The US could do more, but it's like pulling teeth
To encourage the US, I recommend pulling those teeth without analgesic, meaning really damaging punitive fines (GDPR anyone?).
The European Commission's (EC) third review of Privacy Shield – the legal fig leaf through which EU citizens' data can be sent to US companies for storage and processing – has found some improvements since last year, but deems the whole agreement as still resoundingly "adequate". Things looking a bit brighter this time include …
Things looking a bit brighter this time include the US Department of State's improved inspections of participating companies by conducting monthly checks to ensure compliance.
Why do I get the feeling that the US Department of State is whitewashing this? Can they really check every participating company properly every 30 days, or is it more like them waving the EC past, like emergency services personnel at a fatal accident, saying something like "Move on, Move on. Nothing to see here"?
The problem really lies on the US side (no surprise there, sorry): although the Privacy Shield agreement is mainly a tool to stop an all-out trade war (or, to be precise, a mechanism by which US companies can continue to make vast profits off the private details of EU citizens), there is no actual legal match between the two entities.
US law has at federal level so many backdoors (they seem to love them over there) that privacy protection for even US citizens is but a vague and as yet unsubstantiated rumour, which is wholly at odds with the EU situation. As that gap is unlikely to be addressed (because, you know, profit), any attempt to pretend it's all fixed is just marketing and, to be frank, the same BS we were served even before Safe Harbor died.
European privacy campaigner Max Schrems is warning that enhancements to the EU-US Privacy Shield data-sharing arrangements might face a legal challenge if negotiators don't take a new approach.
In an open letter, Schrems – the lawyer behind the Schrems II ruling which put an end to the transatlantic data-sharing agreement – said that US assurances of EU citizens' data privacy would be insufficient to avoid another legal challenge.
"We understand that the US has rejected any material protections for non-US persons and is continuing to discriminate against non-US persons by refusing baseline protections, such as judicial approval of individual surveillance measures," the lawyer wrote.
The Austrian data protection authority has ruled that use of Google Analytics by a German company is in breach of European law in light of the Schrems II EU-US data sharing ruling.
Datenschutzbehörde, or DSB, has found that a German publisher, not named in the case, was in breach of Article 44 of the General Data Protection Regulation (GDPR) in the use and operation of Google Analytics – commonly used throughout web publishing and ecommerce – because of its movement of personal data to the United States.
In 2020, the EU Court of Justice struck down the so-called Privacy Shield data protection arrangements between the bloc and the US in what is now known as the Schrems II ruling, which has ramifications for US cloud providers, social media sites, and providers of online tools.
Data privacy campaign group noyb, founded by Austrian lawyer Max Schrems, has filed a complaint with the Austrian Office for the Prosecution of Corruption (WKStA) for a potential violation of Austrian criminal laws by the Irish Data Protection Commission.
Noyb claims the DPC effectively attempted to impose a "non-disclosure agreement" preventing the non-profit privacy campaign group from disclosing details relating to its 2018 complaint that Facebook had "bypassed the GDPR" by changing terms and conditions for users so that it no longer needs consent to process personal data.
A German court has ruled that sharing IP addresses with US-based servers for the purpose of cookie consent is unlawful under EU data protection law and the EU Court of Justice Schrems II ruling.
The university Hochschule RheinMain in Germany was this week prevented by Wiesbaden Administrative Court from using a cookie preference service that shares the complete IP address of the end user with the servers of a company whose headquarters are in the US.
A complainant had alleged that the CookieBot consent manager from Danish provider Cybot transmitted data such that IP addresses were shared with US-based cloud company Akamai Technologies.
The European Data Protection Board (EDPB) has finalised its guidance to businesses on how they should proceed following the Schrems II ruling, which struck down the Privacy Shield data-sharing arrangement between the EU and the US.
In its final version of the recommendations [PDF] on supplementary measures to accommodate the ruling, the EDPB said the transfer of data could be impinged on if legislation in a third country allows authorities to access data transferred from the EU, even without the importer's intervention.
In the Schrems II ruling, named after Austrian privacy activist and lawyer Max Schrems, the EU Court of Justice said that Section 702 of the US Foreign Intelligence Surveillance Act together with a US presidential order and a policy directive on data collection by spies failed to meet EU data protection requirements.
Updated: Microsoft has announced plans to ensure data processing of EU cloud services within the borders of the political bloc in a move that expert observers claim reveals problems with the firm's existing setup.
Those problems extend to UK public sector organisations seeking to stick within government guidance as well as a longstanding issue where personal data held in the EU can potentially be accessed via US security laws.
In a blog, Brad Smith, Microsoft’s president and chief legal officer, said the software and cloud services giant would, by the end of 2022, enable EU customers of Azure, Microsoft 365, and Dynamics 365 to have all their data processed physically within the EU.
Privacy group noyb, founded by rights advocate Max Schrems, has instigated a new complaint about Google's use of the Android Advertising ID (AAID) to track users.
Last November the European group filed a complaint to the German and Spanish data protection authorities concerning Apple's IDFA (Identifier for Advertisers) on iPhones, claiming it was equivalent to a tracking cookie being placed by a website without the user's consent, which is against the EU's e-Privacy law.
The group is now taking similar action against Google, with a complaint filed with France's data protection authority. In the complaint [PDF], noyb claimed the Android Advertising ID (AAID) "is simply a tracking ID in a mobile phone instead of a tracking ID in a browser cookie," and therefore both the storage of the AAID and its access are illegal because this "should be authorized by the user through prior consent."
Privacy activist Max Schrems is back, and this time he has filed complaints against Apple for privacy violations over a cookie it places in iPhones for some advertisers.
His digital rights group Noyb has targeted the tech giant in Germany and Spain, claiming Cupertino's “Identifier for Advertisers” (IDFA) tracking ID, which is automatically generated on every iPhone during setup, allows Apple, app makers and ad networks to follow an individual user's activities and use that data to show them ads targeted at their interests.
Here's Noyb's gist of its own complaint: