Last week the European Court of Justice decided to annul the “Safe Harbour” regulation between the EU and the US. What does this mean for you?
What is “Safe Harbour”?
There is a European directive – Directive 95/46/EC – which protects the privacy of every European citizen. With regard to data hosting this directive actually dictates that data of European citizens have to be hosted within Europe.
The Safe Harbour regulation is an agreement between the EU and the US which makes it possible for US companies to offer services in Europe while being allowed to store data of European citizens on US servers.
This regulation implies that European citizens have to be informed, have a right to access, and that these data have to be equally protected in the US as here in Europe, …
What has changed now?
Safe Harbour dates back to before 9/11. Snowden taught us that since the US government massively intercepts and collects communication from all citizens, and therefore also from European citizens whose data are on US servers.
This was not to the liking of Maximilian Schrems, an Austrian law student and privacy activist who launched a court case against Facebook, because he was worried about what they did with his data. This case was eventually brought before the European Court of Justice, which shook up the internet with its judgment.
The Court judged that the Safe Harbour regulation is invalid. US companies are governed by US law, and therefore massive access by the US security services could not be excluded and the privacy of the European citizen could not be guaranteed.
In other words: at this moment companies like Facebook and other giants do not have permission to store and process data of their European customers outside Europe.
What are the consequences?
This will become clear in the weeks and months ahead.
In principle US companies such as Facebook, Google, Amazon, Microsoft, etc. now have to make sure to set up European servers as soon as possible for their European customers. And your guess is as good as mine if you want to know whether this will be enough to guarantee the privacy of your data. There is already a precedent in a case where Microsoft was required to pass in data from a European customer, hosted on European servers, to the US government.
New negotiations between the EU and the US will have to take place. Many a lawyer will be studying the ruling in the weeks ahead. It does not seem likely that Facebook will suddenly become unavailable to Europeans.
However, this ruling is food for thought about where your data are stored best. Your customers can hold you responsible if you store data from European citizens on a US cloud.
Through KanaalZ we have already expressed our concern about the matter:
If you do not want insecurity about responsibility, you should choose the servers at Nucleus. We commit in a contract that all data, including backups, are hosted on our own infrastructure on Belgian territory. So there will be no discussion about it at any time.
Discover more about the Nucleus cloud.