What is Safe Harbour? All you need to know about the data transfer scheme

Sign up to our free weekly IndyTech newsletter delivered straight to your inbox

Sign up to our free IndyTech newsletter

Please enter a valid email address

Please enter a valid email address

SIGN UP

I would like to be emailed about offers, events and updates from The Independent. Read our privacy notice

Q | What exactly is the Safe Harbour scheme?

A | An agreement between the EU and the US struck in 2000, designed to provide a “streamlined and cost-effective” way for US firms to transfer data from Europe without breaching data protection laws. It allowed firms, such as Facebook, Google, Amazon and Microsoft, to “self-certify” that they will protect EU citizens’ data. It also governs cloud computing, when finance or technology firms pay service providers to host large amounts of customer data.

Q | Why has it taken so long for it to be challenged?

A | EU law forbids customer and personal data from being transferred if there are not “adequate” privacy protections in place. Campaigners have long dismissed Safe Harbour’s self-regulation provisions as far too weak, but it took until 2013 and the Edward Snowden revelations about a US National Security Agency (NSA) surveillance scheme called Prism for campaigners to have sufficient cause to challenge Safe Harbour in the courts.

Q | What happens now?

A | Following the European Court of Justice ruling, technology firms are no longer allowed to transfer data from the EU to the US solely on the basis that they are members of the Safe Harbour scheme. Instead they will have to seek specific contractual authorisation to export data. Technology firms say this will drive up cost, create delays and force them to duplicate US data servers in the EU.

Q | Will there be disruption for consumers?

A | Most of the big firms say they have already taken steps to agree the “required contract clauses” to continue sharing data, and analysts say the biggest impact will be a boost in fees for technology lawyers. But smaller firms or firms that store information in the cloud (rather than on their own servers) are likely to feel the impact. In theory, retrieving data, such as historical Facebook posts or stored images, could be slower but in reality most users won’t notice the difference.

Q | What about Facebook?

A | The ECJ court ruling means that the Irish data protection authority will now be forced to investigate and respond to Max Schrems’ demand that it audits what material Facebook may have passed on to the NSA. Facebook has repeatedly denied that it offers a “backdoor” to security services.

Q | Why do the Irish get to decide?

A | The case was initially brought by Mr Schrems, an Austrian activist, to a court in Dublin as every Facebook user outside the US and Canada technically has a contract with Facebook Ireland. It was later transferred to the European Court.

Q | Does there need to be a new Safe Harbour agreement then?

A | The EU and the US have been negotiating an updated Safe Harbour scheme for nearly two years but the fallout from the damaging Snowden revelations has delayed matters, with EU negotiators threatening to veto any future trade deals unless the US limits its access to transferred data.