6 Oct 2015

What is Safe Harbor?

Safe Harbor – as the spelling suggests, it’s a US-focused invention. But what on earth is it, and why does today’s European Court of Justice decision on it matter?

The Safe Harbor deal was designed to get round one of the Awkward Realities about which I blogged yesterday: the vast majority of online services we use in the UK are based in the US.

How can we be sure that American companies are going to enforce the rights and protections which European rules give us? That’s where Safe Harbor comes in: US authorities guarantee that your data is treated with the same respect when it’s stored in the US as it would be if it were stored in Britain, France, etc.


Then along came two people; one you’ll probably have heard of, one you may not know.

Edward Snowden showed how US tech companies had cooperated secretly with the US government to give it access to billions of users’ data, including EU citizens’. Suddenly the Harbor didn’t look so safe.

But even before Snowden, an Austrian chap named Max Schrems had been pursuing Facebook over its data use. And when the Snowden revelations came out, he went to the Irish data protection watchdog and claimed Facebook was breaching his right to privacy by sharing data with America’s National Security Agency.

The Irish authority told Schrems that Safe Harbor protected his rights. He appealed to the ECJ, and today they agreed with him.

So what happens now? Well, I offer you one prediction, one intended effect, and one unintended effect:

I predict that Facebook, Google, Twitter, Snapchat, WhatsApp and countless other services we use daily will have to make some major changes. At the moment when you use these services your data flies all over the world, residing on different computer servers, many of which are American. Changing that system won’t be easy: rejigging the internet so that Europeans’ data stays inside Europe is like doing open heart surgery on Mo Farah as he nears the finish line.

Here’s an intended effect: forcing US companies to store Europeans’ data inside the EU could kick-start a lucrative data storage industry on the continent. When we interviewed the Estonian president a few years back I suspected he was hinting at this.

But here’s an unintended consequence. Any business that operates transatlantically could face a massive headache: overnight, they could be stopped from transferring data that’s critical to running the company. If you have a dozen British employees but you get your payroll done by a US company, then you’ve potentially got a big problem.

Of course, today’s decision involves not only European bureaucracy, but American tech giants and also the US government. Therefore it’s going to be years before the full ramifications hit home. But it’s yet another example of how fast-moving tech is leapfrogging 20th-century government.