Euro privacy warriors: You've got until January to fix safe harbor mess – or we unleash hell

Europe's privacy guardians, the Article 29 Working Party, have given the European Commission and US government until the new year to sort out the safe harbor shambles – or Silicon Valley faces a legal showdown. In a letter published Friday, the working party noted that this month's decision by the European Court of Justice (ECJ …

  1. Mark 85 Silver badge

    One small problem with all this....

    NSA. They and the rest of 5-eyes... oh hell.. probably anyone else, will get what they want from other countries. There's the big crux of the problem. All the various agencies slurping each other and their own people. Yes, a ban, as such, will make it a bit tougher but probably not much.

    1. Doctor Syntax Silver badge

      Re: One small problem with all this....

      One step at a time.

    2. Thought About IT

      Re: One small problem with all this....

      "transfers to third countries where the powers of state authorities to access information go beyond what is necessary in a democratic society will not be considered as safe destinations for transfers."

      So, that will affect any business wanting to store its data in the UK where GCHQ is a subcontractor of the NSA.

      1. WatAWorld

        Re: One small problem with all this....

        If the legislation or practices of GCHQ are as pernicious and ravenous as the NSA's are.

      2. Rol Silver badge

        Re: One small problem with all this....

        One possible solution could be to slice and dice the data into three encrypted chunks in the country where it is collected and then scatter those chunks in separate directions to countries around the world.

        So long as one of the receiving countries has either a modicum of credibility or, and this is what I'm counting on, an utter loathing for the other receiving countries, then the three chunks could never be brought together by the intelligence agencies of any one country, or in the case of America, anyone who has a mind to.

        Each chunk of data would have a unique address, and those three addresses would be stored in the country of origin so that only the country of origin could bring the three data chunks together.

        Considering the three chunks could be in any one of approaching two hundred countries, I think America would have a hard time pressurising the entire world to bow and give fealty.

        Again, this hinges on the one aspect that must be addressed. AMERICAN COMPANIES CANNOT OWN THE SERVERS THAT THEIR CUSTOMERS' DATA SITS ON.

        They must buy the services of totally independent non-American companies to hold the data, otherwise the Patriot Act would negate everything.

        Well, there's my thruppence worth into the ring. I wonder how tame the agreed solution will be in comparison? Or, perhaps, Microsoft will be allowed to win its Ireland case (for now) and make everything appear possible without resorting to the biggest server sale in history?

        1. Simon Hobson Silver badge

          Re: One small problem with all this....

          > One possible solution, could be to slice and dice the data into three encrypted chunks in the country where it is collected and ...

          The problem with that is that it only addresses storage of the data. The underlying problem is that the data is (in many cases) being exported (or at least, put "under the control" of someone who can be compelled to export it) in order to process it.

          So, taking an example someone else has raised, the school that outsources its admin systems to a US-controlled company has a problem. It's no good encrypting and then exporting part of the data - the admin software can't then do anything with it.

  2. Smooth Newt Silver badge

    EU data protection authorities are committed to take all necessary and appropriate actions

    Since they don't really have any clout, pretty well all the necessary and appropriate action they can take when the deadline expires at the end of January is to set another deadline.

    1. Doctor Syntax Silver badge

      Re: EU data protection authorities are committed to take all necessary and appropriate actions

      Data protection authorities have the clout to start prosecuting EU businesses making illegal transfers. Does the working group have the clout to make them do this?

    2. big_D Silver badge

      Re: EU data protection authorities are committed to take all necessary and appropriate actions

      The data protection authorities, at least in Germany, do have clout.

      And as a business, if you use a cloud service and they illegally move the data outside the EU borders, then the data protection authorities can prosecute - because the Safe Harbor is now nullified and the cloud providers cannot guarantee that they won't hand over the data to the US Government if requested to.

      1. Yet Another Anonymous coward Silver badge

        Re: EU data protection authorities are committed to take all necessary and appropriate actions

        Except that the German security authorities (along with the UK, French et al) have just announced that they will slurp all your data "for security reasons".

