Monday's ruling by the Court of Justice of the European Union has far reaching effects on all technology companies on both sides of the Atlantic. It’s not yet clear what the implications will be by the invalidation of the “Safe Harbor” law, as the Court didn’t give a grace-period to their ruling. That essentially means that as of the ruling, European data protection regulators could start bringing suit to any company that violates European Privacy rights in regards to the transfer of European data.
When I sounded the alarm about EU’s data protection regulations back in July I had no idea that this is how it would turn out. The court, with this ruling, effectively ended a process that has steadily progressed over the last two years.
By rescinding the law, the court has put US companies on notice that privacy rights are treated as a human right in Europe. Until the revelations of Edward Snowden and the large NSA data spying came to light, no one in Europe and especially America thought much about privacy rights, but the genie is out of the bottle and the ripples will be felt.
What Does the Ruling Mean for European Tech?
As a software developer in Germany, the entire affair casts doubt on how we can do business in the future. At Lookeen, we have a website for Germany and for the US. Like most software developers, this means hosting the site in at least two languages. We host each website on local servers — that means that our .com site is located in the US and our .de site is located in Germany.
“A company in Europe may run afoul of these rules if it uses a US service provider that it sends data to, such as for email marketing. Or it might run afoul of these rules if it sends data to a US subsidiary,” says Daniel Castro of the Information Technology & Innovation Foundation.
What if we wanted to do some analysis of our customer preferences or run an email marketing campaign? We could be in violation just by transferring a customer’s email address to our own local servers in the US.
Who Wins and Who Loses?
I think that European and US small businesses and startups are the big losers. Sure, data separation will be expensive for Google and Facebook, but startups will feel biggest impact. Startups often lack the capital to invest in data centers on two continents, so will end up having to choose one market over the other. This essentially blocks potential customers from accessing their product, because the cost of compliance is too high.
Safe Harbor winners: privacy activists Losers: startups/ SMEs that can't afford local servers/ big legal teams And EU digital single market— Amir Mizroch (@Amirmizroch) October 6, 2015
Amir Mizroch, Tech Editor, Europe, the Middle East and Africa, The Wall Street Journal.
Right now it looks like it will only affect American companies or companies like ours that transfer data between our own storage facilities. While I don’t think that was the intention of the ruling, it does cause uncertainty for everyone. Another concern is that this ruling will set off a tit-for-tat reaction in the US, which would result in more trans-Atlantic separation. What if the American products that we use every day decide that they don’t want to or can’t afford to offer their services in Europe?
The good news is that the EU and the US are in talks. Hopefully there will be some clarification coming soon. In the meantime though, we're all left in the dark.