How do you solve a problem like Privacy Shield? US and EU policymakers kick off discussions

The long-running kerfuffle over the so-called Privacy Shield EU-US data protection agreement took another lurch this week after politicos announced plans to ponder an "enhancement" to the framework. The joint statement from US Secretary of Commerce Wilbur Ross and European Commissioner for Justice Didier Reynders comes in the …

  1. DavCrav

    Why has it taken this long?

    It's absolutely clear that these two principles are incompatible:

    EU: all personal data should be held privately and the US government (for example) cannot look at it whenever it feels like it.

    US: all personal data held in the US, or by US companies, can be looked at by the US government whenever it feels like it.

    Either one of those two stances has to change, or there will always be an incompatibility.

    1. Jason Bloomberg Silver badge
      Mushroom

      Re: Why has it taken this long?

      It's absolutely clear that these two principles are incompatible

      That's my view as well. It is 'unstoppable force meets immovable object' and it is not resolvable unless one side or both change their position.

      My opinion is the EU needs to stand their ground, tell the US to go fuck itself, and deal with the consequences.

      1. Anonymous Coward
        Anonymous Coward

        Re: Why has it taken this long?

        The various US TLAs think (along with the current POTUS) that they rule the world and US Jurisdiction applies everywhere and 'Trumps' (sic) local laws.

        It is long past time that the Yanks were told to 'eff off' and then 'Go F**** yourself'.

        But other nations won't do that. The current POTUS is so deluded with power that he could very well order 'send in the Marines' and invade a current ally.

        1. Len
          Happy

          Re: Why has it taken this long?

          That ally might be Ireland then. Invading a NATO member state (which Ireland is not) would get the US thrown out of NATO, at which point we could just dub it the European Treaty Organisation or something.

          1. NetBlackOps

            Re: Why has it taken this long?

            The same NATO that still has Turkey in it no matter how vile they behave? I'll believe it when I see it.

        2. Cederic Silver badge

          Re: Why has it taken this long?

          The current POTUS that's started no wars, something unheard of from a US president in 40 years? He's going to invade an ally? Really?

          Sorry but please, step away from the keyboard, look in a mirror and feel bad about yourself.

          1. Anonymous Coward
            Anonymous Coward

            Re: Why has it taken this long?

            Still two months to go

        3. NetBlackOps

          Re: Why has it taken this long?

          I'm not going to blame this President until he vetoes legislation that puts a leash on the TLAs. It's the prior two Presidents and a compliant Congress, which miraculously always fails by 1-2 votes in the Senate, to pass legislation that brings the TLAs to heel. Even when they outright lie to Congress, they're given a pass and whatta ya know, all their powers are renewed.

          1. big_D Silver badge

            Re: Why has it taken this long?

            Yes, the problems really started with President Shrub, after 11/09/2001. But the current president's rhetoric makes the need for a satire account on Twitter redundant, nobody could come up with satire that is funnier/scarier than the reality.

            And, yes, Congress is equally to blame.

        4. Anonymous Coward
          Anonymous Coward

          Re: Why has it taken this long?

          He's not going to send the Marines. Tariffs and sanctions are Trump's go-to. He'll probably try to punish their companies with tariffs or at worst make them leave the U.S. He could also limit U.S support for organizations and policies popular with or that benefit those countries.

          That's been his game plan so far, I see no reason he would not continue. He's brash and destructive but he's also fairly predictable.

      2. codejunky Silver badge

        Re: Why has it taken this long?

        @Jason Bloomberg

        "My opinion is the EU needs to stand their ground, tell the US to go fuck itself, and deal with the consequences."

        That might be the right choice for the EU but then it would have to realise its reliance on the US and accept its dreams of being a big player are nothing but dreams. Trading with the US is worth so much that previous protection models have been used as a temporary bandage replacing a temporary bandage and the same might happen again.

