Looking for a Safe Harbour in a data storm?

It is a general rule that as the importance of a resource grows so too does the interest those in power have in it. Data is becoming one of the world’s most important commodities.

Its newfound position has brought it under the scrutiny of regulators across the world. In Europe, a raft of judicial decisions is coming ashore that could fundamentally change how data is collected, managed and used by businesses and individuals.

The latest judicial milestone, courtesy of the European Court of Justice, is a ruling against Safe Harbour. In a nutshell, Safe Harbour is a data transfer agreement between the US and EU.

Critics have argued that because the US did not have to meet EU data protection requirements, it provided insufficient protection for EU citizens. With the agreement, which was created in 1999, now annulled, there are big question marks as to how US tech companies will need to respond.

The immediate consequence appears to be that US companies that deal with personal data about people living within the EU will have to keep that data in Europe.

Practically, this means many more new data centres will need to be built to store this information and data management procedures will need to change. For big tech companies like Google and Facebook, the ruling is a nuisance, but as many of them already have significant data management infrastructure in countries like the Republic of Ireland, it won’t be a complete game-changer.

It’s smaller, data-intensive American tech companies lacking significant resources in the EU that will be the most severely affected.

The Safe Harbour judgement follows another decision last week, also by the ECJ, involving a Hungarian online advertising company that transferred data to a debt collection agency.

The ECJ decided that if a company has a website translated into another language – i.e. targets consumers in another member state – it will have to comply with the data protection rules that govern that country.

This creates a headache for businesses that operate in multiple European countries. Previously, a company residing in the UK only had to pay attention to UK data laws. Now, many businesses both within and outside the EU will need to review and update their data compliance procedures to observe several different sets of rules.

Adding another layer of complication is the pan-European data protection directive which is due to hit sometime next year.

On paper, the directive should homogenise rules, thus making life simpler for businesses. However, the latest draft of the directive contains multiple flexible provisions that can be interpreted in different ways by each member state. There are also several passages that contain unsettlingly vague phrases. For example, there’s a rule that allows companies to change how and what they do with data if they can show ‘legitimate interest’. Just what constitutes a ‘legitimate interest’ is anyone’s guess.

The changing environment in relation to data protection isn’t confined to Europe. In the US, another case relating to whether the US Government can access information stored in a data centre in the Republic of Ireland will undoubtedly cause a stir when the judgement is handed down.

Undoubtedly, the Edward Snowden affair has coloured some of the argument in Europe in relation to data protection. Few people could argue convincingly that there is currently enough transparency or protection for consumers. However, my fear is that the volume of changes coming down the track is creating a more complicated and dangerous environment.

Many of the online services we all enjoy are dependent on the global free flow of data. Much of the innovation currently taking place in areas such as wearable technology, smart cities and the Internet of Things is also heavily data dependent. Unilateral action by the EU or other countries risks creating a protectionist legislative arms race which will ultimately harm consumers.

A better strategy would be to take a more conciliatory approach to data protection that is grounded in ethical usage and transparency. By working closely with other nations and businesses, we can create a global solution that offers a level playing field for tech companies, while also giving consumers adequate protection. This would obviously require a lot of cooperation; however, maintaining trust in how data is collected, stored and analysed is in all our interests.

Mike Weston is CEO of data science consultancy Profusion