EU High Court To Review US-EU Data Safe Harbor Agreement

jfruh (300774) writes with news that a complaint in Irish Court against Facebook for possibly sharing personal data of EU citizens with the NSA has escalated to the European Court of Justice which will review the continuance of the U.S./EU Safe Harbor Framework in light of PRISM. Under European laws, personal data of EU citizens can't be transferred to countries that don't meet EU standards for data protection. The U.S. doesn't meet those standards, but American companies have worked around this by using EU standards for the data of European citizens, even that data stored on servers outside of Europe. Now the EU's highest court will decide if this workaround is good enough — especially in light of revelations of the NSA's Prism data-mining program.

It's not. But neither is the EU protection

[Opportunist]

Considering that the USA don't even need it but could essentially siphon the data directly from European countries with the aid of European governments... does it really matter?

That's essentially pondering whether the front door should be locked when the back door is opened from the inside by those we employ to guard it.

Re:

[Anonymous Coward]

> That's essentially pondering whether the front door should be locked when the back door is opened from the inside by those we employ to guard it.

"One Down and One to Go" vs "None Done and Two to Go". I vote for the first.

Re:

[Opportunist]

If one was down, I might consider thinking about pondering to agree. Even though I still follow the rule that your defense is only as good as your weakest side is. What's the worth of a castle with a missing fourth wall?

Re:It's not. But neither is the EU protection

[Luckyo]

It means you only need to build that fourth wall, instead of third and fourth.

Re:

[Opportunist]

Coulda, woulda, shoulda... all meaningless when the attack is already underway.

Re:

[Luckyo]

So in your opinion, it's best to just surrender instead of trying to build defences one by one?

Apply that in real life and kill yourself then. I'm sure there are plenty of problems you can't solve in one swoop, and clearly since solving them piece by piece is a wrong approach, you should just end it now.

Re:

[Anonymous Coward]

What does it matter?... It would basically make it impossible for facebook and google to send user data to non-EU datacenters, and that means that the company and EU-side workers will be liable if EU customer data is siphon'ed off at those non-EU datacenters. Basically they cannot longer hide behind the safe harbor framework.

About the GCHQ/etc sucking up all our data as it moves between datacenters... well that comes under the requirement that the companies keep private data safe. That's another lawsuit for

Re:It's not. But neither is the EU protection

[Xest]

Plus it seems pretty clear that GCHQ is in breach of the Data Protection Act in the UK, which makes allowance for law enforcement, but obviously by harvesting all data GCHQ goes beyond that. The specific exemptions in law are:

- the prevention or detection of crime;
- the capture or prosecution of offenders; and

Obviously harvesting data of innocent non-crime committing people achieves neither of these things. Which is why I suspect GCHQ's acts wont survive subsequent court challenges anyway - even if they succeed in national courts, they'll get slapped down at European level as whilst the creation of the UK's supreme court has created a puppet for parliament in the judiciary they still have no way of manipulating the European Court of Justice.

So it's a multi-pronged approach. Saying "Well there's no point fixing this, because that is broken" is stupid when "that" is also being targeted for fixing also. As you imply, just because there's more than one issue doesn't mean we should deal with none of them, it just means they have to be dealt with as separate cases.

Re:

[drinkypoo]

Obviously harvesting data of innocent non-crime committing people achieves neither of these things. Which is why

...governments favor excessively complicated legal codes, under which nearly everyone commits multiple crimes every day. Everyone is a criminal. Given that, they can use the 'detection' excuse readily.

Re:

[yacc143]

Worse, if the question ever ends up before the EU Court, I'm almost certain that it would not look very favourable on this "everything outside Germany is external for purposes of surveillance" idea (substitute Germany for the your favourite EU member country), considering that the "Common Market" makes exactly that thought forbidden by default. As in, you need a very very good reason, and claiming national security might not get you far in the context of an European Court.

Re:

[amias]

I see this as the EU looking to make US companies lobby their government to stop spying

the USA is not a full signatory to most international treaties which is a pisstake given its puritanical stance towards the rest of the world.

Re:

[yacc143]

Well, stopping to spy won't be enough. It's that "US security complex uber alles" tune that would need to be stopped, but D.C. seems to like that perfectly fine.

Re:

[Megol]

Yeah. Except that isn't true. Unlike in the US and most other countries the EU have strict laws about gathering and sharing information and many countries have even stricter local laws. The EU also thinks personal privacy should be protected (within reasonable limits). Some countries even require registration before storing public information into databases, that is non-sensitive, non-secret data. Why? Because using a lot of public data cross referenced with each other can be used to extract patterns hintin

Re:

[yacc143]

Actually, the US don't get the concept of privacy as it's understood in the EU.

