage and was recently criticised in a letter signed by 29 organisations from both sides of the Atlantic, including the Electronic Frontier Foundation, La Quadrature du Net and the American Civil Liberties Union.

"The Privacy Shield will put users at risk, undermine trust in the digital economy, and perpetuate the human rights violations that are already occurring as a result of surveillance programs and other activities," stated the document addressed to the Article 29 Working Party, a conclave of Europe's national data protection authorities.
Another critic of the draft is Jan Philipp Albrecht, a Member of the European Parliament for Germany and a campaigner for civil rights and data protection. "I'm not convinced that the new framework adheres to these [CJEU] requirements, because we are not changing the legal environment in the US and that's exactly what's been criticised by the court," he told me at CeBIT in March.
"Rather we are having some promises from the US administration that they will handle it better - and the laws stay like they are. It's nice, but for legal assessment, I don't think it will be sufficient."

A more recent example comes from the Netherlands, where last week the Dutch Datacenter Association said that the draft “offers none of the improvements necessary to better safeguard the privacy of European citizens.” This industry body includes some of the world’s largest players like Equinix, Interxion and Digital Realty, so their opinion will carry considerable weight.
How we got here

Safe Harbour was developed by the US Department of Commerce and adopted by the European Commission in 2000 as an alternative to drawing up a specific contractual arrangement between any two companies that exchange information across borders.

The framework outlined seven data protection principles and assumed that any organisation that signed up to it would comply. It relied on self-assessment, and self-assessment is once again the cornerstone of the EU-US Privacy Shield.

In the official 2004 review of the framework, a team of academics discovered that out of the 400 companies displayed on the Safe Harbour website, a third did not have any kind of privacy policy published online. The list of problems found with existing privacy policies was 13 pages long, and included such jewels as 'ambiguous and contradictory policies' and 'dubious status of privacy programs'.

In 2008, research firm Galexia published its own review, and found that out of 1,597 entries on the list, only 348 organisations met the requirement of Safe Harbour's Principle 7, which guarantees the right to enforcement and dispute resolution in data privacy matters. It also found 206 organisations that were not current members of the framework, but claimed to be part of it.

By September 2013 Safe Harbour had a membership of 3,246 companies. That year, the European Commission expressed "deep concerns about revelations of large-scale US intelligence collection programmes" and made 13 recommendations aimed at reforming the data sharing framework. Despite these efforts, two years later Safe Harbour was struck down by the CJEU.
Racks, not lawyers

Don’t get me wrong, eventually the EU-US Privacy Shield or another data sharing agreement will be passed into law. While the EU is working on a solution, the US Department of Commerce continues to administer the defunct Safe Harbour program, even processing submissions for self-certification.

But it could take months or even years until we have a working replacement, leaving businesses in legal limbo, and there’s no guarantee that the EU-US Privacy Shield will survive the kind of court case that brought down its predecessor.

Global businesses need to exchange information, and that hasn't changed. But around the world, governments are increasingly adopting strict principles of data residency – if the EU is too soft on enforcement, countries like Russia and China certainly aren’t. In this new world, executives should spend their money on racks, rather than lawyers.