Under European law, service providers are legally obligated to maintain the levels of security and privacy for personal, non-public information. Because of these protections, data from European users cannot be moved to jurisdictions where the same level of protection does not exist.
Think of it as setting a minimum water level for security and privacy:
You cannot take data from a place that offers higher levels of protection and move it to a place where lower levels exist.
This established a baseline set of parameters for all users inside the EU, ensuring their privacy was protected the same way by every online company they dealt with, no matter whether the company was in France, Germany, or Poland.
Of course, this left places like the US out in the cold; after all, our data privacy laws are nearly non-existent compared to those of the EU.
Major tech companies like Google, Facebook, and Apple were faced with a decision: build data centers in Europe just for Europeans or lobby for an alternative.
Enter Article 29 and the Safe Harbor regulations, a series of laws and treaties between several parties that establish a framework of self-certification and public audit for companies in less-regulated markets to certify as being a safe place to send European data despite being outside of the EU. That worked well until October 2015, when the European Court of Justice overturned Safe Harbor as being insufficient protection of end-user personal data. Left with three months to renegotiate the treaty and pass new laws, the US and EU went to work building a new consensus.
Here we are, well past the end of the three-month grace period, and a new framework for Safe Harbor still eludes negotiators.
Privacy hawks are arguing for stringent rules regarding surveillance by government agencies, while security hawks are bemoaning the use of encryption, counter-surveillance techniques, and the potential national security implications of not just implied but explicit privacy.
Just this last week, the heads of the data regulators of each EU member state met in Brussels as part of the Article 29 Working Group to come up with what they would require to reinstate Safe Harbor. They have reached several initial proposals to send to their respective governments, but no final proposal has been drafted between the parties.
Critics are already attacking the new regulations proposed by the working group, pointing out that all EU leaders seek are letters of understanding signed by high-ranking US officials and entries into the Federal Register stating that “most surveillance” will be off-limits, leaving major loopholes for a repeat before the European Court of Justice.
Without actual legislation on the US side and a firm commitment against mass surveillance and data collection, it seems a true agreement will never be reached.
Without agreement, Safe Harbor is unable to truly provide the free exchange and access of data across the Atlantic that we enjoyed up to last year, but there are alternatives. By including model clauses in contracts, ServerCentral can still meet the stringent legal guidelines of EU regulators for our customers, and they themselves can meet the requirements of their customers and end users.
Still, a framework is needed soon, or we could face the nuclear option: total cut-off of trans-Atlantic data services.
While that is the last possible outcome anyone would want, in this climate of anti-surveillance protests, who knows how the chips will land.