        So a US corporation could argue that this is nothing to do with privacy and is purely an anti-competitive move and is no different from the FAA forcing all US airlines to only use US-built planes and engines "for security reasons".

        1. WatAWorld

          Re: EU data protection authorities are committed to take all necessary and appropriate actions

          But is the slurping targeted and universal, as it is in the USA, or is it limited to communications to and from specific targets?

          That is the distinction we hope there is between the NSA, FSB (and perhaps GCHQ) and the rest of the world's intelligence agencies.

          1. tom dial Silver badge

            Re: EU data protection authorities are committed to take all necessary and appropriate actions

            "But is the slurping targeted and universal, as it is in the USA, or is it limited to communications to and from specific targets?"

            I look forward to someone more knowledgeable than I providing a technical explanation of a mechanism by which the communications to and from specific targets can be obtained without capturing and examining all communications, or at least a significant sample, much like XKeyscore, for example.

        2. WatAWorld

          Re: EU data protection authorities are committed to take all necessary and appropriate actions

          "no different from the FAA forcing all US airlines to only use US built planes and engines "for security reasons""

          No, rather it would be no different than the FAA forcing all US airlines to use only planes and engines that work for their intended purpose as defined by the consumers (airlines).

          That is the thing: with the NSA apparently slurping nearly 100% of our digital data, the communications services are not performing their intended service as defined by the consumers (people transmitting data and their intended recipients).

  3. Anonymous Coward

    I think you'll find...

    That they'll be menacing Google in Dublin, not Silicon Valley.

  4. Anonymous Coward

    "Furthermore, as already stated, transfers to third countries where the powers of state authorities to access information go beyond what is necessary in a democratic society will not be considered as safe destinations for transfers."

    Well shit. That's the UK out then (just on the basis of the "cough up your encryption keys or go to prison" law). Probably everywhere else too.

    1. Voland's right hand Silver badge

      Very astute observation

      One all the cretins advocating for the UK leaving the EU are missing. The moment the UK leaves the EU, its legal system will be evaluated against the EU DPA requirements and it will be immediately prohibited as a place for EU consumer data to travel, with all the consequences for UK business.

      It is quite funny - the requirements on the UK legal system will be higher if the UK leaves the EU than if it stays.

    2. Primus Secundus Tertius

      @moiety

      But those cases are different from mass surveillance: they are judicial proceedings.

    3. David Haworth 1

      Re: Encryption keys

      They can have my encryption keys any time they like. They're publicly available on one or two keyservers.

      The decryption keys, on the other hand ...

  5. Will Godfrey Silver badge

    terrible news!

    Oh the poor POOR POOR multinationals. However will they survive?

    1. Mad Chaz

      Re: terrible news!

      As they usually do, by using the cost of compliance as an excuse to charge all of us more for the things we need to stay alive. They will still do whatever they want, but they'll use it.

  6. Anonymous Coward

    Sue 'em all, god will recognise his own

    Paraphrasing the Papal Legate accompanying one of the worst cases of religiously driven genocide in European history (the Albigoyan crusade): "Sue 'em all, god will recognize his own".

    I, for once, could not give a flying f*** about giving anyone who does not want to comply with the law half a year's worth of leeway. The moment I see something going to a cloudfront address in a non-EU zone is the moment that company gets a DPA complaint in the post. They all had plenty of time to be prepared and there is no technical reason for them to use the US AWS zones instead of, for example, the Irish one.

    1. Dr Paul Taylor

      Re: Sue 'em all, god will recognise his own

      Albigensian.

      You'll be sending DPA complaints to every website that you visit.

      Whatever the politicians do will be a fudge. What we need is to boycott Silicon Valley and start up similar or preferably superior services in our own countries or continent.

      1. WatAWorld

        Re: Sue 'em all, god will recognise his own

        "You'll be sending DPA complaints to every website that you visit."

