European Commission straps on Privacy Shield

The European Commission has this morning adopted the EU-US Privacy Shield agreement, which will enter into force as soon as all member states are notified of the adequacy decision (PDF). Privacy Shield, which has been adopted after months of negotiations, is an agreement between the EU and the US which ostensibly ensures that …

  1. Mephistro
    Unhappy

    "...a short guide for citizens explaining the available remedies..."

    It'll be short, indeed!

    1. Pascal Monett Silver badge

      Indeed

      And I find laughable the idea of an Ombudsman independent of the US TLAs.

      If he is truly independent, he will have no power. If he is not independent, he will be part of the apparatus and his job will specifically be to do nothing, while appearing to do something.

      There is no reason for our data to migrate to the US. Each person's data should be handled in that person's country. It is the only way local law can apply.

      And don't tell me about international treaties: the US has no respect for those anymore within its borders (and sometimes even outside its borders).

  2. Anonymous Coward

    PRIVACY-SHIELD

    will do neither.

  3. Potemkine Silver badge

    So NSA et al. will now break new regulations instead of ancient ones?

    Can we really call that 'problem solved'?

  4. Doctor Syntax Silver badge

    Good. Bring on the ECJ challenge.

  5. Anonymous Coward

    "Privacy Shield now governs the transfer of data from the EU to the US."

    No. It governs precisely nothing. It wallpapers over the fact that US law-enforcement will continue doing whatever the fuck it likes and US companies will continue to do whatever the fuck they can get away with, which is almost everything.

    1. Anonymous Coward

      Exactly.

      Those who could use such a shield, don't care about it and those who can defend themselves, don't need it.

  6. Pseu Donyme

    re: protects EU citizens, their privacy

    Humbug. US corps, more like, from having to give a hoot of the same.

  7. Anonymous Coward

    Odd.

    The moment Europeans protest against the US trying to pry into our lives and violate our privacy merely because we'd like to visit, then the answer is always the same: required measures against terrorism.

    But the very moment when the EU once suggested to apply the same ruling to Americans visiting Europe all of a sudden we got an uproar because that was obviously a blatant privacy violation for no apparent reason.

    Pot and kettle much?

  8. Anonymous Coward

    There's as much chance of that being enforced as HSBC getting prosecuted for dodgy money laundering. Absolute zero.

  9. Thatguyfromthatforum

    Tor is now mandatory for 99% of my web experience, precisely because the TLAs can't be trusted.

    While we are on the subject it's a shame El Reg still doesn't have https by default or the ability to use tor to access it.

    1. Gotno iShit Wantno iShit

      "While we are on the subject it's a shame El Reg still doesn't have https by default"

      El Reg doesn't have HTTPS at all, never mind default. Given the number of articles bemoaning the privacy offered by other web sites it really is a piss poor example of 'Do as I say not as I do'.

    2. Anonymous Coward

      "While we are on the subject it's a shame El Reg still doesn't have https by default or the ability to use tor to access it."

      They also use Google Analytics and Gmail, but I must admit I find protecting my use of the Net a back to front approach. By default, I am entitled to privacy - those who want to hand it off should be made to follow the appropriate laws. There is, for instance, no earthly reason why Do Not Track cannot be followed by the likes of Google - the idiotic idea of having to install something EXTRA in order for Google not to track you is ridiculous.

      But hey, that would be using logic. Can't have that ..

      1. incloud

        Do Not Track and PrivacyShield

        The Annex II document lays out 7 principles that US companies must abide by once they agree to be covered by PrivacyShield, including Notice, Choice and Access.

        Principle 1) Notice. They have to declare who they are, including contact information, what types of data they collect, what their purposes are for collecting it, what third-parties they will share it with etc.

        Principle 2) Choice. You must have choice over limiting use and disclosure of your personal data, usually an opt-out but there must be an opt-in for "sensitive" data. This has been diluted by obscure legalese but in the end whatever is offered has to be "essentially equivalent" to the relevant requirement in EU DP law - freely given, specific, informed, unambiguous affirmatively given consent.

