Safe Harbor 2.0 Dealdine Looms
A case brought against Facebook by Austrian data activist Max Schrems, shown here talking to the media in 2015, led to the European Court of Justice striking down the Safe Harbor agreement. Reuters

LONDON -- Imagine each country with its own Internet, gated off legally and governed by its own privacy laws. That's the concern some have raised in the wake of the E.U.'s Tuesday ruling on the Safe Harbor agreement that will force companies like Google, Facebook, Microsoft, Twitter and many others to contend with local laws -- and store data individually -- in the European countries where they have users.

“It concerns me that we may be moving to a balkanized era, where data has to be held in a country very specifically across many different jurisdictions," Jimmy Wales, founder of Wikipedia, said at a London technology conference on Wednesday.

Wales added that such a move to create a siloed Internet would, from a purely technological point of view, be “annoying and complicated” and would result in a poorer experience for the consumer. “If I’m in Europe I hope they are near me on a server in Europe, but other than that I want them to provide the best technical experience for me. And if they suddenly have all those requirements and have to keep certain pictures in certain places, it just sounds like a nightmare, so I like the idea of uniformity in the law so that we can all not worry about it,” he told CNBC.

On Tuesday Europe’s top court, the Court of Justice of the European Union (CJEU), ruled that the 15-year-old facility to transfer data from Europe to the U.S. -- known as the Safe Harbor agreement -- was invalid and that each country within the European Union will now have to decide for itself if the transferring of their citizens' data to the U.S. by companies is safe.

While each country can come to its own conclusion, it is widely expected that national courts will follow the ruling, which says "the access enjoyed by the United States intelligence services to the transferred data constitutes an interference with the right to respect for private life and the right to protection of personal data, which are guaranteed by the [Charter of Fundamental Rights of the EU].”

Business As Usual?

But big tech giants have reacted to the decision with a collective "whatever," saying they anticipated the ruling and have plans in place to comply. Facebook told International Business Times that it's business as usual; Microsoft already has provisions in place to limit the impact of the ruling, and Google says it welcomes the decision and the ensuing debate.

To date, over 4,000 U.S. companies have taken advantage of the Safe Harbor agreement and in the wake of the ruling, questions are being asked about just what this will mean for tech companies doing business in Europe. “For companies like Facebook, the implications are incredibly complex. The whole point of Facebook is sharing data across many jurisdictions, so how are they even going to cope with that,” Wales said, while claiming that Wikipedia, which has no legal presence in Europe, would be completely unaffected.

Facebook is at the center of this case after Max Schrems, an Austrian student and Facebook user since 2008, lodged a complaint with the Irish Data Commissioner (Facebook’s European operation is based in Ireland) after the revelations of NSA whistleblower Edward Snowden in 2013, claiming, “The law and practices of the United States offer no real protection against surveillance by the United States of the data transferred to that country.”

The CJEU explicitly states that Facebook has not been found guilty of any wrongdoing, but like Wales, many people have suggested that the ruling could cause major disruption for the social network.

Facebook
An old Facebook post about privacy changes has gained momentum once more. Getty Images

Facebook, however, disagrees. It says there are other processes in place allowing it to legally transfer data from Europe to the U.S. and as a result will continue to operate normally.

“Facebook, like many thousands of European companies, relies on a number of the methods prescribed by E.U. law to legally transfer data to the U.S. from Europe, aside from Safe Harbor. It is imperative that E.U. and U.S. governments ensure that they continue to provide reliable methods for lawful data transfers and resolve any issues relating to national security,” a Facebook spokesperson told International Business Times.

Google, another company that transfers data from Europe to the U.S., has not commented officially on the ruling, but the head of Google’s cloud platform in the U.K., Matt McNeill, told IBT: “I think if you take the big picture around the [Safe Harbor ruling], I think it’s actually a really good thing that’s happening, that people care about it.” McNeill added that it was good to have a discussion now about this from both an industry and political point of view.

Microsoft has also said it will continue to operate as normal. Brad Smith, the company’s lead legal counsel said its customers can continue to transfer data by relying on additional steps and legal safeguards it has put in place on the basis that this outcome was expected: "We don’t believe [the] ruling has a significant impact on our consumer services. Our terms of use make clear that to provide these services, we transfer data between users, which occurs for example, when one user sends email or other online content to another user. We also have data centers in many countries and regions, including several located in Europe."

A Balkanized Internet

This is not the first time that a potentially balkanized Internet has been proposed as a result of the increased awareness of the NSA’s spying capabilities. Back in 2013, it was revealed that the NSA had been monitoring the emails and phone calls of Brazilian President Dilma Rousseff, as well as those of Brazil’s biggest oil company and the communications of millions of its citizens. It was proposed that U.S. companies like Facebook and Google would store information on Brazilian citizens on servers only based within the country. We have also seen similar proposals in Russia and South Korea in recent years.

The question is, can a balkanized Internet work on a practical level?

One of the people involved in negotiating the Safe Harbor agreement on behalf of the U.S. Department of Commerce, Brian Hengesbaugh, does not believe it’s possible. “Given the close economic integration between Europe and the United States, where thousands of companies have employees and operations on both sides of the Atlantic, it is difficult to imagine that a truly divided Internet would arise where European data stays in Europe and U.S. data stays in the U.S."

Mark Thompson, privacy practice leader at KPMG, agreed with Hengesbaugh that the task of restructuring the Internet on such a huge scale would be almost impossible: “Whilst it is a possibility that personal information will be required to remain within the geographical borders of some jurisdictions, to do this on a global scale it would be a monumental task for an organization and the practicalities and costs involved would be immense. It would also likely be prohibitive to global trade, innovation and result in high costs of products and services to the end consumer, thus while possible we believe it would be unlikely.”

However, Stuart Buglass, an international business expert at Radius, thinks there is a danger of such a split happening: “Balkanization is definitely a risk if there is no joined-up thinking on how national security requirements and individual data privacy rights can coexist. Big players such as Amazon have already taken a localized approach to its data centers, ensuring that data does not transfer, so we have already gone some way toward a balkanized approach -- to stop proceeding any further down this path requires individual nations to adopt best practice data privacy regimes, make concessions on national security and agree on trade deals.”

Smaller Companies Burdened

The truth is that companies like Facebook, Google, Apple and Twitter have known this ruling is likely for some time and have been putting systems in place to make sure their operations are not disrupted. These include doing transfers that can be legitimized by using model data transfer contracts (so-called E.U. Model Clauses), which is effectively a standard contract approved by the European Commission that contractually binds the overseas data receiver to E.U. data standards.

For internal transfers of data within an organization, there is also the option of Binding Corporate Rules -- internal company standards of data privacy that are required to be approved by an E.U. data privacy regulator.

While companies like Twitter have been rolling out separate privacy policies for users in the U.S. and users everywhere else in the world -- apparently in response to the Safe Harbor ruling -- other bigger companies seem confident that the change in the law will not dramatically impact their business in the short term.

Thousands of companies that rely on Safe Harbor don't have the resources -- unlike Facebook, Google and Microsoft -- to create alternative and comprehensive corporate legal structures for the transfer of data. They may bear the brunt of this and will be left in limbo until each country rules on the Safe Harbor agreement.