Data protection is somewhat like health and safety. You know it’s there for your own protection, but it’s still about as comforting as a penitent monk’s winter underwear selection. A legal opinion published by the European Court of Justice (ECJ) yesterday means data protection could become more than just an irritation, however. It could seriously disrupt transatlantic internet services.
Yves Bot, Advocate-General (AG) of the ECJ, found that the Safe Harbour rule governing the transfer of data from the EU to the US is ‘invalid’, with potentially serious consequences for the 4,400 plus US firms that operate under that rule.
Safe Harbour allows American firms to transfer data on EU citizens to the United States, which Europe considers to have insufficiently strict data laws, by self-certifying that they do indeed live up to the EU’s higher standards.
If the court support’s Bot’s non-binding opinion – and in most cases the ECJ does listen to its AG – then firms like Facebook would effectively be unable to send certain types of data on its users to the US, potentially having to build duplicate data centres over here at significant cost.
The opinion represents a provisional victory for privacy campaigner Max Schrems, who has been taking Facebook to task since the Snowden revelations for exposing EU citizens to surveillance by American intelligence agencies – something the social network denies but the European courts consider a matter of fact.
‘This finding, if confirmed by the court, would be a major step in limiting the legal options for US authorities to conduct mass surveillance on data held by EU companies, including EU subsidiaries of US companies,’ said Schrems, who pointed out that Safe Harbour doesn’t govern such day to day things as emails or bank transfers.
The internet won’t come to juddering halt if the ECJ backs Bot’s opinion later this year, then. But the consequences could still be far reaching, particularly for the big US tech firms. It’s not that Facebook or Google can’t afford to build new data centres and hire more data protection officers in Europe. Rather, they face the unenviable prospect of being stuck between two bickering trade superblocs, each with the power to issue substantial fines.
What does a company do when US law requires it to hand over data and EU law forbids it? ‘One could almost feel bad for multinational [sic] being trapped between the different laws, if they wouldn’t have developed these structures with the main aim of using differences in national laws to pay almost no taxes,’ said Schrems. Would anyone like a slice of schadenfreude with their court victory?
Perhaps more worryingly for the British economy, the extra costs associated with the possible end of the Safe Harbour rules could create a barrier to entry for younger US firms wanting to expand here, slowing the eastward stream of tech American innovation.
Anthony Walker of industry group Tech UK told the BBC that the end of Safe Harbour would also ‘impact the global ambitions of data-driven companies in the UK and right across Europe’.
There’s no need to start stockpiling the baked beans and condensed milk quite yet of course. Whatever the ECJ decides, it won’t break the internet, even if it does have negative effects on businesses on both sides of the Atlantic.
But it should advance the conversation about how society should adapt to the new possibilities and threats from rapidly evolving technologies, just as the EU's battle with Google over its dominance of the search business is. With the outcomes ranging from stifling bureaucracy to a wild west of data, it’s a conversation in which the voice of business needs to be heard.