EU desperately pushes just-as-dodgy safe harbour alternatives

Despite EU vice president Frans Timmermans' impressive efforts at spin yesterday, the European Commission finds itself in an awkward position today after the European Court of Justice struck down the safe harbour arrangement. Safe harbour is the workaround agreement between the EU and the US that allows international companies …

  1. Vimes

    Given the amount of time it took to get to this point, wouldn't any deal - no matter how dodgy - buy the commission several years' worth of breathing space?

    1. Dan 55 Silver badge

      That would be just what the US would want.

      1. James Micallef Silver badge

        "That would be just what the US would want"

        I suspect that the Commission, in whole or in part, also wants this, because the commissioners are directly appointed by EU member states and as such are more likely to be out of touch with EU citizens and their privacy demands, and more favourable to business interests that want free data movement.

        In any case, bottom line is, as long as the US Patriot Act is in place, any and all agreements that allow companies to store EU citizens' data on US soil will fall foul of the ECJ's ruling. The problem isn't Safe Harbour, it's the 'secret court warrants' provision in the Patriot Act. Which, by the way, are very harmful to the US in countless ways.

  2. Doctor Syntax Silver badge

    I suppose that after a suitable period of posturing the US will have to accept one of two things. Safe harbour is dead or they will have to create a new framework in which it is actually acceptable.

    The latter alternative requires them to change their own behaviour. It's the main point at issue and there's no getting round it. No amount of model clauses or other guff is worth any more than the original agreement unless the US accepts its culpability here & deals with it.

    1. Roland6 Silver badge

      Re: I suppose ... the US will have to accept one of two things.

      No you omitted the third: Get TTIP signed and sealed complete asap with its ISDS which can overrule foreign legal systems...

      1. Pascal Monett Silver badge

        Re: "overrule foreign legal systems"

        I don't know what they're smoking, but it's gotta be good if they think that US law can be imposed outside US borders.

      2. Anonymous Coward
        Pirate

        Re: I suppose ... the US will have to accept one of two things.

        "No you omitted the third: Get TTIP signed and sealed complete asap with its ISDS which can overrule foreign non-US legal systems..."

        FTFY

        Must get the wording just right... Don't forget that even "the land of the free" could be considered "foreign" by those slippery foreigners.

    2. Pliny the Whiner

      I've lived in the Colonies all of my life, and I know this script before it's even been written. American companies will moan and groan and complain and cry and invent nonsensical arguments about "slippery slopes" and such like, but your answer to all of it must be one: "These are the EU's laws. Obey them or peddle your papers somewhere else."

      Never debate the devil, if for no other reason than the devil is a far better debater than you are.

  3. Paul Crawford Silver badge

    I suspect if this starts costing real profits in the US then the "national security" laws will be changed to have the sort of narrow focus and judicial oversight that should always have been present.

    At that point some more equitable replacement agreement should be easy.

    1. D Moss Esq

      ... if this starts costing real profits in the US then ...

      If?

      See New York Times, 21 March 2014, for example:

      “It’s clear to every single tech company that this is affecting their bottom line,” said Daniel Castro, a senior analyst at the Information Technology and Innovation Foundation, who predicted that the United States cloud computing industry could lose $35 billion by 2016.

      Forrester Research, a technology research firm, said the losses could be as high as $180 billion, or 25 percent of industry revenue, based on the size of the cloud computing, web hosting and outsourcing markets and the worst case for damages.

      1. Vic

        Forrester Research, a technology research firm, said the losses could be as high as $180 billion

        Are those "street prices"? About £50, then...

        Vic.

    2. Roland6 Silver badge

      Re: change the "national security" laws

      You omitted the off-shoring of the NSA eavesdropping service - I understand Guantanamo Bay is vacant...

  4. Camilla Smythe

    I'll miss the point here...

    And a void is exactly what most businesses fear. Enormous pressure is on the European Commission to come up with a solution.

