Safe Harbour ruled INVALID: Facebook 'n' pals' data slurp at risk

In a landmark ruling that will have far-reaching repercussions, Europe’s highest court has ruled that data sharing between the EU and US under the Safe Harbour framework is invalid. The decision in the Max Schrems case on Tuesday morning has been anticipated for months, but now legal eagles will have to work out how to manage …

  1. John Robson Silver badge

    Monolithic global companies

    Simply can't deal with multiple sets of legislation...

    When was that a surprise?

    1. Vimes

      Re: Monolithic global companies

      It would be more accurate to say they can but don't want to IMO. It would cost them more.

      1. John Robson Silver badge

        Re: Monolithic global companies

        @Vimes

        No - they cannot, see Dr Mouse's response.

        US law directly contravenes EU law in this area - you cannot comply with both.

        MS are in court at the moment for trying to comply...

        What has the world come to - I'm supporting MS business practices?!

        1. Gordon 10 Silver badge
          Stop

          Re: Monolithic global companies

          @John Robson

          US law directly contravenes EU law in this area - you cannot comply with both.

          It's a little premature to state this pending the outcome of the MS trial. Certain branches of the American Govt would certainly like it to be the case - but it ain't necessarily so yet....

          1. John Robson Silver badge

            Re: Monolithic global companies

            Maybe a touch premature - but I notice in the next ElReg article on the matter:

            "No matter how much Brussels bureaucrats want their latest Safe Harbour fudge to work - the cat's out of the bag. US companies that export data are fundamentally illegal in Europe."

    2. Dr. Mouse

      Re: Monolithic global companies

      Monolithic global companies ... Simply can't deal with multiple sets of legislation

      Actually, I think you'll find it comes down to the American government can't respect the rules and laws of foreign countries.

      Facebook has probably* been complying as much as it is able to, but if the US govt says "hand over this data", they have no choice but to comply. This makes it incompatible with EU data protection laws.

      * OK, probably to the minimum extent allowable, pushing the boundaries as far as they think they can get away with, but still probably technically in compliance except for demands from the US govt.

      1. Matt Bryant Silver badge
        Facepalm

        Re: Duh Mouse Re: Monolithic global companies

        ".....I think you'll find it comes down to the American government can't respect the rules and laws of foreign countries....." Then think again. All this brouhaha makes the flawed assumption that the EU states are not happily involved in the PRISM system and don't spy on their own (https://netzpolitik.org/2015/how-the-german-foreign-intelligence-agency-bnd-tapped-the-internet-exchange-point-de-cix-in-frankfurt-since-2009/). Whenever the NSA has needed local assistance it has been able to call on the local spooks, be they British, Irish, Fwench, German, Austrian, Danish, Dutch, Italian, Spanish, Swedish, etc., etc., if only because those local spooks need the US's help tracking international gangs and terror groups. This was shown in Snowjoke's "revelations", so if you swallow one part of Snowjoke's tale then you have to also accept the EU people now claiming they stand for civil privacy have been lying to you for years already. It is the height of opportunistic hypocrisy for the EU states to now pretend their hands are clean. For example, it was hysterically funny that the same time as Merkel and co were trying to garner votes with their faux outrage over the NSA the BND was desperately trying to get equal access to PRISM as given to the Five Eyes nations, and was sharing data from their own spying ops with the NSA (http://electrospaces.blogspot.co.uk/2015/05/new-details-about-joint-nsa-bnd.html).

        And then we have the so-called repeal of "Safe Harbour", which actually seems to be nothing more than removing the self-certification by US companies. Data going to the US or held by US companies in the EU will now have to be stored in accordance with EU guidelines, which will do absolutely zilch to protect it from either the NSA directly or from their European partners (http://electrospaces.blogspot.com/2013/11/five-eyes-9-eyes-and-many-more.html). US companies will drag in their lawyers, produce some reports, some EU functionary will rubber stamp it and business will continue as normal.

        In short, if you are championing this as a triumph for civil privacy then you have been hoodwinked twice. At best this lets the EU politicians claim to their voters that they have listened to their grievances and "tried to defend them", when the reality is the only possible good that may come out of this is some extra jobs in EU datacenters as the American companies build more in the EU (sorry European social companies but you have already lost the social media wars, Faecesbook and the like are not just going to hand over their European sheep to you). If you are actually of interest to the NSA then this new arrangement will not stop them getting what they want. But, what might help you stop shrieking and ranting is the fact that the chances of you actually being of interest to the NSA are so remote as to be inconsequential. Seriously, there are much bigger problems our EU masters seem happy to ignore in favour of these vote-chasing pronouncements.

  2. JimmyPage
    Mushroom

    So, the US *was* wrong

    the sheer nerve of the US trying to explain *our* laws to us.

    Next year, Theresa May explains to the US congress how they don't really get the US constitution.

    1. Tony S

      Re: So, the US *was* wrong

      @Jimmy Page

      "Next year, Theresa May explains to the US congress how they don't really get the US constitution"

      Based upon some of the things they've done and some of the comments of congressmen, I wonder if they do...

      But yeah, Theresa May doesn't understand English Law, so it might be a tad amusing to see her pontificate on US law.

    2. Anonymous Coward
      Childcatcher

      Re: So, the US *was* wrong

      Hope she explains their second amendment to them... along with the fact that, like everything else, their constitution is imperfect (as one might have hoped would have been amply demonstrated to them by the fact they've already "amended" it twentyfuckingseven times) and is overdue for correction... and thus gets them to stop slaughtering their children.

      1. Anonymous Coward

        Re: So, the US *was* wrong

        Stick it.

    3. Anonymous Coward

      Re: So, the US *was* wrong

      Knowing the U.S. Constitution is one thing; getting the ass-clowns in the U.S. government to actually respect and abide by the U.S. Constitution is a different prospect.

  3. Jagged

    Am I the only one ...

    ... that expects business to carry on exactly as usual?

    1. h4rm0ny

      Re: Am I the only one ...

      No, but it's going to have repercussions. I was recently involved in a deal that the Safe Harbour provisions were an explicit condition of. That contract is already sealed and I don't expect it to come back across my desk because of this... However, I wouldn't bet money on it. We (well my client - I sell my services as a consultant) will still abide by the provisions and we treat customers' data protection extremely seriously. But we've just lost some assurance under law, I think. This WILL affect business deals. I know of a couple first-hand which have been lost not because of this specifically, but because of concerns about sharing data with US companies generally. And if I know of a couple first hand, there are more out there. It's definitely an issue. Though speaking as a European, I approve of this being taken seriously by our courts.

      1. Sir Runcible Spoon

        Re: Am I the only one ...

        IANAL, but I rather think this ruling, especially since these provisions were a stipulation of your contract, makes the contract null and void.

        This is going to take a while to understand the scale of the impact here.

        I'm guessing that a very fast re-negotiation will take place, and this move has strengthened the European position quite a bit.

        Nuts in a vice.

    2. Alister

      Re: Am I the only one ...

      .. that expects business to carry on exactly as usual?

      Um... well I think you may be in a minority.

      Certainly any ruling which reflects the damning statement “transfer of the data of Facebook’s European subscribers to the US should be suspended on the grounds that that country does not afford an adequate level of protection of personal data.” is going to have serious repercussions.

      My employers will definitely be looking closely at this, as we deal with a lot of data for local government, and we already have to go through a rigorous assessment of how we handle and transfer that data. This will only make things worse.

      1. h4rm0ny

        Re: Am I the only one ...

        Indeed. And I've just read that Twitter began segregating data in expectation of increasing problems like this. And Twitter aren't small. So, yes, I expect some changes resulting from this. And given how easy it is becoming to purchase a set-up from AWS or Azure and replicate your services in a different region, I can see this being a viable approach. A hassle, certainly, but hardly a show-stopper.

      2. 0laf

        Re: Am I the only one ...

        And UK gov says you must use Cloud.

        And Cabinet Office has all their data in a US Google data centre now without Safe harbour.

        And the new Data Protection directive from the EU is pending and it's significantly tougher than the old one.

        Time to buy shares in UK/EU data centres that aren't owned by a US registered company coz there is still that MS Vs US DoJ case to settle.

      3. Matt Bryant Silver badge
        Boffin

        Re: Alister Re: Am I the only one ...

        ".....any ruling which reflects the damning statement transfer of the data of Facebook’s European subscribers to the US should be suspended on the grounds that that country does not afford an adequate level of protection of personal data.” is going to have serious repercussions....." Well, OK, let's look at that for a second. Faecesbook being the example, they have just been told they can't copy data from their EU datacenters to the US. Ever stop to think why they were copying it in the first place? They didn't go to the expense of renting cable bandwidth and putting in the transfer systems for fun. They can run analytics against it in the EU without the need to send it to the US, they only copied it to the US for backup purposes. This is a fairly common "follow-the-sun" data-protection solution; Asia-Pacific was backed up to the EU, EU was backed up to the US, US was backed up to the Asia-Pacific, and so if Faecesbook lost their systems on one continent due to a disaster there would always be another copy of the data to rebuild from. Now, all this repeal of Safe Harbour does is increase Faecesbook's backup bill as they now have to do a local backup rather than an inter-continental one. They can still analyse the data locally and send the results to the US, and the NSA can still hit that data in the US or ask one of their European partners to get the data for them. Result? Nothing changes other than some backup routines, some extra cost carried by the social media companies, and some sheeple in the EU will think they have "ensured their privacy". LMAO!

    3. John Bailey

      Re: Am I the only one ...

      "... that expects business to carry on exactly as usual?"

      No.

      But there are plenty of idiots around who think that companies are above the law. Including people running companies.

      Always entertaining to watch them discover the truth.

      1. Anonymous Coward

        Re: Am I the only one ...

        More entertaining to watch who pays the cost in the end. Wot, another price rise?! Must be the inflation, eh?

      2. Matt Bryant Silver badge
        Boffin

        Re: John Bailey Re: Am I the only one ...

        "....But there are plenty of idiots around who think that companies are above the law. Including people running companies...." To be fair to companies like Faecesbook or Google, they are the ones in the middle of this - they have to comply with US laws, so when the NSA or FBI comes knocking with a FISC warrant they are pretty powerless to decline. That's if the NSA do it the polite way as Faecesbook has little chance of keeping the spooks out when they own the cable infrastructure already. The EU will come up with some list of privacy requirements, the social media companies will then enact them, and the NSA will carry on as usual.

    4. Whitter
      Thumb Up

      Re: Am I the only one ...

      Other news sites have a plethora of quotes along the lines of "businesses scrambling to put replacement measures in place". Which is rather pitiful: this case is rather high visibility and a clear business risk that should have been evaluated and planned for. If your company hasn't already worked out their replacement measures then that is a failing of the company's board. And if there simply aren't suitable replacement measures, then your business is (and always has been) illegal.

    5. Anonymous Coward

      Re: Am I the only one ...

      Not really. They cannot.

      Anyone now can nuke any company with data on US soil with a data protection compliance claim and drive it. It also entitles individuals to sue DPAs which do not enforce it.

      Some popcorn, nuts and a comfy sofa to watch the show. It will be worth watching.

      1. Anonymous Coward

        Re: Am I the only one ...

        Preferably not from a hospital as the US dislikes hospitals.

    6. Voland's right hand Silver badge

      Re: Am I the only one ...

      Nope you are not the only one.

      If you look at the stock prices for FB, Google, Amazon, etc - the stock market is indeed having a perception that this is immaterial and nothing has happened. The ruling is in the newsfeed for the relevant stocks, but there is no stock market reaction to it.

      1. Anonymous Coward

        Stock market

        hasn't reacted, because it's already factored regulatory pressures into share prices.

        The lack of impact on shares is a demonstration of what happens when stockbrokers get it right.

    7. Anonymous Coward

      Re: Am I the only one ...

      No, you're not the only one, because only the hopelessly naive believed it ever really meant anything.

  4. Vimes

    One guess as to where the ICO host their website. And which company provides the analytic scripts they use.

    For that matter, how many other UK government websites are hosted in the US?

    1. Anonymous Coward

      Probably quite a few. And that's before you get into Google Analytics, Google Docs, use of US-based mailing list systems, online survey providers, collaboration tools etc etc etc. The list goes on.

      These services often get chosen before some "information governance" bureaucrat raises a red flag. Historically the stock response to such objections was "oh, it's under Safe Harbour so it's OK". Clearly just a fig leaf as El Reg says, and turns out to have been a pretty small fig leaf at that.

      The whole thing's a mess. There are some good, useful, services hosted in the US; rather than just being able to use them I predict an additional layer of information governance approval bureaucracy will now be added at the UK end. And/or government web projects will be forced to select from an EU-friendly subset of suppliers, missing out on suppliers who are potentially better or cheaper. The latter often seems to be the case with US suppliers, perhaps because hosting's cheaper across the pond.

      Nobody wins from this situation except perhaps the lawyers. F**k you NSA, f**k you very much.

      Anon because I work in the area, obviously.

      1. Vimes

        Nobody wins from this situation except perhaps the lawyers.

        Except perhaps EU businesses as well as the privacy of citizens, since the rest of Europe will also have to start thinking in similar terms. And if businesses over here benefit from increased business then this will in turn allow them to grow and develop in ways that weren't previously possible.

        Perhaps this would only be a good thing in the longer term as opposed to the immediate future, but it could end up being good depending on how things progress.

      2. Doctor Syntax Silver badge

        "potentially better"

        I suppose anything other than already perfect is potentially better. And when someone completely fails at a basic requirement then yes, there's maybe potential for improvement. But if they fail due to circumstances outside their control* then I'm not sure the potential really exists.

        *Other than buying themselves a better government.

    2. Tony S

      "For that matter, how many other UK government websites are hosted in the US?"

      It's not just for data centres over there; the data centre could be in Mexico or the Philippines, but if it's managed by a US company, then it's probably no different to being in one actually on US soil.

      1. Anonymous Coward

        "It's not just for data centres over there; the data centre could be in Mexico or the Philippines, but if it's managed by a US company, then it's probably no different to being in one actually on US soil."

        It also applies to DC's in Europe, and all US companies operating in Europe.

        For example, how could Microsoft employ a UK person without processing their PI data, which would then be subject to US law in direct conflict of Safe Harbour (which no longer exists)?

        Removing Safe Harbour without a clear path forward for all major implications is going to cause chaos.

        1. Vimes

          For example, how could Microsoft employ a UK person without processing their PI data, which would then be subject to US law in direct conflict of Safe Harbour (which no longer exists)?

          I would imagine that there would still be room for the prospective employee to agree to it. Getting rid of Safe Harbour wouldn't stop permission being given, it just wouldn't allow permission to be given automatically (or am I wrong in saying that?).

          God forbid US companies have to *ASK* before processing our personal data...

          1. Sorry, you cannot reuse an old handle.

            Personal data should be just that: personal. How good would it be to get a specific request from each party processing these data BEFORE they actually see the data itself and be able to decide as needed? (Think of it as app permissions on your iPhone - and now on Marshmallow too...)

        2. Julz Silver badge

          Having worked for a few USA employers, they all asked me to sign a document agreeing to my personnel and other employment data to be kept and processed wherever they saw fit. Not sure how legal that was at the time and not sure if this ruling affects that too much. It would only be tested in court if somebody had the means and motivation to do it and given that you mostly want the job and compared to the US-MegaCorp, of puny means, it's pretty unlikely to be tested. So I guess things will just carry on.

        3. James Micallef Silver badge

          "how could Microsoft employ a UK person without processing their PI data, which would then be subject to US law... "

          And that's exactly why the whole can of worms in the first place. It is Microsoft UK hiring the person, and not Microsoft parent company. But multinational companies like to see themselves as a single unit in cases such as this for data processing purposes, but as completely separate entities in other cases such as tax law. And the laws of many countries are currently written to accommodate these companies (indeed, in some cases, the laws are drafted by these companies or their lobbyists).

          It's great that finally these contradictions are coming to light, because that's the first step to getting them resolved.

        4. Anonymous Coward

          "Removing Safe Harbour without a clear path forward for all major implications is going to cause chaos."

          There was no "safe harbour" to remove. It was a lie. A sham. A fraud.

          "Safe harbour" has not been "removed" because "safe harbour" never existed.

          1. Anonymous Coward

            ""Safe harbour" has not been "removed" because "safe harbour" never existed."

            It might have been a fig leaf, but it did allow work to carry on. Now that the fig leaf is gone there is no protection (in law) - regardless of what the reality is/was.

            1. Matt Bryant Silver badge
              Boffin

              Re: AC

              ".....Now that the fig leaf is gone there is no protection (in law) - regardless of what the reality is/was." Actually, there is. Since the current "law" (Safe Harbour) has been repealed in the EU the fall-back position is that, until a new agreement is drafted, agreed and put in to service, the US companies can avoid litigation by using existing EU data protection laws. The current law is based around the EU Data Protection Directive, itself under review and due to be replaced by the General Data Protection Regulation which has been slowly dribbling through the EU bureaucracy as a draft since 2012. The EU Data Protection Directive is notoriously woolly and led to the Safe Harbour agreement in the first place as it only says personal data may only be transferred to third countries outside the EU if that country provides an adequate level of protection without actually stating in great detail what those protective measures are. This was intended to give EU companies the means to defend themselves in court against unexpected hacks so the burden of securing data did not make EU businesses uncompetitive - "M'lud, we took all reasonable precautions against our customers' data leaking but we could not be expected to protect against threats we did not even know existed", "Fair enough, not guilty, off you go then!" So, US companies can simply look at the current EU regs, add a few processes where required, and declare themselves in accordance with existing EU privacy laws. If they want some court-proof boilerplate they can get some consultants in to show how their practices are in accordance with the ISO/IEC JTC 1/SC 27 committees' recommendations and get themselves a shiny ISO plaque, none of which will keep the NSA out seeing as it has done nothing to keep the spooks out of European companies' data in the past.

      2. Anonymous Coward
        Coffee/keyboard

        We'll all have to create personal shell companies in banana republics.

    3. Anonymous Coward

      "For that matter, how many other UK government websites are hosted in the US?"

      Sad, isn't it? If you have a serious interest in economical growth in your own country (and a government should have that interest), you don't use foreign services, unless you absolutely have no other choice.

      This ruling is very good news for European companies, including British. And it gives new incentives to offer competing services where previously companies might have thought: "not worth doing, everybody's going to [US market leader of choice] anyway"

    4. Sorry, you cannot reuse an old handle.

      gov.uk DNS roots there so USofA might claim jurisdiction

  5. Mephistro
    Thumb Up

    Great news!

    At this pace, The USA govt will soon have to choose between almost totally dismantling several TLAs or causing many thousands of American IT and services companies to go bust. My heart bleeds for them! ;-)

    I hope they take the right decision. Crossing my fingers on that, though.

    1. Anonymous Coward

      Re: Great news!

      The US Gov won't do a single thing.

      Why?

      The Atlantic versino of the TTIP wil (AFAIK) give US Megacorps total freedom to slurp whatever data the want and sell it to whoever they please.

      Do we get access to their 'data'? Like hell.

      These deals are ONLY for the benefit of the US Corps who fund the US Politico's re-election campaigns to the tune of close to a $1B.

      No matter what the European Courts might decide it will be the USSC that lays down our laws in future.

      The EU will become the 51st state but with no representatives in DC. Get out while you still can.

      1. Anonymous Coward

        Re: Great news!

        The Atlantic versino of the TTIP wil

        As a Greek friend of mine used to say. You know what is Avrio? It is Manana without the sense of urgency.

        I want to see that ratified first _AFTER_ this decision. In fact one of the consequences of this decision is a torpedo salvo under the waterline of those negotiations.

      2. Doctor Syntax Silver badge

        Re: Great news!

        "The Atlantic versino[sic] of the TTIP wil[sic] (AFAIK) give US Megacorps total freedom to slurp whatever data the want and sell it to whoever they please."

        I think your AFAIK has just met a bit of a stumbling block.

      3. The Dude

        Re: Great news!

        "The EU will become the 51st state but..."

        Get in line. Canada is already the 51st state.

    2. Matt Bryant Silver badge
      FAIL

      Re: Mephhead Re: Great news!

      "... The USA govt will soon have to choose between almost totally dismantling several TLAs or causing many thousands of American IT and services companies to go bust....." Please do explain why you baaaahlieve so, if only for the comedy value. Please do bear in mind the current EU privacy laws that "protect" EU citizen data in Europe has provided SFA protection against the NSA mainly because the European spooks were all happily working with those American TLAs. The added burden of implementing current EU privacy laws on data imported to the US from the EU will hardly be so high as to remove the stranglehold US social media companies have on the market. You seem to have put little actual thought into your presumption, just a lot of mindless hate.

      "....My heart bleeds for them!...." IMHO it appears to be bleeding into your brain.

      1. Mephistro

        Re: Mephhead Great news!(@ Master Bollocks)

        "...the current EU privacy laws that "protect" EU citizen data in Europe has provided SFA protection against the NSA..."

        So you can't see how this ruling would cause NSA's collection of European citizens private data orders of magnitude more expensive and risky. Hardly a surprise.

        "...mainly because the European spooks were all happily working with those American TLAs."

        European spooks have to answer to their respective governments, and said European governments have to answer to European citizens, so we can expect important changes in this respect. It may take time, but the tide has already changed. TTIP has received a deadly blow, public awareness of the issue has grown a lot, and American companies have now a huge incentive to put pressure on the American govt. to fix this shebang.

        "...little actual thought into your presumption, just a lot of mindless hate."

        You, accusing me of mindless hate? Oh, the irony!

        1. Matt Bryant Silver badge
          FAIL

          Re: Mephhead Great news!(@ Master Bollocks)

          "....So you can't see how this ruling would cause NSA's collection of European citizens private data orders of magnitude more expensive and risky....." Really? So how is imposing new data protection mechanisms on the social media companies adding any risk or expense to the NSA? The relatively minor legal risk and expense seems to be on the social media companies, but if you want to pretend otherwise please do supply some form of argument to support your p.o.v.

          "....European spooks have to answer to their respective governments, and said European governments have to answer to European citizens, so we can expect important changes in this respect...." Hold on a sec, I need to take a break to find my head as I just laughed it right off. Please do show me the repercussions to the BND from helping the NSA spy in Germany? Or the legal straightjacket that has been put on the GCHQ? Has Francois Hollande dismantled even one department of the DGSE's Frenchelon system? Has the Dutch AVID come out and said it doesn't want access to PRISM after all? In fact, show me one EU member state that has instructed their spooks to break off all contact with the NSA, FBI or other US TLA.

          "....You, accusing me of mindless hate?...." Well, what do you expect when you can't post any argument, just anti-Yank bile? The fact is the European governments do have to answer to their people but they also have to protect them and catch criminals, and tools like PRISM are too valuable to throw away due to mindless paranoia. Hence I comfortably predict the result will be more public posturing, a toothless Safe Harbour 2.0, and nothing will actually change in the background. You will go away claiming victory and the NSA will continue to ignore you in their search for real threats.

          1. Mephistro
            FAIL

            Re: Mephhead Great news!(@ Master Bollocks)

            "So how is imposing new data protection mechanisms on the social media companies adding any risk or expense to the NSA?"

            Perhaps you should read TFA before getting so opinionated. This ruling is about the whole Safe Harbour Agreement between Europe and the USA, not only about social media companies. I'm not sure whether your comment comes from your lack of understanding of what you read or from another of your bizarre attempts at moving the goalposts.

            Have a nice day.

            1. Matt Bryant Silver badge
              FAIL

              Re: Mephhead Re: Mephhead Great news!(@ Master Bollocks)

              "....Perhaps you should read TFA before getting so opinionated...." I did read the article, and you obviously did not. Again, please do explain your original assumption, that this will impose some market-destroying cost on US businesses to such an extent that the NSA or any other US TLA would come under threat? You stated; "....causing many thousands of American IT and services companies to go bust...." - where is your economic argument or market analysis that supports your obviously bile-induced dribblings? Where is the political analysis that shows how the US government would then choose the security cost of disabling the NSA, FBI or any other TLA in favour of the economic cost of simply waiting for another EU fudge (Safe Harbour 2.0 - http://www.theregister.co.uk/2015/10/07/eu_pushes_safe_harbour_alternatives/)? Oh, you don't have any answers because your whole "idea" is based on bile-induced fantasy. This is my surprised face, honest!

              The key to the issue of privacy that you have failed to grasp is that data can be anonymised. No, that doesn't mean it wears a hoodie and sits in a bedroom bragging on 4chan about how using LOIC makes it a "leet haxor". It means you separate the data from any identifying parts, such as by replacing names with unique identifiers. For example, "John Smith" becomes "1002376549874", and any search of the data for "John Smith" turns up a blank. If you had any IT experience you would know that such solutions have been in use in the US for years as a response to the HIPAA regulations.

              Now, unless you actually have a real argument to put up, kindly leave the discussion to the adults, mmmkay?
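
The identifier replacement described in the comment above, sketched as an added example that is not part of the thread or any poster's code. The records, the key and all function names are constructed for illustration; the keyed (HMAC) token is an assumption about how such identifiers would be generated, shown beside a bare hash that anyone can recompute from a list of names.

```python
import hashlib
import hmac

# Constructed sample records; every name and value here is made up.
RECORDS = [
    {"name": "John Smith", "postcode": "AB1 2CD", "diagnosis": "asthma"},
    {"name": "Jane Doe", "postcode": "EF3 4GH", "diagnosis": "fracture"},
    {"name": "John Smith", "postcode": "AB1 2CD", "diagnosis": "influenza"},
]

# Hypothetical secret held only by the data controller (assumption).
PSEUDONYM_KEY = b"constructed-demo-key-keep-out-of-the-dataset"


def keyed_token(name: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Stable identifier for a name; not recomputable without the key."""
    normalised = " ".join(name.split()).casefold().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()[:16]


def unkeyed_token(name: str) -> str:
    """Weak variant for comparison: a bare hash anyone can recompute."""
    normalised = " ".join(name.split()).casefold().encode("utf-8")
    return hashlib.sha256(normalised).hexdigest()[:16]


def pseudonymise(records, token_fn=keyed_token):
    """Return copies of the records with 'name' replaced by 'subject_id'."""
    out = []
    for rec in records:
        row = {k: v for k, v in rec.items() if k != "name"}
        row["subject_id"] = token_fn(rec["name"])
        out.append(row)
    return out


def search(records, text: str):
    """Naive full-text search over every field value."""
    return [r for r in records if any(text in str(v) for v in r.values())]


def guessable(records, candidate_names, token_fn):
    """Which candidate names can someone holding only token_fn re-link?"""
    ids = {r["subject_id"] for r in records}
    return [n for n in candidate_names if token_fn(n) in ids]
```

The same person keeps the same `subject_id` across rows, so joins still work; the other fields (postcode, diagnosis) are left untouched by this step.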

  6. Paul Smith

    NSA hurting US business interests

    This is really good news for privacy lovers everywhere, but not for the obvious reasons. Now that US business has concrete evidence that not respecting privacy affects their profit margin, they will force US politicians to clean up the NSA mess.

    1. big_D Silver badge

      Re: NSA hurting US business interests

      One can hope...

      1. Sir Runcible Spoon

        Re: NSA hurting US business interests

        At this point it is looking like the path of least resistance.

        Like big_D said, one can hope...

    2. Doctor Syntax Silver badge

      Re: NSA hurting US business interests

      " but not for the obvious reasons"

      Not obvious? "Stating the bleedin' obvious" more likely.

  7. Big_Ted
    Big Brother

    Does this mean

    That Windows 10 will be banned unless MS stop uploading data from it ?

    OOooo that could be a real problem for MS couldn't it. Big fines etc etc.....

    Now where's the popcorn ? this is going to be interesting

    1. Mark 85 Silver badge

      Re: Does this mean

      It could also mean that Facebook, etc. will have to segregate their data such that a person in, say, the UK couldn't see a profile from someone in the US and vice versa. Or that someone in the EU couldn't order something online from a country outside the EU. There's some implications here in this whole charade over "Safe Harbor" which isn't safe and never was.

      1. Matt Bryant Silver badge
        Boffin

        Re: Mark 85 Re: Does this mean

        ".....will have to segregate their data...." OK, let's then consider what is a customer's data? Say I upload a digital pic in PNG format to Faecesbook (perish the thought) of myself and an acquaintance. The "data" is what - the visual information that I know that acquaintance, or the GPS and date data added to the digital pic by the camera, or the metadata on the PC I used to upload the pic? All three are transcribed into the PNG binary file, and that is the "data", that unique binary string in that file. If Faecesbook then simply run it through a filter, say converting it from PNG to GIF format, it is no longer the same binary file so can you say it is the same data? It contains the same information - I know so-and-so and was with them at a certain time and place - but the new binary file belongs to Faecesbook seeing as Faecesbook created it. If they keep the original PNG in the EU but send the GIF to the US, have they sent the same data? To go a step further, if the NSA processes the original pic, say clips the photo to remove an empty part of the pic, the binary file is now different - is it still my data or is the new binary file now the NSA's creation and therefore "their" data? If they go a step further in the EU and translate the digital data only relating to our faces, transforming it into a digital bitmap of triangles that can be stored for facial recognition systems, is that new data and can therefore be transferred outside the EU without infringing on data protection laws? It's certainly not the original file any more.

        If you think this is far-fetched then you need to think again. The law already provides legal protection for data derived from other original data. For example, if a company takes a load of public UK data and writes a paper or book on it then that is distinct legally from the original data. Faecesbook can already analyse your EU data in the EU and send the analysis outside the country without being impeded by EU data protection laws as what they are exporting is not the original data, it is derived material and is their own data. Maybe Faecesbook will have to do more data crunching in the EU in the future, but I suspect the results will still be going off to the US unimpeded. Whether the NSA then slurps it there or in the EU they can claim they are not reading "your data".

        1. Mark 85 Silver badge

          Re: Mark 85 Does this mean

          You missed my last sentence I take it... There's some implications here in this whole charade over "Safe Harbor" which isn't safe and never was.

          I quite agree with you. Everyone and his brother slurps and shares. The politicians will now get involved and stir things up and it might be that some companies will have to refuse business. We're owned... and not just by the likes of Google, et al, and TLA's.

  8. alain williams Silver badge

    So will UK gov't stop outsourcing to USA companies

    Like the processing of the last census. Inland revenue and others do as well.

    Give this business to European companies which, cynically thinking, could have been partly behind this ruling.

  9. Velv

    This is why cyberspace needs its own government and laws (perhaps owned by the UN).

    Data does not exist physically. It is an abstract item. Information is a concept.

    To maintain and share data we need physical infrastructure which unfortunately lives in the physical world. And it makes sense to spread that physical infrastructure around the globe to provide maximum resilience. But international boundaries get in the way.

    However, if the data in a data centre was protected against ANY country's individual laws then it could be maintained to international standards. I'm not suggesting anarchy, a free for all, or immunity, but a worldwide agreed standard and laws to protect each individual.

    OK, so it's not going to happen, but it's a sound concept.

    1. Doctor Syntax Silver badge

      "This is why cyberspace needs its own government and laws (perhaps owned by the UN)....a worldwide agreed standard and laws to protect each individual."

      The second part is the requirement but the first part isn't the only way to achieve it. International agreements should be sufficient if (and it's a big if) governments then abided by the agreements they made.

  10. url

    Just to conflate...

    So we can now go ahead and sue the governments in lieu of the tax that their companies haven't been paying, right?

    This is the kind of thing we signed the TPP for, right?

  11. Anonymous Coward

    Student

    Mr Schrems¹ is described in the media as "a law student". Out of interest, does anybody know at what level is he studying? Probably not an undergraduate by now. Just curious.

    ¹ Whose effort I appreciate immensely.

    1. Luke Worm

      Re: Student

      He's a PhD student now.

      1. Anonymous Coward

        Re: Student

        > He's a PhD student now.

        Cheers

        1. Slacker@work

          Re: Student

          Guessing this is part of the thesis - in which case he's now a Doctor!

  12. Anonymous Coward

    You know someone's up for a fight...

    ...when they give you a taste of your own medicine.

    From the Europe vs Facebook site:

    "After Facebook Ireland has argued that it does not speak German we have send the court a certified translation of the lawsuit. Unfortunately it was not possible to quickly find an Austrian court certified translator for Gaeilge, which would have been our first choice for a translation, so we had to stick to English."

    Which goes to prove that Austrians do have a sense of humour after all. :-)

  13. Anonymous Coward

    Safe Harbor "broken"??

    I love the statements everywhere that Safe Harbor is "broken" - that seems to imply it was ever whole in the first place. It was merely a "continue to make vast profits" card to avoid a trade war with the US, but anyone who has ever had to really protect information cannot have considered that a decent solution. At least, not if they were taking their work seriously..

  14. terry doyle

    What about BlockChain nodes?

    I wonder if this will affect Blockchain nodes and business based on the model where data is stored in the blockchain?

    I would think so ... this could get complicated!

    1. Anonymous Coward

      Re: What about BlockChain nodes?

      Good question. Time for a fun question by way of response: has the defence that customer data is encrypted and can thus not be provided in cleartext ever been tried in court, and, if so, was this successful?

      As far as I'm aware, the answer to that question is "no", and we're thus dealing with an uncertainty, in some circles also known as a latent risk. This story is *far* from over.

  15. Anonymous Coward

    prediction 1: Irish DPA will investigate FaceBook's procedures and say "that's grand"

    prediction 2: UK government will bring in 'temporary' legislation to declare that "US rules are good enough for us"

    1. Luke Worm

      That made me think: since GCHQ is just as bad as NSA, how do UK rules and practices comply with EU rules on data protection?

      1. Slacker@work

        Generally it's not a bad comparison between the two, albeit the upcoming EU Data Protection Directive could shake stuff up a bit - if anything more teeth are given. I particularly like the fine structure for global enterprises - €100 000 000 or 5% of global turnover (that's turnover, not profits).

  16. Bob McBob
    Stop

    The ICO will still do nothing

    From the ICO:

    “The judgment means that businesses that use Safe Harbor will need to review how they ensure that data transferred to the US is transferred in line with the law. We recognise that it will take them some time for them to do this. "

    In other words, we'll shut our eyes and hope this goes away.

    1. Luke Worm

      Re: The ICO will still do nothing

      "in line with the law" ... which law? US?

    2. John Brown (no body) Silver badge

      Re: The ICO will still do nothing

      "We recognise that it will take them some time for them to do this."

      I still haven't quite got the hang of not driving while drunk, so I'll just carry on without fear of prosecution while I work on some new procedures which are in line with the law as it stands then, eh?

      (No I don't actually "drink and drive", the above scenario is for illustrative and entertainment purposes only)

  17. JamieL
    Megaphone

    But will they listen?

    I have spent over four years trying to explain to the bosses in our US parent company that telling our UK clients that shipping their data off to the US because it's technically convenient to do so isn't acceptable under EU laws unless the clients (and the respective data subjects) first give us consent to do so.

    The standard US response has been "but we're Safe Harbor certified so it's OK". Which bits of "we have to comply with our laws regardless of what you think" don't they understand and will this judgement make any difference? (the answer is of course not - the 'Merkins just don't get and never will get that other countries have their own laws which are preeminent in those countries).

    Jog on...

  18. a_yank_lurker Silver badge

    W10

    I wonder how this affects MicroSlurp's latest and worst Windows 10 data slurping. It appears to be illegal in the EU now.
