back to article Microsoft's top lawyer: I have a cunning plan ... to rescue sunk safe harbor agreement

Microsoft president and chief legal officer Brad Smith has presented a new safe harbor pact to replace the agreement struck down earlier this month by the European Court of Justice (ECJ). The ECJ ruled that transferring Europeans' private information in and out of America is no longer allowed because America's privacy laws …

  1. Anonymous Coward
    Unhappy

    Sounds like common sense....

    ...so bound to fail.

    1. James Micallef Silver badge
      Facepalm

      Re: Sounds like common sense....

      I'm not sure if it's common sense or not, but what this guy is describing is EXACTLY the same as safe harbour, with the difference that EU companies could process US' citizens data based on US rules.

      What this guy fails to realise (or maybe not) is that safe harbour is sunk by Patriot Act and NSA spying. As long as US gov agencies can demand data on anyone (including EU citizens) from US companies, without the data subject being notified and based on a secret court order that cannot be known about let alone challenged, there are no possible rules that can resurrect safe harbour.

      And that's just what US Gov agencies are LEGALLY allowed to do under Patriot Act. FSM only knows what how much data they're trawling 'on the side'.

      1. Aitor 1

        Re: Sounds like common sense....

        what he says is "RESPECT THE LAW", as in all laws, not just the local one.

        Won't happen, as it means US would have to repel the US unPatriot Act, among others.

        1. g e

          Re: Sounds like common sense....

          Double the infrastructure ( as it's more sensible to sandbox non-eu data from eu data) and double the lawyers as now they'd have to understand US law as well for any US-originated data that may be held.

          Also Co's would have to agree, under some circumstances, to be subject to US law wherever in the world they operated. Sounds like a jurisdictional trojan horse to me.

          Don't see everyone jumping on that bandwagon

        2. john devoy

          Re: Sounds like common sense....

          But the USA no longer feels it has to respect the laws of other countries, only its own.

      2. Danny 5

        Re: Sounds like common sense....

        Excellent post, people seem to not understand that it wasn't the rules that were problematic, it was the blatant way in which US companies broke those rules again and again and again and again.

        1. Cynical Observer

          Re: Sounds like common sense....

          @Danny 5

          .... it was the blatant way in which US companies Government Agencies broke those rules again and again and again and again.

          FTFY

      3. Dan Paul

        Re: Sounds like common sense....

        Except YOUR European spy agencies do the exact same thing as OUR spy agencies.

        Oh, and by the way the countries including yours, changed the laws so it's fully legal that European spy agencies can do what you object to US agencies doing.

        1. Mark 85 Silver badge

          Re: Sounds like common sense....

          Not sure why the downvote unless it's just pure hate. Everyone admits that everything and everyone on the Internet is fair game and data is slurped. Doesn't matter what country or who's citizens as they all do it.

          I think this is a start, but as was pointed out, getting the US Congress go along is like herding cats. I think that also goes for all the rest of the governments. That cat herd is rather large.

      4. Anonymous Coward
        Anonymous Coward

        Re: Sounds like common sense....

        Since the United States is an Oligarchy and the whole terrorism bit is signed and paid for just for the purpose to get these totalitarian powers of snooping, with a clear intent of expanding, not shrinking these powers, it won't matter. Whatever they agree to on paper, the spooks will get do whatever they want.

        Since the EU is really part of the same Club of blood sucking reptiles, it just puts them on alert, that they made a minor mistake with the setup of the EU, in spite of the Chinese style Polit-bureau and their perfect control of the mainstream media.

        .

        Lets see how they attend to this:

        Another false flag attack to get everybody to fall in line again on the needs of universal snooping? Another new war some place? An epidemic? Ahh, wait; maybe an economic collapse! That always has side benefits - every bust allows them to hoover up assets...

    2. big_D Silver badge

      Re: Sounds like common sense....

      The problem isn't the companies involved. it is US law and its steam rolling of people's rights.

      The data from the EU can only be handed over to the US Government if they have a valid EU warrant. And that is what the US agreed to, before they enacted the Patriot Act and nowadays say "ah, well, the data is on US soil, so we can ignore those pesky EU people and their silly data protection laws, just give us the data or face fines and imprisonment."