    "You have been found guilty of under age homosexual dog rape resulting in multiple deaths. It is now my duty to pass sentence. Have you anything else to say?"

    "No Your Honour."

    "We will adjourn."

    -

    -

    -

    "All Rise."

    "After careful consideration of the factors involved we have decided that it was not your fault and we really really have to put our heads together to find a solution to what might only be considered to be our problem. Case Dismissed."

    1. Anonymous Coward
      Pirate

      Re: I'll miss the point here...

      Meanwhile the accused is shouting "The bitch deserved it. Throw me your wallet dipshit" across the court at the judge.

      Not to worry though: Safe [sic joke] Harbor II - More of The Same starring Pinocchio and Bernie Madeoffwithallmydosh will be on general release within a week or two.

  5. D Moss Esq

    European Commission daft – official

    “Symantec believes that the recent ruling will create considerable disruption and uncertainty for those companies that have relied solely on safe harbor as a means of transferring data to the United States.”

    Who are these "companies that have relied solely on safe harbor"?

    Take for example Eventbrite, the San Francisco-based event organiser incorporated in Delaware:

    On 19 October, Minister for the Cabinet Office Matt Hancock will host the UK’s first ever Job Hack as part of the government’s commitment to ending long-term youth unemployment.

    The event will bring together a diverse group of talented and creative people who will work collaboratively to come up with solutions using data.

    We are looking for developers and designers to come and join us on the day. If you are interested in taking part, register and tell us a bit about yourself.

    So there's Mr Hancock inviting young hopefuls to a jobhack and telling them to register through Eventbrite, who tell us on their website that:

    13.1 Servers.

    If you are visiting the Services from outside the United States, please be aware that you are sending information (including Personal Data) to the United States where our servers are located. That information may then be transferred within the United States or back out of the United States depending on the type of information and how it is stored by us. We will hold and process your Personal Data in accordance with privacy laws in the United States and this Privacy Policy. Please note that privacy laws in the United States may not be the same as, and in some cases may be less protective than, the privacy laws in your country, and while in the United States Personal Data may be subject to lawful access requests by government agencies.

    13.2 Safe Harbor Frameworks.

    We participate in the US-EU & US-Swiss Safe Harbor Frameworks covering Personal Data gathered in the European Union member countries and Switzerland. Our participation means that we self certify that we adhere to the Safe Harbor principles of notice, choice, onward transfer, security, integrity, access and enforcement with respect to such personal information. For more information about these frameworks and our participation in them, please visit the US Department of Commerce’s Safe Harbor website at http://www.export.gov/safeharbor/.

    It always was daft for the Government Digital Service and others in the UK to use Eventbrite for their boondoggles. Now the European Court of Justice say that it's not just daft, the European Commission were flat wrong to say that the harbour is safe.

    1. Anonymous Coward

      Re: European Commission daft – official

      Who are these "companies that have relied solely on safe harbor"?

      Example - Edmodo. Processes the personal data, educational record, interaction between children and teachers for a significant percentage of UK schools. In my local authority - approaching 100%.

      Their policy has _NO_ BCRs and relies solely on safe harbor and they were so incompetent that they tried to rub it today with a marketing blurb notifying the parents with "be a good parent, everything is OK" letter to the customer specifying that you really need to worry they are bound by the safe harbor agreement and data transfer is regulated by it.

      If I start digging I will find quite a few more - most of them funnily enough in local government, administration, call centers, finance, etc sectors.

      The big "cloud" players will be fine as they have policies way beyond safe harbor. All the little guys however...

      1. James Micallef Silver badge

        Re: European Commission daft – official

        "The big "cloud" players will be fine as they have policies way beyond safe harbor"

        Doesn't matter what other policies exist beyond safe harbour, they are ALL invalidated by US Patriot Act.

        The only thing that big cloud players can do to keep EU data under EU privacy law is to keep it in EU data centers.