        Contrary to American belief, there are some businesses totally located in Europe, and additional businesses whose corporate databases are totally located in Europe.

        But yes, he'll be sending a lot of DPA complaints once January rolls around.

    2. Doctor Syntax Silver badge

      Re: Sue 'em all, god will recognise his own

      Were you watching Mastermind tonight by any chance?

  7. Doctor Syntax Silver badge

    Reality

    It seems very unlikely that the US will update its legal system in that time-frame. It also seems unlikely that without such update any arrangement that transfers data to the states will be deemed legal. In reality the deadline applies to businesses to set up arrangements to host data in the EU which will withstand scrutiny. To some extent that depends on the outcome of the MS case but given the speed of the legal process it might be the more practical option to assume the worst. So what to do?

    Ensure that data is hosted within the EU in a data centre owned by an EU-registered and EU-owned company subject to EU law and staffed by EU personnel. It really shouldn't be that difficult to set up, at least not for those with existing EU data centres. This is what I think the senior management of an EU subsidiary of a US company running a data centre over here could do:

    Set up a local company managed by the existing senior EU staff and owned by them or some other EU business. This EU company would lease the DC from the US parent. It would set up one or more subsidiaries to run the various lines of business using the parent's IP as franchises. The franchises would operate with contracts under EU law with clauses specifically forbidding any data transfers illegal under EU law. Any US staff remaining in the EU would be employed by the parent as liaison dealing with the local companies at arm's length. Even with a worst case outcome from the MS case there would be no company or person falling under US jurisdiction with any access to the data.

    Given that the data centre would be rented this would only require sufficient finance to cover the rent, royalties & salaries until the first franchise payments rolled in. The parent could even lend the money.

    By being first in the field they could then offer to set up similar operations for other companies, especially those with no EU presence.

    1. Yet Another Anonymous coward Silver badge

      Re: Reality

      And the US authorities will simply demand the data anyway and offer the US parent CEO a choice:

      No more government contracts, yearly tax audits until the end of time, infinite fines, or simply being declared a terrorist and sent off to Borat-istan for a game of whack-the-testicles.

      1. WatAWorld

        Re: Reality

        "And the US authorities will simply demand the data anyway and offer the US parent CEO a choice:"

        That won't work.

        Consider the current situation where the USA prohibits companies doing business in the USA from trading with Cuba.

        This was a big issue here in Canada just after that law was passed.

        That law was negated in most countries by national laws prohibiting companies based there from obeying foreign laws that forbid them trading in other countries. That is how Canadian companies have managed to continue doing business with Cuba all these decades.

        Likewise many Muslim-majority countries have laws prohibiting companies doing business on their territory from trading with Israel.

        This is negated by the USA having national laws prohibiting companies based in the USA from obeying foreign laws that forbid them trading in other countries.

      2. Doctor Syntax Silver badge

        Re: Reality

        "And the US authorities will simply demand the data anyway and offer the US parent CEO a choice"

        The US company is parent of nothing. The US company has no ability to obtain information from the franchisee. What's the USian for "nothing to do with me, squire."?

  8. Sotorro

    Massive and Indiscriminate Surveillance

    I'm very happy that a judge finally has seen the light, and that "massive and indiscriminate surveillance" is now seen as an evil by the judges. And thanks to, Edward Snowden for the much needed intel, and the law student who started this case.

    Whatever the political arm twisting will do, to bend over backwards to please the 1% who believe they wield the real power, the last pretense of rule by the people for the people seems to have just delivered a hammer blow to the corrupt political system pretending to be democratic.

    Yes, we all have different opinions on what our society should look like, and that's a good thing, but all too often it looks like a small group of people can get away with grabbing power without oversight or control; this seems to have just been thwarted.

    FUCK YOU, NSA, KGB, EUROPOL, OR WHAT EVER THE FUCK YOU'RE CALLED !!!