        Already Germany is crying at the loss of US troops and that's just the loss of a few local troops spending. US trade is worth magnitudes more. If the EU cut its trade with the US it would be another self-imposed severe blow.

    2. Anonymous Coward
      Anonymous Coward

      This is really testing the EU freedoms of thought and of speech, GDPR etc

      http://www.caef.org.uk/d119route3.html

      Is a mention of historic accuracy, suggesting that the Winston Churchill (President of honour) , Duncan Sandys (President), {et al} origin of the excellent European Commission project deserves some scrutiny, especially {et al}, in Virginia.

      There are other more academic histories, but this page has pictures

  2. Doctor Syntax Silver badge

    "Or perhaps those in the EU could be given rights to challenge US surveillance programmes before US courts?"

    Giving them rights to challenge them in EU courts would be better. What a pity that for us in the UK it's all academic now.

    1. Anonymous Coward
      Headmaster

      You'll never get anywhere trying to challenge arms of the U.S. government in a foreign court for application of U.S. laws in U.S. jurisdiction. That is unconstitutional in the U.S., under article 3, section 2 of the United States Constitution.

      "Section 2

      The Judicial Power shall extend to all Cases, in Law and Equity, arising under this Constitution, the Laws of the United States, and Treaties made, or which shall be made, under their Authority;---to all Cases affecting Ambassadors, other public Ministers and Consuls;---to all Cases of admiralty and maritime Jurisdiction;---to Controversies to which the United States shall be a Party;---to Controversies between two or more States;---between a State and Citizens of another State;---between Citizens of different States,---between Citizens of the same State claiming Lands under Grants of different States, and between a State, or the Citizens thereof, and foreign States, Citizens or Subjects."

  3. Doctor Syntax Silver badge
    Pint

    'different wallpaper, same cracks'

    A gem. Give the man a

    1. Neil Brown

      Thank you. Beer gratefully accepted :)

  4. Len
    Black Helicopters

    Store data in the EU

    I haven't had the chance to fully go through all this but at first look it seems that using the exemption to storing data of EU Citizens in the US has now been struck down. I agree with the article that Standard Contractual Clauses (SCCs) are probably next for the chop.

    Let's face it, even a successor to Privacy Shield would very likely be in breach of the Charter of Fundamental Rights of the European Union that guarantees EU Citizens a whole host of rights. That successor will therefore likely be struck down too.

    As a get out clause this means that US firms could still avoid this legal headache by storing all data of EU Citizens in the EU. That buys quite a bit more time, until a US court order instructs a company to hand this data over and a company needs to decide which law it will break. It's not perfect but it buys more time.

    1. Tomislav

      Re: Store data in the EU

      No, it does not, because CLOUD act (mentioned in the article) gives US TLAs access to all the data held by US companies anywhere in the world, including EU.

      1. Len
        Happy

        Re: Store data in the EU

        I know (though technically it doesn't give them access, it gives them power limited to US jurisdiction to instruct someone to provide access), but until the US instructs a company to hand over data the CLOUD act doesn't come into play. And obviously adhering to the CLOUD act is illegal in the EU so a company will then have to decide which law it will break.

        There have been anecdotal reports of companies only letting EU Citizens handle data in their Irish data centre to stay out of reach of the CLOUD act. At that point the issue is escalated to head office (look at the Microsoft case) and we get into the territory of how a company can be instructed to tell a subsidiary to hand over data. Microsoft, again, created some legal firewall situation for this scenario with its Office 365 hosting in Germany that is out of reach of the CLOUD act.

        This is not foolproof but until the US attempts to use the CLOUD act it is probably the safest bet. Safer than counting on Privacy Shield or SCCs.

    2. Yet Another Anonymous coward Silver badge

      Re: Store data in the EU

      Nope, a US company could already have been handed a secret US national security letter telling them to hand over EU citizens' data held in the EU.

      Or they could have just decided to do it anyway in order to be "cooperative" and perhaps be the only approved bidder for a big DoD cloud contract.