        1. SImon Hobson Bronze badge

          Re: European Commission daft – official

          > The only thing that big cloud players can do to keep EU data under EU privacy law is to keep it in EU data centers.

          That alone is not sufficient.

          If the company is US based, then any data stored anywhere in data centres it has control of is "fair game" to the US authorities. Hence why the argument that Enron could have escaped having some stuff found out by hosting stuff overseas is complete rubbish - the men in crisp suits knock on the door, hand the officers a bit of paper, the officers hand over the data or go straight to jail.

          This is the basis of the Microsoft case. Here, Microsoft in the US do not directly control the data centre in Ireland - that is a separate legal entity managed by people in the EU and subject to EU law. Since Microsoft US doesn't (I assume given the effort they've put into the corporate structure) have access to the data, they can only instruct the officers of another company (albeit wholly owned) to hand it over - to which the answer is "No, it would be illegal to do so".

  6. nematoad
    Happy

    Cor.

    Timmermans was quick to point out that the “alternative mechanisms” available to companies wanting to transfer data to the US, specifically so-called “model clauses” and binding corporate rules (BCRs).

    My god that was quick.

    If the EU can side-step as well as this then they should be playing for England at the next Rugby World Cup.

    1. Anonymous Coward

      Re: Cor.

      Yep.

      What he missed to explain is that the BCRs should formulate a data protection, data retention and data correctness regime which is _EQUIVALENT_ to EU now. In the absence of a Safe Harbor you cannot just have a BCR effectively saying "I can do whatever I want". You should have BCRs which provide an equivalent level of data protection if audited.

      Here is the rub - the first time BCR and Patriot Act + FISA court orders meet in the ECJ, BCRs will be ruled null and void too. This will blow up the big guys who operate under BCRs too.

      I suspect that this is only a matter of time until this happens.

  7. The Dude

    all bad options

    "What is true of safe harbour – that US security agencies ignore it –"

    There's your problem then....

  8. Tikimon
    FAIL

    Pretty sure they'll just rewrite laws to "legalize" illegal behavior again

    Not one government I've heard of even bothers to address privacy or justice in these discussions. They natter on about "well, it's perfectly LEGAL so everything's fine, then!" Oh yah, legal according to the secret treaty worked out in secret and which makes sure nobody can talk about it.

    Hey, government dickheads (US and otherwise). It's about privacy and not data-raping everyone who uses a computer/phone/tablet. If you have to hide it, it's WRONG, okay?

  9. Anonymous Coward

    YOU CAN NO LONGER STAB THAT MAN WITH A KNIFE!

    US: OK, we'll use a screwdriver instead!

    Is that what's going to happen?

  10. Anonymous Coward

    rapid flow of information between the EU and the US depends on mutual trust

    It is beyond amazing, that Americans have KNOWINGLY broken that trust and expect everybody to pretend it didn't happen.

    Funny though, they are right. EU will huff and puff (for the sake of plebs) and it will patch something up to keep the data flowing.

    And hey, even if they were to stop it officially, they still allow our cousins to spy by other means, pretending it's not happening. I mean, have we heard about EU or EU states investigating how our US friends plug into Europe-bound cables and waves?

    1. dan1980

      Re: rapid flow of information between the EU and the US depends on mutual trust

      @AC

      This is the heart of the matter - 'Safe Harbour' essentially says that the EU trusts the US to respect EU laws and the privacy of EU citizens and so handle their data accordingly.

      What is manifestly clear is that nothing of the sort is occurring. The US think their own laws and interests override those of the EU citizens it is dealing with. And, while that might be a perfectly valid, sovereign stance, it is antithetical to the concept and the basis of 'Safe Harbour'.

      The simple truth is that US laws make it impossible for any US company to offer the required level of data protection.

      There's just no getting around that so the only two ways forward are:

      • The EU make some changes to their EU data protection, watering them down by adding exceptions.
      • The US make some changes to their laws, making exceptions for overseas data.

