back to article Safe Harbor 2.0: US-Europe talks on privacy go down to the wire

United States and European Commission officials have promised they are doing everything possible to reach agreement over transatlantic data-sharing before a critical deadline at the end of this week. After the Safe Harbor agreement – put in place in 2000 – was struck down by Europe's highest court back in October due to NSA …

  1. Grikath

    simple question..

    Has the US, and their SuperSnoopers stopped as treating the whole world ( data or physical) as Theirs?

    No? Move along then...

    1. Yet Another Anonymous coward Silver badge

      Re: simple question..

      On the other hand if the commission said, nobody in europe could use Microsoft/Amazon/Google/Facebook/Netflix etc do you think people would say, thank you for protecting us from the snoopers ?

      1. Spanners
        Facepalm

        Re: Re: simple question..

        It is one thing for me to choose to put information on the internet where it may come under the view of criminal organisations like the NSA.

        It is an entirely different thing for any hospital, Doctor or NHS organisation to do so for me.

      2. Grikath

        Re: simple question.. @ YAAC

        I very much doubt they'd do anything of the sort. More likely results would be extra paperwork at the airport, regarding the waiving of your privacy rights for information provided to be able to enter... etc. The big internet outfits may have to use a splash page warning their users about the inability to guarantee privacy, unless of course the companies involved could guarantee that data would be Euro-only ( which they can't..) .

        There's a host of little things the EU could do that would push an issue that's (mostly) escaped Joe Average up until now right in his face. The EU won't ban much.. It will politely *suggest* that doing business with [x] may entail a privacy problem. Subtle-like.. It will be.. enough.. to be efficient.

        1. Yet Another Anonymous coward Silver badge

          Re: simple question.. @ YAAC

          The Eu could say "no safe harbor, separate your businesses and build data centers in the eu" and the companies could reply; "try it, ban us and see how long before the populace storms the winter palace"

          1. P. Lee

            Re: simple question.. @ YAAC

            Ban them? I don't think so.

            Do what the US does, fine them.

          2. big_D

            Re: simple question.. @ YAAC

            @Yet another Anonymous coward - Microsoft have already tried that, they have data centres in Ireland and the US Justice Department want them to hand over the data, because Microsoft Ireland is a subsidiary of Microsoft Corp. in America and therefore falls under US Law and not Irish law...

            1. Voland's right hand Silver badge

              Re: simple question.. @ YAAC

              and the US Justice Department want them to hand over the data, because Microsoft Ireland is a subsidiary of Microsoft Corp. in America and therefore falls under US Law and not Irish law...

              They went one step further - they sell a "product" which can be summarized as "Azure and operating Azure it you" to a 3rd party and 3rd party like DT runs the customer facing part of the service. AFAIK< the other services, including Office 365 are in the pipeline to join Azure

              Can't blame them, they have near-monopoly on government business in Eu with Office 365, making that an embargoed product will not go well with their bottom line. That reminds me, we are in a leap year. Does this mean that Office 365 will take a mandatory one day lie down at some point to comply with its naming?

            2. alecwood

              Re: simple question.. @ YAAC

              "falls under US Law and not Irish law..."

              Incorrect, it falls under Irish law, but it's parent falls under US law. You really think that US owned companies are immune from local laws?

              That's what makes international trade complicated, having to follow both the laws of your headquarter country and those where your subsidiaries are based

          3. Doctor Syntax Silver badge

            Re: simple question.. @ YAAC

            "try it, ban us and see how long before the populace storms the winter palace"

            Apart from the fact that many of the big players have data centres in the EU already do you really think they're as daft as you seem to be? It's business. They'll do what's needed to keep the money coming in.

        2. Doctor Syntax Silver badge

          Re: simple question.. @ YAAC

          @ Grikath

          As things stand I'd expect to be waiving pretty well any human rights to enter the US.

          For the rest, businesses may try some of the things you suggest. I doubt they'll get away with it. In particular there'll be problems for any business that tries to use US-based services for HR; you can't get people to waive legal protections as a basis for employment. And I doubt there'd be too much success for sites trying to sell stuff if they ask you to grant them a waiver before they can provide you with information. It will take a little time and some big fines but the idea of obeying the law will start to get traction.

      3. Anonymous Coward
        Anonymous Coward

        Re: simple question..

        Yes please. Kick the yanky companies out for a while, 16 weeks aught to be plenty long enough, by which time European versions of most of those would have spun up. OK Microsoft might be a problem because the product itself is a monopoly and not fungible, but wouldn't you laugh if all the Windows 10 upgrade servers were blocked?

        In the digital world of easy come, easy monopolize, protectionism actually works.

        1. noj

          Re: simple question..

          I agree. There are alternatives that already exist for most US-based software. And with China getting into the chip market that's a big step toward replacing hardware as well.

      4. Doctor Syntax Silver badge

        Re: simple question..

        " if the commission said, nobody in europe could use Microsoft/Amazon/Google/Facebook/Netflix etc"

        You appear not have been taking notice but a number of these large businesses have data centres in the EU already.

        There is a need for them to ensure that they conduct their operations in conformance with the law here. With a bit of effort - the amount will depend on the outcome of the current Microsoft case - they shouldn't have a problem. The real problem comes from those companies who offer online services to EU businesses to process personal data in the US and to their EU clients. They are going to have to smarten up or pay fines, the larger the better until the message gets out there - if you do business in the EU, you obey EU law.

      5. Wolfclaw

        Re: simple question..

        If this happened, the US Gov would be shitting themselves at the backlash from the megacorps at the $billions lost in revenue for all !!

        Or simple, megacorps put he US in a private internet isolated from the rest of the internet that respect privacy, soon followed by China, France, UK, Australia, Canada and all those oppressive spying regimes !

        So back to square 1 then !

        1. Anonymous Coward
          Anonymous Coward

          Re: simple question..

          Or simple, megacorps put he US in a private internet isolated from the rest of the internet that respect privacy,

          News Redmond and Cupertino campuses along with most of silicon valley businesses can now be found at 34.450288, -43.255551 due to the new laws in the USA making it impossible for them to operate there

  2. Doctor Syntax Silver badge

    "Which sounds very much like a legalistic way of saying because everybody's ignoring the law, the law is irrelevant."

    And the only thing that will earn them is another kicking in court.

    I think the best advice that could be given to any US company that wants to do EU business that goes near personal data is to structure your operations in such a way as to ensure you're not the test case by keeping that data in the EU with proper legal firewalls between it and any part of you that the your government can seize onto.

    What Max Schrems has shown us is that it doesn't matter what weasel words are agreed at political level the court will look at the reality.

    1. This post has been deleted by its author

  3. Anonymous Coward
    Headmaster

    T9 shenanigans?

    You've messed up your sub there Reg... but don't worry, I've fixed it for you:

    End-of-month deadline looms for vile data slurping pact

    0:o)

  4. allthecoolshortnamesweretaken

    Why can't I rent cloud storage space directly from the NSA?

    1. Anonymous Coward
      Anonymous Coward

      I believe you have to get it from the CIA.

    2. Graham Marsden
      Coat

      Perhaps you can get it from the Met Office?

    3. Captain DaFt

      "Why can't I rent cloud storage space directly from the NSA?"

      Dead easy. Just make your request into your phone (doesn't matter if it's even on), and within 5-10 working days you'll coincidentally receive a flyer from some random company via snail-mail offering a *special* cloud deal.

      Just call the number provided, make the deal, job done!

      1. Sanctimonious Prick
        Happy

        HaHaHaHaHaHaHaHaHaHaHaHaHaHaHaHaHaHa

        Apologies. But that made me giggle. No. Cackle! :D

  5. Anonymous Coward
    Anonymous Coward

    Nothing will change, however perception of change will

  6. Anonymous Coward
    Anonymous Coward

    The reality is that there will be no deal.

