An axe age, a sword age, Privacy Shield is riven, but what might that mean for European businesses?

On 16 July, the European Court of Justice struck down Privacy Shield, an EU-US agreement that required American companies to sign up to a higher standard of privacy to be considered, perhaps somewhat condescendingly, "adequate*" for compliance with the bloc's General Data Protection Regulations (GDPR). You will no doubt soon …

  1. Doctor Syntax Silver badge

    "When an organisation's only customer interface is via Facebook or Twitter (to name the main ones), it forces customers to agree to terms that harm their privacy in order to communicate."

    In that situation no consequences will be undeserved, regardless of how costly they are.

    1. iron

      When an organisation's only customer interface is via Facebook or Twitter I will not deal with them.

      1. SImon Hobson Bronze badge

        I'd agree, but ...

        As the article states, sometimes it's someone you "have to" deal with for one reason or another.

  2. Greybearded old scrote Silver badge

    No Shit Sherlock

    The CLOUD act is exactly why US companies aren't adequate. If they want to do business on the right bank of the pond, they do it within the local laws. If their own stupid laws don't allow that, then what do they spend all that lobbying money for?

    1. Doctor Syntax Silver badge

      Re: No Shit Sherlock

      I've suggested previously that the way round this for a US service is to offer a franchise to an EU business, set up under EU law with EU citizens as owners, officers and staff. The franchise pays for IP - branding and copies of S/W - from the US business. EU data is handled purely within the EU. If data, mail in the example in the article, is to be sent to a non-EU, non-US destination then it's not routed through the US.

      There's another option for EU businesses to use email of course - use an EU-owned and EU-based MSP. That's assuming the MSP doesn't simply resell a US-based service (Is BT still reselling Yahoo!? Not that that matters now anyway.).

      1. Anonymous Coward

        Re: No Shit Sherlock

        The problem with that is that for the U.S. company, you are sharing your algorithms, data and many of your deepest secrets with an EU franchisee that is technically free to stop being your franchisee and go do something else, using a lot of the data and secrets you had to share with them. Legally, the arms-length agreement might work, but from a security standpoint it has a number of problems.

        Plus I could see issues with general data security (What happens if the franchisee has a huge IT security failure? Does the mothership have any liability?) and will the franchisee's cut of mothership revenues generated be enough to keep the franchisee operating in the marketplace?

        1. Doctor Syntax Silver badge

          Re: No Shit Sherlock

          "technically free to stop being your franchisee and go do something else"

          Only if the franchise contract allows it to do so.

          "What happens if the franchisee has a huge IT security failure? Does the mothership have any liability?"

          ROFLMAO

          The current situation has an ongoing, built-in security failure: the CLOUD Act.

          "will the franchisee's cut of mothership revenues generated be enough to keep the franchisee operating in the marketplace?"

          Back to the contract.

        2. cdegroot

          Re: No Shit Sherlock

          I've yet to work at a tech company in the SaaS/web/... area where there was actual IP to rip off in the technology area. Frankly, often, competitors had objectively better tech than where I worked. It is mostly branding, marketing muscle, stuff like that that makes you win and I think that that's where Sillycon Valley differs from European efforts: the realization that throwing lots of money at marketing, sales and biz dev makes the difference.

          No, the franchise idea won't fly because of all the tech debt: no way that another company can host the, let's say it nicely, somewhat organically grown software that got written. Didn't MS try it with Deutsche Telekom?

    2. Anonymous Coward

      Re: No Shit Sherlock

      Plus, US companies, including FecesBook and Googs, have no problem complying with requirements from dictatorial countries. They have just never believed that the EU would ever stand up to them.

      I say bring it on.

  3. Glen 1

    The point of the EU

    The fundamental problem is that the EU wants privacy for its citizens, and the USA doesn't.

    If the EU doesn't enforce this (or can't or won't), the EU is shown to have no teeth. (as was the case with "safe harbour")

    If the EU *can* enforce this, the USA is shown to not be the exceptional little snowflake it thinks it is.

    Expect tantrums either way.

    1. Cederic Silver badge

      Re: The point of the EU

      We need Americans to start demanding the same protections.

      Won't help with Governmental snooping but we have that issue in the UK too.

