The amazing adventures of personal data in European Union court

Yesterday the European Court of Justice ruled that the Safe Harbor agreement is invalid: what does this decision mean for your personal data?

Yesterday the European Court of Justice ruled that the Safe Harbor agreement, which allows American companies to store and move personal data of European users in the United States if they guarantee an “adequate level” of privacy protection, is invalid. It’s good news and bad news at the same time.

The good news is that this ruling indicates that people do care a lot about privacy and finally recognize that their personal data is very valuable. Moreover, some of them are ready to go to the highest courts to claim their rights to their private data. In the post-Snowden era that’s not surprising: intelligence services constantly violate people’s privacy, and now it’s more obvious than ever. All in all, the level of protection can be described as ‘hardly adequate.’

With that said, the court decision is not the end of the process; it’s just the beginning. Irish authorities (the case was brought in Ireland, due to Facebook’s European headquarters being based in Dublin) must now examine the complaint and decide whether “transfer of the data of Facebook’s European subscribers to the United States should be suspended” as it does “not afford an adequate level of protection of personal data.”

It is also worth mentioning that the European Court of Justice ruling is final and cannot be appealed.

This step by the European Union is not the first of its kind with regard to data privacy. In February of this year, the Russian Federation passed a law requiring that the personal data of Russian citizens be stored locally in Russia from September 1, 2015. Unlike in the EU, no court ruling was needed, as there was no Safe Harbor or similar agreement with the US.

As always happens with swift laws like this one in Russia, the deadline was moved to January 2016, as most of the companies doing business in Russia were unable to move users’ data that quickly. Some of them, like Facebook for instance, are likely to ignore the new law, preferring to pay fines (which are moderate) instead of building expensive local data centers.

The problem is, however, that people think about data as if it were something physical. ‘Hey dude, it looks like our cars are not that safe there, let’s park ’em in our driveway and nowhere else.’ But data is data; it’s ephemeral by nature. It’s easy to access, it’s easy to transfer, it’s easy to copy. What is surprisingly hard is to completely control where the data flows geographically.

Huge companies like Google, Facebook, VISA, MasterCard, etc., who own dozens of data centers all around the world, usually don’t care where all their users’ data is actually stored. It’s the Internet, baby, everything is a couple of milliseconds away from you, so why bother about which country it is in?

It will take some time for these companies just to sort all the data and work out what should be stored here and what should be stored there. So the bad news is that people from the past are trying to handle information in an old-fashioned way, as if they were handling stuff from the physical world. And they are trying to build walls in the virtual world, which was designed to be continuous and borderless.

This is a dead end. Until everybody realizes that, IT companies will spend oodles of money and effort to appease this government or that one. For a start, they will deal with the European Union and Russia. Later, as other governments smell the blood in the water, they will probably torment the IT companies as well. Get your popcorn ready.

Back to the above-mentioned car analogy. The real question isn’t where a car is actually parked. The real questions are: How safe are the door locks? Is it legal to steal a car? What can you do to a thief? And probably the most important question here is this one: Why on Earth does everybody own a key to MY car?