Safe Harbour struck down: Will smaller European cloud providers step into the breach?


On October 6, the European Union’s highest court struck down a transatlantic pact used by thousands of companies to transfer Europeans’ personal information to the US.

The pact known as Safe Harbour was introduced over 15 years ago and it allows companies and countries outside the EU to declare that they adhere to the stricter privacy and data protection rules set by the European Union. Striking down the Safe Harbour arrangement came in light of recent evidence that foreign entities claiming to adhere to EU standard data protection cannot actually meet the standard when it clashes with the foreign governments’ interests in national security.

This news created speculation about the methods in which the big data companies will get around this ruling. What is clear though is that the European High Court identified an adverse discrepancy in the way personal data is protected in the US versus the EU. UK customers, be they individuals or businesses, need to evaluate the importance they place on securing their data or that of their respective customers, and realise that using foreign companies, albeit large and well known international providers, is viewed by the European courts as potentially compromising that data.

We are all aware that any electronically stored information is at risk of being illegally hacked or compromised, but the court ruling was not relating to the quality of cyber security that companies employ, but to the risk posed by foreign government which may have the right to demand from data providers access to data including that of UK individuals or businesses.

A suitable analogy in the physical world might be comparing between two storage houses. Let’s say both had a burglar alarm and doors and windows secured with appropriate locks. They still both have a risk of burglary. Moreover, both centres would need to let the law enforcement agents inspect the premises if they had a proper court order given on sound grounds.

However, what if one of the centres was located in a jurisdiction where the law enforcement agents didn’t require a court order to enter, what if they just had the key and can roam around freely without even saying why there were there or indeed that they were there in the first place. Now what if the law enforcement wasn’t only the police, but a multiple of unknown government branches? Which storage house would you feel is more secure, the one that needs a court order to enter, or the one where the key is sitting with multiple government agencies?

The same comparison applies to the online world and the European court has recognised that. Storing files or using email provided by a non EU company means that the company doing so is not only breaching security, it might be welcoming the breach through an open front door.

It will now be interesting to see whether the ruling will be viewed merely as a technicality to be circumvented by big companies or will it be seen as a real warning sign and a catalyst for businesses to use smaller European cloud service providers which solely use European data centres and are subject only to European data protection laws.