In October 2015, the European Court of Justice ruled that the 15 year old “Safe Harbor” provision that governed data sharing between the European Union and the US was invalid.
The decision stems from a complaint filed by Austrian student Max Schrems against Facebook. He cited Snowden’s leaks to argue that Facebook could not protect private data while the NSA was carrying out mass surveillance programs. The resulting decision to no longer accept safe harbor as a guarantee of data-protection levels makes a strong statement that US firms acting within US legal boundaries are not deemed trustworthy by the EU.
As an EU company Wire is not affected by this legal challenge. As a global advocate for user privacy, we welcome these developments to protect EU citizens’ data wherever it is stored.
The US-EU Safe Harbor Framework refers to an agreement that was established in 2000 and provided a mechanism for US firms to move, store, and process personal data (e.g. names, credit card numbers, addresses, ID numbers, and other information) belonging to EU citizens within the US.
Under the rules of Safe Harbor, the 4,500+ participating US firms “self-certify” that they are taking appropriate measures to protect the data while it is in the US. It is essentially a loophole in the EU code for Privacy and Data Protection.
Without Safe Harbor, the 28 EU Data Protection Agencies still retain their existing powers and responsibility to regulate any data transfers. The focus of the news coverage so far has been on the new bureaucratic burden, confusion, and cost this will impose on US firms.
Since this agreement was brought into question, EU and US politicians have been working to create a new alternative to Safe Harbor which has come to be known as the EU-US Privacy Shield, however, as of mid-April this too has challenged and shows no signs of being resolved.
With regulatory groups in the EU stating that is not robust enough, and fails to protect users properly, or guarantee the independence and powers of an ombudsman who could oversee complaints from EU citizens in US Court. With the fate of this regulation being uncertain, many US companies are still unsure about the future of data storage and their customers privacy.
What does this mean for Wire and its users?
As a European company operating under Swiss jurisdiction we applaud the decision made by the EU Courts. It is good to see EU privacy laws fully enforced and the same levels of protection provided for all EU citizens’ data, regardless of where it is stored. This ruling, regardless of how it develops is unlikely to affect Wire, as we designed our structure specifically to afford our users EU privacy standards. All of our data processing and storage is exclusively in the EU — no matter where you are from.
However, this announcement is still vitally important to us as part of the global communications industry. The amount of personal data that is shared through communications global across the world is immense, and the importance of it being properly protected cannot be understated. People’s privacy and data should remain protected wherever this data is managed or stored. We are proud of the EU’s strong position on this matter, and hope that through repeated negotiations the US will embrace some of the same protections that we in the EU enjoy.
Though if they cannot come to an agreement the straight forward answer is this:
“Of course, keeping the data within the EU would be the safest way to ensure respect of EU law under current circumstances.” — David Martin Ruiz, senior legal officer at consumer rights advocacy BEUC.
— Alan Duric, co-founder, CTO
