Schrems busts Privacy Shield wide open

Privacy activist and student Max Schrems has hailed an Irish Court decision today to refer cross-Atlantic data flows back to the European Court of Justice – all over again. Schrems sparked the original litigation which led to the Court throwing out the "Safe Harbor" legal framework that governed flows of European citizens’ …

  1. Cynical Observer
    Mushroom

    Put the popcorn on please

    This one is going to run and run... and run.

    Strikes me that it's analogous to a comparison between two security ethoses of years ago. The first granted pretty much full access to everything by default and then selectively removed it from those areas that a user was not supposed to see. The second granted nothing by default and then opened up areas that the user was supposed to access.

    The two systems were almost fundamentally incompatible and making them work together was the mother of all bodges.

    This feels similar - the US approach demonstrates a "We'll take everything until you bitch at us" feeling, the European, "We say companies can only have the minimum that they need."

    And it's not going to be truly resolved until mindsets start to change - hopefully with a pronounced bias to the European position.

    Now - Salted or sweet popcorn? ---------------------------->

    1. Anonymous Coward
      Anonymous Coward

      Re: Put the popcorn on please

      This feels similar - the US approach demonstrates a "We'll take everything until you bitch at us"

      And keep on taking regardless how much you bitch - quoting Ant Bully: "I am Big and you are SMALL".

      1. Anonymous Coward
        Anonymous Coward

        Re: Put the popcorn on please

        http://www.outlierpress.com/kipling%20pict.htm

    2. Swarthy

      Re: Put the popcorn on please

      Now - Salted or sweet popcorn?
      Salted Caramel Corn?

    3. John Brown (no body) Silver badge

      Re: Put the popcorn on please

      "This feels similar - the US approach demonstrates a "We'll take everything until you bitch at us" feeling,"

      143 million Equifax data subjects just may start the ball rolling in the other direction. We can dream, anyway.

  2. wolfetone Silver badge
    Pint

    G'wan Schrem! Have a pint for your trouble and kick Zuck's arse.

  3. Anonymous Coward
    Anonymous Coward

    The Judge however concluded that data collected under PRISM and Upstream, two Snowden revelations, showed evidence of “mass indiscriminate processing of data by the United States government agencies, whether this is described as mass or targeted surveillance.”

    The Judge therefore agreed with the Data Protection Commissioner raised “well founded concerns” that there is an effective remedy for European citizens under US law.

    "The introduction of the Privacy Shield Ombudsperson mechanism in the Privacy Shield decision does not eliminate those well-founded concerns. A decision of the CJEU is required to determine whether it amounts to a remedy satisfying the requirements of Article 47."

    I don't understand paragraph 2. What Data Protection Commissioner, who raised well founded concerns and what is the effective remedy that the judge agrees with? Something seems lost in the editing.

    1. Nik 2
      Pint

      Effective Remedy

      Not sure which Data Protection Commissioner, but the Effective Remedy argument, AIUI, is about whether or not a resident of the EU can lodge a complaint against the US if their data were to be illegally accessed.

      It had been argued that the Ombudsman was a process whereby a complaint could be made, but the Commissioner thought it might not be, and the judge agreed.

      Hair of the Dog is the only effective remedy -->

      1. Anonymous Coward
        Anonymous Coward

        Re: Effective Remedy

        I was curious that the Judge seemed to agree with the DPC that there was an effective remedy, whereas their concern was that there wasn't an effective remedy.

    2. Anonymous Coward
      Anonymous Coward

      Okay, so I found a link to the actual judgement which wasn't linked in the article.

      It seems that the case is between "the Data Protection Commissioner in Ireland" as a plaintiff and both Facebook and Schrems as defendants.

      The actual wording of the conclusion makes more sense if read in full:

      "To my mind the arguments of the DPC that the laws -and indeed the practices- of the United States do not respect the essence of the right to an effective remedy before an independent tribunal as guaranteed by Article 47 of the Charter, which applies to the data of all EU data subjects transferred to the United States, are well founded. Furthermore, even if the essence of that right is respected, there are, for the reasons advanced by the DPC, well founded concerns that the limitations on the exercise of that right faced by EU data subjects in the United States are not proportionate and are not strictly necessary within the meaning of Article 52 (1) of the Charter."

    3. Remy Redert

      The judge agreed with the data protection commish (Irish I assume?) that there are legitimate concerns regarding there being an effective remedy (to private data being abused) under US law.

      And then the judge sent the whole thing on to the EU court for them to decide whether or not the Privacy Shield Ombudsperson is enough of a remedy. When the EU court decides it's not, Privacy shield is scuppered.