      1. Len

        Re: Store data in the EU

        That is possible, but that US company would be breaking the law with potentially quite severe repercussions. You'd imagine a company would think twice before they take that risk.

        Besides, unless you are an American Citizen or live in the US, a National Security Letter carries no weight. You can publish it and decide to ignore its contents. Just don't ever visit the US again. It would be quite a spectacle, by the way, and I'm hoping someone high profile does this some time.

        1. alain williams Silver badge

          Re: Store data in the EU

          That is possible, but that US company would be breaking the law with potentially quite severe repercussions. You'd imagine a company would think twice before they take that risk.

          Thought 1: Will we get caught ?

          Thought 2: Has anyone else been caught ?

          1. Len
            Holmes

            Re: Store data in the EU

            On point 1, I think the chances of getting caught are pretty high.

            Let's say some crook is being prosecuted in the US but their data is stored on Microsoft servers in Ireland (to stay close to an actual event). The incriminating evidence will need to come with context to be admissible. Both the judge and the defense team will want to know how the prosecution got their hands on email XYZ. They might even ask an MS employee to testify where it came from (and a US prosecutor will probably not care about whether MS gets into trouble in some foreign jurisdiction).

            If that email was procured by breaking the law, as it will have been if it came from a server in the EU, then the defense team will be very interested in that. As will prosecutors in the EU if they get wind that Microsoft broke the law by providing access to the defendant's emails.

            If I were a big tech firm I would definitely worry about being caught. It might take a couple of years but I would put the chances of getting caught a few years after the fact at over 80%.

            On point 2, not at this time, no. But do you want to be the first to get caught? The downside of being the first is that you risk being made an example. It would send a powerful message if Microsoft was fined tens of billions of euros or banned from selling their products in the world's biggest developed market for breaking EU law.

            1. Yet Another Anonymous coward Silver badge

              Re: Store data in the EU

              Hence parallel discovery

              Shady US agency automatically reads all email hosted by a US company from EU citizens, because what else is their massive new data center for?

              They tip-off local law enforcement in the US to stop a certain citizen for a broken brake light and have a look for drugs. When does the NSA involvement come up in court?

              Or they pass on a tip to friendly agencies in Europe that somebody a bit brown is emailing somebody in Iran and the friendly country's police respond - by shooting a Brazilian

            2. Strahd Ivarius Silver badge

              Re: Store data in the EU

              Don't forget that since the CLOUD act was passed Microsoft didn't go to court to challenge any order asking for access to data it holds...

              And they also closed the specific cloud instances they had set up to comply with GDPR in Germany since it became irrelevant, even though it was operated by another company (but they kept the specific ones for US gov and China).

              If challenged, their defense will be that they had to comply with a legal order, and so they will escape any fine.

              Unless it is clearly stated that every European company using the services of a provider headquartered in the USA is by default in violation of GDPR, and so has to be fined, nothing will change...

            3. Anonymous Coward
              Anonymous Coward

              Re: Store data in the EU

              Parallel construction is their answer. They get the information through FISA and work backwards to get normal warrants so it's a legitimate investigation as far as the courts and anyone without clearance to view classified information are concerned.

  5. Tomislav

    Re: Store data in the EU

    Exactly, we only know what Microsoft (and others) have released publicly. We cannot know what happened behind the scenes and how many requests they decided to silently comply with.

    1. Version 1.0 Silver badge

      Re: Store data in the EU

      If you are going to store your data in the Cloud anywhere then you are stupid a large corporation if you think that nobody else has access to it secretly, deliberately, or accidentally.

      1. Steve Davies 3 Silver badge

        Re: Store data in the Cloud

        Whilst you are correct I fear that you are talking to a stable door years after the horse has bolted.

        There are hardly any companies or indeed Guberments that are not rushing headlong into the cloud.