      Under those circumstances, there isn't much a US company can do. Until the US Government and the US Justice agree that data held under Safe Harbor is actually safe, there isn't much any company can do.

  2. DocJames
    Black Helicopters

    Trust...

    ...has been lost. Good luck getting that back in a hurry.

    1. Dick Palmer
      Pirate

      Re: Trust...

      "The US and Europe had a safe harbor pact permitting this flow of personal data over the Atlantic, but the court tore it up, which is a major problem for Silicon Valley."

      FFS, the ECJ didn't tear anything up! The US ignored their "gentleman's agreement" making a mockery of it.. and making a mockery of the Charter of Fundamental Rights of the European Union in the process.

      The ECJ had no choice but to observe that the "safe[sic] harbor" scam is a scam.

  3. alain williams Silver badge

    Won't work

    it is about companies agreeing. They can agree all that they want, this does not provide protection when:

    * government (NSA, FBI, ...) comes calling

    * the companies go bust and private data is sold off by the administrators (which has happened)

  4. Dan 55 Silver badge
    Devil

    Lawyer he speak with forked tongue!

    American firms with European customers would handle their data in compliance with EU rules and vice versa... That changes, however, if an EU citizen lives in the US or if an American moves to Europe. In that case the data rules used match the physical location of the customer.

    So US companies storing EU residents' data inside the US would have to store it under a new kind of safe harbour agreement where EU residents' data is stored following tougher EU rules inside the US which has laxer rules. Here nothing has changed.

    EU companies storing US residents' data inside the EU would be legally unable to store it under the US' laxer rules. So what he's lobbying for is the EU to nobble its own data protection laws so that EU companies can store US residents' data under the US' laxer rules and then they would promise really really hard to store EU residents' data the way it was before. We all know that's going to happen.

    Edit: And it'd also probably solve the DOJ-MS Dublin case.

    This is the man which came up with the 45-page privacy agreement and decided it was okay to make GWX hijack your Windows 7 and 8 computer and push out Windows 10-like telemetry updates to Windows 7 and 8 computers over Windows Update. Never trust the lawyer!

  5. P. Lee Silver badge

    Herding cats?

    That makes the problem sound like an organizational one. It isn't. The US tries to act like ruler of the world and will use any leverage it can to get what it wants regardless of existing laws, jurisdictions and procedures. The State sees itself as the supreme potentate answerable to no-one. Increasingly, other countries' governments are taking the same view. As the MS-Irish-US affair shows, anyone with assets in the US will be seen by that government as liable only to US law.

    Stuff 'em. If they want to act like a tin-pot dictators, surely Balkenisation is to be welcomed. If google, amazon and ms can't operate their data snarfing outside the US, the Americans have only themselves to blame. It may take a few years to polish but that opensource idea may just catch on.

    The USG is finding that playing mean results in the other kids refusing to play. Who could have predicted that?

    1. Bob Dole (tm)

      Re: Herding cats?

      >>It may take a few years to polish but that opensource idea may just catch on.

      I'm not sure how you think opensource will help in any way shape or form. The problem isn't the tech. The problem is that the US Federal Government can order a US Company to turn over all of the data it has. Further the US Federal Government can force said company to not disclose that it has turned over the data and even to force that company to deny it has turned over the data.

      That is what destroyed Safe Harbor. Sure, there are other issues, but at the end of the day that is what needs to change. Don't hold your breath.

  6. Destroy All Monsters Silver badge
    Mushroom

    LOCK AND LOAD!

    "This month the old legal system collapsed, but the foundation long ago had crumbled. In recent years it has been apparent that a new century requires a new privacy framework. It's time to go build it."

    You stupid fucks even dropped the ball on software patents back in the 90s to gain a little "Market Advantage", literally driving over people's best interests.

    Now you pretend you can create a legal Potemkin Village of the Holy Privacy Unicorn which will be respected by out-of-control superbly financed and extremely metastasized state actors?

    GO DIE IN A CORNER.

    1. WatAWorld

      Re: LOCK AND LOAD!

      This is Microsoft not Apple. It was Apple that tried to pull that stunt patenting Xerox's windows and icons concept.

