The not-so safe harbor
I was contacted by Cinco Días, one of Spain’s leading financial newspapers, to give my opinion on the European Court of Justice’s decision to annul the so-called safe harbor agreements that regulated the exchange of data belonging to EU citizens with US companies. The story, in Spanish, is here: “El tribunal de la UE pone en jaque la economía digital trasatlántica” (pdf).
Basically, the European Court of Justice has said is something we have known since Edward Snowden’s decision to sacrifice his career to provide the world with proof that our data was being monitored by US government agencies without our knowledge: the safe harbor agreements have been systematically abused, and quite simply, the United States is not a safe harbor. This means that anybody in Europe can lodge a complaint that their data is being exported to the United States by a company, and that this, given that the safe harbor agreements are effectively invalid, breaches EU law.
The court’s decision will have consequences: the US administration is unlikely to take on the National Security Agency, meaning that US companies will have to leave processing of European data to Europe, something that Twitter has already announced, in April this year.
It won’t be the end of the world for companies that undoubtedly have the resources to implement these kinds of changes, but it certainly underscores the growing divergence between how the United States and Europe see the issue of data protection.
Below, the full text of my interview with Cinco Días:
Q. What are the likely consequences of Brussels’ decision for Facebook, Google, and Apple’s business models?
A. The consequences for US companies will be both complex and heterogeneous: on the one hand, there are companies like Google and Facebook, which use their clients’ data as part of their business model, and that need a detailed breakdown of the data so they can use it to make money from advertising that is worth more when it is highly segmented. For these companies, storing information in one place or another is a complex business, because it obliges them to set up transaction rules that increase costs, reduces their economies of scale in processing data, or in the use of their data centers, and also requires more supervision. But for Apple and Twitter, it’s not so expensive: Apple’s strategy in recent years has been to establish strict data privacy procedures: (“We sell products, we don’t sell our customers’ data”). Apple will emerge from this a winner, and be seen as working in favor of its customers. For its part, Twitter has also been aware of this issue for some time, separating its operations for US and European customers, announcing that the latter’s data will be process in Ireland, theoretically protecting it from the prying eyes and ears of the US government and its spying agencies. Other companies, such as Microsoft, have shown themselves to be on the right side by denying the US government access to clients’ data abroad, despite the White House’s determination to be globocop, and that might have had something to do with the way this story has worked out.
Q. The agreement that existed between the EU and the United States means that there is a de facto single legislation, but this ruling creates two sets of rules. Do you think it will make doing business on the internet more difficult?
A. Fragmentation will make things more difficult in an environment that will require greater supervision, creating opportunities for companies that decide to operate on one side or the other. There seems little chance of persuading the US security agencies to be less absolutist about this, and in the wake of the Snowden revelations will have minimal credibility. The other possibility is to oblige US companies to process their data in Europe, which seems like the simplest answer, but will involve costs and other problems. What’s more, by this stage in the game, most Europeans have lost all trust in both the US government and US companies that have shown they cannot protect their customers’ data. On the other hand, and on a more positive note, this could create opportunities to create European infrastructure and jobs.
Q. Do these companies have the resources to run their businesses in Europe? Are there enough data centers?
A. Data center infrastructure is essentially global: data is moved around using protocols that involve routine duplication on several servers to avoid disaster, to the “follow the moon” approach used to saved costs by using night tariffs. Putting borders on these protocols increase the complexity of management, but it’s not impossible, just difficult, but not as difficult as managing data that affects different jurisdictions, or people who are constantly traveling. However, this is not a problem we can’t solve.
Q. Will this ruling concern only tech companies, or will all companies that transfer data within the EU, such as banks, phone companies etc, be affected?
A. It will affect all data exchange between the two territories concerned. In any event, we are talking about interaction between one jurisdiction where it has been clearly shown that a government exceeded its monitoring procedures, and another where we simply haven’t produced a hero worthy of the Nobel Peace Prize like Edward Snowden prepared to sacrifice his freedom to prove the same. It is very likely that the same abuses are taking place as in the United States and that we are refusing to contemplate such a possibility in our supposedly safe Europe. Are Europeans really that much better protected than Americans when it comes to data privacy? We shouldn’t forget that US law also includes transparency procedures and mechanisms to watch the watchers that EU lacks. Time, and the appearance of another Edward Snowden will tell whether Europe’s supposedly inflexible position is real, a new level of hypocrisy, or simply the lack of any controls.
(En español, aquí)
