If your company handles personal data, you’ve just been served a wake-up call by a Frenchman. Yves Bot, who serves as an Advocate General at the European Court of Justice, has just given an opinion – which is non-binding, but usually followed by the Court – to the effect that Facebook shouldn’t have stored an Austrian student’s data on servers in America.
This issue has been bubbling under for a while, not just in this case – which ended up at the ECJ via the Irish Data Protection Commissioner. There was the Marco Civil in Brazil, which originally proposed that data on Brazilian citizens had to be stored in Brazil; this requirement was dropped at the last minute after frantic lobbying by the major internet players. There was Angela Merkel’s call for a digital fortress Europe. All of these are reactions to the Snowden revelations of large-scale data harvesting by US security agencies with the alleged co-operation of the major internet firms and ISPs.
At issue right now is the ongoing renegotiation of the “Safe Harbor” agreement, which provides a framework for European businesses to export personal data to the US, and vice-versa. Without it, storing personally-identifiable information pertaining to an EU citizen on servers in the US would be a breach of the Data Protection Act, with potentially costly consequences. If the ECJ upholds M. Bot’s opinion, it’s hard to see how a new Safe Harbor can be agreed.
Why do we care? Because cloud.
If you use Office365 or Google Docs, you too are reliant on Safe Harbor, even if you don’t realise it. Not only might your data be stored and processed in US data-centres, there will also be US staff with administrative access to it. Microsoft make explicit reliance on Safe Harbor in their admirably comprehensive compliance documentation for Office 365. Google not only rely on it, but praise it to the skies in their public policy blog.
If Safe Harbor is killed off by the ECJ, or – more likely – hamstrung with the kind of high-minded but hard-to-implement measures beloved of the European machine, there will be a scramble to repatriate data from non-EU data centres, and a need for all cloud providers to move both primary and backup facilities into the EU. This will be messy, and expensive – albeit a shot in the arm for the EU data centre industry (it won’t surprise you that Brazil’s equivalent was pretty keen on the Marco Civil provisions).
For those of us that use, or advocate, public cloud it will mean careful reviewing of whatever revised data protection provisions emerge and an almost certain increase in cost. Since it’s pretty clear that both Office365 and Google Docs are effectively sold below cost, or at least at very low margins, as part of the ongoing cloud land-grab, the possible cost increase just from the services themselves is significant. We also risk seeing a two-tier internet developing, since it will be cheaper and easier for cloud businesses to serve the US first.
We may be facing a choice between privacy and productivity. Britain lags the US by 40% in productivity on some analyses; even Germany has lower GDP per hour worked than our transatlantic cousins. Do we really want to make it harder for UK and EU businesses to compete?