    We the people do not need you to spy on innocent people, stop the "Massive and Indiscriminate Surveillance" NOW !!!

    1. phil dude

      Re: Massive and Indiscriminate Surveillance

      you can thank John Oliver and his "dick pics" piece....

      P.

  9. Your alien overlord - fear me

    If the deadline passes, I take it that flying to the USA (and other non EU countries) will be halted since BA etc. can't tell the American authorities anything about me.

    1. DanielN

      "... BA etc. can't tell the American authorities anything about me."

      Exactly. Europeans like to moan about privacy -- to get attention, ironically. Calamity and woe! The NSA might spy on us! This is what psychologists call an expressed preference.

      But what they really want is if they go on holiday in foreign parts and get run over by a bus, everyone will hand over emergency contact information to the first person claiming to be a hospital clerk. This is their revealed preference. It also happens to be the way the world runs. The European privacy regulations are observed more in the breach.

      Their revealed preference also extends to wanting to complete transactions with Asia when the Euro power grids are knocked out by a solar flare, by having their entire customer database replicated in Japan and the US.

      The people in this thread also seem to have no understanding of how the United States works. It is a federal republic. There is no one authority about U.S. law. There are 50 states and half a dozen self-governing island territories. Americans will never adapt to European privacy laws, for the same reason that Brazil and Nigeria will not. There is just no way to get every independent jurisdiction to agree on anything.

      What will happen is that Europeans will have to click through privacy waivers on every website and business service they use. Every. Last. One. It will be like the American War On Drugs, except more futile and without even a pretense of Helping The Children.

      And nothing will actually change. It's not like your holiday company in the Italian Riviera is actually using hacker proof security. You might as well be scratching your personal information onto a gold ingot and shipping it direct to the mafia.

      1. Salamander

        This has already happened. The UK banks recently updated their terms and conditions to include clauses where you the customer effectively waive your data protection rights. This allows them to transfer data abroad and give it to foreign tax and legal authorities.

        Currently, for the UK at least, a foreign tax authority must go through HMRC to obtain financial information about you. For this to happen, the UK must sign an IGA to transfer the data. The banks are worried that the IGAs could be declared unlawful through a court action. So the banks have decided to hedge their bets by updating the terms and conditions of the banking services so that all customers waive their data protection rights.

        1. Yet Another Anonymous coward Silver badge

          >include clauses where you the customer effectively waive your data protection rights

          It doesn't matter what they put in their terms and conditions - the law wins.

          I can put in the small print that you waive the requirement that my medical product is approved by the FDA, and that you allow me to resolve all claims in Liberia. But the FDA are still going to come and see me - and they still carry guns.

      2. Destroy All Monsters Silver badge

        Not since Lincoln the Holy Fascist

        There is no one authority about U.S. law. There are 50 states and half a dozen self-governing island territories.

        Hey. It's 10:00 in the morning. It smells like gin in here. Who has been drinking?

      3. WatAWorld

        You've missed most of the news.

        It is not that the NSA might spy on us. That the NSA might spy on us is what we thought in the pre-Snowden days.

        The NSA apparently analyses all digital data that makes it past national borders, or that goes between major US corporate locations, and stores copies of data that is unusually encrypted (email) or that has certain keywords.

    2. esque

      No. The data protection laws here in Europe have exceptions regarding the transfer of data to unsafe nations for cases like these. If it is necessary for a transaction (like booking a hotel or flight outside of the EU), then the transfer is allowed.

      And, Homeland Security wanting to check out people before they enter the US is not the same as the NSA spying indiscriminately and without oversight or rights to appeal by the subjects of their spying.

      European data protection laws are not against foreign authorities using the personal data of Europeans in general, but they demand that this access is based on reasonable laws and that the people have some way to find out who accessed their data and how to appeal if necessary.

    3. tom dial Silver badge

      I just read (at http://us.practicallaw.com/3-502-4080) that transfer of airline PNRs is covered (at least in German law, and to the US specifically) by a specific provision distinct from safe harbor. I wouldn't be surprised if that were the case elsewhere in the EU. The statement by "Your alien overlord - fear me" might be correct for some others, however.