    The US government wants to slurp data secretly and across the board. The EU (in theory at least) is fundamentally against that.

    Unless one relents (which will happen when hell freezes over), there can be no deal.

    1. Gordon 10
      FAIL

      That's not entirely true. I doubt either the State or Commerce Depts give a stuff in private what the DoD and DoJ wants they may just have to toe the policy line for now.

      It's dumb to assume Govts are monolithic entities, if we fail to understand them it makes it harder to redirect them.

      1. Anonymous Coward
        FAIL

        DoJ? Where did "the DoJ" spring from? What do you suppose "the DoJ" has to do with the US government's illegal NSA mass surveillance operations? Mass surveillance which the US government has just renewed? You must be thinking of that inane pantomime which MSFT and their government are performing in their subterfuge campaign to help you forget about the facts. The tedious sideshows are absolutely irrelevant... if you're going to forget something, forget them.

    2. Kurt Meyer

      @skelband

      "The US government wants to slurp data secretly and across the board. The EU (in theory at least) is fundamentally against that."

      I believe you're correct, but I think you do not go far enough.

      EVERY government wants to slurp data secretly and across the board. The EU (in theory at least) is fundamentally against that.

      The spotlight is currently on the US government, which must be pleasing to the other governments doing the same or similar gathering of data, many of which will, sadly, make a public plea for the curtailment of such data collection, while they continue hoovering up as much as they are able to get their hands on.

      No agreement or treaty will stop this from happening. Pronouncements will be made, papers will be flourished, and the data gathering by any government that is able to do so, will continue unabated.

      When, inevitably, the snooping is exposed, we'll be fed the usual melange of kid porn, dope, and terrorism, as sufficient reasons for doing it. This will convince a large enough percentage of the public that the surveillance is a good thing, and it will continue.

      In my opinion, nothing short of pitchforks and torches will stop this.

      I would be thrilled to be wrong.

      1. Doctor Syntax Silver badge

        Re: @skelband

        "In my opinion, nothing short of pitchforks and torches will stop this."

        Pitchforks and torches have their place when legal process fails. Legal process is slow but seems to be working. It's started with Safe Harbour. It might take another trip round the block before they decide the game's up with that one. But don't think other countries won't be challenged; HMG's latest efforts are a response to previous challenges; again they haven't got the message yet but they'll be back in court until they do.

        1. Kurt Meyer

          Re: @skelband

          @Doctor Syntax - First of all, I apologize for the poor quality of my post to which you and others have responded. The hour was late, but my heart was saying post, post, post. What little brain I possess was saying sleep, sleep, sleep.

          I do think that the legal process is at work, in individual countries, and bilaterally, as well as at a higher international level, EU, UN, and perhaps other regional associations. Your mention of efforts in the UK is a case in point.

          It is our great hope that these legal processes will succeed in curbing the voracious snooping of any country's citizenry by their own governments. There is, in my opinion, no chance of stopping international espionage by using these methods.

          Like the race between guns and armour, espionage versus counterespionage will go on and on with first one side and then the other having an advantage. It would be naive of us to believe otherwise. For the record, let me be clear that I am not accusing you of being naive, but those folk do live among us, and they'll be lulled by the weasel words emanating from their governments.

          I would very much like to share your optimism, but truly I do not. I am very pessimistic. My belief is that we'll all be left standing on the tarmac at Heston, waving an agreement, while off stage those who fancy themselves our masters carry on as before.

          Once again, I hope that I am wrong.