  7. SolidSquid

    Microsoft can agree to whatever they want, but unless Congress agrees to pass a bill supporting it (actually passing bills being something the current Congress is famous for... not doing?), this is still going to fall afoul of the ruling in German courts that US based companies can't legally guarantee protections if the government can override them, and the US companies can be held liable

  8. Adrian Midgley 1

    Two of the problems are

    that the US gov has demonstrated itself untrustworthy, and that this is proposed by Microsoft, who fall short of paragonhood of virtue in that respect as well.

    GNU Foundation ideas might get a better reception, intransigent and Idealist being exactly what is lacking.

    1. Anonymous Coward
      Anonymous Coward

      Re: Two of the problems are

      This would be the same evil Microsoft that is fighting not to give in to law enforcement over data held in a foreign country?

      1. Anonymous Coward
        Anonymous Coward

        @Lost all faith - Re: Two of the problems are

        No, it's the same Microsoft who happily sifts through a user Hotmail account to find proof he's selling counterfeit MS software. Only then it hands over that info to the police voluntarily.

        Also gave you a down-vote just for the sake of balance.

    2. Anonymous Coward
      Anonymous Coward

      Re: Two of the problems are

      1. Stupidity of Europeans that still don't recognize that their OWN spy agencies and governments do and have been doing the same thing (Or worse, but they didn't get caught yet) for 50 years as the US does. EACH of these agencies is as "untrustworthy" as any of them regardless how much you moan and complain about the US.

      2. Going on and on about "Open Source" being the panacea to solving all computing ills' when "open sores" software has as many or more bugs than any other software manufacturers product and any Linux installation on an inexperienced users PC is more likely to stay unpatched for longer than Windows as there is no automatic update method. If there is no support crew, then it is at least as dangerous as Windows.

      3. For the record, anyone who is a regular El Reg commentard that has not been able to follow the directions posted everywhere to block the Windows 10 upgrade updates and/or remove them for Win 10 isn't worth the powder to blow them to hell and sure as hell doesn't deserve the title of computer savvy.

      It's getting pretty old. There's far more to do than bashing Americans in this world. Or are you really that emotionally retarded? It's not like Britain, Germany or France have been any shining beacons of "privacy" or even competence over the last forty years. And strangely enough no European company has ever provided an operating system that even came close to the market share of Windows which makes all the complaints no more than sour grapes or anti-competitive puerile bullsh@t.

      European's collective inability to admit they are wrong about the US is ingrained in their culture. It's been going on for over 200 years. You just don't like anyone who doesn't kiss your butt and kowtow to your "superior" ways. You always seem to think you "know better" than we do. Wrong!

      Maybe you should just learn to live with the fact that we Americans aren't the same as you and we aren't going to be; as well as the fact that your Europeans aren't any better than we are either. Stop tying to act superior because you aren't.

      1. Baskitcaise

        Re: Two of the problems are

        Ah diddums, shall I pick your dummy up for you?

        X

      2. anonymous boring coward Silver badge

        Re: Two of the problems are

        Riiiight...

        So that was some Windows defence rant?

        So relevant to the question.

  9. WatAWorld

    Really? Putting servers in Europe would bring about The Dark Ages ?

    The simple solution is to put the servers in Europe and under European law.

    That will make the Europeans happy.

    Just so long as Americans are not totaly addicted to having all their data shared with government workers, Americans will be happy too.

    1. sabroni Silver badge

      Re: The simple solution is to put the servers in Europe and under European law.

      That exactly what MS's current case is about, the US demanding access to data stored on servers in Ireland. The American government doesn't care where the servers are, it demands access anyway.

    2. Anonymous Coward
      Anonymous Coward

      Re: Really? Putting servers in Europe would bring about The Dark Ages ?

      That isn't a solution as the US legal system believes it is entitled to data stored by American companies regardless of where that data is stored. While MS have decided to fight the case you'd have to wonder how many companies would of just rolled over and handed the data to the feds.

      An interesting scenario is if the UK leaves the EU what's the chances of a snowball surviving in hell that is the UK being allowed a "safe harbour" agreement with the EU?

      1. Anonymous Coward
        Anonymous Coward

        Re: Really? Putting servers in Europe would bring about The Dark Ages ?

        Since the UK already has the necessary data protection legislation in place (which Brussels must be happy with since they have not complained) then I would suggest that the odds are pretty good. However they may start to get iffy if some time-serving minister decides to curry favour with who ever is in charge in the States and tries to weaken the rules.

