Hamburg’s way or the high way
29 October 2015 | 0
It seems that German data protection authorities have thrown a spanner in the works of efforts by the EU to mitigate the European Court of Justice’s (CJEU) recent ruling which ripped up the Safe Harbour data sharing agreement.
European Commission officials sought to fill the legal vacuum with a reminder of the legal alternatives available and promises of coordinated action by national privacy regulators, but German data protection registrars at the state level disputed many of the points agreed on by the national regulators.
A position paper published by Hamburg’s data protection registrar with other state regulators makes clear they will block any data transfers outside the EU that they discover are relying on Safe Harbour for their legal justification.
The state regulators were sceptical that alternatives proposed by the EU, such as binding corporate rules and model contract clauses, provided sufficient privacy guarantees under EU law. They stressed they would not grant new approvals for data transfers under these mechanisms.
The implications are significant because the German position essentially means that, in the words of Hamburg’s Commissioner for Data Protection and Freedom of Information Johannes Caspar “anyone who wants to escape the legal and political implications of the CJEU judgment should in future consider storing personal data only on servers within the EU.”
The German response would appear to leave companies with little option but to store European citizens’ data in Europe.
Needless to say DigitalEurope, an industry lobby group that represents a number of technology companies, quite a few of which appear to originate outside the EU, was not impressed. Director general John Higgins, argued the statement by the data protection authorities was in “direct contradiction to the coordinated approach between Member State authorities that we were expecting”.
He warned “the decision of the German data protection authorities to refuse to issue any new authorisations of alternative transfer mechanisms will lead to unnecessary market volatility”.
To be fair, it was the CJEU ruling that did that. In any case, this issue is not confined to the EU. Microsoft is currently embroiled in a legal challenge to a ruling by a US judge that it should hand over data stored on its servers in Ireland to US law enforcement agencies. The implications for cloud computing if it loses are profound.
We could have a situation where not only does the demise of Safe Harbour encourage EU citizens to store their data in the EU but a ruling by the US courts making data stored on US companies’ servers in Europe open to scrutiny by the US authorities makes it a necessity.
Is that such a bad thing? If you go back a few years and imagine someone telling you that a foreign government could read your mail with impunity and without your knowledge because one of its companies helped to deliver the mail, would you find that acceptable?
Then there’s the issue of cold hard cash. We have a bizarre situation where companies are all too aware of the value of the data they hold and yet ordinary people are encouraged to sign their data rights away as if they were of no value at all. More data may help businesses to ‘better serve’ their customers but it also helps them to make more money through better targeting and marketing.
It’s a shame that no one has authoritatively attached a value to that data from a citizen’s perspective. Although, to be fair, we’re still waiting to find out how much that data is worth to businesses. One measure will be to see if technology companies from outside the EU think it is valuable enough to justify the cost of hosting it in EU countries if they can’t export it to other territories.