Analysis Today's victory by Austrian privacy advocate Max Schrems in the European Court has massive repercussions for how the superpowers make law, and how Silicon Valley conducts business. And it may only get worse for America's data processing giants, very soon. Microsoft is challenging the notion that the world's data is by default also the US's data - an idea with inconvenient repercussions for Microsoft, but perhaps more inconvenient repercussions for Microsoft's rivals.
"Safe Harbour is dead - but Safe Harbour been dead for a long time," one privacy advisor told us this morning. "It's a zombie that's put on stage when people start asking awkward questions," he says. "It's the been the big white fat elephant in Silicon Valley boardrooms for years."
Experts say that the Schrems decision nukes the uncomfortable political compromise of creating a "safe harbour" for data exports that the EU and the USA thrashed out in 2000, that became untenable after former NSA sysadmin Edward Snowden spilled the beans. No matter how much Brussels bureaucrats want their latest Safe Harbour fudge to work - the cat's out of the bag. US companies that export data are fundamentally illegal in Europe.
"The power of the European Commission has been cut significantly, and [that of] the data protection authorities increased," one industry insider told us. "It isn't difficult to imagine US companies asking 'Why would we negotiate a new Safe Harbour agreement? The Commission can't follow through'."
But it also raises profound constitutional questions for Europe. The European Parliament isn't supreme in the EU: the European Court interprets a charter of Fundamental Rights, and its rulings permit member states to chuck out European law. They've gone and done just that before - and the Schrems ruling is so emphatic that attempts to resurrect Safe Harbour are almost certain to meet the same fate. Like other problems besetting Europe, Brussels doesn't have the institutional machinery, or maybe even the brains, to fix this one.
How we got here
Continental Europe and the USA treat privacy and data protection differently, often regarding each other's cultural norms to data protection through blinking incomprehension. Just five years after the GDR's MfS, its Ministerium für Staatssicherheit, better known as the Stasi, was dismantled, the EU made data protection a fundamental right - a sign of how profoundly the subject is regarded.
Over the next few years, with the popularity of the internet, personal data began to flow across borders. Data was travelling out of the EU without the consent or supervision of Europeans. In 2000, the EU bloc and the USA thrashed out a political compromise, called Safe Harbour. (This is not to be confused with the "Safe Harbour" liabilities granted to ISPs and platforms from copyright infringement or other liabilities - that's another Harbour)
Safe Harbour allowed the EU to pretend that Europeans' data was still subject to European-standard protection, and US data processing giants like Facebook and Google to pretend they were still legal in Europe. But two factors made the pretence untenable. One was the introduction of anti-terror legislation in the USA, and the second was Edward Snowden. Peter Houppermans, a privacy advisor based in Switzerland, explains:
"Safe Harbour has been broken for years - but it’s only now visible. But really it's broken since 9-11. American legislation created so many back doors that there’s no due diligence or scrutiny of law enforcement - so any one can walk in. Safe Harbour was just a political sticking plaster. As a result there's no US entity in the world that can credibly guarantee the privacy of your information. It's legally impossible.
He illustrates with a practical example of how US companies are now in breach of EU rights.
Imagine you’re a UK resident business, and you're using Google for email. What happens when I email you? You'll receive my message on US-owned infrastructure. Before you've gained my permission, you've exported my personal data - and maybe it’s even privileged information - to a third party entity.
That's because the recipient of the email - in this case you - export the data to a third party without the sender's permission.
As Safe Harbor is dead, the receiving company may have now broken EU privacy laws.
(Houppermans explained this at length in a 2013 article for El Reg, here.)
Brussels is [full of] people lobbying to get data protection legislation watered down, and has been for years. The reason they haven't managed is Snowden. Before Snowden, the EU had no choice but to risk being blackmailed in trade talks. Now Europe has leverage, as well as local political pressure, and can hold up Snowden’s evidence of US non-compliance.
The reason Humpty can't be put back together again - and this is vital to understanding the story - is the United States' view of territoriality.
Crudely put, the US doesn't recognise an "abroad" - and fears that if it starts to do so, it will open a Pandora's Box of criminal evasion. This is being fought in Europe, where Microsoft is challenging a US Court order to access emails stored in Ireland. The DoJ fears that a future Enron would store its data offshore, and claim data protection.
Technically, it's possible to secure information, but the biggest data safe is of no use if you can legally be ordered to open it, which is what is happening in Microsoft vs DoJ. This is where encrypted platforms where the data owner holds the key are better, but that depends on whose technology you trust.
None of your business
Big Tech lobby group the Computer & Communications Industry Association warned of an apocalypse if it didn't get its way, telling the FT (behind paywall) it would harm Europe far more than it would harm Big Tech: "We expect that a suspension of Safe Harbor will negatively impact Europe’s economy, hurt small and medium-sized enterprises, and the consumers who use their services, the most".
But this supposes Europeans are content with US standards of privacy and data protection. Perhaps they're not. After Schrems, it's hard to see how a fudge like Safe Harbour might conceivably hold, since it's the European Court and not Eurocrats which is the arbiter of data protection. And it might become impossible after the DoJ versus Microsoft next month. Silicon Valley is in uncharted waters. ®