      2. Tomato42
        Unhappy

        Re: @skelband

        thing is, no other government spends even a tenth as much money on spies as the US does

        also, very few governments are as jingoistic as the US one (it's a single developed country like that) and as such are more interested in spying on their own citizens and foreign diplomats, not the whole world and the dog

        I can at least pretend that I can do something about it in my own country, I can do jack shit about what the US does

        finally, a defence in form "but he's also been hitting me" is applicable in a sandbox, when you're a 6 years old, not a nation aspiring to the label of "superpower"

        1. Kurt Meyer

          Re: @skelband

          @ Tomato42 - Along with Doctor Syntax, please accept my apology for failing to make my post above more clear.

          You are absolutely correct to say that the US spends vastly greater amounts of money on espionage than any other country. It is well known that the US does the same in regard to "defence" spending. The two are certainly inseparable.

          Why do they do this? In my opinion there are two reasons: First, perceived self-interest, which seems to be a trait common to both men and nations.

          Secondly, (and this I believe to be what separates the US from other nations) ability. By this I mean that they have the money and they are willing to spend it on guns and spies to an extent unparalleled in world history. It is my belief that other nations would do exactly the same if they had the means to do so.

          It is important to note here that my belief in these reasons for the conduct of the US government neither excuse nor endorse said conduct.*

          Tomato42, I believe it is the second reason given above that leads the US to spy on world+dog, not necessarily jingoism in and of itself. I'll wholeheartedly agree with you that the US has a high level of jingoistic belief in it's own primacy. Is this jingoism justified? Not in my opinion, not nearly to the level that many in the US believe.

          Jingoism, like the tides, has ebbed and flowed in many places throughout the years. You and I may differ about its extent, but as you rightly inferred in your post, it exists in many lands.

          "I can at least pretend that I can do something about it in my own country, I can do jack shit about what the US does"

          100% true, which is little consolation for you.

          I can at least pretend that I can do something about it in the US, I can do jack shit about what any other country does.

          Also 100% true, which is little consolation for me.

          'finally, a defence in form "but he's also been hitting me" is applicable in a sandbox, when you're a 6 years old, not a nation aspiring to the label of "superpower" '

          I believe we may have to disagree there. I may be guilty of misunderstanding what you mean by sandbox defence, and I will gladly hear more of your reasoning. I offer this in defence of my own position:

          If I, as First Lord of the Admiralty, look across the North Sea and observe the Hochseeflotte growing by leaps and bounds, I will certainly deplore the lack of both wisdom and necessity in that growth. I'll also ring up Armstrongs and order some new dreadnoughts.

          * Christ, that sounded lawyerly.

    3. Doctor Syntax Silver badge

      "The reality is that there will be no deal."

      I believe there's an election coming up in the US. US corporations wanting to do business in the EU will buy themselves a more compliant government.

  7. Mike Echo

    "Which sounds very much like a legalistic way of saying because everybody's ignoring the law, the law is irrelevant."

    Oh well, if everyone is doing it then it must be okay.

  8. Anonymous Coward
    Anonymous Coward

    WTF?

    "renowned human rights lawyer argues that since there is "growing acceptance by governments that bulk collection of data is necessary to deal with Islamic extremist threats" that the protections in place in the United States are "essentially equivalent" to European laws "on a practical level"

    Catching T's? Oh please.... How is it economic espionage exposed by Journalists like Duncan Campbell and witch-hunts for whistleblowers, journalists, OWS protestors etc, always get overlooked???

    1. Yet Another Anonymous coward Silver badge

      Re: WTF?

      Same rules, if Ms May(and her French and German counterparts) insists that it's necessary to track all UK internet use, and hack Belgian telcos to protect us from tourists then the Eu can't claim that US monitoring is unreasonable and a violation of human rights.

      But safe harbour isn't to protect you from the spooks anyway, all the Eu inteligence agencies will happily hand over the data to the NSA in the name of cooperation.

      It is protect you from companies. It is to stop Google noticing you searching for diabetes and selling that information to your bank so they can decide if you are a good mortgage risk, or Netflix noticing you watching CageAuxFolles and selling that to grindr

      1. Anonymous Coward
        Anonymous Coward

        Re: WTF?

