In a way, there is much for IT service providers to celebrate now that the European Union (EU) and the United States have come to terms on a Safe Harbor agreement that allows the personal data of Europeans to once again legally find its way into data centers in the U.S. After all, not only do cloud service providers and Web-scale companies routinely move personal data across the Atlantic, so does just about every U.S. company that does business in Europe.
The accord struck this week was made necessary because the European Court of Justice invalidated the previous Safe Harbor agreement after a graduate student in Europe filed suit over Facebook’s sharing of personal data with the National Security Agency (NSA) in the U.S. The court ruled that the information provided by Edward Snowden made it clear that European rights to privacy were being violated.
Challenges ahead for the new Safe Harbor agreement
Specifically, the court said that regulators in each of the 28 countries that make up the EU should have oversight over how companies are allowed to access data. Therein, of course, lies the rub with the new deal. For all the diplomatic celebration, the deal still has to be approved by the individual countries that make up the EU. More challenging still, each of the 28 countries still has the right to enforce the agreement, including the application of fines, as they see fit.
In addition, privacy advocates in Europe have already made it clear that they intend to challenge the legality of the new accord. How the European Court of Justice will view the agreement will most likely hinge on a diplomatic fig leaf under which the U.S. is promising not to give its intelligence agencies “indiscriminate” access to personal data of Europeans stored in U.S. data centers.
The deal also requires the U.S. State Department, rather than an independent body, to create an ombudsman that would investigate European complaints, and the provisions of the agreement are supposed to be reviewed annually. But government officials in France, Germany, and Spain have already informed companies that the accord itself is on shaky legal ground.
At the very least, EU and U.S. diplomats appear to have purchased some time to continue business as usual. Getting the deal ratified by all the countries will no doubt take time. Then there will be a round of legal challenges, and in just a few years those could bring everyone right back to where we were last October when the European Court of Justice made its initial ruling.
In the meantime, the initial court ruling provides enough wiggle room for the EU and the U.S. to at least agree to terms of a proposed accord without which the court would have terminated all data transfers effective immediately.
Ongoing privacy debate
Of course, this dispute is only the latest in a series of ongoing debates over privacy and data sovereignty. When it comes to privacy in the digital age, Europeans are leading the charge. But no matter the outcome of the Safe Harbor agreement, it's clear that more data than ever is going to be legally bound to a physical location to satisfy privacy requirements and address issues such as who has legal standing in cases where the data at issue is stored in another country.
From a technical perspective, IT service providers might find having to manage multiple copies of the same data stored around the globe to be both frustrating and unnecessarily expensive, to say the least. But then again, the more geographically distributed all that data is, the more call there is for IT services to manage it. As such, more EU enforcement of privacy and data sovereignty could wind up being one of those ill winds that ends up blowing some good to IT service providers.