And basically all EU members have legislation about privacy on the books, because it's rooted in the EU data protection directive (basically, that's how the EU legal process works, and in any EU member not having legislation on the books fulfilling the requirements of the directive, the directive becomes directly applying law).

The only thing currently is that the implementation of the law and it's enforcement are done at the memb

Re:

[yacc143]

Well, first of all, it's about declaring an obvious fabrication as such (that an US company can, even they wanted to, comply with EU regulations, which US courts have ruled they are not allowed to, so it's obviously a fairy tale). That completely leaves the situation open concerning government aided spying, which by the way, European governments have been trying under cover. Well, vermin likes it dark.

On a commercial side, currently the situation is completely unsatisfactorily: European companies are forced

I can see why they didn't investigate

[Joe Gillian]

The decision by the Irish DPC not to investigate makes perfect sense - this case is essentially all politics, and nothing more. The finding is inevitably going to be that the existence of the NSA violates European data privacy laws, but there really isn't a whole lot the EU could do about it - they can't tell the US to shut down the NSA, and they can't revoke the ability of non-EU servers to host EU data without effectively creating a second Great Firewall. Nothing can ultimately be done about it, and so the only real result would be this "Europe-v-Facebook" group scoring some political points.

Re:

[yacc143]

It's not about the spy agencies.

There are many many things in the US legal environment that make it incompatible with EU privacy laws.

Re:I can see why they didn't investigate

[i kan reed]

You can punish the hell out of a perpetrator of the crime(assuming they have presence in the EU). That's what's being considered. Giving companies that have business in the EU pause about mindlessly toadying to US government organizations.

Re:I can see why they didn't investigate

[Sique]

It could give all the european intelligence agencies cold feet for cooperating with the NSA. It could give all the citizens angry about the constant surveillance and the nonchalance of their politicians about it a boost. It makes everyone liable who gives material support to the NSA from within the E.U., which in turn makes the life miserable for David Cameron and the GCHQ.

Re:

[Joe Gillian]

If that were the case, this "Europe-v-Facebook" group should have gone after GCHQ, which is in an EU member nation and which is under the jurisdiction of the EU high courts. Heck, they could even make the exact same case: GCHQ collects data on EU citizens on the grounds that if they use any service located outside of the EU it counts as foreign, and sends some of that data to the NSA, who undoubtedly do not have the required EU privacy regulations in place. The EU courts could then regulate GCHQ and other E

Re:

[Sique]

The GCHQ could claim administrative priviledge (as they actually did [privacyinternational.org], linked PDF), but if the transfer of data itself ist forbidden, they have an administrative priviledge with no one to actually priviledge on.

Re:

[yacc143]

It's not about the spy agencies. It's about US companies having a business model that is very very edge case in relationship to EU privacy laws.

Now the US companies promised to follow EU regulations voluntarily to be allowed to transfer data from the EU to the US. This guy basically has proven that Facebook (just one random example) does not even the business processes setup to to comply with EU laws. And now it has reached a new level, because they basically said that the Safe Harbour Agreement cannot work

Re:I can see why they didn't investigate

[Charliemopps]

They could fine Facebook until they hosted European data in Europe. If they refused they could seize their assets, and deny them revenue from European companies. The end result being that facebook and other companies like them would go screaming mad to congress. So yes, there's plenty that could be done.

Re:

[yacc143]

Nope, fascinatingly, this is not about the NSA as such.

The issue is that for many reasons, US companies cannot implement European standards in data privacy laws. That starts from some lowly county judge issuing subpoenas and at the other end you've got the "America uber alles" chanting federal intelligence apparatus, e.g. NSLs, all kind of regulations in the Patriot Act, giving Teleco providers retroactively immunity for cooperating with the government, and so on.

So now we've got the situation where there i

At what point

[maz2331]

When are the US-based companies going to simply shut down their satellite offices in the EU, keep all personnel in the USA, and change their TOS such that any use is under US and California law? They could simply outsource their sales operations to a third-party in foreign jurisdictions.

Re:At what point

[Sique]

To what end? That means that they can't use the irish tax havens anymore. That means that they have no footing if they want to sue. That means that even mediocre european companies will eat their marketshare because they are present in the E.U.. And if the sales company in the E.U. sues them for falsely representing the actual handling of the data, they aren't off the hook either.