  10. WatAWorld

    Is this Microsoft person totally ignorant of US law and US politics?

    Is this Microsoft person totally ignorant of US law and US politics?

    Under US law foreigners living abroad are not entitled to human rights. And US politics goes even further than that.

    "Microsoft's plan is ridiculously straight forward: a new legal framework for handling data, where blocs on both sides of the Atlantic agree to play by each other's rules. American firms with European customers would handle their data in compliance with EU rules and vice versa."

    Once the data is in the USA, as it enters the USA (and probably as it passes through the UK), the data will cease to be secure, the data will be spied upon and potentially copies made, retained and circulated, by US (and probably UK) government workers.

    And once it is in the USA, no surveillance court judge is going to refuse to rubber stamp a warrant to seize the data just because the data is on some foreigner.

  11. Steve Davies 3 Silver badge

    Since when did MS move South?

    Redmond, (last time I looked) was a good few hundred miles north of silicon valley.

    Even their notional Tax HQ is in Nevada.

    Not all US data slurping companies are built on top of a number of Geological fault zones.

    Perhaps the best we can hope for is 'The big One' to hit and swallow them up whole but that still leaves Ms 'up north'.

    1. kain preacher

      Re: Since when did MS move South?

      Um Any wear in west coast of North America is in a fault zone. From Alaska to Mexico.

  12. Avatar of They
    Mushroom

    Erm....

    Man responsible for allowing the biggest malware peddling data trawl in history (MS windows 10 worldwide security and cloud model) thinks we should follow his efforts.

    Bell End.

    1. dogged

      Re: Erm....

      >Bell End

      It's quite unusual to sign forum comments. And take a look at the actual data W10 sends home. I have. I think you'd be surprised ( or from your post and signature, perhaps disappointed) how little there is. In tests, I found the OS sent fewer packets to Redmond than Chrome sends to Google.

      1. anonymous boring coward Silver badge

        Re: Erm....

        Oh, yes! And the best thing is that this is guaranteed never to change!

  13. Mage Silver badge

    Internet faces 'digital dark ages' if nothing is done

    Total FUD.

    It inconveniences rapacious megacorps and foolish SMEs out sourcing.

    At present level of world politics, privacy, spying and commercial exploitation:

    * Should be illegal for ANY one anywhere to send or store other people's personal data outside the country of person, without clear informed consent.

    * Servers and regional HQ should be in same country

    * Outsourcing of HR, Payroll etc outside the country were the employee works should be illegal

    * No selling or transfer of personal details to 3rd parties for benefit of third party.

    * No automatic opt in to anything.

    It's complicated when website has server only in one country and then person in random 3rd country signs up. In that case they shouldn't keep any personal data. If it's online shop, it should be like buying stuff in a local shop, with cash. Don't keep the details once it's shipped. Don't keep the credit card details at all once paid. Makes all those mega credit card thefts impossible.

    Loyalty cards on physical shops are an issue. People do not realise this is to personally track them and often to supply info to 3rd parties. Only anonymous "loyalty" cards should be allowed!

    1. Yet Another Anonymous coward Silver badge

      Re: Internet faces 'digital dark ages' if nothing is done

      You have heard of the european union and the free movement of goods and services?

      Try writing the same thing with "cars being made"

  14. Anonymous Coward
    Anonymous Coward

    If the UK votes to leave the EU...

    and you live in the UK it will be open season on your data. You won't be protected by EU laws, and the US doesn't care about foreign laws anyway. Cameron and his cronies, particualrly May, want to do away with your human rights and right to any kind of digital privacy anyway. Leaving the EU will mean there wil be no higher court of appeal when (for example) they decide to sell all your health data to the highest bidder to help generate a "budget surplus".

    The rest of Europe will be happy but it will be the UK in the digital dark ages, no-one will trust us with their data. Just another sector that will move out of the UK if the UK is stupid enough to leave.

    1. Anonymous Coward
      Anonymous Coward

      Re: If the UK votes to leave the EU...

      If the UK votes to leave the EU...and you live in the UK it will be open season on your data.

