If this case succeeds, what would be the consequences for organisations using US owned cloud services? If e.g. a housing association decided to move their data to Office 365, could all their tenants claim compensation?
Facebook needs to defend Austrian privacy violation case
Privacy activist Max Schrems, leader of the “Europe-versus-Facebook” movement, has had a procedural win in Austria that means Facebook Ireland has to prep its defence. According to Reuters, Schrems says his lawsuit in Austria's Vienna Regional Court has taken a step forward, passing its first review by the court. As a result …
Friday 22nd August 2014 05:44 GMT big_D
Only if they can prove that the cloud company are providing access to their own employees or to third parties without getting permission from the account holder - and the account holder would in turn need to get permission from each affected person.
More worrying is the other case, in the USA, where the US courts are saying that it is irrelevant if the data in Outlook.com is held on servers outside US jurisdiction and the servers are owned by a company not incorporated in the USA (MS Ireland), MS USA is incorporated in America and is the parent company and "it is only data", so the USA has jurisdiction in Ireland to obtain the data with a US search warrant.
If MS lose the appeal, then it will effectively make using any cloud service with ties to the USA unusable, because you could face prosecution at any time in the EU for violating the Data Protection laws, when the cloud provider hand over non-US data to the US Government without getting a valid EI warrant.
Friday 22nd August 2014 08:47 GMT Alan Brown
"If MS lose the appeal, then it will effectively make using any cloud service with ties to the USA unusable, because you could face prosecution at any time in the EU for violating the Data Protection laws, when the cloud provider hand over non-US data to the US Government without getting a valid EI warrant."
Even without the New York case: MS made it abundantly clear to my employers that if the PATRIOT act is invoked they would hand over data without hesitation - and this is something that most people haven't picked up on.
The NY court argument centres on whether "national security" is the only way such data handovers can be forced.
Friday 22nd August 2014 07:56 GMT A Non e-mouse
So the crux of his argument is that Facebook transferred his data outside the EU. Surely for this to work, he has to show firstly that he had a reasonable expectation the data would be stored/processed in the EU, and then secondly, that the data was transferred outside the EU without his permission?
Friday 22nd August 2014 08:49 GMT Alan Brown
"Surely for this to work, he has to show firstly that he had a reasonable expectation the data would be stored/processed in the EU"
Yes he does - and Facebook make it clear that it will be shipped to USA servers in their T&C.
Personally I think he doesn't have a leg to stand on, but EU courts have made some odd decisions in the past.
Friday 22nd August 2014 16:28 GMT James Micallef
"he has to show firstly that he had a reasonable expectation the data would be stored/processed in the EU, and then secondly, that the data was transferred outside the EU without his permission?"
No, not really. EU law allows transfer to US if US offers equivalent protection to EU. FB taking data to US, saying US offers equal protection when clearly US does not protect privacy at all, let alone to EU-required standard. So, in EU at least, he has a case.
Friday 22nd August 2014 11:35 GMT Anonymous Coward
Data wasn't transferred to the US
My problem with the legal argument is that the data was never transferred to the US. It has only ever existed in the US so it hasn't been transferred anywhere. When the user enters their details into Facebook, the data goes straight to the US and is never stored in Europe.
I totally agree that the MS issue is far more important, but we knew back in 2007 when the SWIFT scandal broke that the US could compel anyone in the US with access to data overseas to give them a copy. (http://www.theregister.co.uk/2007/02/16/swift_hm_treasury/)
Saturday 23rd August 2014 03:11 GMT stizzleswick
Re: Data wasn't transferred to the US
"[...] data was never transferred to the US. It has only ever existed in the US [...]"
Yes, the data was transferred to the U.S. When data is being accumulated by the likes of Facebook from an entity (e.g., a user) being at that time outside of the U.S. and added to a database being handled from inside the U.S., then that data is transferred. After all, Bacefook does have more than enough servers outside the U.S. to handle all data from its non-U.S. users, but prefers to collate its databases inside the U.S.
I don't blame them for that as such; after all they have to please their shareholders. But can you guess why I'm not using their services and probably never will?