      1. Adam 52 Silver badge

        This is the Irish Data Protection commissioner playing games in court. She's arguing that if Facebook is wrong then every other company that does international transfers is wrong. She's taking an extreme position in the hope of being found wrong, thereby allowing Facebook to continue. The BBC has a better write-up than El Reg.

      2. Alexander Hanff 1

        Ummm no - this will have no impact on Privacy Shield (yet)...

        There seems to be some confusion here - this case has no bearing on Privacy Shield (yet) - this case is entirely related to Standard Contractual Clauses.

        The judge stated that despite the Ombudsman (which was introduced as a role under Privacy Shield and a role which has yet to even be filled) there is still no sufficient remedy under Art.47.

        When the case goes to the CJEU, they will rule solely on Standard Contractual Clauses and whether or not European Commission decisions 2991/497/EC, 2004/915/EC & 2010/87/EU are valid. These are the EU Commission decisions which make Standard Contractual Clauses a legal basis for an international transfer (and in this particular case with regards to the United States).

        It is likely they will rule against these decisions and invalidate SCCs (because if they don't they contradict their previous ruling on Safe Harbor as they are addressing identical issues) but this will not invalidate Privacy Shield (or Binding Corporate Rules, which is currently the other legal basis used by many global organisations based in the US).

        What will happen after that is another case will need to be brought regarding Binding Corporate Rules and then another one regarding Privacy Shield (all on the same grounds as Safe Harbour and Standard Contractual Clauses).

        There have already been attempts to bring Privacy Shield to the CJEU by a French NGO, but they were blocked by the European Commission on the grounds that currently, organisations cannot file cases unless they are directly impacted (this changes once GDPR starts being enforced in May - as that allows organisations to file cases on behalf of citizens). This was a shitty move by the Commission because it was obviously just a stalling tactic but you can kind of understand why they did it (to try and fix Privacy Shield before May 2018 - which of course won't happen).

        TL;DR?

        This case will not invalidate Privacy Shield or Binding Corporate Rules because they are not the models on trial;

        This case is highly likely to invalidate Standard Contractual Clauses.

  4. Anonymous Coward
    Anonymous Coward

    Well, I told you so.

    I do fairly complex and high end privacy for a living, and I have posted a number of times here (from even before Edward Snowden leaked data, and before Max Schrems woke up the whole circus) that the Safe Harbor agreement is but a trade-political plaster over a very profound legal gap between Europe and the US, with Privacy Shield basically a repeat but with different excuses.

    The blunt and harsh reality is that a US company CANNOT protect you to EU standards. It's simply not possible. There are so many ways for especially government agencies to legally access US held information (both legal and on the sly) without any accountability or ability to receive compensation for this that pretending otherwise is politics, but not reality.

    How to fix this? Easy. US companies originally tried to fix this problem by seeking to weaken EU standards (hence the massive amount of US lobbyists in Brussels) but that hasn't worked, especially Snowden put quite a spike in that effort.

    Instead, they should focus their efforts on the US. After all, it's the US and they will all lose a lot of money if they don't fix it. Instead of whinging about Europe being too strong on human rights (with the usual strawmen on terrorism and crime), they should consider that there is NO conceivable reason why Americans should not have the same protection.

    That's not going to happen overnight, but if they actually want to FIX the problem, well, there's the root.

    1. Harry Stottle

      Re: Well, I told you so.

      I too bully my customers and colleagues into trying to take Privacy issues more seriously though, to date I haven't been paid (or even thanked) for my efforts.

      I'd be very interested if you could point to a more formal version of your argument which I could thrust under my resistors' noses...

      1. Anonymous Coward
        Anonymous Coward

        Re: Well, I told you so.

        I'd be very interested if you could point to a more formal version of your argument which I could thrust under my resistors' noses...

        The overall picture is a lot bigger than just the legal issues, but I resumed writing my book. Once that is out I suspect you'll have all the help you need. For now, read up on the GDPR and the fines that may result from getting it wrong, and how many customers you generally lose after a leak.

        1. Alexander Hanff 1

          Re: Well, I told you so.

          Oh please not another "the fines, the fines" - very few organisations will see large fines as a result of a breach under GDPR - this has been made clear over and over again by various Supervisory Authorities. Very serious cases where there was a lack of due diligence by the Data Controller will result in fines but even then, few will result in the maximum penalty.

          GDPR should not be presented as a big stick because it will not make corporations behave appropriately - what companies should be doing is look at the positive things in GDPR such as creating structured business processes with accountability, security and data protection by design, transparency. Using these positives to create a competitive advantage and build trust.