      Sorry to burst your bubble, but it's already open season on UK citizens data, because GCHQ get all the powers they want, have zero accountability, and no need under UK law to get warrants. In the the highly unlikely event that GCHQ can't help themselves to your data they'll outsource the job to NSA and their mates, under the reciprocal Five Spies umbrella.

      No matter what the EU say about data protection, and the supposed "rights" you have, successive UK home secretaries have worked ceaselessly to ensure that your data is readily accessible to the stasi. Your optimism in the benefits of EU membership is quite touching, though.

  15. Pascal Monett Silver badge

    "the dangers of a Balkanized internet"

    Dangers ? What dangers ?

    I see no problem in Euro TCP-IP traffic staying in Europe instead of being routed through California (or wherever) and coming back. Nor do I have any issue with Euro citizen data being stored in Europe and not being sent anywhere without consent.

    Of course, today the situation is that everything is sent to the US and the US is taking advantage of that to liberally peruse anything they want. So yeah, the US is in danger of not having such easy access to other people's private lives, but that ship actually sailed with Snowden and won't be coming back, so it's no use complaining about it now.

    I see no danger to people with a "balkanized" Internet security scheme. I do understand that the US government doesn't like the idea, but I couldn't care less about that. As far as I'm concerned, the White House has no right to look at me when I'm not on American soil or declaring my intention to go there.

  16. Anonymous Coward
    Anonymous Coward

    A cunning plan?

    A plan so cunning you could put a tail on it and call it a weasel? A plan so cunning you could brush your teeth with it? I think I can see where this is going....

  17. Anonymous Coward
    Anonymous Coward

    The nerve of a Microsoftie to preach against digital dark ages

    Remember Microsoft vs Netscape? IE6 with bugs galore, couldn't render web pages properly and couldn't even pass the Acid test? "Best viewed on Internet Explorer" banners on websites everywhere?

    Bad things inevitably happen if you let Microsoft dominate and have its own way.

    1. dogged

      Re: The nerve of a Microsoftie to preach against digital dark ages

      Wait, Netscape was way worse than IE.

      That's why people stopped using it.

  18. James 51

    Or the US could adopt EU privacy law as it's own and it's law enforcement agencies could obey the law. Novel concepts I know and it will never happen but would solve the safe harbour issue.

    1. Zippy's Sausage Factory
      Devil

      "law enforcement agencies could obey the law".

      Ah dear, that'll never happen... best laugh I've had all week...

      1. Anonymous Coward
        Anonymous Coward

        I'm curious to see how this progresses. I too don't see the US changing their privacy laws as they see it as a matter of national security, everyone else be damned. Plus they have additional "incentives" for the Europeans to turn around. The only way Washington will pay serious attention is if countries go "nuclear" and declare Americans personae non gratae. If a major European country officially decides to suspend diplomatic relations, pull out all their visitors, close their land to Americans, and stubbornly "go it alone" for any crisis that comes their way, then Washington will have no more way to bargain with them: forcing the decision into an all-or-nothing, either capitulate and change the law or double down and go without them.

        1. Anonymous Coward
          Anonymous Coward

          @AC and I'm curious how you think you'll do on your own...

          because that will be the end of most tourism dollars for your countries, the end of any aid you get sent, the end of any economic cooperation, the end of many raw materials and the beginning of an economic downturn so great that the Great Depression will look like a fart in the wind.

          Please go ahead... when you are bankrupt and starving don't forget you asked for it. I won't care.

          1. Anonymous Coward
            Anonymous Coward

            Re: @AC and I'm curious how you think you'll do on your own...

            If you're talking TOWARDS the US, they won't care. They get plenty of tourists internally and from Asia. There's a big self-sufficiency push as well, so cutting off will just motivate them. Imagine if a Kennedy-like figure starts a nationalistic push towards true energy independence within a term. This bit about Safe Harbour means economic cooperation is at a standstill anyway, so they could just switch gears to Asia.

            If you're talking towards the other country, the US would be happy to just say, "Good Luck...you'll need it" and watch to see if they come crawling back.

            1. James 51

              Re: @AC and I'm curious how you think you'll do on your own...

              You do realise that the EU is the biggest ecomonic block in the world?

              1. Anonymous Coward
                Anonymous Coward

                Re: @AC and I'm curious how you think you'll do on your own...

