What the European Safe Harbor Ruling Means for Data Centers

A court ruling striking down rules for data transfer between the U.S. and Europe will create short-term uncertainty for data center service providers, but isn’t likely to “wreak havoc on global digital commerce,” as suggested by one industry group.

That’s the analysis from David Snead, the Vice Chairman and co-founder of the Internet Infrastructure Coalition, a trade group advocating for the data center and hosting communities.

The court case illustrates how covert intelligence gathering by the National Security Agency (NSA) is creating challenges for U.S. Internet companies and service providers, even as cloud computing technologies provide tools to rapidly build global business platforms.

Snead says that Tuesday’s ruling by the European Court of Justice, which set aside a “safe harbor” framework to protect customer data, may cause confusion until the US and European Commission can finish negotiations on a new agreement. That creates a headache for data center providers, who must now monitor the efforts to craft new guidelines, and may need to discuss alternate approaches to data security as they negotiate deals with European customers. Some providers are announcing new data centers in Europe to address concerns about data jurisdiction.

“In the short term, there is no impact,” said Snead. “However, in the medium term, data centers should start looking at the model contract clauses and binding corporate rules (BCRs),” he said, noting two alternatives to using the Safe Harbor framework.

Why Safe Harbor Matters

The Safe Harbor agreement, which was negotiated between the US and European Union in 2000, addressed the European Union’s Data Protection Directive of 1995, which prohibits the transfer of personal information outside of the European Economic Area unless the receiving country ensures an “adequate level” of privacy protection. The agreement provided a framework for companies like Google and Facebook to use data centers in both regions to support service delivery.

Following Edward Snowden’s disclosures about NSA surveillance programs, Austrian law student Max Schrems filed a legal complaint, saying Facebook couldn’t provide adequate protection of his information when data moved between its operations in Ireland and the US, exposing his information to surveillance by the NSA (Facebook is not a party to the suit). On Monday, the ECJ agreed.[clickToTweet tweet=”David Snead: Providers that do business in Europe should prepare for questions from customers.” quote=”David Snead: Providers that do business in Europe should prepare for questions from customers.”]

“The ECJ decision is a direct reaction to U.S. government overreach in surveillance activities,” said Snead. “While that’s troubling, it should at least reassure US companies that their corporate practices aren’t the cause of the decision.”

Snead predicted that “data center providers that do business in Europe should be prepared for questions from customers.”

A Boost For European Data Centers?

Some companies are already taking steps to reassure European customers. Cloud service provider NetSuite today announced the launch of two new data centers in Dublin and Amsterdam, which will open before the end of 2015.

“The two data centres will support NetSuite’s growth in Europe and meet the needs of the increasing number of European companies that are adopting NetSuite’s cloud business management platform to more efficiently manage and transform their businesses,” the company said.

Among the cloud builders, Google, Microsoft and Amazon operate major data centers in Dublin, and Facebook and Apple have announced plans to build major server farms in Ireland. Google also operates data centers in Finland, Belgium and Amsterdam, while Apple has also announced plans for a major cloud campus in Denmark.

Some industry observers say the Snowden disclosures have had a chilling effect on growth by American cloud platforms, and will lead enterprises and service providers to house more data in overseas markets. This could provide a boost to data center providers with facilities in Europe, who can offer local solutions in which user data does not transit to the United States.

Schrems, the plaintiff in the ECJ case, has noted this possibility.

“This could be a major issue for Apple, Facebook, Google, Microsoft or Yahoo,” he wrote. “All of them operate data centers in Europe, but may need to fundamentally restructure their data storage architecture and maybe even their corporate structure. If these providers cannot ensure an ‘adequate protection’ through other legal instruments, European business customers would also need to transfer their processing operations to providers that ensure the full protection of hosted personal data.”

Short-Term and Long-Term Solutions

Schrems said that the concerns raised by his lawsuit can be addressed in new agreements. “There are still a number of alternative options to transfer data from the EU to the US,” he said. “Despite some alarmist comments, I don’t think that we will see major disruptions in practice. The average consumer will not see any restrictions in daily use, but will hopefully soon be able to use online services without potentially being subject to mass surveillance.”

Snead said there are two alternate approaches companies can use to address data protection for European citizens:

• Binding Corporate Rules (BCRs): These agreements define data safeguards, but are implemented through agreements with Data Protection Authorities (DPAs) in each country rather than through a broader deal with the EU.
•  Model Rules & Standard Clauses: The European Commission has provided model clauses that can be incorporated into business contracts to address adequate protection of the transferred personal data.

A number of corporate law firms have offered commentary on options for American companies that relied upon Safe Harbor. Here are links to those analyses:

• US-EU Safe Harbor Framework Invalidated by European Court of Justice – What Now? (Mintz Levin)
• EU-US Safe Harbor declared invalid by EU court (Dechert LLP)
• Day-after-Safe Harbor action plan (Norton Rose Fulbright)

The baseline challenge, as noted by Susan Foster and Cynthia Larose of Mintz Levin, is whether these alternate approaches can satisfy European concerns about future NSA surveillance.

They write: “If your company could receive a subpoena from the NSA or other US government agency to disclose the personal data of EU residents, then the BCRs and contracts would presumably face the same weakness that the Safe Harbor faces: a fundamental incompatibility between EU data protection law and the powers of US government agencies to conduct intelligence operations and require US companies to comply.”

Snead and the Internet Infrastructure Coalition say the best solution is one that addresses the surveillance issue.

“It is important to focus on the reason for the ECJ decision: U.S. government overreach, and not the actions of infrastructure providers,” the coalition said in a statement. “For that reason, the I2Coalition has supported the Judicial Redress Act, a bill that would provide European citizens with the same privacy protections given to U.S. citizens under U.S. law. Passage of this bill is a key requirement for implementation of the ‘umbrella agreement’ on privacy between the U.S. and E.U. that will enhance privacy on both sides of the Atlantic.”

The View From Europe

In Ireland, the top European cloud market and the country where the Schrems case, Data Protection Commissioner Helen Dixon noted that the issues dealt with by the ECJ judgement are complex. “While they will require careful consideration, what is immediately clear is that the Court has reiterated the fundamental impoirtance attached to the right of individuals to protect their personal data,” said Dixon. “That is very much to be welcomed.

“In declaring the old ‘safe harbour’ rules invalid, however, the significance of the judgment extends far beyond the case presently pending in Ireland,” Dixon added. “My office will immediately engage with our colleagues in other national supervisory authorities across Europe to determine how the judgment can be implemented in practice, particularly insofar as it impacts EU/US data transfers.”

Snead said the best way to monitor the next steps is to watch the action of the European Commission, which offered several comments following the ruling. [clickToTweet tweet=”EC: It is important that transatlantic data flows continue, as they are the backbone of our economy.” quote=”EC Commissioner Vera Jourova: It is important that transatlantic data flows continue, as they are the backbone of our economy.”]

“We have already been working with the American authorities to make data transfers safer for European citizens,” said EC First Vice-President Frans Timmermans. “In the light of the ruling, we will continue this work towards a renewed and safe framework for the transfer of personal data across the Atlantic.”

“We have three priorities,” said European Commission member Vera Jourova. “First, we have to guarantee that EU citizens’ data are protected by sufficient safeguards when they are transferred.  Then, it is important that transatlantic data flows can continue, as they are the backbone of our economy. Finally, we will work together guidance with national Data Protection Authorities to ensure a coordinated response on alternative ways to transfer data. This is important for European businesses.”