
Robbed of their Safe Harbor protection, US cloud giants are taking shelter behind a new data-export and privacy fig leaf. Microsoft and Salesforce have become the first to publicly invoke “model clauses” – saying customers can continue shipping data outside the EU and onto their servers in the US despite Tuesday's ruling by …

  1. Anonymous Coward

    Lot of nonsense

    My company made a decision that if GCHQ/NSA wanted to snoop they could do so at will, so why fret about emails etc. passing through US-based servers etc.

    1. Anonymous Coward

      Re: Lot of nonsense

      If your company is handling customer data and interacts with customers via email you just worked yourself an ICO fine.

      1. Anonymous Coward

        Re: Lot of nonsense

        We have T&C's that state any interaction with the company is subject to US laws and litigation must be commenced in Orange County, California.

        1. Anonymous Coward

          Re: Lot of nonsense

          "We have T&C's that state any interaction with the company is subject to US laws and litigation must be commenced in Orange County, California."

          Not being a resident of Orange County, California I have no idea what that will entail, and doubt that any sane lawyer in my country would let me sign your T&Cs.

        2. Anonymous Coward

          Re: Lot of nonsense

          We have T&C's that state any interaction with the company is subject to US laws and litigation must be commenced in Orange County, California.

          Yes, that will work - if your business is in the US. Do you want it to be? If so, I have some more bad news, and it's not about tiny weaselly contractual tricks.

          1. Gordon 10

            Re: Lot of nonsense

            Yes, that will work

            Actually it may not. Contract T&C's can be superseded by the laws of the country/region you are operating in.

        3. Irongut Silver badge

          Re: Lot of nonsense

          "We have T&C's that state any interaction with the company is subject to US laws and litigation must be commenced in Orange County, California."

          Please tell us the name of your employer so we can add them to our 'do not do business with these weasels' blacklists.

          1. Anonymous Coward

            Re: Lot of nonsense

            Please tell us the name of your employer so we can add them to our 'do not do business with these weasels' blacklists.

            That is BS, because you'd be setting yourself up for a game of whack-a-mole. You should bother to simply read the Terms & Conditions, because what's not in the contract cannot be enforced. If it is written in legalese it's up to you to either get a lawyer involved or tell the company that, based on the precarious state of their T&Cs, you do not feel confident the relationship is off to a good start and send them out of the door (I've done that, and it took but a week for their director to show up with a new version that was actually in language humans could read).

            This is all about risk management. If you have a requirement that can afford a data leak (like a public website), no problem. Otherwise, don't. Not even if you're in the US yourself (that's the bit they are STILL trying to distract people from).

            1. Doctor Syntax Silver badge

              Re: Lot of nonsense

              "You should bother to simply read the Terms & Conditions"

              True but he can save himself some time by not even getting as far as Carter's employer's T&Cs.

        4. Steve Davies 3 Silver badge

          Re: Lot of nonsense

          That probably makes your contract null and void under the unfair contract laws.

          May I humbly suggest that you take legal advice in the UK and not from some Night School US Law Grad.

        5. Voland's right hand Silver badge

          Re: Lot of nonsense

          We have T&C's that state any interaction with the company is subject to US laws and litigation must be commenced in Orange County, California.

          That is illegal in half of the jurisdictions over the world, and in most of the EU this makes any contract or commercial agreement with your company unenforceable under fair contract act(s) and their equivalents. I suggest you take some legal advice from someone with some residual clue and knowledge of the contract and data protection law in the jurisdictions in which you operate. You may need it.

        6. John 98

          Re: Lot of nonsense

          Apple tried messing with a European court a year or two back and finally realised they were getting themselves into very deep, brown, sticky stuff. One doubts the court would consider your T & Cs valid. Just maybe if your client is a sophisticated, international organisation, but not with the average consumer. Try the same stunt on a US court, and see how far you get.

        7. x 7

          Re: Lot of nonsense

          "We have T&C's that state any interaction with the company is subject to US laws and litigation must be commenced in Orange County, California."