          GDPR is not about huge fines and never has been - it is focused on trying to make companies behave more responsibly and at its very core it is built on the premise of protecting the Fundamental Rights of people living in the EU (Article 8 of the EU Charter specifically).

          I have been doing this a long long time (waay before Schrems and Snowden) and have taken on corporations many times with some very significant successes, as well as having been directly involved in the changes to EU law - and even I don't wave the 4% stick around. Ruling by fear does not work - changing minds to work in a better, more ethical and quite frankly more efficient way is how we save privacy. Please do stop trying to undo all the hard work real privacy advocates have been doing.

  5. ratfox
    Unhappy

    Waste of time

    The US are going to keep on spying, the corporations will not add strong end to end encryption, and people will keep using their products. And neither Europe nor anybody else can do anything about it.

    1. Paul Crawford Silver badge

      Re: Waste of time

      "And neither Europe nor anybody else can do anything about it."

      Don't know about that, only takes a couple of cases that show it's illegal in the EU and a swarm of no-win no-fee lawyers to start suing USA corps in Europe and things might start moving.

      And before anyone says "you don't need to use Facebook" you might want to look at how so many companies are using it as their main portal / contact method to put it in to the 'effective monopoly' position that MS and Google have/are finding themselves being bothered with fines for abusing. Sure, if they have no business interest in the EU there is not much to do, but most of the big players are making money over here.

      1. Anonymous Coward
        Anonymous Coward

        Re: Waste of time

        And before anyone says "you don't need to use Facebook" you might want to look at how so many companies are using it as their main portal / contact method

        I have a feeling that that will eventually come to an end if they cannot get a decent legal framework going in the US. I don't know about other countries, but the UK has consumer protection laws which include unfair terms & conditions. Being forced to violate your privacy to communicate with the company may just be on the wrong side of the line, and I can also see this become a more interesting issue with the GDPR coming in.

        That said, a company I cannot reach via non-social media like email and phone is automatically off my personal list as well as banned by default as a viable trading partner in procurement. Anyone who wants to buy something in our company from an outfit like that will have to come with very strong arguments to get an exception signed off. I can't see that happening, to be honest.

  6. Anonymous Coward
    Anonymous Coward

    Post Brexit this will happen to the UK

    UK gov is not really applying the data protection laws correctly here and when we're outside of the EU it will be easier for the EU to say so... cue movement of business to EU countries.

    1. Alexander Hanff 1

      Re: Post Brexit this will happen to the UK

      Post Brexit the UK will have to obtain an adequacy decision just the same as any other country not in the EU and given there are existing infringement proceedings against the UK for not correctly implementing 95/46/EC (the Data Protection Directive) with 7 outstanding issues that the European Commission will not disclose because they claim it would do irreparable damage to International Relations (read that as holy shit they are doing some really bad stuff at GCHQ), despite having received multiple FOI requests for the details; it is HIGHLY unlikely an adequacy agreement will be forthcoming, meaning it will be illegal to send data from the EU to the UK (and actually this will be the default until an adequacy decision is made - so the day Brexit happens it will become illegal to transfer personal data to the UK).

      Unless by some miracle another arrangement is put into place prior to Brexit as part of the agreement (not bloody likely).

  7. Dan 55 Silver badge

    They've got to sit down and think about it again

    What would be a good name after Safe Harbour and Privacy Shield?

    If they can just get the name right...

    1. EnviableOne
      Coat

      Re: They've got to sit down and think about it again

      Profit Protection Plaster

    2. Trigonoceps occipitalis

      Re: They've got to sit down and think about it again

      "Pork Sword" because they're gonna screw you whatever.

    3. Queeg

      Re: They've got to sit down and think about it again

      Probably FUBAR it's just so appropriate.

      1. Captain DaFt

        Re: They've got to sit down and think about it again

        Probably FUBAR it's just so appropriate.

        Since all it is is just window dressing to protect the status quo, how about SNAFU?

        1. Sir Runcible Spoon

          Re: They've got to sit down and think about it again

          Safe Harbour Is Turgid

  8. Nick Z

    Data exporting is a way to get around data protection laws

    One of Snowden's revelations was that USA and its allies were spying for each other on each other's citizens. This was a way for them to stay legally within their law, while in practice trashing and disrespecting their law completely.

    US citizens are protected by US law from unwarranted government surveillance. But if their data happens to be in UK, then the US law doesn't apply there anymore. The UK government is free to do all the spying it wants on US citizens and then pass on that information back to the US government.

