What is Safe Harbour? All you need to know about the data transfer scheme

Scheme allowed Facebook, Google, Amazon and Microsoft to 'self-certify' that they will protect EU citizens’ data

Jamie Merrill
Tuesday 06 October 2015 19:59 BST
A Google data center in Hamina, Finland (AP)

Q | What exactly is the Safe Harbour scheme?

A | An agreement between the EU and the US struck in 2000, designed to provide a “streamlined and cost-effective” way for US firms to transfer data from Europe without breaching data protection laws. It allowed firms, such as Facebook, Google, Amazon and Microsoft, to “self-certify” that they will protect EU citizens’ data. It also governs cloud computing, when finance or technology firms pay service providers to host large amounts of customer data.

Q | Why has it taken so long for it to be challenged?

A | EU law forbids customer and personal data from being transferred if there are not “adequate” privacy protections in place. Campaigners have long dismissed Safe Harbour’s self-regulation provisions as far too weak, but it took until 2013 and the Edward Snowden revelations about a US National Security Agency (NSA) surveillance scheme called Prism for campaigners to have sufficient cause to challenge Safe Harbour in the courts.

Q | What happens now?

A | Following the European Court of Justice ruling, technology firms are no longer allowed to transfer data from the EU to the US solely on the basis that they are members of the Safe Harbour scheme. Instead they will have to seek specific contractual authorisation to export data. Technology firms say this will drive up cost, create delays and force them to duplicate US data servers in the EU.

Q | Will there be disruption for consumers?

A | Most of the big firms say they have already taken steps to agree the “required contract clauses” to continue sharing data, and analysts say the biggest impact will be a boost in fees for technology lawyers. But smaller firms or firms that store information in the cloud (rather than on their own servers) are likely to feel the impact. In theory, retrieving data, such as historical Facebook posts or stored images, could be slower but in reality most users won’t notice the difference.

Q | What about Facebook?

A | The ECJ ruling means that the Irish data protection authority will now be forced to investigate and respond to Max Schrems’ demand that it audits what material Facebook may have passed on to the NSA. Facebook has repeatedly denied that it offers a “backdoor” to security services.

Q | Why do the Irish get to decide?

A | The case was initially brought by Mr Schrems, an Austrian activist, to a court in Dublin as every Facebook user outside the US and Canada technically has a contract with Facebook Ireland. It was later transferred to the European Court.

Q | Does there need to be a new Safe Harbour agreement then?

A | The EU and the US have been negotiating an updated Safe Harbour scheme for nearly two years but the fallout from the damaging Snowden revelations has delayed matters, with EU negotiators threatening to veto any future trade deals unless the US limits its access to transferred data.