        Principle 6) Access. You must have access to the data the company hold about you, and be able to correct, amend or delete it. This is also a pale imitation of the EU DP rights to object, access and erase but ultimately will have to be equivalent.

        In the context of online data flows the W3C Do Not Track recommendation includes most of the building blocks needed to implement these principles. There is an extensible Tracking Status Resource that can be used to declare the notice requirements, a signal that can indicate a person's right to object to data collection, and an API giving the continuous capability to register or revoke consent.

        From the outset Do Not Track was designed to give people visibility of and control over the hundreds of third-party resources embedded in many websites, even in cases where the website owner has not contracted with the third-parties or taken responsibility for their privacy practices.

        The clearest way for any US company offering third-party resources to show their support for and compliance with the PrivacyShield principles would be to properly implement Do Not Track.

  10. Anonymous Coward

    Privacy shield - just like the Colgate ring of protection

    Mainly hype, otherwise imaginary.

  11. Mk4

    I humbly disagree with most of the above comments

    The "Privacy-Shield" name is as badly chosen as "GDPR". 95/46/EU and the GDPR is mostly not about protecting data, it's about protecting people from organisations who want to use our personal data. It is a small step on the path to individuals owning their personal data (which is how the world should be organised IMO). If you find that an organisation is holding data on you that is not correct - e.g. that you have county-court judgements against you when you do not - there is a legal channel to getting a copy of that data and then getting it corrected.

    Similarly Privacy-Shield is not really there to protect privacy - it's there to try and provide some kind of control over our personal data. It's not as strong as the GDPR and I imagine the main thrust of the legal challenges will be to establish if Privacy-Shield really does provide similar protections as 95/46/EU or the GDPR. This is a requirement for an EU organisation to send your data outside the EU.

    The US government can get your data wherever it is, forget about legal restraints, there aren't any that apply to them. The Privacy-Shield agreement includes many clauses specifying all the ways that the US government can get to your data, so it actually formalises these methods as permitted.

    If you give your personal data to a non-EU organisation directly e.g. filling in a form on a website hosted in the US (also the rest of the non-EU world) then your data is not covered by Privacy Shield, comes under none of the protections of and there is no recourse to authorities under Privacy Shield, 95/46/EU or the GDPR.

    Until the basic standard is that individuals have legal ownership over their personal data and misuse has a similar legal standing as (for example) taking without owner's consent (TWOC) it's up to everyone individually to think about which organisations they give their data to.

  12. Doctor Syntax Silver badge

    "Similarly Privacy-Shield is not really there to protect privacy - it's there to try and provide some kind of control over our personal data."

    No it isn't. It isn't even there to look as if they're trying to protect data. At best they're trying to look as if they're trying to protect data. And as we all know they don't even look as if they're trying to look as if they're trying to protect data.

    HTH

    1. Mk4

      Some tortuous English - are you involved in the legal profession? What do you mean by "protection" - for me that is about preventing unauthorised access to the data (ref. information assurance). In any case, I don't think you have read the text of the privacy shield documentation. Yes, there are notes about protection of data but it's really about control of the data, how organisations indicate compliance with the scheme and various aspects of governance of the scheme (and, of course, all the ways the US gov. is permitted access to the data).

      You can argue that the level of protection is too low (and I would probably agree with you), but control of data and protection of data are two different things. I am discussing control of data in the sentence you cite.

      Privacy shield is better than safe harbour, under which vast amounts of data was shovelled across the Atlantic. As I noted in the original post - my position is that personal data should be the legal property of the persons to which it pertains. Every time we take a step towards that position it is an improvement.

      1. Doctor Syntax Silver badge

        "Some tortuous english"

        Sigh. Yes Minister and Yes Prime Minister should be on the national curriculum. I think the original was one of Bernard's
