Safe harbour is in troubled waters

Back at the start of the noughties, in 2000, the EU and the US made a deal called Safe Harbour. The deal allows US firms to take and process data from Europe without breaking EU rules. The ruling essentially meant that personal data from the EU couldn’t be transferred or processed if it didn’t meet EU privacy protection standards. Safe Harbour allowed US firms to self-certify that they met the EU standards.

Three years down the line, whistleblower Edward Snowden leaked information about the National Security Agency (NSA) surveillance scheme ‘Prism’. Prism had been gaining access to EU and other foreign data through US-based tech businesses. Safe Harbour became not so safe after this revelation, and more was to come.

It came in the form of Max Schrems, an Austrian privacy activist. He challenged Facebook, saying it did not provide an adequate level of protection for personal data and that, as such, the data shouldn’t be transferred to the US. He went to the Irish Data Protection Commission (IDPC) and asked them to audit what material Facebook passed on, but his request was declined. He contested the ruling, which took him to the European Court of Justice (ECJ).

The court ruled that a Safe Harbour Agreement doesn’t guarantee that US firms are taking suitable security measures. However, lines get blurry as the US public authorities don’t have the same restrictions. Metaphorically, US businesses could respectfully ask to milk the cow, but the US authorities can just take and drink the milk on demand. This means safety is not guaranteed, as what is illegal in the European Union is legal in the United States.

 

What does this mean?

Over 5000 businesses in the US rely on the Safe Harbour Agreement for transferring European data to the US. The ruling doesn’t say transferring and processing data to the US is illegal, but it also doesn’t give any indication of the consequences of the decision or what is to follow if you do.

Deputy Commissioner David Smith from the Information Commissioner’s Office (ICO) said in a statement: “It does not mean that there is an increase in the threat to people’s personal data, but it does make clear the important obligation on organisations to protect people’s data when it leaves the UK… We will now be considering the judgement in detail, working with our counterpart data protection authorities in the other EU member states and issuing further guidance for businesses on the options open to them.” One point to make here is that there are 28 member states, all likely to have their own views and agendas from the ruling.

The decision doesn’t stop EU-to-US data transfers; it allows EU regulators to investigate transfers they feel don’t provide enough protection. There isn’t a solution that can be switched on easily, which is why the US and EU are in negotiations.

The UK has always been apprehensive when it comes to US surveillance. Even with the Safe Harbour ruling, using UK data centres is advantageous: not only do you have the option to investigate your protection standards, but if you don’t use an American firm then you are legally protected against US authorities transferring and processing your data. Datacentreplus will offer increased privacy over many of our competitors because we are privately owned and, more importantly, British owned. Whilst many of our competitors are UK-based and UK-registered companies, ownership can come into play: if they are owned by any US company, then the DC is open to NSA and US government scrutiny.

We ask: would you want the US authorities looking through your private data without your permission, even though you run your business in an honest and professional way? We aren’t sure this is morally correct.

For a secure and robust UK-based data backup solution, contact Datacentreplus.