Yes, an U.S. based company could avoid the fallout. But is it worth it?

Re:

[turp182]

One word, use tax havens in the Caribbean. Who doesn't do that?

If a company says that what you do is public, there is no recourse. As long as what they are sharing is clearly stated (how it's used, I'm not so sure). If a company says blatantly that certain information is public, then it can be so.

For a while I worked for an US based international insurance company, with several years on an underwriting project (medical record images and data). The project didn't involve business in the US, there was alr

Re:

[yacc143]

Hint, using tax heavens is not as simple.

The IRS have it's own idea what's okay or not.

Going through a number of countries, "First World" countries to be exact what makes this feasible. Because for the IRS, their "contact" is in Ireland. Ireland has a number of interesting regulations, as many other countries.

Dealing directly with a "low taxation" place is usually a no go, you invite problems, the nicest would be an extreme level of auditing from your local tax authorities. Instead you invoice stuff multipl

Re:

[bigtrike]

When the revenue of such a decision is greater than the expenses, they will do it.

Re:At what point

[Poeli]

And leave behind a 500M people market? Abandon all their current contract and cloud services? I don't think so. The EU is the second biggest market after China.

Even if they do, several European companies will quickly fill the void (like in China) and the USA based companies will have an extra couple of competitors in the world.

Re:

[Xest]

At the point they forget that that also means they can't sell ads in Europe without having a European operation such that they're shutting themselves out of the world's largest economy (the European Union) I would imagine.

So sure they could do that, but they'd rapidly lose the race to global competitors who are willing to simply play ball with privacy and data protection law in Europe and it would be goodbye silicon valley, enjoy your trip into irrelevance.

I'm not sure anyone in silicon valley actually want

Facebook broke the law.

[Anonymous Coward]

The site must be shut down and everything there destroyed (except the employees), effective IMMEDIATELY. DO IT NOW.

Stopping this would stop snooping in the UK too.

[Hammeh]

It was announced this week that GCHQ don't need permission to snoop on UK citizen's activity when the services being used are located abroad as they class it as "external communication" (for the likes of Facebook, Twitter and Google). It wouldn't surprise me in the light of recent events, if the UK government back this plan, to only turn around and say, "Yes you need to keep the data in Europe, but we don't want it here." just so they can continue to *legally* spy on the people via this "external" (overseas) communication loophole.

Re:

[stiggle]

Even if the servers were located in the UK - they would snoop on them as they'd be snooping on overseas traffic coming into the servers, or just route the traffic offshore and back again (fat pipe to the Isle of Man or Ireland?) so they can snoop it.

USA can route traffic via Canada to legally snoop on American citizens, as its being snooped in Canada.

Re:

[stenvar]

Are you kidding? Many European nations have gigantic loopholes in privacy protection when it comes to government spying on their own citizens. European governments absolutely hate your data being on US servers because, while the NSA may be able to get at it, the US won't share that data except when it serves its own interests, which is rarely. Furthermore, European nations don't have a prayer to tap data in the US by technical means.

European governments are itching to force their citizens to store their dat

Re:

[davester666]

By "external communications" GCHQ meant that the communications left a person's house, not the country. Once the signal leaves your property line, it's fair game for them, no matter what technology is used to transmit it [copper, optical cable, airwaves]

The problem with safe harbor

[L-One-L-One]

With the safe harbour agreement american companies basically "promise" to follow some rules related to privacy, which are compatible with European values. But to make such an approach effective, someone has to verify that the "promises" are real and eventually impose sanctions if they are not. That someone is -- in theory -- the FTC.

The problem with safe harbor is that it is been very weakly enforced. In the first decade since it was created, there has been no real enforcement action that I've heard of. This gives the impression that Safe Harbor is pretty toothless. FTC has only recently (2014) began to enforce this framework, because Europeans threatened to abandon it.

Re:

[Alain Williams]

The trouble is that facebook et al are subject to the patriot act - this means that all the govt of the USA needs to do is say ''give me this data'' and they have to do it. The data can be anywhere in the world, if they can access it they need to give it to the NSA/... upon demand and can be stopped from telling anyone what they have done.

This could result in these companies being put into an impossible position where they have to meet conflicting demands both of which they must absolutely obey. The only wa

Re:The problem with safe harbor

[Jahta]

The trouble is that facebook et al are subject to the patriot act - this means that all the govt of the USA needs to do is say ''give me this data'' and they have to do it. The data can be anywhere in the world, if they can access it they need to give it to the NSA/... upon demand and can be stopped from telling anyone what they have done.

