A Google data center in Hamina, Finland
A Google data center in Hamina, Finland

What is Safe Harbour? All you need to know about the data transfer scheme

Scheme allowed Facebook, Google, Amazon and Microsoft to 'self-certify' that they will protect EU citizens’ data

Jamie Merrill
Tuesday 06 October 2015 19:59
Comments

Q | What exactly is the Safe Harbour scheme?

A | An agreement between the EU and the US struck in 2000, designed to provide a “streamlined and cost-effective” way for US firms to transfer data from Europe without breaching data protection laws. It allowed firms, such as Facebook, Google, Amazon and Microsoft, to “self-certify” that they will protect EU citizens’ data. It also governs cloud computing, when finance or technology firms pay service providers to host large amounts of customer data.

Q | Why has it taken so long for it to be challenged?

A | EU law forbids customer and personal data from being transferred if there are not “adequate” privacy protections in place. Campaigners have long dismissed Safe Harbour’s self-regulation provisions as far too weak, but it took until 2013 and the Edward Snowden revelations about a US National Security Agency (NSA) surveillance scheme called Prism for campaigners to have sufficient cause to challenge Safe Harbour in the courts.

Q | What happens now?

A | Following the European Court of Justice ruling, technology firms are no longer allowed to transfer data from the EU to the US solely on the basis that they are members of the Safe Harbour scheme. Instead they will have to seek specific contractual authorisation to export data. Technology firms say this will drive up cost, create delays and force them to duplicate US data servers in the EU.

Q | Will there be disruption for consumers?

A | Most of the big firms say they have already taken steps to agree the “required contract clauses” to continue sharing data, and analysts say the biggest impact will be a boost in fees for technology lawyers. But smaller firms or firms that store information in the cloud (rather than on their own servers) are likely to feel the impact. In theory, retrieving data, such as historical Facebook posts or stored images, could be slower but in reality most users won’t notice the difference.

Q | What about Facebook?

A | The ECJ court ruling means that the Irish data protection authority will now be forced to investigate and respond to Max Schrems’ demand that it audits what material Facebook may have passed on to the NSA. Facebook has repeatedly denied that it offers a “backdoor” to security services.

Q | Why do the Irish get to decide?

A | The case was initially brought by Mr Schrems, an Austrian activist, to a court in Dublin as every Facebook user outside the US and Canada technically has a contract with Facebook Ireland. It was later transferred to the European Court.

Q | Does there need to be a new Safe Harbour agreement then?

A | The EU and the US have been negotiating an updated Safe Harbour scheme for nearly two years but the fallout from the damaging Snowden revelations has delayed matters, with EU negotiators threatening to veto any future trade deals unless the US limits its access to transferred data.

Register for free to continue reading

Registration is a free and easy way to support our truly independent journalism

By registering, you will also enjoy limited access to Premium articles, exclusive newsletters, commenting, and virtual events with our leading journalists

Please enter a valid email
Please enter a valid email
Must be at least 6 characters, include an upper and lower case character and a number
Must be at least 6 characters, include an upper and lower case character and a number
Must be at least 6 characters, include an upper and lower case character and a number
Please enter your first name
Special characters aren’t allowed
Please enter a name between 1 and 40 characters
Please enter your last name
Special characters aren’t allowed
Please enter a name between 1 and 40 characters
You must be over 18 years old to register
You must be over 18 years old to register
Opt-out-policy
You can opt-out at any time by signing in to your account to manage your preferences. Each email has a link to unsubscribe.

Already have an account? sign in

By clicking ‘Register’ you confirm that your data has been entered correctly and you have read and agree to our Terms of use, Cookie policy and Privacy notice.

This site is protected by reCAPTCHA and the Google Privacy policy and Terms of service apply.

Join our new commenting forum

Join thought-provoking conversations, follow other Independent readers and see their replies

Comments

Thank you for registering

Please refresh the page or navigate to another page on the site to be automatically logged in