What Safe Harbor Means for American SaaS Providers in Europe
On Tuesday October 6th, the European Court of Justice (ECJ) shook the digital economy by revoking the Safe Harbor agreement between the European Union and the United States.
As a German SaaS company, we quickly saw the impact. Hundreds of users contacted our support to ask where our servers were located and whether they could still use Userlike. With servers in Germany we are on the safe side, but what about the US-based SaaS providers in Europe?
Safe Harbor had enabled companies operating in the EU to transfer their users’ personal data to the US for over fifteen years. Businesses with servers in the US were legally safe to collect personal data of their European users. During this time, user data was handled in ways that were, to say the least, beyond European restrictions.
The NSA played the lead role here. With far-reaching authority it soaked up personal data from users of American companies in the US as well as in the EU. That's what got Edward Snowden started in the first place. He advocated for transparency and data security, against his former employer. While Snowden paved the way, Austrian law student Max Schrems walked it to the end. After years of fighting he finally received the ECJ’s final answer in his favor last Tuesday.
Some argue that the ECJ has not set an example but only unveiled a long-boiling transatlantic data conflict. Even if both sides knew, they were not aware of how differently the US and the EU states think about data privacy. It's this discrepancy that now makes it so hard for enterprises to react.
The ECJ did nothing more than return to its own standards. It stressed the importance of compliance with the Charter of Fundamental Rights of the European Union. The Charter’s rules are manifested in the Data Protection Directive and the Binding Corporate Rules. Few American companies are up to these standards in data security. With the ECJ's decision, European authorities can now look into any data transfer to the US and test its compliance. The results could be dramatic.
The aftermath of Safe Harbor’s revocation leaves American companies handling European users’ personal data in a huge dilemma. Their options:
- They could set up data centers on EU territory to avoid data transfer to the US altogether. A compelling option, especially for big players. The problem here is that the US government demands access to all data handled by US-based companies, even if it remains in Europe. As long as this stands, US-based companies will not obtain compliance. For European companies with data servers currently located in the US, however, this would be the easiest option.
- They could ask their users to agree to handing over their personal data. Unlikely. Directly confronted like that, millions of users won’t be too keen. Truth is, even if they agreed, this wouldn’t help the companies. According to current EU regulations, not even a voluntary waiver of data protection is permitted.
- They could step up encryption. This would only work if they encrypted their users’ personal data in such a way that they themselves are not able to read it as cleartext. This demands effort and money. For companies whose business model focuses on selling personal data for targeted advertising (e.g. Facebook and Google?) this is not an option.
The conclusion is that for any future agreement between the US and the EU, the US government would need to restrict its own authorities’ reach. Keeping the US reaction to Snowden’s revelations in mind, I don't see that happening. The ECJ, in turn, will strike down any agreement that doesn't include a paradigm shift.
Until courts decide differently, we can expect that the responsibility for compliance with the EU’s Data Protection Directive lies with the company collecting the data. It is unlikely that the authorities will go after users of such software tools. They will head for providers. So if your business is working with a SaaS provider whose servers lie outside the European Union, that provider now has to take special care not to risk legal prosecution.
Userlike is live chat software for websites, allowing companies to chat with their (potential) customers directly on the website.