          T&Cs cannot overrule national law. If you are doing business in country X, then you are subject to country X's laws, irrespective of whatever may be in your contracts. Essentially no T&Cs can protect you if you act criminally.

        8. Solmyr ibn Wali Barad

          Re: Lot of nonsense

          "litigation must be commenced in Orange County, California."

          If this is one of those mandatory customs in your part of the world, then by all means, let it commence. In my neck of the woods there are different pastimes, thankyouverymuch.

          /upvote for the amusement value/

      2. Roland6 Silver badge

        Re: Lot of nonsense

        "If your company is handling customer data and interacts with customers via email you just worked yourself an ICO fine."

        Then every company that is using MS Windows 10 & Chrome under their standard EULA for their client data entry systems is also likely to be in breach...

    2. Yet Another Anonymous coward Silver badge

      Re: Lot of nonsense

      >so why fret about emails etc. passing through US-based servers etc.

      Do you have any US based competitors?

      Do you have any staff HR records that a bank/insurer/future employer might find interesting?

      Do you want all your financial records to be made public by a foreign FOI request?

  2. The_Idiot

    "Also, the firm importing the data must agree to limit their data processing to that specific mentioned in a contract and must ensure all its staff adopt appropriate levels of security and received appropriate training."

    Given the requirements of legislation in the Patriot Act (other countries and legislations may and probably do qualify), I don't see how a US 'data importing firm' can agree to this. Or rather, they can agree, but they know their agreement can be set aside under US law at any time, and set aside in a manner that precludes them from telling the data provider that such an event has occurred.

    I suppose there could be wording added to the contract saying something of the form 'yes, we agree you can't do anything we don't want you to with this data, but we also agree you can do anything you want with it if you are obliged to under US law, and no you don't have to tell us' - but that wouldn't be a smart contract to sign - at least in my view.

    Of course, I'm probably wrong. After all, I'm an Idiot...

    1. Paul Shirley

      Safe harbour died because US law overrides its protections. The same argument makes this illegal; all that changed is there's no ECJ decision confirming that yet.

  3. Destroy All Monsters Silver badge

    Makes no sense

    How can a "model clause" retroactively apply to data already shipped over earlier?

    Microsoft's Smith blogs: "It also makes clear the need for broader reforms of digital privacy laws around the world to strike a better balance between personal privacy and public safety"

    He wants to reform the PRIVACY laws? There is some kind of "balance" that has to be "struck"? Presumably between fully out-of-control TLAs and out-of-control TLAs? And "around the world"???

    1. Disgusted of Cheltenham

      Re: Makes no sense

      Privacy is not absolute but about balance, at least as defined in the ECHR, but would these clauses be the ones including:

      Clause 5: the data importer agrees and warrants ... that he has no reason to believe that the legislation applicable to him prevents him from fulfilling his obligations...?

      Those who needed the Safe Harbor rather than any of the other exemptions can no longer do so, but presumably can now sue the Commission for any costs in relocating to Bulgaria or Argentina and losses during the transition that are directly attributable to not correctly implementing a directive. That sounds like a large bill for the Commission, or rather for EU taxpayers.

      1. Doctor Syntax Silver badge

        Re: Makes no sense

        "Clause 5: the data importer agrees and warrants.. that he has no reason to believe that the legislation applicable to him prevents him from fulfilling his obligations...?"

        If I were a US-based data importer I don't see how I could stand over that clause in an EU court*. Ignorance of the law is no excuse.

        *And in my time I've written a lot of stuff I had to be able to stand over in court.

        "Those who needed the Safe Harbor rather than any of the other exemptions can no longer do so, but presumably can now sue the Commission for any costs in relocating to Bulgaria or Argentina and losses during the transition that are directly attributable to not correctly implementing a directive."

        How so? The safe harbour provisions pre-date the PATRIOT act, which has made them invalid in the eyes of the ECJ. So if anybody is responsible for compensating anybody it must be the US govt. Good luck with that.