        I'm sure that it won't be long before a FTSE 500 company goes TITSUP because their Cloud has been hacked and all the data stolen.

  6. StrangerHereMyself Silver badge

    Crazy thing

    The crazy thing is, I predicted this would happen in jest. I said they'll just come up with some other wild-assed scheme and give it some crummy name and alter a few paragraphs in the previous accords. It'll take years before Schrems is able to get it voided again, and in the meantime, the U.S. tech-giants can continue pillaging our data.

    They'll continue to do this until Schrems gets the gist and gives up.

    1. Yet Another Anonymous coward Silver badge

      Re: Crazy thing

      Or until it starts to affect ordinary people - not just terrorists/drug-smugglers/bogeymen-of-the-day

      When Hans Schmidt gets rejected from a job at VW because it may involve travel to the USA and a pre-hire security check says that immigration may reject him because of his twitter following.

      Or he can't get travel insurance to holiday in Spain because of the Google searches he did for symptoms - which although illegal in Europe, his insurer is allowed to take advice from its US parent company

    2. Phones Sheridan Silver badge
      Black Helicopters

      Re: Crazy thing

      "They'll continue to do this until Schrems gets the gist and gives up."

      They'll continue to do this until the US decides Schrems is a problem to be solved.

      1. John Brown (no body) Silver badge

        Re: Crazy thing

        Yeah, but Max Schrems isn't just a "lone wolf". He has backing from various privacy groups.

        1. StrangerHereMyself Silver badge

          Re: Crazy thing

          Nobody is bulletproof.

  7. ChrisElvidge

    EU data

    If an EU company owns the hardware and site - even though it uses US software. Who owns the data?

    1. Anonymous Coward
      Anonymous Coward

      Re: EU data

      If it is an EU-registered company then the EU company would own the data. I am not sure about EU-registered subsidiaries of American companies, but I imagine they would be considered U.S. companies for these purposes.

      1. Len
        Holmes

        Re: EU data

        EU registered subsidiaries of US companies are EU businesses but, being a subsidiary, their owner in the US can be put under pressure to instruct its subsidiary in the EU to hand over data. That is exactly what happened to Microsoft when Microsoft Inc. was instructed to persuade Microsoft Ireland to send emails of a wanted man to head office. They fought the case all the way to US Supreme Court.

        Companies have since found new routes around this. If you work with an EU partner that you don’t legally own then an American judge can’t order the partner to hand over data.

        The best way to avoid all this is to a) not be headquartered in the US, b) don’t have subsidiaries in the US. If you need Northern American presence then just deal with US customers from Canada.

  8. Claptrap314 Silver badge

    Where it is stored doesn't matter?

    On which planet?

    If you are a company domiciled in jurisdiction X, you will be compelled to comply with the law in X on pain of having all "assets" in X seized--including personnel.

    If you are a company doing business in jurisdiction X, you will be compelled to comply with the law in X on pain of having all "assets" in X seized--including personnel.

    If you are storing data in jurisdiction X, then you are certainly doing business with whomever owns the facility in X, at least.

    If jurisdiction X and jurisdiction Y have incompatible laws you have a business decision to make. To the naive, the decision would seem to be, "Which jurisdiction do I limit all of my activities to?" The more savvy know that "Which palms do I grease?" offers more lucrative solutions.

    But I really, REALLY tire of Europeans acting as if they have a right to the innovations of American businesses without the application of American law. Make your own **** Google / Apple / Facebook / whatever. The companies are too **** powerful anyway, and need their wings clipped.

    1. Len
      Holmes

      Re: Where it is stored doesn't matter?

      Jurisdictions can be very straightforward indeed. Though in cases like this there are real clashes. US law is supreme in the US and EU law is supreme in the EU. When businesses cross borders things get a bit grey, see the above discussion about subsidiaries.