  10. Stevie Silver badge

    Bah!

    Oh noes. No cat videos for a bit.

  11. aghasee

    Yeah right.

    EU and US.

    JC Juncker will have another gin and OhBahMah will laugh his ar*e off.

    Nothing, absolutely nothing will change.

    1. Destroy All Monsters Silver badge

      Bueno!

      Actually I hear Juncker The Forever Politician is into Fernet-Branca. I have no idea what that is.

  12. Marco van Beek

    It's all arse about tit

    We are looking at the whole privacy thing the wrong way round. There are three main reasons for people wanting to know about me: Sales, theft and security. I believe that we should establish a theoretical value to private data, and every time my details are passed on to a third party without my explicit consent, the guilty company has to pay that fee, plus a share of any fines, to me. That in turn, may help me to cover some of the unrecoverable costs when my details reach the netherworld and somebody steals something from me. As to security, we already sold our souls decades ago. We are not going to get a refund now.

    1. Destroy All Monsters Silver badge

      Re: It's all arse about tit

      No refund? No but you can pay in bullets chambered in 5.56 or otherwise.

    2. WatAWorld

      Re: It's all arse about tit

      "There are three main reasons for people wanting to know about me: Sales, theft and security."

      For people you are correct. For governments you are missing the main point.

      Control.

      Controlling you is the most important reason for government agencies to want to know your personal data.

      Why do you think Congress can no longer rein in the NSA? How do you explain someone like Dianne Feinstein (D Calif)? Why do you think MPs are powerless over GCHQ? My *guess* is because we're that far down the path of spying and losing our democratic freedom.

      Some Americans like to say, "Give me liberty or give me death." But now they know they don't have freedom, they wimp out on their promise.

  13. Anonymous Coward

    small business

    Are those most likely to not know (or care) about this matter, though they ought to.

    If a company can quite happily (in ignorance - deliberate or otherwise) set up a web shop without complying with consumer protection laws (information about returns, customer rights etc.), then the issue that the webshop is hosted in the US is likely to pass them by.

    Anon, cos this is an issue a bit close to my own workplace.

    1. WatAWorld

      Re: small business

      Hopefully a small European company is unlikely to locate its servers in the USA.

      If the USA is a cheaper place to buy web services, then maybe we need to look at whether or not the cost of providing the service is being subsidized by the NSA in order to facilitate spying.

      1. Anonymous Coward

        Re: small business

        A small European company might well buy its main website hosting in Europe but there are services such as bigcommerce.com (Texas/Australia) they might bolt on as a quick solution to online sales.

        And having looked at their forums, the answer to the recently asked question "how does the safe harbor ruling affect them?" is "we don't know at the moment".

    2. Mark 85 Silver badge

      Re: small business

      That is an interesting point. I know of several smallish businesses here in the States that use web hosting over on the right side of the pond. They're not international in scope (they have few international customers) but the hosting was cheap. I can see where some of the small EU businesses might have the reverse in play.

      It seems that what all governments forget is that the Internet really has no national boundaries (ok... Great Firewall of China and some of the stuff Russia is blocking aside).

      It also seems a given that all data is eventually slurped by someone's country and shared. Maybe not shared with all... But I expect that even an email I send here in the States ends up in more places than I can even think of.

  14. DaveDaveDave

    Oh, very clever

    Force everyone doing business in the EU to have their servers outside the EU, get the users to send their own data outside EU jurisdiction, end of problem, end of any EU control at all over data.

  15. Destroy All Monsters Silver badge

    FTFY

    The EC already knows that it has to reach agreement rapidly

    The EC already knows that it has to roll over and fudge the issue to make legal redress impossible rapidly

    1. WatAWorld

      Re: FTFY

      Yes, the EC has to make the submissive canine gesture of rolling over, raising its legs, twisting its head to expose its jugular, and peeing itself.

