Safe Harbour and The Storm That Followed

Safe Harbour and The Storm That Followed

Monday 23 November 2015 - Ammar Thair

People say the unique miracle of science is that suddenly a discovery could be made that turns the entirety of the field on its head, case in point, the discovery that neutrinos oscillate and therefore have mass, which earned both the Nobel prize, and the rewriting of Physics textbooks everywhere. However, is this kind of miracle exclusively scientific? Is the Law really that different?

Up until the 6th October 2015, there existed a data-sharing pact between companies in Europe and the USA, known as the ‘Safe Harbour’ Agreement. In essence, it allowed the transfer of EU citizens’ data to the USA, and was viewed as a “streamlined and cost-effective” method for US firms to legally obtain data from Europe. Given the contemporary issues of phone hacking and the revelatory whispers of Edward Snowden, it’s clear that concern surrounding the protection of privacy is at an all time high.

Accordingly, the veil of compliance provided by that agreement since its inception in 2,000 would have been welcomed by many, as it provided both reputational and operational cover for any company seeking to take shelter from a storm of socio-political objection. Thus, the agreement’s popularity was widespread and under this umbrella, a crowd gathered.

Having been in force for a total of 15 years it acquired the reliance of approximately 4,400 businesses, many of whom considered it integral to their operating model. Crucially, it allowed companies such as Amazon, Microsoft and Google to self-certify the protection of EU Citizens’ data, when such data would be transferred and stored within the US. Having transcended its childhood years without much problem, it appeared that the agreement would enter its adolescence in much the same way.

However, suddenly, in the conclusion of a 2-year legal challenge brought by an Austrian campaigner, the European Court of Justice declared this agreement to be invalid, citing that it did not adequately protect consumers, with concerns that American intelligence agencies could gain unlawful access. Though it is perhaps unsurprising that something of a teenage disposition would invoke the ire of the courts, the effects of the verdict were nonetheless felt far and wide.

It’s fair to say that not dissimilar to the revelatory effect upon Professors of Physics everywhere, the declaration had left lawyers from companies such as Google, Amazon and Facebook in shock, scrambling to find out what this means, and what they will have to change. The White House has itself expressed disappointment that a “critical” agreement had been ultimately negated, on the basis of “incorrect assumptions about data privacy protections in the United States”. So the big question on everyone’s minds is: what does this mean? Will US companies no longer be able to transfer data back to the mainland? Not quite.

The CJEU’s ruling does not immediately prevent the sending of data by US Companies, but rather it allows the courts of each EU Member State to rule, as the CJEU has done, that the Safe Harbour agreement is in fact illegal in their country. Furthermore, it is deemed unlikely that any national court would go against the CJEU in this particular decision. On the contrary, Ireland, which serves as both the European base of Facebook, and the country whose High Court had originally referred the case to European Court of Justice, has now said that it plans to investigate the transfer of personal data from Europe to the US, pertaining to users of Facebook.

In the wake therefore of such impending investigations, one would expect the companies, now seemingly without the shelter that provided them safe harbour, to be a little worried as to the ramifications for their business. However, in practical terms, most claim to be largely unaffected. Satya Nadella, CEO of Microsoft insisted that Microsoft “can [still] transfer data by relying on additional steps and legal safeguards [they have] put in place”, whereas Facebook also said it was unaffected practically by the ruling- though it’s important to note that both urged the need for a renegotiation of Safe Harbour to be both sensible and swift. Additionally, The Internet Association argues that small US firms could be the ones that struggle, calling for the “US and EU to join forces” and to issue “interim guidance” on a revised framework. It seems only time will tell on whether this force will truly awaken.

Clearly, the effects of this decision are impacting upon many, and regardless of whether it may be disproportionately in favour of larger US companies with existing data-sharing agreements, their calls for a swift resolution on the issue and the prospect of state investigations such as the one suggested in Ireland points to the fact that shade has disappeared for many, and the rain is falling on all.

Regardless of all else, it’s important to remember that this huge event was triggered by a single decision, affecting the previously established school of thought on an issue of contemporary significance. Moreover, inspiration can be taken in the fact that the individual, who brought about such an audacious, spirited and successful legal challenge, was none other than a law student.

Ultimately, in this world populated by heavy, spinning neutrinos, it’s clear that the Law both in its innate capacity to discover and bring about change is as miraculous as science itself. The Law may not oscillate, but it certainly has mass.

About the author

Author: Ammar Thair