        And the fundamental failure of it has been the US government policy that they would not prosecute anyone who broke it, because the potential victims were non-citizens and potential perpetrators were citizens, and therefore more important.

        1. Yet Another Anonymous coward Silver badge

          Re: WTF?

          And the UK government that didn't prosecute banks that shipped data to cheap outsourcers in India where it was stolen.

  9. Charlie Clark Silver badge

    It won't happen on time

    Any new agreement will have to be ratified by every member state and that certainly can't happen in time.

    So any noises from the negotiators are just PR showing us how hard they are working. Until the fundamental problem is resolve – the EU requires judicial oversight, which the US rejects – then this is going nowhere.

  10. Anonymous Coward
    Anonymous Coward

    Does anyone know what happens when you go roaming?

    - Lets say in a fairytale world this all works out. Does anyone know what happens when you go roaming? - A lot of people travel for work or for holidays etc, and will want to log into their home accounts back in the EU.

    - When that happens does local overseas law apply and the current IP gets snooped on, or will logging into an EU domain from overseas provide a privacy safeguard i.e. logging into a facebook.ie account from a US city will be protected from snooping?

    - If not, everyone will just get snooped eventually anyway, with all their data hoovered at that moment in time which is a farce!

    1. Anonymous Coward
      Anonymous Coward

      Re: Does anyone know what happens when you go roaming?

      You can largely forget being protected by law at the moment. If you don't want to get slurped, sort yourself out a VPN back to your kit in your own country.

      Even if a government (and particularly the US) says they'll respect your privacy, they will be lying. You won't be able to prove anything and even if you could it'd be rattling around courts for a decade; during which time your data will have escaped.

  11. Vimes

    growing acceptance by governments that bulk collection of data is necessary...

    And the public? What about them?

    Why is it the term 'stakeholder' never seems to include members of the great unwashed?

    In any case I call bullshit on this. If it were really necessary then the likes of Theresa May would not have such a big problem justifying need to spy on all of us, instead of deflecting questions with promises of written answers at some vague point in the future.

    1. Anonymous Coward
      Anonymous Coward

      I call bullshit on the guy's whole speech. For a "renowned human rights lawyer" he seems to be speaking for the wrong team. And playing the paedoterrorist card, to boot. Puh-lease.

  12. Slacker@work

    Can somebody clarify....

    Am I right in thinking that there are currently no Apple data centres in the EU, and if so all the personal data of the fanboi crowd (names, credit cards, etc) are happily, and legally as it's in the USA, in the mits of the NSA?

    1. Sebby
      Unhappy

      Re: Can somebody clarify....

      Correct, AFAIK (perhaps their third-party cloud storage providers). As a bona fide fanboy, I can assure you I'm not happy about it either.

      The best option available is to just reduce the amount of data you put up there, which Apple of course punishes you for by not supporting other, compliant services as well or at all. Then of course they add salt to the wound by not allowing you to (easily) delete data from your account, or close it.

      I will be very happy when they fall under the axe. I love the products, but not the company.

  13. VinceH

    "Which sounds very much like a legalistic way of saying because everybody's ignoring the law, the law is irrelevant."

    Well, what will happen when the deadline is reached and no new agreement has been made? Absolutely bugger all - things will just continue as now, which pretty much shows that at this level, the law is as good as irrelevant.

    And as far as Joe Public is concerned? Although only a vanishingly small sample, I've tried explaining the situation to friends and family both in the run up to and after the downfall of "Safe Harbor". They really don't give a flying frell, and what I've said probably just helped to secure in their minds that I'm a fully paid up member of the tinfoil hat brigade.

    The only thing that will make them sit up and take notice is if, come the deadline, the likes of Facebook et al are completely blocked in Europe, at which point they'll come back to me and ask why, having let what I said previously go in one ear and out the other, briefly triggering the "Ignore Vince, he's just paranoid" synapse en route.

