As the dust settles after the European Court of Justice (ECJ) ruling in the Max Schrems case last Tuesday (6th October), we are all left wondering what exactly are the implications for the global IT market and the European data centre market in particular.
One thing is for sure: the Snowden revelations still have a long way to play out. People were – and, to a large degree, still are – genuinely uncertain about the degree to which their communications were being eavesdropped on.
Will that change now a high court judge has found that the US is engaged in the surveillance of European citizens?
Do we care?
While, in the wake of Snowden’s revelations, some consumers moved to encrypted mail services like Lavaboom, Protonmail and Tutanota, they represent only a tiny percentage of internet users. On a personal level there is still a great deal of ambivalence, suggesting the majority of people take the view that if the NSA looks at their data it is not of huge relevance.
But of course, this can’t be translated into the commercial space. Companies hold increasing amounts of data on many, many individuals and one thing the Max Schrems case does clearly illustrate is that not all of their customers are so sanguine about the NSA’s mass surveillance schemes.
Enough people are unhappy enough to make a difference: Max Schrems crowdfunded his legal challenge to the ‘Safe Harbour’ Agreement – the agreement that effectively allowed US tech companies to self-certify their compliance with EU data regulations – and demonstrated the possibilities when individuals and corporations mobilise politically to influence the shape of legislation.
The Irish data commissioner initially rejected Schrems’ complaint (that challenged Facebook’s process of exporting his data to the USA and thereby exposing it to NSA spying) as ‘frivolous’. Now the ECJ ruling has demanded that the Irish courts reconsider his complaint with due diligence, effectively invalidating safe harbour as it did so.
For the moment, national data protection authorities will now have to review each individual case concerning data transfers to the US. Meanwhile, Schrems has started a similar action against Facebook in his native Austria. The ruling opens the doors for more challenges to be lodged with the local supervisory bodies in each member state.
The major US tech companies report they already have ‘workarounds’ but, of course, these will be open to scrutiny in each European country.
And, since the export of data to the US can no longer be justified under safe harbour, such data exports will require ‘model contract clauses’ to be negotiated which clearly set out the US provider’s privacy obligations.
At first glance, it would seem that there is an opportunity for European IaaS vendors here, as US businesses seek to reconfigure their network architecture so that European customer data stays within Europe. Although, inevitably this will be greeted in some quarters as a step closer to the ‘balkanisation’ of the internet that commentators have long been warning about.
But, as the Microsoft data sovereignty case illustrates, simply holding data in Europe doesn’t guarantee it is subject to EU data protection standards if you’re using a US provider.
So perhaps there is an opportunity for European SaaS vendors too – if European businesses respond by bringing data back to Europe, then migrating to European service providers could be a less painful and more effective way to ensure EU data protection standards are applied.
The discovery that a very large proportion, if not the bulk, of everything in circulation is being monitored changes the game quite a lot.
Security agencies are somewhat reluctantly beginning to realise that they have probably gone beyond what was envisioned by the legal frameworks in which they are operating. Technology is rapidly evolving and the law must evolve just as rapidly.
It’s evolving and it’s complicated. And, to some extent, the full implications will only become clear when local privacy and data regulators make their judgements.
General Data Protection Regulation
In the meantime, the EU Council of Ministers is working to get agreement across all 28 member states on the General Data Protection Regulation (GDPR). As a regulation, rather than a directive, it doesn’t require further legislation by national governments to become law. If European leaders can agree on the GDPR’s ‘one stop shop’, this will have the effect of simplifying the situation across Europe again, although likely with more stringent requirements, and of effectively throwing all the dust back up into the air again.