      The only alternative, unthinkable as it is, would be for the US government, US agencies, and US bureaucrats to obey the US Constitution and the Bill of Rights -- and at this point it is too late for that.

  16. WatAWorld

    Simply move or consolidate the servers to Europe

    The Americans don't seem worried about privacy, so rather than shelling out tens of millions of dollars in lawyers fees (and settlements that end up 50% lawyers fees), why not simply consolidate the servers onto European soil?

    Or store European accounts on European-located servers, although that might not be sufficient for something like Facebook where account info is shared between users on different continents.

    So simply move the servers to Europe. Keep the developers and sales people where they are, and shift the servers to Europe.

    1. Yet Another Anonymous coward Silver badge

      Re: Simply move or consolidate the servers to Europe

      But then how do you sell the information to US advertisers?

      But it doesn't help if the US govt can order the US parent corp to hand over the data held by European subsidiaries.

      1. Doctor Syntax Silver badge

        Re: Simply move or consolidate the servers to Europe

        "But then how do you sell the information to US advertisers?"

        There's no problem selling info on US residents to US advertisers. There's nothing in the DPA that offers out of country data subjects greater protection than they'd have at home.

        "But it doesn't help if the US govt can order the US parent corp to hand over the data held by European subsidiaries."

        It might need a more effective firewall than that. Not EU subsidiaries but EU franchisees with strict contract terms. Alternatively, a new Safe Harbour framework might require the US to warrant that it will not make such demands on subsidiaries but go through the appropriate legal procedure in the country in which the data is held. I suspect the latter would have to have some pretty effective guarantees built in to avoid being beaten up by the ECJ. A good gesture to make right now would be to drop the MS case and seek a warrant in Ireland.

        At some point the posturing will stop - and the sooner the better - and a practical solution will be worked out that satisfies EU data protection principles. I'm sure a solution will be found PDQ; I understand there's an election coming up in the US & there'll be candidates looking for contributions.

    2. DaveDaveDave

      Re: Simply move or consolidate the servers to Europe

      "why not simply consolidate the servers onto European soil?"

      No, that's the wrong way around. Just have everything outside the EU, and then when customers send you their data, they're the ones doing the exporting. It's not like anyone bar a few crypto-geeks and similar actually cares about this stuff.

  17. Anonymous Coward

    Register Whip Around

    Let's have a whip-round and fund an orbiting datacentre.

    To save money all data has to be sent back to earth using printed out PGP messages fashioned into paper aeroplanes.

    It's a crude version of UDP but it's secure.

    Commentard Hosting: Slow, Inconvenient, Expensive...Secure!

    Either that or we store all sensitive information on a USB drive guarded by a loyal 7-foot pipe-wielding simpleton (Of Mice and Men levels of daft) with a learning difficulty, given instructions to smash the drive if anyone he doesn't know tries to get access.

    This is by far the most cost effective method. A USB drive and a steady flow of Beano comics and we're sorted.

  18. dan1980

    Okay, so let me get this straight . . .

    The courts have ruled that it is ILLEGAL to store this data in the US but this illegal activity continues until a solution can be found.

    Is that right?

    Now, I fully understand that these changes cannot happen overnight and it won't help to tell the affected companies that they can no longer service requests from EU citizens, effective immediately. BUT, what's to stop another (otherwise identical) case being lodged right now? The operation of these services is illegal.

    My question is: how is it up to the politicians to set deadlines? Surely the court should be doing this as, in the absence of some ruling that says the behaviour will be temporarily allowed, what's to stop further lawsuits being brought?

    I am not a legal scholar in any sense so excuse the naivety but surely the best course of action would be for the court to decide on a deadline? It can't continue indefinitely, right?

    P.S. - I don't mean that the courts should rule on a deadline for amended legislation, as it's not their business to make law. I mean a deadline for when the operation of these companies must comply with the law - whatever that is.