    And we know damned well that a block like that won't happen: See above - both this post and further up in the comments.

    Heads the DSA* win, tails the European public lose.

    * Data Slurpers of America

    1. Sooty

      I believe that, legally speaking, you can send data to the US without a problem, you just need permission from the data subject to do so. Worst case, they'll probably just tack on an extra "you give us permission..." clause into the hundreds of pages of legalese terms and conditions all these services have hidden away and continue on as usual.

      1. Doctor Syntax Silver badge

        "Worst case, they'll probably just tack on an extra "you give us permission..." clause into the hundreds of pages of legalese terms and conditions all these services have hidden away and continue on as usual."

        Courts tend to dislike unfair contract terms. In fact, they can dislike them so much as to invalidate the whole contract, not just the unfair term.

    2. Charlie Clark Silver badge

      Well, what will happen when the deadline is reached and no new agreement has been made?

      It's likely the floodgates for civil suits will open because precedent has been established. The ECJ has declared the agreement void and the DPAs will have little choice but to enforce it. Otherwise, as Schrems has demonstrated, the courts can be used to enforce it.

  14. John 98

    Seems they have all missed something

    The bottom line is that the European equivalent of the Supreme Court has ruled that the current systems breach folks' constitutional rights in Europe. Any agreement, whether the European and US executive branches or the companies like it or not, has to address that issue to succeed.

    If the US government is saying the entire planet is, however, under American law, perhaps they should give about another seven billion people citizenship and a vote.

    And the companies - their lawyers must have seen this coming years ago and they did nothing. I guess a billion dollars a day in fines will concentrate minds wonderfully on a restructure to cover the situation. Not very difficult, European subsidiary owns servers in Europe ...

    1. Vic

      Re: Seems they have all missed something

      I guess a billion dollars a day in fines will concentrate minds wonderfully

      It'll certainly help with the deficit...

      Vic.

  15. noj

    safe harbor or not

    the US alphabet departments will continue to slurp data from all over the world. Given their actions and the complete inaction by US government to curtail their actions there will be no change.

  16. nsld

    posturing aside

    All the big players have data centres in the EU and Microsoft has even appointed a local regulator in Germany to show how serious they are.

    The stumbling block is actually that to agree that an EU data subject has certain fundamental rights that will be respected would highlight that US citizens have lesser rights. Can anyone see Donald Trump liking that?

    After all, if Cletus J Shitkicker the 3rd can't have those rights why would they give them to any dodgy foreigners?

    1. Charlie Clark Silver badge

      Re: posturing aside

      After all, if Cletus J Shitkicker the 3rd can't have those rights why would they give them to any dodgy foreigners?

      You forget: the US does give extra rights to US citizens which makes spying on them technically illegal and is one of the main reasons why GCHQ is so damned big: it is effectively outsourced spying.

      Foreigners (let's not bother to call them citizens because in US law they don't have any rights) are fair game all the time.

    2. Doctor Syntax Silver badge

      Re: posturing aside

      "After all, if Cletus J Shitkicker the 3rd can't have those rights why would they give them to any dodgy foreigners?"

      If Cletus J Shitkicker the 3rd were to move to the EU (assuming he could actually find it) he'd have those rights. It's not in the US govt's gift to decide what rights people in the EU have. The problem that needs to be solved is how to ensure that those rights are respected.

      Conversely it's no concern of the EU how US citizens might react to discovering their govt makes them second class.

  17. Anonymous Coward
    Anonymous Coward

    Not going to work and if it does it will be ripped apart by Law

    what with CISPA allowing companies to ignore anything they want and give data to the US Govt / security agencies and have a get out of jail free card. "not liable" for anything I don't see HOW the EU safe guards and ability to find out what's happening to your data can be shown to be upheld. so no safeharbour 2.0 can work without parity of Data protection legislation

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like