The recent EuGH judgment, rendering the 15 year old “Safe Harbor” regulation between the EU and the USA ineffective, has significant implications for data protection and security, digital businesses and societies.
The “Safe Harbor” regulation enabled the free exchange of data between the EU and the US, as long as IT- and Internet companies promised to comply to a minimal set of data protection standards, awarding data of EU citizens an (almost) equal protection level. This regulation, however, was now judged to have been wrong in three ways. First, it went far beyond the authority of the EU, interfering much too strongly with national and regional data protection regulation. Second, it forgot that national security regulations in the US rank higher than self-administered data protection standards of the IT- and Internet industries, rendering it effectively impossible for these companies to make any promises regarding the protection of European data. And third, “Safe Harbor” also forgot that the United States are not a constitutional state for Europeans, rendering any chance for intervention into national security processes in the US impossible, thus depriving European citizens of their basic rights on data protection and legal intervention.
The judgment is consistent with many European perspectives on the matter. And it will have numerous implications. Any non-EU company doing business (or being otherwise involved) with European personal data will have to comply to EU data protection laws or leave the European market. Given the possibility of similar national security regulations in most countries outside the EU, this can almost only be guaranteed if these companies move all respective parts of data handling and data business into Europe. US data companies may try to weasel out of this by setting according license agreements with their users, stating explicitly that users and customers agree to having their data sent to the US for analysis. But this would reduce the customer base and may even be difficult to implement. EU citizens may not be allowed to sign their basic rights away to a company in this degree, even if they want to. Further regulation may follow with this end. If moving data businesses fully into Europe will become a necessity, this will enforce a reorganization of many digital business models, providing competitive advantage to EU-based companies who already comply to European standards and who could now be in a pole position for many new opportunities coming up – including strategic partnerships with US companies.
Other implications will develop for security. The verdict makes it clear that data are not secure with US companies. Responsible European companies have to reconsider any data-heavy cooperation with US companies. This has already started since Snowden, of course, but it gains an official and more imperative weight with the EUGh judgment. Renting an efficient cloud in the US may not be an option anymore, as are digital services administered from the US including some big data models and security services. This would apply even if the mother corporation is German. Data and territory are the focal points of this judgment. And anything on US soil could be infiltrated to the disadvantage of the customer.
The reset of the “Safe Harbor” agreement back to stronger standards may also affect some existing business processes between the EU and the US, depending on the kind of data exchanged. If customers’ or employees’ data are somehow a part of those processes, it may become difficult to work with them outside the EU. International, distributed businesses may face new regulations and restrictions in the near future, imposing high costs and operative difficulties. Some of those may turn out to be unsolvable.
Many of these implications still depend on other factors and may develop in different ways. But despite some difficulties on the horizon, the judgment has important merits. Europe must claim self-determination in digital matters. The high dependence on foreign technologies and the many uncertainties accompanied by this have driven it away from core values and technical competencies, putting it into the role of an observer, a reactive critique rather than that of an actor. A situation likely to get worse with the advent of industry 4.0.
The first steps of self-determination may be painful and costly. Critics may even try to chide them as steps towards a “Balkanization” of the Internet. But right in the middle of the digital revolution, many assumptions of the early days of IT and the Internet have to face reform – technologies inasmuch as business models. Segregations will be a natural, unavoidable and in many ways a quite healthy process.
http://www.spiegel.de/netzwelt/netzpolitik/europaeischer-gerichtshof-erklaert-safe-harbor-abkommen-fuer-ungueltig-a-1056366.html