                I thought that was Asia. China and India alone comprise some 2 1/2 billion people, plenty of natural resources, and ambitious to move on up. Plus the US, even if not at the top, comprise nearly 400 million people in themselves, a growing oil reserve and a lot of agricultural resources, which means they still have some sway in global economics.

                1. James 51

                  Re: @AC and I'm curious how you think you'll do on your own...

                  Take it with a pinch of salt but:

                  The economy of the European Union generates a GDP (nominal) of about €14.303 trillion (US$18.451 trillion in 2014) and a GDP (PPP) of about €12.710 trillion (US$16.773 trillion in 2014) according to International Monetary Fund,[1] which makes it the largest or second largest economy in the world respectively if treated as the economy of a single country depending on a source used.

                  https://en.wikipedia.org/wiki/Economy_of_the_European_Union

                  1. Anonymous Coward
                    Anonymous Coward

                    Re: @AC and I'm curious how you think you'll do on your own...

                    If you're going to treat all of Europe as a bloc, then you'll need to treat North America as a bloc, and Asia, too (lumping together China, India, South Korea, and Japan). How does Europe stack up on a bloc-by-bloc comparison?

        2. Mark 85 Silver badge

          Balkanize and the US will just increase it's spying efforts... Russia and China are getting there and I'm pretty certain the push is on to get inside and stay inside their borders. If anything, this type of thing will increase everyone's paranoia. By everyone, I mean "governments". People.. not so much as they will still give data and info to any website that asks.... Look to FB and Google as a prime example.

  19. Wommit

    So...

    " American firms with European customers would handle their data in compliance with EU rules and vice versa."

    Then the EU companies could freely spaff the US citizens data about. That'd work.

  20. Anonymous Coward
    Anonymous Coward

    MS have a cunning plan ...

    They will issue a stealth update to European legislation on Tuesday night so that by Wednesday morning [following a quick reboot] we will all be living in the WinX world of rainbows and unicorns.

  21. Bladeforce

    The main problem here is...

    the EU is adapting its laws whereas American law is stuck in the 1800's

  22. Doctor Syntax Silver badge

    Not what I'd expected from the headline

    It seems as if his new safe harbour is just like the old one except that authorities are allowed to get at US data subjects' data when held in the EU.. I'm surprised. Under the circumstances I'd have expected him to argue that, if EU data subjects' data is kept by a US company's EU subsidiary in the EU, safe harbour would be the US barring itself from any attempt to get at it except by due process of law in the country in which it's held. It makes Microsoft's position in the email case the odd man out in that it seems to be the only example of them trying to do the right thing.

  23. Anonymous Coward
    Anonymous Coward

    An

    An internet dark ages or an internet renaissance? While no doubt there would be some chaos but that would just be an engine for innovation?

    Course wont happen, a new bodge will be found,

  24. A Long Fellow

    In case you thought this was functionally simple...

    At least one of the complications is that large-scale services such as social networks will store information (or copies thereof) as locally as possible -- either in part or in whole.

    What happens when Brussels Bill and California Carl become Facebook friends? I don't know FB's data architecture, but I can guess that at least some of Bill's data is going to be replicated in California, while some of Carl's data will be replicated in Brussels. When the cops come knocking in California, the server should cough up only data on Carl, while keeping schtum on Bill?

    On a much smaller scale, what would this mean for a small business owner who has customers or clients worldwide? Whether I'm using a cloud CRM or a desktop database, I am bound to be breaking the law.

    Even under Safe Harbour, this was problematical, insofar as an undertaking to uphold _either_ US or Euro standard would place me into averred conflict with the other -- and we can thank Schrems for forcing the conflict into the open.

    1. Doctor Syntax Silver badge

      Re: In case you thought this was functionally simple...

      As regards social networks this is something the Irish DPC has to consider - remember the immediate outcome of this case is that they can now go ahead and investigate the complaint. They may still decide that some or all of the complaints aren't justified but if they are justified the networks don't have Safe Harbour to hide behind.

      As regards international trade your customers would be sending their data to you and if you're in the EU you need to handle it in accordance with the EU's requirements. The problem comes if you then send it to a cloud CRM in the US because you can't be sure about it's handling. If you have a desktop database instead then the data doesn't leave the EU.

  25. sisk

    Getting the US Congress to act is nothing at all like herding cats. It's much, much harder.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2020