The so-called Safe Harbor agreement that allows U.S. web firms to take on customers in the European Union is in deep trouble. EU Justice Commissioner Viviane Reding has launched a review of the deal, and on Wednesday it emerged that data protection watchdogs from around Germany have urged Chancellor Angela Merkel to push for its suspension, due to NSA surveillance fears.
According to the letter, seen by newspaper Handelsblatt, the privacy officials said there is a “high probability” that the NSA is gathering Germans’ personal data through the web services they use. It has previously emerged that the U.S. is heavily spying on Germans and, although the German government has denied knowledge of such activities, evidence continues to come out suggesting that the authorities there have indeed cooperated with the Americans on this.
(Quick note: I’m moderating what will hopefully be a terrific panel discussion on post-PRISM European cloud matters at our upcoming Structure:Europe conference in London on 18-19 September.)
The Safe Harbor agreement, which dates back to 1998, provides a way for U.S. firms to get round their country’s relatively lax data protection laws. Under EU law, Europeans’ personal data is not supposed to be processed in countries that lack EU rigor when it comes to privacy. Companies self-certifying under the Safe Harbor provision are effectively saying that they adhere to EU-grade data protection standards, even though they are sited in the U.S.
Privacy officials at the European level argued more than a year ago that self-certification was a bad way of ensuring compliance, but the PRISM scandal has, to a large extent, rendered that argument moot. As I pointed out as soon as the scandal broke:
“… Frankly it now looks like the whole system is in tatters. U.S. companies claiming Safe Harbor compliance include Google, Yahoo, Microsoft, Facebook and AOL, all of which now appear to be part (willingly or otherwise) of the NSA’s PRISM scheme.
“As EU data protection rules don’t say it’s OK for foreign military units to record or monitor the communications of European citizens – heck, even local governments aren’t supposed to be doing that – the Safe Harbor program now looks questionable to say the least.”
According to Reding, the Safe Harbor agreement “could be a loophole” for U.S. firms rather than a safety mechanism for Europeans, and the deal is likely to either be scrapped or revised to include more conditions for certification. She will propose the next step later this year.
It sounds like we can expect, at the least, a shift in the way U.S. firms handle data, if they are to continue to trade in Europe; new Facebook and Google data centers in Sweden and Finland respectively may be intended as preparation for such a shift. If the deal is scrapped outright, though, many American companies may suddenly lose access to some of their most prized markets.