        1. Anonymous Coward

          Re: Makes no sense

          Then why did this ECJ decision take over a decade?

          1. Trevor_Pott Gold badge

            Re: Makes no sense

            "Then why did this ECJ decision take over a decade?"

            Because Europeans aren't obsessed with doing things fast, they're obsessed with doing the right thing.

            Americans don't even know what that is any more.

          2. Doctor Syntax Silver badge

            Re: Makes no sense

            "Then why did this ECJ decision take over a decade?"

            Like any court it can only adjudicate on cases presented to it. Up until now nobody's sent it such a case.

      2. Trevor_Pott Gold badge

        Re: Makes no sense

        "Those who needed the Safe Harbor rather than any of the other exemptions can no longer do so, but presumably can now sue the Commission for any costs in relocating to Bulgaria or Argentina and losses during the transition that are directly attributable to not correctly implementing a directive. That sounds like a large bill for the Commission, or rather for EU taxpayers."

        Only an American would be so unbelievably fucked up that they believe corporations should be allowed to sue governments for the cost of complying with the law. Your mind is fucking disgusting.

      3. Doctor Syntax Silver badge

        Re: Makes no sense

        "but presumably can now sue the Commission for any costs in relocating to Bulgaria or Argentina"

        What makes you think you can sue anybody for the costs of not breaking the law?

        Mandatory car analogy: if the police pull you up & find that there's a fault on your vehicle do you really think you could sue them for the costs of getting it fixed?

    2. nematoad Silver badge

      Re: Makes no sense

      Microsoft would not be drawn further on the details of its model clauses.

      What?

      Are these covered by "commercial confidentiality", the get-out-of-jail card frequently used by politicians, or is this classed as national security?

      Azure Core Services, Office 365, Dynamics CRM and Microsoft Intune all comply with model clauses the software giant said.

      If they are following the EU drafted rules, which are, presumably in the public domain, then why hide the details? Or is it a case of "We are Microsoft, you can trust us."

      This is surely not the way to assure customers that their data is safe.

  4. Anonymous Coward

    They are fighting it with idiocy, not small print

    I just got, in duplicate, a marketing blurb from Edmodo, which is used by a large number of schools in the UK as a homework submission/grading platform. They were ranting about how they care about my privacy and how I should not worry about it and they keep my child's data safe. So I guess the marketing counteroffensive has started.

    Quite funny:

    1. It was "safe" by USA standards, with USA child age limits, etc. on marketing used throughout. It was not compliant with EU ones, which are different.

    2. It was explicitly referring to Safe Harbor as the guarantee for that.

    3. All of that was being delivered out of West Coast AWS address range.

    I read it (something most parents probably did not) and lobbed a 5 liner at them via their web site with an ultimatum: You move to Europe by next week (even if it is to AWS) or I am going to lob a complaint to the ICO to enforce the ruling and thus force the schools to terminate their agreements with you.

    In any case, as per UK (and most of EU) contract law, small print which "legalizes" an illegal action makes the whole contract illegal, so doing that is even more suicidal than referring to safe harbor in a privacy policy. Oh, I keep forgetting - Americans, no law but USA law exists. I bet none of these idiots checked if the new small print and marketing they are trying to shovel onto us is legal in the EU.

    1. Anonymous Coward

      Re: They are fighting it with idiocy, not small print

      I am going to lob a complaint to the ICO to enforce the ruling and thus force the schools to terminate their agreements with you.

      Please follow up with this, and let us know how it goes. It'll be useful to know if the ICO is a paper tiger in this, or actually has teeth.

  5. Steve Davies 3 Silver badge

    So....?

    They can keep slurping our data without getting explicit agreement from me just because it passed through some other EU company who has one of the slightly dodgy agreements with companies like Google, sorry Alphabet?

    I can't wait for some EU company to try this with US originated data. They'll be on an unmarked LearJet heading west before their lawyers even get the phone call.

    Come on all you MEPs, pass a law banning ALL data going to the USA. Then you might actually earn some respect from your voters. What? You can't? Because some TLA has a few dodgy photos of you?

