The efforts of one Austrian law student could provide a real boost for the EU data centre industry, as demonstrated in the European Court’s decision, affectionately dubbed Schrems v Facebook, due out on 6 October. The decision could also have far-reaching implications for data privacy in the US. Issues such as location and access to power and cooling remain key considerations, but the current re-examination of the EU/US data transfer regime could provide a marketing opportunity for vendors promoting EU-located sites on the back of concerns about the scale of US surveillance.
- The original case was made out by the Austrian law student against Facebook’s transfer of data to the US under the EU/US Safe Harbour scheme implemented in July 2000. The case has, however, developed into one not about Facebook per se, but more about the lack of protections for the fundamental rights to privacy afforded to EU citizens under the US privacy regime. Following Edward Snowden’s revelations, the Irish High Court found that the mass and indiscriminate review by the National Security Agency (the NSA) of EU citizens’ personal data transferred to the US under the scheme failed to meet the necessary level of protection required by EU law and referred the matter to the EU.
- The Advocate General’s opinion released on 23 September identified that the original Safe Harbour scheme needed to be monitored for continuing changes in circumstances. The NSA revelations were just such circumstances and it was now clear that the scheme did not provide EU citizens with the required safeguards. For example, the surveillance was indiscriminate, the exceptions for national security were too broad and there was no overarching supervisory body to monitor such activities and provide redress for affected individuals, each of these being a critical component.
- Moves are, however, already afoot to correct this situation, which may avert any dramatic result should the European Court follow the Advocate General. The EU Commission published a paper in 2013 (COM (2013) 846 Final) entitled “Rebuilding Trust in EU-US Data Flows” covering the issue of a lack of legal redress and the need for a strengthened regime in the US to protect EU citizens’ rights. This led to the initialling on 8 September of a draft agreement known as the Umbrella Agreement to address the perceived deficiencies in the scheme.
- This Umbrella Agreement cannot come into force until the US legislature passes its Judicial Redress Act (currently passing through the US Congress), but will at that point provide EU citizens with a right to sue the US government for breaches of privacy. This right will not apply to the UK, Ireland and Denmark until they expressly opt in.
- The US Congressional Budget Office does not appear to consider this to be a material potential liability, finding the median pay-out under such claims to be US $30,000 with fewer than 10 on average per year. It remains to be seen if EU privacy campaigners see such novel rights as being in need of stress testing.
THE POTENTIAL IMPLICATIONS OF THE DECISION
- Should the European Court agree with the Advocate General, and notwithstanding that the US law is passed to reinforce the Safe Harbour scheme, there is a commercial argument that the transfer of data to the US is of itself problematic for EU citizens, due to a lack of trust. The continued risk of US authorities accessing data held in data centres operated by US companies in the EU has led to suggestions that this will, in some territories, mean that non-US owned data centres (which are not subject to such surveillance) will become a much more attractive service offering. Whether this is just scaremongering or PR in favour of EU operators, doubtless the US giants will continue to transfer data to existing sites in the US. However, with the much-anticipated Data Protection Regulation placing enhanced emphasis on the protection of privacy rights for EU citizens, whichever way the EU court goes, a significant commercial opportunity to promote EU-located, locally-operated data centres has arisen.
- The counter-argument to such promotion of EU locations is that the simple fact of being outside the NSA net does not mean that under relevant national security derogations, data processed in an EU-located, locally-operated data centre is immune from surveillance. It only means that the authorities are subject to the rule of law with which you are more familiar.
- The US Government has criticised the finding of the Irish Court as regards the scale of surveillance. We can expect material diplomatic and political effort to avoid disruption to US-EU trade resulting from the possible unwelcome forced interruption to data flows which are a fundamental part of that commercial activity.
- The true implications of the decision will become much clearer on Tuesday morning.