    2. John Jennings

      Re: The point of the EU

      The fundamental problem is that the EU wants privacy for its citizens, but the US does not want privacy for anyone who isn't a US citizen. It doesn't care so much either way about US citizens in this instance.

      It is a bit reminiscent of Rome, in terms of standards.

      I don't think that the EU CAN do a lot about this, tbh, as so much of the data which lubes up conglomerates and other big businesses transfers all over the place. SCCs might be useful - but they are going to be redrafted too. I don't think that the ECB will have the nuts to really put its foot down. I also doubt the UK would be able to follow suit at this time.

      1. SImon Hobson Bronze badge

        Re: The point of the EU

        "I don't think that the EU CAN do a lot about this, tbh, as so much of the data which lubes up conglomerates and other big businesses transfers all over the place"

        Well, the simple answer is that it will have to change. Businesses have been happy to keep kicking the can down the road - soon they'll find out there's nowhere left to kick the can to. That's not a problem with EU privacy regulations, it's a problem with business practices and "lack of privacy laws" in some countries.

        What I do feel sorry for are the many smaller businesses who will get caught out and find that the assurances from their IT providers turn out to be a polished turd.

        As an example, we've seen proof that Microsoft US can dip into data centres holding client email in Ireland. The CLOUD act would appear to just legitimise that. Yes I know that some IT providers are quite happy to tell clients that it's completely safe to use Office 365 for email "because MS say it's safe". But even if your data is stored in an EU data centre, and if MS didn't have the ability to directly dip into it - access to your data is mediated by a global network of authentication servers, all of them working under a US controlled DNS zone.

    3. quxinot

      Re: The point of the EU

      >The fundamental problem is that the EU wants privacy for its citizens, and the USA doesn't.

      The USA wants privacy for its own citizens.

      Those citizens have been outbid by the usual suspects.

      1. doublelayer Silver badge

        Re: The point of the EU

        "The USA wants privacy for its own citizens."

        No, it does not. It doesn't want privacy for any other citizens either, but don't think its own citizens are getting consideration or extra things. As government policy goes, it would like for privacy to be deleted from the dictionary and everyone's brain so people stop complaining about all the violations.

        1. Anonymous Coward

          Re: The point of the EU

          The USA is all about making money by sending advertisements to anyone who visits a website, sends an email, or walks past a store with Bluetooth enabled on their phone.

    4. spold Silver badge

      Re: The point of the EU

      >>> EU wants privacy for its citizens, and the USA doesn't.

      A root aspect is that the US interpretation of "privacy" is more connected to things like confidentiality, data protection, encryption - data security concepts that ideally can be overridden/broken, as determined by the courts or authorities. It's about things like securing credit-card numbers.

      They don't get that in Europe privacy is about allowing citizens to maintain and exercise a fundamental human right.

  4. Rich 2 Silver badge

    SCCs

    The article repeats that SCCs are still legal. But when this story broke the other day, it seemed that that was not actually the case (the judge did not say they were OK and it was a misquote / wilful misunderstanding by some bod at the EU).

    So what’s the reality?

    1. Woodnag

      Reality

      Ashley Gorski (ACLU)

      @ashgorski

      Some reporting is suggesting that the SCCs will remain viable mechanisms for any EU-US transfer. Based on the court's analysis of US law, that's simply not the case. DPCs will be required to halt data flows.

      https://twitter.com/ashgorski/status/1283756155152596994

    2. eldakka

      Re: SCCs

      An SCC is a civil contract between the EU entity and the foreign entity it wants to shovel data to, that exists outside of (or hand-in-hand with) the inter-governmental Privacy Shield-type agreements. They do not depend on or require such inter-governmental agreements to function - in fact you'd use them in lieu of such inter-governmental agreement. Therefore the concept of SCCs as a civil contract was upheld (or perhaps more accurately, not overturned).

      However, the court also recognised that they are civil contracts between the business entities. As such, they are not binding on the governments (of either end), and as civil contracts they must exist within, and can be overridden by, local laws.