    [redacted]

  6. Mephistro

    How long would a fig leaf...

    ... made of dry ice last?

    Consider any European company that keeps/processes customers data in the USA and has agreed to these model clauses. Do said clauses lower the European company's liability to their own customers? Obviously not.

    At that point, the European company can devise a cunning plan, m'lord, to put similar model clauses in their own contracts with end customers. The problems with this approach are that: a) European courts aren't usually kind to abusive clauses in EULAs and contracts, more so when they are signed/accepted by private persons, and b) due to the growing public awareness of these issues, European companies taking this route would receive lots of bad PR and lose many customers due to the use of these clauses.

    I'd advise the USA govt. to clean up their act and stop all this spying malarkey before they find themselves up to the ears in an economic bloodbath. Actually, they should have done this years ago, and they'll pay dearly for the delay.

  7. Anonymous Coward

    I think we all know that they're going to keep weaselling and carry on exactly the same as before. The only other way to be sure is to avoid US-connected services.

    It does mean doing things the hard way and depriving yourself of shiny web toys, but it can be done.

    1. Ken Hagan Gold badge

      "It does mean doing things the hard way and depriving yourself of shiny web toys, but it can be done,"

      I think you mean: "As an added bonus, you will waste less of your life and money trying to grapple with something that previously worked fine but which has now been improved to the point of exasperation.".

  8. Your alien overlord - fear me

    Desperation. That's all.

  9. Anonymous Coward

    The problem is

    That the same key reason why the ECJ ruled that the safe harbor provisions don't apply will also cover Binding Corporate Rules and Model Contract Clauses.

    Put simply, the BCRs and the MCCs need to guarantee the same levels of protection as the EU countries' laws, but no US company can do that thanks to the various NSA programmes and the Patriot Act.

    A few T's and C's are not going to sway a judge in Texas from issuing a warrant for data in Ireland.

    So, knowing that the clauses are pointless, any EU company relying on those has no defence to a complaint that they knowingly passed data to an unsafe country, and equally the liability shift back to the processor is going to get bogged down in the US courts as well.

    The only sane way any EU company can operate is to have the contract with the EU version of the processor and then specifically ban them from taking the data to the US.

    1. Roland6 Silver badge

      Re: The problem is.... IPv4 and IPv6 !!!

      "then specifically ban them from taking the data to the US."

      This is another thing the developers of the Internet omitted: route barring lists! Because the only way that would permit data to be transferred over the Internet that fully satisfies this ban is for all IP packets to contain 'region' codes that denote either 'route only within this country/region' or 'avoid this country/region'.

      It is beginning to look like we do need to urgently start work on IPv8 or some other unused number (IPv7 was basically an OSI CLNP based version of IP)...

      1. Ken Hagan Gold badge

        Re: The problem is.... IPv4 and IPv6 !!!

        Actually IPv6 will work fine. The address space is easily large enough for each legal jurisdiction to have its own prefix. As a helpful side effect for most (non-business) end-users, a foreign address would then be a very powerful hint for your spam filter.

        Of course, it would need someone running the internet who actually cared about running the internet rather than simply milking it.

        1. Roland6 Silver badge

          Re: The problem is.... IPv4 and IPv6 !!!

          "Actually IPv6 will work fine. The address space is easily large enough for each legal jurisdiction to have its own prefix."

          Remember the IPv6 address space largely follows the IPv4 address structure, hence whilst it would allow the creation of geographic/legal jurisdiction subnets, as per IPv4 it doesn't (currently) have a rigid structure like the international telephone system. So a business would need multiple IP addresses (one subject to legal jurisdiction routing rules and one subject to normal routing rules). Whereas the usage of a route restriction header field would avoid this and provide a field that (with API enhancement) could be populated by an individual application.

          However, I suspect the down-voter to my original post had the right of it: If it is important that the data doesn't go outside of a particular jurisdiction then don't use the Internet, use physical private circuits.

