
The Great Firewall of Brussels

By Jay Heiser | October 06, 2015 | 1 Comment

Tags: risk management, policy, Cloud

Visiting Beijing last week, I found a surprisingly modern and comfortable city, but I was frustrated that I couldn’t Facebook my experiences in real time, because the government blocks access to it. In a dramatic move on the other side of the globe, Europe’s highest court has just set the stage for what in the most extreme circumstances could conceivably result in a loss of European access to Facebook.

In a decision today, the Court of Justice of the European Union declared that the EU Commission’s US Safe Harbor approach was invalid.  Safe Harbor is a self-certification program in which approximately 4,500 US social networks, cloud service providers, and other digital services commit to following an “adequate” standard for the protection of private data.  Citing the extensive surveillance activities of the NSA and other US intelligence functions, “The Court adds that legislation permitting the public authorities to have access on a generalised basis to the content of electronic communications must be regarded as compromising the essence of the fundamental right to respect for private life.”

The genesis of this decision was a complaint against Facebook filed with the Irish Data Commissioner by Max Schrems, an Austrian privacy advocate who became interested in the social network’s privacy implications while studying law in California. In June 2014, his case was referred to the Court of Justice. That Court declared the EU Safe Harbor regime to be invalid, and directed the Irish authority to reexamine this complaint, and consider whether “transfer of the data of Facebook’s European subscribers to the United States should be suspended.” Wow.

The European Union has just over half a billion inhabitants.  While many of them have expressed a great deal of concern, even outrage, over the US Federal government’s surveillance activities, it remains the case that hundreds of millions of EU citizens are eagerly sharing their private data through Facebook, and are happy to do so no matter where their data might currently be stored. Given their initial response to Schrems’ complaint, one might even consider that some employees of the Irish government may be Facebook users. I’m not at all sure that popular European opinion will be happy with all the implications of this court finding.

While the specifics of this case deal with Facebook, by extension, it could potentially impact most of the public cloud. Adobe, Amazon, Box, Dropbox, Google, Microsoft, Salesforce, Workday, and 4,500 other US online services store EU customer data wholly or in part in the USA, and are currently registered within the Safe Harbor program, which the Court of Justice has just declared as invalid.

The daunting impracticality of blocking most Internet services to European use is now looming on some hypothetical horizon. Given a choice, the majority of European citizens would prefer that the US Federal Government stop spying on them, but only a few Europeans feel so strongly about this that they entirely avoid using social networking and other forms of cloud computing. It is uncertain how practical it would be for Facebook to stop storing European citizen data in the USA, or how eager the company would be to undertake that step. And realistically, does anybody believe that it would slow down the NSA? Facebook, file sharing, and Photoshop are now technically non-compliant with the EU Privacy Directive, and without significant architectural changes, it is conceivable that national Data Commissioners or the EU’s highest court will force a decision on data location. One can almost envision EU citizens making surreptitious visits to Switzerland and Norway to visit their American data.

Dissatisfaction with Safe Harbor is hardly new, and Gartner has already suggested that an upcoming revision to the European privacy regime may obsolete it, with a renewed emphasis on standard contract clauses.  What we had not previously considered was a total ban on US-based service provision, which would theoretically be the most extreme result of today’s court decision.  The court paints a picture of fundamental incompatibilities between the human right to privacy in the EU, and the US National Security Agency. It seems inconceivable that European Internet users would want to sever their digital ties to the USA, yet it seems unlikely that any contractual commitment to privacy practice could fully protect European rights from the reality of US surveillance.

This may well prove to be one of the most dramatic legal decisions impacting the Internet this century.  The ball has been passed back to the Irish supervisory authorities, and this game is one that is worth watching.



1 Comment

  • Jay Heiser says:

    Here are some specific recommendations from Gartner on how to deal with a very ambiguous regulatory situation: