Fingerprint-979598_1280Some years ago, I was asked by a relation, “Where’s all this data stored?” I said her question was not easy to answer. “It’s out there in the cloud somewhere. But don’t worry, it’s safe.”

Technically, her data may still be safe. She can call up her photos, her email, from computers all over the planet, and it will be quickly, reliably and correctly delivered to her. We know how to spread data across different stores so a fire or a flood won’t lose it. We know how to protect it with fancy mathematics so data errors will be found and fixed. It works well. We can cope with disasters.

But governments? That’s a harder problem.

One of the great benefits of the European Union for the private citizen has been quite strong EU law on privacy. This has been particularly driven by the experience of East Germany, where spying by the Stasi on its own citizens was wall-to-Berlin-wall, and universally hated. Now, our data can only be copied with our consent, except in very limited circumstances. Nations in the EU must enact laws to enforce this.

However, it’s hard to use data that’s stuck down a hole. If I’m in the UK trying to buy a widget from Germany, that can well all be in the EU, but the credit card data might have to go to the US, or maybe the delivery company is US-owned and using US servers to track the package. It makes for an easier life if that data can flow about as needed to deliver the goods. But we still need to maintain EU standards of privacy. So, Safe Harbour was invented, a contractual obligation for US companies to provide EU privacy standards for EU data that they needed to handle.

All very well in theory, but Safe Harbour has been looking increasingly Unsafe. The US legislature passed various laws requiring US companies to hand data over to government agencies like Homeland Security, more-or-less on demand. The US NSA has what seems to be carte blanche to subvert protections like encryption and hoover up enormous amounts of private data. This makes a mockery of Safe Harbour, but the fact has been swept under the carpet for a while, in the interests of good diplomacy and easy trade.

Enter Max Schrems, an Austrian student, and Facebook. He complained to the Irish Data Protection Authority (Facebook’s EU HQ is in Ireland) that Facebook was sending his data to the US. The DPA said it was OK, Safe Harbour was adequate. Schrems took the case to court. All the way to the European Court of Justice. The ECJ said that Safe Harbour wasn’t automatically OK, and that the DPA must consider the effect of US laws subverting Safe Harbour. It’s now apparent that US “security” law makes Safe Harbour unsafe, and we’re all just waiting for the DPA to make that formal. The European Court of Justice has stood up for the little man against the giant corporation, against mighty governments, and exposed all this for the sham that it is.

Everyone is scrabbling around for more sticky tape to patch up this data protection mess. One proposal is to have users specifically agree to a contract allowing the data transfer to the US, using “model clauses” and “Binding Corporate Rules” in Ts&Cs. However, one German court has already ruled that this isn’t good enough, and if the contract says things like “but the government can take your data and do whatever it wants with it”, many people just won’t do business. The US government could fix this by changing their law to provide EU standards of privacy for EU citizens – but they won’t. The sticky tape isn’t sticking.

For EU companies, it makes great sense to keep EU data inside the EU, on hardware on EU soil, run by EU companies. That way, one set of rules, one legal system and one concept of privacy covers everything. It might mean a business has to be more careful in its choices, but it certainly is possible.

For more information about Safe Harbour view the following articles:

Emrys Williams is Linkz Chief Technical Officer and has ensured that all Linkz servers are held within the EU.