On October 14th we wrote about the European Court of Justice declaring invalid the Safe Harbor provision that allowed transfer of personally identifiable information (PII) between Europe and the USA. This left a huge public policy question hanging: Is it legal for companies doing business on the web to store the PII of European citizens on servers based in the USA? Does this ECJ decision open the door to companies getting sued by public or private entities from Europe?
There have been a few developments since our initial coverage, both on the European Court of Justice front and in reactions from companies. Here’s the latest update:
The European Commission (EC) has released a ‘communication’ regarding the invalidation of Safe Harbor. The communication states that considerable progress has been made on both sides of the Atlantic in coming up with Safe Harbor 2.0. Here’s a key extract from the Conclusion section:
As confirmed by the Article 29 Working Party, alternative tools authorising data flows can still be used by companies for lawful data transfers to third countries like the United States. However, the Commission considers that a renewed and sound framework for transfers of personal data to the United States remains a key priority. Such a framework is the most comprehensive solution for ensuring effective continuity of the protection of personal data of European citizens when they are transferred to the United States. It also provides the best solution for transatlantic trade as it offers a simpler, less burdensome and therefore less costly transfer mechanism, in particular for SMEs.
Already in 2013, the Commission started negotiations with the U.S. government on a new arrangement for transatlantic data transfers based on its 13 recommendations. There has been considerable progress in bringing the views of both sides together, for example on stronger monitoring and enforcement of the Safe Harbour Privacy Principles by, respectively, the U.S. Department of Commerce and the U.S. Federal Trade Commission, more transparency for consumers as to their data protection rights, easier and cheaper redress possibilities in case of complaints, and clearer rules on onward transfers from Safe Harbour companies to non-Safe Harbour companies (e.g., for processing or sub-processing purposes). Now that the Safe Harbour Decision has been declared invalid, the Commission has intensified the talks with the U.S. government to ensure that the legal requirements formulated by the Court are complied with. The objective of the Commission is to conclude these discussions and achieve this objective in three months.
The bottom line here is that they’ve made some progress in talks with the US government and have set a timeline of 3 months to get Safe Harbor 2.0 released.
In the meantime, here in Redmond, Microsoft announced today that it is opening a data center in Germany which will be owned and controlled by Deutsche Telekom, a German company. The effect of this move is that any requests to access data in this facility will have to go through Deutsche Telekom and the German government.
This move by Microsoft is a direct response to the NSA/Snowden revelations and Microsoft’s inability to protect customer data from US intelligence. According to Microsoft CEO Satya Nadella: “We need to earn both trust of our global customers and operate globally. That’s at the cornerstone of how we’ve done business and how we will continue to do business.”
The model that Microsoft is using is a ‘Trustee’ model, whereby it appoints a foreign company to act as a trustee of user data, thereby removing its own access and its ability to grant the US government access. It’s a new model; it may or may not be effective, and some analysts think it may complicate US/EU negotiations for Safe Harbor 2.0.
There is an expectation in the industry that we will see a data center build-out in Europe over the coming months and other companies taking a similar approach. Companies like Syncplicity, a former EMC unit, are adding capacity in Europe to offer their customers the option to store data there.
As a WordPress publisher and a business owner who may be storing the PII of European citizens, you are still forced to take a wait-and-see approach while the EU and USA negotiate Safe Harbor 2.0, which will guide you on how to treat the data of EU citizens. However, options to store data in Europe are emerging now with this move by Microsoft and other companies. So if Safe Harbor 2.0 does not emerge soon enough, you at least have the option to move your hosting to Europe if you find yourself under significant pressure to do so.
We will keep you posted on developments that may affect WordPress publishers and others in our industry.