    And of course, it was done the other way too, where the US government spied on UK citizens for the UK government.

    Exporting data outside of legal jurisdiction is basically exporting it outside the law. It's literally a way to get around the law and disregard it completely, as if the law doesn't even exist.

    1. Anonymous Coward
      Anonymous Coward

      Re: Data exporting is a way to get around data protection laws

      US citizens are protected by US law from unwarranted government surveillance.

      You'd think so, but that "protection" is undermined at federal law level. Besides, that doesn't help the US held data of foreigners (which is what we're talking about here), a position undermined by even more federal laws.

      But if their data happens to be in UK, then the US law doesn't apply there anymore.

      That depends. The problem is that US ownership can be used as legal leverage in the US, that's what happened in the Microsoft Ireland vs DoJ case (which, by the way, would have been MUCH better served by filing an international request for collaboration with Irish police, so it is my firm belief that the real aim of that case was establishing more precedent). By the way, just hosting abroad does not always mean your data then gets the benefit of its new jurisdiction, it's a bit more complicated than that or criminals and dodgy companies would do this all the time.

      The UK government is free to do all the spying it wants on US citizens and then pass on that information back to the US government.

      There is that too, I think that's about the only value left for the UK for the US.

      Well, that and hosting part of ECHELON near Europe, of course..

      1. Alexander Hanff 1

        Re: Data exporting is a way to get around data protection laws

        Actually it rarely means that your data is safe (I have written on this many times) - if the data center is owned by a US corporation or even if they set up a subsidiary (such as Twitter, Facebook etc.) then it is all fair under US law because these subsidiaries are owned by the US corps and as an asset of the corps they and any tangible things they have (such as data) can be seized under US law (no matter where they are located in the world).

        The DOJ actually screwed up in the Microsoft case - they used the wrong law to try to obtain the emails (Stored Communications Act if I remember correctly) - there are multiple other instruments they could have used which would have been more effective (such as FISAAA and at the time PATRIOT or even an NSL) because they were complacent and figured they wouldn't be challenged.

        With regards to the UK spying on US citizens and then sending that back to the US - no, you are mistaken in thinking that is legal; it is not. It is surveillance by proxy and both Congress and the Senate have already stated this is not legal.

        The biggest issue US citizens have is that companies are not protected by the 4th Amendment leaving them wide open to s215 of PATRIOT until 2015 at which time it was not renewed - however FISA has since been amended under Title 1 - Business Records to provide similar access to 'tangible things' relating to US citizens (the entire thing is currently a mess that Trump is certainly not coherent enough or interested enough to fix).

        So it is a little more complex than most people might think...

  9. Anonymous Coward
    Anonymous Coward

    Leaving aside the government snooping and going back to data protection...

    How would all this apply in the recent Equifax data loss? It looked to me like the data lost on UK customers was hardly considered at all and I have a clue what rights they have if any.

  10. Anonymous Coward
    Anonymous Coward

    So Much for EU Data Privacy

    I find it odd that EU citizens complain about US spying when their own governments do just as much. The issue is that Snowden made it impossible for the world to ignore what the US government digs up, but not what other governments do (though some of it did point to snooping by the other 4 of the 5 eyes). If you think ticking a box (or not ticking a box) will prevent you from having the UK, German or French governments snoop on you, then I have a bridge I own that you might like to purchase.

    1. EnviableOne

      Re: So Much for EU Data Privacy

      The Germans are careful about it, as they really don't want to get caught "being the Gestapo/Stasi"

      The French don't really care and haven't been caught

      Snowden disclosed the FIVE EYES agreement, and it's one of the concerns WP29 has over UK implementation of 95/46/EC (the original data protection directive), there are 4 of them

      Basically FIVE EYES is intelligence sharing between English speaking countries (UK|US|CAN|AUS|NZ)

      but this is the mechanism by which "we'll spy on yours, if you spy on ours" works.

      The only solution is to come to an international convention on data subject rights, and while we are at it, we could define Cyber warfare too.

    2. Alexander Hanff 1

      Re: So Much for EU Data Privacy

      The difference is we have an "effective remedy" - in other words we can take our governments to court and win (lots of case law on this in ECtHR) and EU governments can be forced to change their laws (see RIPA in the UK, Data Retention Directive etc. - again lots of case law).

      There is no dispute that EU governments spy - but if they break the rules and you find out about it, you can (in theory) take them to court and win.

      The Law has never been about being able to stop people doing bad things - nothing will ever stop that. The Law is about providing effective means of redress (effective remedy) when bad things are done.