      Of course, there's always the third option, I suppose, which is to slap a band-aid over it and just proceed as usual, hoping it will all go away until something else happens and you have to find another band-aid. That's really the most likely option in the short to medium term.

      1. John Brown (no body) Silver badge
        Childcatcher

        Re: rapid flow of information between the EU and the US depends on mutual trust

        "Of course, there's always the third option, I suppose, which is to slap a band-aid over it and just proceed as usual, hoping it will all go away until something else happens and you have to find another band-aid. That's really the most likely option in the short to medium term."

        And the fourth option, of course. The US eventually realises it's losing the "privacy race" and ups its game to try and be better than everyone else, just like the arms race and the space race :-)

        Come on Team USA, you know you want to win the "race" rah! rah! rah!

        Nope. Sorry. My irony meter just exploded.

  11. Phil Endecott

    Franchises

    What happens in the Microsoft Ireland case is the next thing to watch.

    If that goes the wrong way, i.e. if the court says that Microsoft US is obliged to exfiltrate data held by MS Ireland, then these multinational US-headquartered companies will have to decouple themselves further. I see one option as a form of franchising, where e.g. Facebook EU is an entirely separate company from Facebook US, with its own shareholders, but it pays a license fee to Facebook US for the use of its brand and technology.

    Ultimately, though, the spies will continue to spy. As I read them, the Snowden revelations were suggesting that at least much of the interception was without the consent of the companies concerned. It is probably legally easier for the NSA to hack an EU company's infrastructure in the EU than it is for them to do that in the US. So this judgement may end up not increasing practical privacy at all.

  12. amanfromMars 1 Silver badge

    Ye Gods .....'Tis Practically War with Dim Global Operating Devices and SMARTR Virtual Machines*

    “The trouble with government as it is, is that it doesn’t represent the people. It controls them.” ..... John Lennon

    Methinks that earlier observation and pseudo-truism from Mr Lennon, is better expressed nowadays, as governments trying increasingly unsuccessfully and badly to control peoples. As is evidenced by the delusional spin that puppet ministers and closeted and cosseted colleagues spout to mass media muppets and trivial transient moguls in relatively minor spheres of influence displaying competence without any negative consequence.

    A long time and way past their sell by dates be they indeed, and more so than in just their proposed and actioned austere deeds ....... which are bloody revolutionary and virtually treasonous too, in an Olde Worlde place and right dodgy corrupt, perverse left of centre cyber space.

    * Astute APT ACTive Class IT Vessels/ NEUKlearer HyperRadioProActive CyberSpace Command and Control Centres for Computers and Communications

    Welcome to Brave New Orderly AI World Order Programming for Dim Humans and SCADA Operating Systems.

  13. Anonymous Coward

    Lapse in security to come

    I'm a long way from a conspiracy theorist but I suspect there’s a perfect storm brewing here for a “preventable” attack of some sorts. The European natives, politicians and the courts are all getting restless. Russians are rising, migrants on the borders, our overlords might need to let us have a taste of what they are saving us from so we learn to not question and challenge once again. UK, France, Spain, Holland, Denmark and Belgium have all had a dose in recent times… now let us see… Germany? Italy? All it takes is a missed security alert… they wouldn’t would they? And who is the real threat to our life, liberty and freedom?

  14. Anonymous Coward

    It is and remains a lot of BS..

    Really, the absolute only thing that FB vs EU has done was making a problem visible that has existed for more than a decade and I, frankly, have little time for the wailing of the US that ripping off the Safe Harbor plaster hurts, nor for the EU bureaucrats stumbling that they didn't mean to, because they should have started digging under that plaster years earlier instead of pretending that Safe Harbor did anything but save their political skin.

    The frankly grotesque difference between how the US and the EU treat privacy has been a festering boil that needed lancing for years, and Silicon Valley has known this too.

    I'm glad this is now finally on the table so maybe, just maybe, the US may find itself in a position where it has to fix some of it, because it is not the EU who started to take a shortcut with Human Rights.