    2. Doctor Syntax Silver badge

      Re: The problem is

      "That the same key reason why the ECJ ruled that the safe harbor provisions dont apply will also cover Binding Corporate Rules and Model Contract Clauses."

      And it will end up back in the ECJ with a similar decision.

      At the very minimum the data exporter should be liable to the EU resident, not the importer, with the case to be heard in an EU court.

      1. Anonymous Coward

        Re: The problem is

        "At the very minimum the data exporter should be liable to the EU resident, not the importer, with the case to be heard in an EU court."

        As the exporter is effectively the controller of the data they already carry that liability which would fall under the EU jurisdiction the customer and/or controller are in.

        For example, a UK citizen buys stuff from a UK business using a cloud based service with servers in the US. The UK citizen is the "data subject", the UK business is the "Data Controller". It's the job of the data controller to have carried out an adequate risk assessment on the use of the cloud service they buy to ensure the data processor can meet the standards previously held to by safe harbor. If they cannot show reasonable due diligence or other accepted protections the controller is immediately in breach of the DPA.

        The reality is that Safe Harbor was on shaky ground after September the 11th 2001 and now any data controller with even half an idea will realise that shipping data to the US without the veneer of protection of safe harbor will mean a huge liability shift to the controller in the EU.

        The big players already have stuff in place; it's the small to medium businesses which will get the shaft from this.

        1. Doctor Syntax Silver badge

          Re: The problem is

          "As the exporter is effectively the controller of the data they already carry that liability which would fall under the EU jurisdiction the customer and/or controller are in."

          I know. The trouble is that AFAICS the Commission is now trying to throw this over the wall. The data subject is to be able to claim from the importer.

          It's a big mess. As a data subject am I supposed to be bound by an agreement between my supplier and a third party? If the theory is that this is going to be covered by small print or by some 3 pixel high, pre-ticked, well-hidden box it's going to fail on the basis of unfair terms and/or lack of informed consent. The trouble is it's going to cost someone a lot in legal fees, time and trouble to take all this to court and get the precedents set. Possibly a data protection regulator with teeth is going to call BS on it in that the circumstances that invalidate safe harbour also apply to such clauses. Would that be the ICO?

        2. 0laf Silver badge

          Re: The problem is

          Safe Harbour was never enough on its own to prove that a US based service provider was acting in compliance with the DPA (or other EU equivalent). Anyone using it as a tick box to do what they liked should have known they were storing up trouble.

  10. W. Anderson

    typical American arrogance and stupidity

    American technology companies are naive and arrogant to think that they can subvert the ruling of a European Court of Justice, just because of some clause inked with customers, as if this overrides International governments' regulations.

    If Microsoft, Salesforce and/or any other behemoth US corporations snub their noses at other countries' bodies like European Union law, they should be denied business entry into that jurisdiction. Period.

    This crass and bullying attitude is no different from the US State Department telling the European Union that because the US Justice Department did not impose severe penalties on Microsoft for severe business technology infractions, then the EU therefore cannot impose "their own" laws and rulings on Microsoft operations in "their" space.

    Arrogance and stupidity are hallmarks of many USA corporations, even many millions of citizens, and they will learn - sometimes the hard way, that they do not govern or control the rest of the world - all other countries on the planet.

  11. Anonymous Coward

    lack of realpolitik

    Principles ought to be along the lines of "we [US company] will protect your (EU citizen) data from our own employees' incompetence, dodgy marketeers, hackers (criminal, foreign states and those doing it for lols), Bob walking in off the street et al, but we can't guarantee that our own government won't look at it if they put their mind to it."

    1. Anonymous Coward

      Re: lack of realpolitik

      That's (part of) what Safe Harbour does. It seems the ECJ doesn't agree that your principles are adequate.

    2. Doctor Syntax Silver badge

      Re: lack of realpolitik

      but we can't guarantee that our own government won't look at it if they put their mind to it, so we'll undertake to compensate you if they do, as we can't be arsed to set up where our government can't poke its fingers in.

      FTFY