      Especially internet businesses can get really complex. If I run a website offering a product or service in the UK aimed at the UK market but I don't block American visitors and an American lands on my website, am I then trading in the US? Most likely not, though American judges have been known to have trouble with understanding the concept of non-American jurisdictions. The amount of DMCA requests European companies can receive from American lawyers despite the DMCA not existing outside the US is staggering.

      It's more clear-cut for companies such as Google and Facebook. They might be American companies, they are still legally trading in other countries. A friend of mine works for Google in a relatively small country, yet the Google offices are massive with hundreds of people working there to sell Google services to the local market in the local language. There is no way Google can claim they are an American company that people just happened to have found on the internet while browsing from said country.

      It gets more difficult with some companies. TikTok is considered a Chinese company. I believe they have some physical presence in some countries but in most countries people just "happened to have found them on the internet". It's not easy to ban a company such as that from operating in your country. How would a country such as France or the UK ban TikTok? At best they can try and firewall it (through the Great British Firewall for instance), legally the routes are difficult.

    2. Len
      Happy

      Re: Where it is stored doesn't matter?

      As for your comment on Europeans using American services. I don't think I've ever met a European (and I'm European myself) who's rubbing their hands with glee thinking 'Gee, I can use this innovative American service without having had to put any work in it'. Frankly, most Americans won't have contributed to Google, Microsoft or Facebook either. They are just users.

      I'd go one step further and say that there are quite a few Europeans that are annoyed by the fact that so many tech services are American and not European. Now, I think that is sometimes exaggerated. I recently saw figures for 2019 that made clear that almost 12% of all unicorns (tech firms with a valuation over $1 billion) are European. And that figure won't include companies that were European to start with and were bought by non-Europeans, think Skype, Skyscanner or Booking.com.

      The big difference, I think, is that Americans are very good at running loss-making businesses. The US investment climate means that if you are successful, though loss-making, people will still queue up to bring you money. Case in point: Twitter. Ten years without making a profit yet Americans think 'if even the US president has an official Twitter account they must be on to something and they'll eventually find a way to become profitable.'

      That sort of stuff is practically impossible in Europe. A startup will often need to show revenue after a year and most likely a small profit after two years. Now, for most startups having revenue in year one and a small profit in year two is very doable. Where it doesn't work is the massive free services where you spend the first five years giving your service away for free before you start to think about how to monetise your hundreds of millions of users. The investment climate in Europe just doesn't really cater to that. Hence, a service like Twitter or Instagram could never come from Europe.

      And trust me, I think many Europeans find that just as frustrating as you do.

      1. julian.smith
        Facepalm

        A service like Twitter or Instagram could never come from Europe

        I'm broken hearted to hear that ... next you'll be telling me I should be grateful that the (Dis)United States "gave" me Facebook

    3. Claverhouse Silver badge

      Re: Where it is stored doesn't matter?

      But I really, REALLY tire of Europeans acting as if they have a right to the innovations of American businesses without the application of American law. Make your own **** Google / Apple / Facebook / whatever. The companies are too **** powerful anyway, and need their wings clipped.

      This is the same as the other bogus American claims of, 'We create all the medicine and European health services rip us off.' and 'We defend you all and you don't spend enough on Defence.'

      Both favourites of Trump, although that is not a political point, since the others do exactly the same when in power. Europe initially created most of modern science, and whilst its outlier, America, does progress a lot of stuff, so does Europe and the Asian countries. [ And if the NHS forces a better deal for American drugs than America's health companies do that just shows how inept the latter are, that they can't bargain for a better price in their own country. ]

      As for Defence, this is just a ploy to make the World keep the US Defence Industry wealthy. Apart from the fact we don't need protecting by foreigners --- except from the USA.

      .

      Many computing innovations are created by non-Americans, including Linux, the WWW, Skype etc.; and the USA can keep Facebook and Twitter wholly their own for all I care.

    4. John Brown (no body) Silver badge

      Re: Where it is stored doesn't matter?

