Safe Harbor Turns Choppy: Watch your data

Privacy and data security concerns crop up in many contexts, but in the post-Snowden world, where national governments have been revealed as super sleuths with a penchant for rifling through electronic data streams, the matter has grown in importance.

Recently, in a court case known as Maximillian Schrems v. Data Protection Commissioner, the European Union's European Court of Justice invalidated a measure generally known as Safe Harbor, which had been concocted by the US Department of Commerce and the European Union to help US entities navigate the strict privacy requirements of the EU. In general, Safe Harbor had seemed like a boon to all. Its provisions were supposed to prevent accidental information disclosure or loss by US companies holding data from Europe.

Under long-standing privacy rules in Europe, companies weren’t permitted to send data outside of the region unless they could show that the protections of data were the same or better. Proof involved either being subject to national laws of equivalent or greater stringency than those in Europe or relying on other documented internal processes. Since a July 2000 decision by the European Commission, US firms that followed those principles had been allowed to move data to and from the EU with impunity.

The lawsuit addressed the possibility that under US law, government agencies could potentially access and utilize the data, contravening European privacy laws. And that concern was enough to shift the ground under an entire slice of the economy.

What are the implications for the industrial world? Unclear but still significant. Obviously, big tech companies such as Facebook and Google are feeling an immediate impact. They deal in lots of personal data and they work across borders. Moreover, their vast infrastructure of servers shares data freely for the sake of efficiency. Given how crucial e-commerce has become to the global economy, one would expect that bureaucrats on both sides of the Atlantic are going to be working hard to devise stopgaps and to prevent this development from becoming completely disruptive. At stake are billions of dollars.

Industrial firms are not as much on the front line of this discussion, but they will have to be involved. Almost any firm could be at risk under the decision, and the larger the firm and the greater the volume of offshore data, the greater the risk. Consider all the customer-facing elements for any large organization, let alone the amount of data they share and use. And no one has given much thought, until now, to where exactly “routine” business information lives.

By one estimate, at least 5000 companies have taken advantage of the Safe Harbor “self-certification” process to comply, at least nominally, with European privacy laws. They are the ones on the front line for the moment.

Longer term, with the vast data gathering potential of the Internet of Things in general and the Industrial IoT in particular, the development could be very concerning.

The European Commissioners have indicated they will have more to say in the near future, while in the US, the Secretary of Commerce has released a statement showing how seriously the department views the situation.

While governments sort out the mess, lawyers will be working overtime to craft new solutions to this vexatious aspect of international law.


Alan R. Earls is a Boston-based writer focused on technology, business, and manufacturing — a field where he spent the earliest part of his career. He has written for publications and websites as diverse as The Boston Globe, Computerworld and Modern Infrastructure as well as Industry, The Manufacturer, and Today's Machining World, and is a regular contributor to the Smart Industry Connect blog.