This page has no translation in your selected language.

Safe Harbor Was Never Safe. Or: Why It Is Important Where Your Data Is Stored.

The recent ruling by the European Court of Justice that declared the safe harbor agreement between the US and the EU as invalid was a great victory for data protection. After the Snowden leaks it became clear that data stored in the US was not safe from surveillance that would be illegal in Europe.


Max Schrems, who initiated this legal investigation by suing Facebook for not adequately protecting his private data as an Austrian citizen, was very jubilant in his initial response:

He was even congratulated on his success by Edward Snowden:

In a more detailed explanation, Schrems says mass surveillance violates our fundamental rights: “This decision is a major blow for US global surveillance that heavily relies on private partners. The judgement makes it clear that US businesses cannot simply aid US espionage efforts in violation of European fundamental rights.”

Data stored in the US is not safe from mass surveillance that would be illegal in Europe

In its ruling the Court criticized that

  • There is no general privacy law enacted in the US that could guarantee an adequate level of protection for the data of European citizens.

  • Public law enforcement authorities such as the NSA can access the data stored in the US, but are not obliged to follow the Safe Harbor rules.

  • Some agencies (referring to the NSA, of course) can even access personal data stored in the US without having any law that legitimizes their access.

Taken together this means that US national security and law enforcement interests always prevail over EU fundamental privacy rights. Even though Safe Harbor was meant to protect the data of EU citizens, it is obviously not doing its job.

”We need a new ruling that protects the Web as it should be, a secure and private space”

Renata Avila, a Human Rights Lawyer, fighting for privacy rights said: “This Judgment puts people’s fundamental right to privacy before profit. Without effective safeguards for privacy, the Web as we know it could wither and die. Following today’s ruling, new safeguards must now urgently be put in place that protect the Web as it should be, a secure and private space where people can start businesses, research confidential topics or just chat with friends without the fear of being subjected to unwarranted government snooping."

"The manner of the victory also speaks to the power of the Internet to level the playing field. That Max Schrems, a 28 year old law student, could successfully challenge a long-standing international agreement underlines why we must preserve the Web as a space for debate, dissent and progress.”

Big tech companies don’t plan on changing much

However, recent reactions from big tech companies such as Microsoft, Google and Facebook show that these companies don’t plan on changing much. Many companies say they are not bound to European data protection laws even if their customers are living in Europe.

Many companies state that they are not affected by the Safe Harbor ruling. Usually, the customer has to agree to the company’s privacy statement to be able to use their service. By doing so people give up the privacy rights they would be entitled to by law.

In addition, instead of protecting their customer’s data, American companies are already calling for a new agreement to replace Safe Harbor. They say it would be a regulatory nightmare if they had to oblige to 20 or more different European data protection laws.

Move data to countries and companies that take the right to privacy seriously

While in theory the invalidation of Safe Harbor is a great win for everybody’s right to privacy, in practice it won’t change much. Everybody – as a user – has to show the tech companies of the world that they care about privacy. They can do so by only choosing services that get privacy right and that store their user’s data in a country with strong data privacy laws.

One of the better places for storing data is Germany as the data privacy protection is very strict and there is no data retention law in place.

The best option, of course, is to use only services that store all user data encrypted. This makes it impossible for data greedy agencies to copy, store, and search everything. With our secure email service you can already get this level of protection. We store all user data encrypted on German servers, and only the user can access the data.