No, the trouble is that the jurisdiction of the Patriot Act (and all other US laws) ends at the US border; regardless of what agencies like the NSA like to believe. If US companies won't (or feel they can't) abide by the laws of the foreign countries in which they trade, then they'll just have to stop trading in those countries.

The economic impact on US tech companies of Prism, the Patriot Act, etc. is not exactly news; NSA's Prism Could Cost U.S. Cloud Companies $45 Billion - InformationWeek [informationweek.com].

Re:

[CrimsonAvenger]

No, the trouble is that the jurisdiction of the Patriot Act (and all other US laws) ends at the US border; regardless of what agencies like the NSA like to believe.

Got bad news for you. It is NOT illegal for the NSA to spy on foreigners.

Any more than it is illegal for the espionage agencies in your country to spy on foreigners.

That is, in fact, what espionage agencies are for - to spy on people.

Re:The problem with safe harbor

[Jahta]

No, the trouble is that the jurisdiction of the Patriot Act (and all other US laws) ends at the US border; regardless of what agencies like the NSA like to believe.

Got bad news for you. It is NOT illegal for the NSA to spy on foreigners.

Any more than it is illegal for the espionage agencies in your country to spy on foreigners.

That is, in fact, what espionage agencies are for - to spy on people.

Got bad news for you. While the activities of the NSA may be technically legal *inside* the US, they are certainly not legal anywhere *outside* the US. The same is true in reverse; the US certainly doesn't operate a "live and let live" policy towards foreign espionage agencies operating inside its borders.

In any event, the point here is that US companies operating in foreign countries can't use the Patriot Act (or any other US law) as an excuse for flouting local laws. The personal data of EU citizens is protected under EU law. If US companies want to do business in Europe then they must abide by those laws.

The US wouldn't tolerate foreign companies breaking US law in America. What makes you think other countries should tolerate US companies breaking their laws?

Re:

[drinkypoo]

Got bad news for you. It is NOT illegal for the NSA to spy on foreigners.

Not in this country. If they take actions in other countries, those actions can be violations of the laws of those countries. There used to be a spying agreement between the US and Germany but it was dropped. I read something about talks about a new anti-spying treaty agreement, but I didn't go into it.

Re:

[yacc143]

Got even worse news, yes it's illegal, just not by US laws. And if they do it outside of the US, it becomes illegal, if the local laws don't have loophole. In many cases such loopholes might exist, but in some, where in the past the NSA and local buddies relied more on secrecy, it might be actually criminal.

The question is of enforcing stuff, which funnily, the EU High Court is probably one of the places where this might hurt even the US (basically, even US-friendly Politicians that like to snoop on their o

Re:

[stenvar]

The trouble is that facebook et al are subject to the patriot act

And in Europe, E-mail providers are subject to European data protection laws, which are generally weak when it comes to government spying and police action.

Relying on laws to protect your data is futile. What you can rely on is government enmities and obstacles. Put your data on US servers, and the NSA may read it, but the UK government won't unless they have evidence that you're a terrorist. Put your data on a UK server, and chances are the U

Ummm

[Ryanrule]

Most of the euro governments willingly handed over information to the NSA so they could stick their fingers in the big ass pie the US was baking.
UK, Germany, France, all complicit.
Clean your own house europe.

Re:

[dave420]

This is what's happening. It's strange you acted so very defensively when criticism of the US was made. You do realise that attitudes such as yours guarantees that the US's own house isn't cleaned, right?

Re:

[yacc143]

Well, it's about US companies not following EU laws. It's not about spying agencies.

Europe Needs To Spy Hard

[Jim Sadler]

Considering that terror attacks in Europe have been far more frequent and ongoing the various nations need to collect information and share it to an even greater level than the US. Most people will never make note that revolutions occur across cultures. For example France, England and the US had revolutions close in time to each other. We are almost one culture and share a common majority race. Right now revolutions are in progress in the Arab nations. The cultures of Arab nations vary a bi

Re:

[stenvar]

Your posting is proof that any sufficiently advanced sarcasm is indistinguishable from stupidity.

translation

[stenvar]

The translation of all this is: "build more data centers in Europe; we need the jobs, and our governments want to have easier access to the data directly on European soil".

But they don't care

[viperidaenz]

Because the UK GCSB still intercepts the data without a warrant.