Exodus to Euroland: Early Effects of the EU Safe Harbor Collapse

On October 14th we wrote about the European Court of Justice (ECJ) declaring invalid the Safe Harbor framework that allowed personally identifiable information (PII) to be transferred between Europe and the USA. This left a huge public policy question hanging: Is it legal for companies doing business on the web to store the PII of European citizens on servers based in the USA? Does this ECJ decision open the door to companies being sued by public or private entities in Europe?

There have been a few developments since our initial coverage, both from the European Commission and in the form of reactions from companies. Here's the latest update:

The European Commission (EC) has released a 'communication' regarding the invalidation of Safe Harbor. The communication states that considerable progress has been made on both sides of the Atlantic in coming up with Safe Harbor 2.0. Here's a key extract from its Conclusion section:

As confirmed by the Article 29 Working Party, alternative tools authorising data flows can still be used by companies for lawful data transfers to third countries like the United States. However, the Commission considers that a renewed and sound framework for transfers of personal data to the United States remains a key priority. Such a framework is the most comprehensive solution for ensuring effective continuity of the protection of personal data of European citizens when they are transferred to the United States. It also provides the best solution for transatlantic trade as it offers a simpler, less burdensome and therefore less costly transfer mechanism, in particular for SMEs.

Already in 2013, the Commission started negotiations with the U.S. government on a new arrangement for transatlantic data transfers based on its 13 recommendations. There has been considerable progress in bringing the views of both sides together, for example on stronger monitoring and enforcement of the Safe Harbour Privacy Principles by, respectively, the U.S. Department of Commerce and the U.S. Federal Trade Commission, more transparency for consumers as to their data protection rights, easier and cheaper redress possibilities in case of complaints, and clearer rules on onward transfers from Safe Harbour companies to non-Safe Harbour companies (e.g., for processing or sub-processing purposes). Now that the Safe Harbour Decision has been declared invalid, the Commission has intensified the talks with the U.S. government to ensure that the legal requirements formulated by the Court are complied with. The objective of the Commission is to conclude these discussions and achieve this objective in three months.

The bottom line: the Commission reports progress in its talks with the US government and has set itself a three-month deadline to conclude Safe Harbor 2.0. Note also the first sentence of the extract: in the meantime, companies are expected to rely on the alternative transfer mechanisms (such as standard contractual clauses) that the Article 29 Working Party has confirmed remain available.

In the meantime, here in the Seattle area, Microsoft announced today that it is opening a data center in Germany which will be owned and controlled by Deutsche Telekom, a German company. The effect of this move is that any request to access data in this facility will have to go through Deutsche Telekom and will be subject to German law rather than to a US court order served on Microsoft.

This move by Microsoft is a direct response to the NSA/Snowden revelations and to Microsoft's inability, as a US company, to protect customer data from US intelligence requests. According to Microsoft CEO Satya Nadella: "We need to earn both trust of our global customers and operate globally. That's at the cornerstone of how we've done business and how we will continue to do business."

The model Microsoft is using is a 'data trustee' model: it appoints a foreign company to act as trustee of customer data, so that Microsoft itself no longer has access to that data and therefore cannot be compelled to hand it over to the US government. It is a new model; whether it will hold up in practice remains to be seen, and some analysts think it may complicate the US/EU negotiations for Safe Harbor 2.0.

There is an expectation in the industry that we will see a data center build-out in Europe over the coming months, with other companies taking a similar approach. Companies like Syncplicity, a former EMC unit, are already adding capacity in Europe to offer their customers the option of storing data there.

As a WordPress publisher and business owner who may be storing the PII of European citizens, you are still forced to take a wait-and-see approach while the EU and USA negotiate Safe Harbor 2.0, which will set the rules for how you must treat the data of EU citizens. However, options to store data in Europe are emerging now, with this move by Microsoft and similar moves by other companies. So if Safe Harbor 2.0 does not arrive soon enough, you at least have the option of moving your hosting to Europe if you find yourself under significant pressure to do so.

We will keep you posted on developments that may affect WordPress publishers and others in our industry.

Comments

8 Comments
  • Microsoft actually already opened its first data center in the Netherlands 2 days ago and has started building a second one there, too.

  • Thank you for the update on this, it will be interesting to see how Safe Harbour 2.0 works out. I think this is really important to consider when deciding where to host PII. Thankfully we host our client websites and databases on UK based hosting.

  • According to the Microsoft representative interviewed by Sky News yesterday, Microsoft plans to offer this European data storage facility only to its largest, select clients during 2016 and "may" roll it out to smaller companies sometime after 2016, but has no solid plans to include SMEs and individuals in this project.

    CNN also covered it here:

    http://money.cnn.com/2015/11/11/technology/microsoft-germany-data-center-privacy/index.html

    Further, today's revelations that the German government routinely spied on companies and organisations worldwide, may mean that companies moving their data from the US to a European data centre may merely result in them jumping out of the pan and into the fire!

  • European policy makers must sit around thinking up ideas on how to annoy people and businesses around the world. For example, the cookie notice on websites hosted in Europe: it's just annoying. But you know what it did do? It had website owners hiring developers, who in turn paid taxes on the money they made.... you get where this is going. Europe is money hungry. So, for US companies to keep EU personal data, they need to have EU servers in EU data centers... I wonder who profits from that? This policy has nothing to do with privacy whatsoever; it's all down to money. Most of the large companies like Microsoft, Google and Facebook have a strong foothold in the EU, but due to the tax incentives that were used to get them here, the EU can't simply ask them to pay more taxes, so it has to find other ways to get money from them, and this is one of them... expect more stupid policies just like this one from the EU over the coming years.

    • Oh, it's nice how you don't even understand the least piece of the European mentality.

      • What do you believe is the 'European mentality' on this issue?

  • In fact there is no difference for hosting at "Deutsche Telekom", as this company was the first to deliberately work together with the BND ("Bundesnachrichtendienst"), the German equivalent of the NSA, and the BND and NSA work together and share their data.

  • How do these laws impact someone like myself in Australia? Say I have a small web site and sell ebooks, or people join a forum on my page, and I have people in Germany, France etc as members and customers?

    Do I need to keep data on European servers?