Data Blog #3. The story of the NSA, Safe Harbour and Guinness


It has been widely acknowledged that there are stark differences between the EU and US with regard to data protection and privacy issues. But imagine that a company, let’s say Google, has its data storage center in the US where it stores the data of all its users. When operating within the EU borders Google has to adhere to EU privacy laws, but a data storage center in the US is outside the jurisdiction of the EU and therefore the EU cannot dictate how the data is treated over there. Due to the differences between the EU and US on how this data should be protected and valued (remember the whole ‘NSA is watching you’ scandal?), the EU is very skeptical towards these data centers located in the US.

This skepticism resulted in the annulment of the EU-US Safe Harbour Decision. The Safe Harbour Decision made data transfers between the EU and US possible by stating that the US data protection was up to the 1995 EU data protection standards. This meant that US firms were allowed to collect data from citizens in the EU, transfer it to the US and store it in a data center there.

Recent NSA scandals and a subsequent suit filed by an Irish legal scholar led the European Commission and EU Court to initiate investigations into the Safe Harbour Decision. They found that, by US interpretation, US rules and regulations concerning data protection always trump the Safe Harbour Decision. This implies that when there is a conflict between the Safe Harbour Decision and US requirements, US firms had to comply with the US rules and regulations. With everything that was going on at the time (NSA surveillance programs, data breaches) the EU Court decided that allowing US companies to store data in the US was no longer an option. Actually, the EU Court stated that the way the US handled the data “compromi[zed] the essence of the fundamental right to respect for private life.” That’s a bit harsh, isn’t it?

Since the annulment most US companies have moved their data centers to... Ireland. Why Ireland, of all places? Perhaps they got lost and were hoping to find a Guinness brewery in the neighborhood? But alas, that does not seem to be the reason. Instead, as you have probably imagined, the reason is more sensible. US companies prefer to establish themselves (and their data centers) in Ireland due to the low corporate tax rate. Additional factors are the stable political and environmental climate, resulting in a relatively risk-free investment. The well-educated and young workforce, in combination with a government that is willing to help with administrative and financial issues, makes Ireland the #1 EU place for US IT and software companies.

The data of is stored either in the Netherlands or Ireland with third-party storage centers (e.g. Amazon). Since they are both in EU territory they automatically comply with EU rules and regulations concerning data protection. This also applies to the data of non-EU users. Even though our data is stored with third-party storage centers, they do not have access to that data.