      One of the clauses of an SCC requires the non-EU entity the agreement is with to notify its EU partner if and when the laws of the local country (that is, at time of contract signing, or if the local laws later change to make it so) override any SCC contractual provisions that impact privacy of the data. In this way, for example, a US company served with an NSL (National Security Letter, which usually carries criminally enforceable secrecy) doesn't have to tell the EU partner that it has been served with such, but it does have to tell the EU entity that it cannot abide by certain clauses - or the entirety - of the SCC, thus effectively terminating the contract. Although in this example, the fact that an NSL could be served, that the law allows for such, under which a non-US (hell, even effectively US) citizen has no rights, no standing, no recourse to US courts to fight it, is grounds to invoke clause 5 (from the decision):

      141 It follows that Clause 4(a) and Clause 5(a) and (b) in that annex oblige the controller established in the European Union and the recipient of personal data to satisfy themselves that the legislation of the third country of destination enables the recipient to comply with the standard data protection clauses in the annex to the SCC Decision, before transferring personal data to that third country.

      There were two prominent US laws (actually a law and a Presidential Executive Order (EO)) that are the prime reasons for overturning Privacy Shield, Section 702 of FISA and E.O. 12333, and since the mere existence of that law and EO is sufficient to overturn Privacy Shield, they necessarily also nullify SCCs with US entities. This doesn't affect SCCs with non-US entities, which would be taken on a country-by-country basis.

      This is why some of the commentary says that SCCs are still valid, because they are. But they overlook the fact that SCCs with US entities are not valid.

    3. Doctor Syntax Silver badge

      Re: SCCs

      As I read it SCCs per se are legal but when applied to the US they're worthless because US legislation prevents them being honoured. If you have SCCs with a company in a country that doesn't enable its govt to override them they're OK. I've no idea if such countries exist but I suppose the countries that do override them will have to be excluded one at a time. UK next up?

    4. Anonymous Coward

      Re: SCCs

      The reality is that they will become as illegal as the US pretence of protecting EU data, but there is a transition period - SCCs will thus be seen as a route to keep the lights on while EU companies (that ought to have known better*) scramble to acquire EU based services providers with fewer backdoors.

      I suspect that the EU will wait a bit with enforcement, but not that long.

      * Privacy Shield made zero actual changes to the legal chasm that Facebook vs Europe made formally clear. Let's be honest, informally we've known this for years but many decided to stick their heads in the sand for the sake of cost savings which were in essence paid for by customer privacy violations.

  5. Anonymous Coward

    GDPR's bark is worse than its bite. As implemented in the UK it is almost pointless: there are so many let-out clauses and weak to non-existent enforcement.

    1. LucreLout

      "GDPR's bark is worse than its bite."

      This won't change until people are able to bring claims for breaches to the small claims track for themselves rather than the ICO for the government. You leak my data, you get one claim from me, for me and by me, for my cut of your revenue.

      Pretty soon companies will change as coordinating all these small claims would be a nightmare for them as would the revenue implications, but as long as the ICO keeps viewing fines as a last resort rather than the default for a violation then little will change.

    2. Gwaptiva

      Go tell that to execs/shareholders of BA and Marriott... the UK ICO issued the two greatest fines under GDPR in the EU (200m and 100m, resp.). Even for companies that size that's no sinecure.

      1. Anonymous Coward

        Issued. Collected?

    3. Version 1.0 Silver badge

      It will be interesting to see how this works out. When the EU privacy rules first rolled out, a lot of websites in the US closed themselves down to foreign visitors; many have since opened up to EU visitors, but now it's all changed again. After January 1st a few UK sites might need to block EU visitors until they can demonstrate that they meet the data privacy requirements.

  6. x 7

    Emis GP medical records?

    Where does this leave Emis and its migration of GP medical records to the Emis-X system, based on Amazon Web Services?

    Something like 60% of UK GP records could be affected

    1. Woodnag

      Re: Emis GP medical records?

      Amazon (AWS) falls under FISA 702, which means the US government has access to the data, so AWS storage is not allowed for EU citizens' data under GDPR.

      https://noyb.eu/en/next-steps-eu-companies-faqs

      Since UK has been playing fast and loose with UK patient records to make money, this will be interesting.

      1. Anonymous Coward

        Re: Emis GP medical records?

        I'd also like to see how HMRC will explain itself now. I suspect the answer will be "we're waiting for Brexit", so if you want your pound of flesh there you'll have to be quick. I suspect Brexit will cause a hasty rewrite of privacy laws to legalise existing UK government abuses. Police records, for example.