      "But I really, REALLY tire of Europeans acting as if they have a right to the innovations of American businesses without the application of American law. Make your own **** Google / Apple / Facebook / whatever. The companies are too **** powerful anyway, and need their wings clipped."

      Not all of the "innovations" of Google, Facebook et al are their own innovations. In some cases, they bought up other companies from around the world and, at least in Google's case, frequently closed them down once they had the IP. Secondly, Europeans pay for those services in exactly the same way Americans do. I.e., private users get it "free" at point of use, paying through being fed adverts and having their data scraped. Commercial users pay for what they use in the same way US commercial users do. Thirdly, there are companies offering similar services in the EU but the sheer size of the US conglomerates makes it hard to compete against them, especially when it comes to running costs as the EU companies have to pay their taxes in the EU while non-EU companies claim they aren't in the EU for tax purposes or keep shifting their "registered office". eg Google UK, despite having many, many staff and big offices claim that all the sales leads they generate are actually transacted over the Irish sea at Google Ireland HQ. That's a lot more difficult for "local" companies to do. I'm sure you see the same thing within the US where, for example, so many companies are incorporated in Delaware for tax reasons so "local" companies in other states find it harder to compete against your national companies using the protections of DE.

    5. Outski

      Re: Where it is stored doesn't matter?

      But I really, REALLY tire of Europeans acting as if they have a right to the innovations of American businesses without the application of American law.

      You want to operate a business anywhere, you obey the local laws, whether it's the US, France, Germany, Malaysia, wherever. In France, Germany, et al, the applicable law is subordinate to laws promulgated by the EU. Don't like the laws? Lobby to change them, and obey them until they cease to be in force. You cannot pretend they don't exist.

      1. Claptrap314 Silver badge

        Re: Where it is stored doesn't matter?

        That IS what I said earlier in the post. Did you read that part? But these American companies are going to comply with American law. Kick them out, it's fine by me. Grow your own competition--I'm all for that. But use them & complain? Grow up.

  9. Anonymous Coward
    Big Brother

    No hope

    In the old days, prior to FISA, prior to GDPR, the Five Eyes TLAs would routinely spy on citizens of the other Five Eyes countries and then exchange the data, thereby being able to claim that they weren't breaking laws about spying on their own citizens.

    Nowadays, at least in the US, the secret FISA court issues secret warrants which can't be challenged and which are illegal to disclose. The challenges you hear about (like Microsoft's and Apple's) are from police departments.

    There is not now, and will not be, any way to show that any data in the US has or hasn't already been accessed or ensure that it will not be accessed.

    The semi-overt operations of the TLAs are only subject to the laws they wrote to facilitate their operations and if they ever feel constrained by them they still have their black ops covert departments to fall back on.

  10. Glen 1

    gimlet gaze

    "gimlet gaze"

    'You mean like that Dwarf who runs the delicatessen on Cable Street?'

    - Feet of Clay, PTerry

    1. Glen 1

      Re: gimlet gaze

      *double checks*

      Nope, It was Reaper Man. My bad.

  11. Anonymous Coward
    Anonymous Coward

    I'd say there's almost no chance the U.S is going to poke holes in its heavily classified surveillance programs, at least not with current make up of the government, way too pro surveillance.

  12. Mike 137 Silver badge

    Valid but not sufficient?

    'Decoded's Brown told The Register: "The court is clear that, in themselves, the SCCs remain valid."'

    Despite this? The SCCs were created so long ago that they are apparently not fully compliant with the GDPR. That means that as well as including them in processing contracts you have to add additional clauses to cover the omissions.

  13. naive

    Maybe it is easier to solve than most think

    If both parties agree that information which is covered by the GDPR is not admissible as evidence in a court of law, Europeans are protected against prosecution in the US. It would leave open options for dragnet surveillance, which is needed to catch terrorists who need to be caught before they do what they are planning.

    District Attorneys would be careful to bring evidence, since it would blow their case in court.
