Data protection: No safe harbour

 Murad Ahmed, Richard Waters and Duncan Robinson

“The approach from most people is that you can’t take on the big companies because they will always win because they have more money,” he said, laughing. “But they didn’t have the law on their side.”

Mr Schrems’s legal victory — which earned him a herogram from Edward Snowden — has become a watershed moment in the transatlantic digital relationship. Since the Snowden revelations about online surveillance by US security services, that alliance has been under strain. Now, one of the props that supported the free flow of data across the Atlantic has been kicked away.

On Tuesday, Europe’s highest court invalidated a 15-year pact between the US and the EU that made it easy for American tech companies to ship personal information about European citizens to their home bases — even though US privacy regulations are viewed by critics as weaker than those on the other side of the Atlantic.

The stuff that fuels everyday digital life for millions of Europeans — their Facebook posts, Gmail messages and tweets — has been available for export to data centres in the US, where the contents can be stored, processed and re-exported without the formal regulatory protections they would get at home.

In a complaint against Facebook to data regulators in Ireland, where the social networking company has its European base, Mr Schrems argued that letting so much data flow to the US has exposed Europeans to American spying. By backing that claim, the European Court of Justice has whipped the rug from under thousands of companies that relied on the treaty’s protection to send information wholesale to the US, and left them scrambling to find a new legal foundation for their handling of cross-border data shipments.

The scrapping of this so-called Safe Harbour clause fits a recent pattern of European resistance to the global march of Silicon Valley. Fed by anger at the Snowden revelations and deepening worries about the threat digital upstarts pose to the continent’s industries, a backlash has been building.

Exasperated, US tech groups warn that Europe risks cutting itself off from the digital revolution. According to this view, at the very moment that Europe is trying to forge a single continent-wide market to foster its own digital industries, it is putting up barriers that will block open competition.

“We’ve hit a moment of truth,” a senior executive at a Silicon Valley company said of the court ruling. “The politicians have to ask, do we really want to end up with Fortress Europe?”

Until it was invalidated this week, Safe Harbour was a particularly sore point in the transatlantic digital alliance. It was a loophole that allowed US companies to bypass European privacy laws: all they needed to do was agree to seven principles on how they would handle Europeans’ personal data, such as keeping it secure and giving individuals the right to opt out of having their information sent to third parties.

“It was a ‘get out of jail free’ card,” says Rajiv Gupta, chief executive officer of Skyhigh Networks, a US internet security company. “It was reassuringly simple to make that claim.”

“It’s hard to say if Safe Harbour was abused,” Mr Gupta says, though he adds that US companies have used the concession “perhaps a little too liberally”.

The agreement, which was hammered out without legislative oversight in 2000, became a vital artery for business worth billions. Despite its importance, few paid attention beyond privacy advocates who argued that it was inadequate. By this week, some 4,400 companies were covered by exemption, a 37 per cent jump in barely 18 months.

The liberal regime that has let so much private information pour across the Atlantic with such little constraint also suited the interests of the US intelligence services. Among the Snowden leaks was an acknowledgment that having “home field advantage” — housing much of the world’s internet infrastructure and having so many leading tech companies on their own soil — has made it easier for US agencies to tap into the world’s data flows.

It took a private individual to successfully challenge a key part of this regime. Mr Schrems, who had already won some prominence with a one-man pressure group called Europe v Facebook that he started in 2011, took up the Safe Harbour cause after deciding that official responses to Snowden were inadequate.

“It’s like with the banking crisis, there was outrage and then we all keep on walking by,” he says. “Letters went sent, words were said. The usual drill. But there was not really any change.”

Mr Schrems says many data protection lawyers declined to represent him, apparently for fear of losing the business of more moneyed corporate clients. But he was able to fight the case after securing €65,000 in small donations from “concerned citizens” and forging a small team of European law experts and academics.

But critics warn that these workarounds are weaker than they appear and might now be shot down by privacy watchdogs. As Oliver Yaros, senior associate at law firm Mayer Brown points out: “If Safe Harbour can be challenged, what is there to stop someone else challenging those decisions as well?”

As a result, Mr Schrems’s success is likely to accelerate a shift that was already under way, with US companies housing more European data locally. Big companies such as Microsoft and IBM have long kept networks of data centers around the world, but “cloud” services companies like Salesforce and Amazon Web Service — the internet retailer’s IT arm — are racing to set up local facilities.

But smaller companies that lack extensive infrastructure could be left behind by this spreading localisation. The pressure will be eased by the fact that many small tech companies themselves rely on companies like Amazon Web Services — though that is likely to drive more business to tech giants and make it harder for newcomers to take them on, says Sean Gourley, co-founder of Quid, a US data analytics company.

The legal change could also hit companies in Europe. Jan Rezab, founder of Socialbakers, a Prague-based social analytics company, says the ECJ’s ruling could cost his company millions as it goes through the strenuous task of shifting data held on American computing infrastructure back to Europe, or securing the technical legal agreements to satisfy the new data protection regime.

There have also been warnings that the more restrictive rules will hamper the spread of digital innovation and hurt European consumers.

“It will put off early stage tech companies from expanding into Europe,” says Hiroki Takeuchi, chief executive of GoCardless, a London-based financial technology start up. “Airbnb could handle this ruling fine now, but could it have handled it when they first started in Europe? Maybe not. Maybe it would have gone to Asia first.”

Forcing more data to be stored and processed in Europe, meanwhile, could end up having strong commercial as well as political consequences.

Some groups, such as CNIL, the French privacy watchdog, argue that increased activism on data protection could help European start-ups by forcing international companies to comply with Europe’s higher privacy standards — removing one of the advantages that has favoured US internet companies.

The fight over trade in data is no different from battles in other sectors , says Mr Gourley — and the Europeans “are a long way behind the Americans”. Of the online data storage business, he adds: “It’s likely to be a $50-$100bn industry in the next three or four years — Europe wantssome of that.”

Exactly how hard the ECJ’s decision bites will depend a lot on the political fallout from the case. It comes after months of transatlantic prevarication, with the US and EU gridlocked in talks over how to tighten the Safe Harbour to meet European concerns. The European Commission’s demands are brief, filling less than a single side of A4 paper. What Brussels wants is simple but difficult to give: guarantees about when and how US intelligence agencies are able to examine data from EU citizens.

If this week’s court ruling makes it more difficult to reach a new one, then the intrepid Mr Schrems will have gone a long way to resetting digital relations across the Atlantic. While the tech industry waits for the outcome, there is growing dread that the world is sleepwalking towards the Balkanisation of the internet, with cyber space increasingly split along national boundaries.

“It depends on how extreme it gets,” said Armin Ronacher, a software engineer who splits his time between the UK and Austria. “If the US and Europe both want the data of the citizens held in their countries, it’s the end of the global internet.” /The Financial Times