When it comes to privacy, everyone says America needs a new federal law ASAP. As for mass spying, well, um… huh what's that over there?

Everyone is in agreement: the United States needs a new federal privacy law, and it needs to be put in place in 2021. That was the main upshot of a congressional hearing on Wednesday morning looking at the death of Privacy Shield and what America needs to do about it. Privacy Shield, if you can recall, was the doomed …

  1. Doctor Syntax Silver badge

    "argued – or tried to – that actually the European Court of Justice had decided wrongly and that everything was fine"

    Why can't these people get it into their heads that it doesn't matter whether they like it? It doesn't matter if they think the court didn't get it right. It doesn't even matter if the court didn't get it right if there isn't a higher court to which they can appeal, which in this case there isn't. The court has ruled on what the law says and that's that.

    1. Throatwarbler Mangrove Silver badge
      FAIL

      "Plucky Europe has Own Government, Laws"

      The ECJ has exactly zero jurisdiction over the American Congress. What you have here is two equally-powerful (in theory) governmental structures who are at an impasse due to conflicts of interest. The ECJ can have a nice legal cakewalk right under Brandenburg Gate, and it doesn't matter one whit to the US. Anyone who thinks this is a simple issue to resolve has not been paying attention. Even if Congress were not deadlocked due to partisanship, reconciling the conflict between the spies and the businesscritters is not exactly a trivial matter. I don't see this getting solved any time soon, to be frank, and multinational corporations are just going to have to create separate internal divisions to manage data belonging to citizens from different legal jurisdictions.

      1. KittenHuffer Silver badge

        Agreed that they have zero jurisdiction over the American Congress. But they do have 100% jurisdiction over the data belonging to EU citizens, and if America is not willing to put in place laws to protect that data then the flow of that data will be stopped.

        This pretty much comes down to the fact that US businesses and the US Government have been taking the piss with EU data for decades. We don't want to be spied on by either of them. And if they do not put in place laws that give EU citizens decent data protection then they will not be allowed to get their hands on the data in the first place.

        1. prh_99

          The U.S. government isn't going to agree, and even if they do it will be superficial at best. Doing more would mean rolling back the state secret veil, especially if Europeans want any degree of transparency into U.S. surveillance.

          GAFA are just low hanging fruit. As we found out from Snowden, hoarding vulnerabilities in hardware and software that can be weaponized for surveillance or electronic warfare, and tapping satellite and other wireless communications and undersea cables, are all things the NSA, and to some extent Five Eyes, engage in. Heck, the U.K. hacked Belgacom, and the NSA was intercepting Cisco shipments.

          Of course China and Russia have or are developing similar capabilities.

          1. low_resolution_foxxes Silver badge

            Intercepting Cisco shipments? lol

            Yeah, they keep reflashing those backdoors into encrypted hardware and software sneakily.

            NSA is on record as having "strategic alliances". What happens to those companies that do not join the alliance? Blackberry and Huawei are on that list.

            1. Anonymous Coward

              As a born and raised citizen of the planet country America, I'll tell you this: It's always... ALWAYS another planet's country's fault!!

              P.S. The word "country's" looks weird, but hey, that's your fault too!!

            2. prh_99

              It was pretty well covered after it was leaked by Snowden that NSA TAO was running "Upgrade factories" for Cisco and other gear. Believe what you want about the extent Cisco was complicit, but it is accurate.

              https://arstechnica.com/tech-policy/2014/05/photos-of-an-nsa-upgrade-factory-show-cisco-router-getting-implant/

          2. Anonymous Coward

            @prh_99

            It's not just the evil NSA and its occasional allies in the Five Eyes. Most major European nations are complicit in what the NSA does, because they get intelligence via the NSA, just not as much as the Five Eyes members do. And the Five Eyes members are even more intimately involved and supportive of what the NSA does.

            For example, looking at the Snowden documents, we saw that the NSA provides tens of millions of dollars annually to the GCHQ in Britain, for this service or that, or this facility or that. Do you think that the GCHQ doesn't know where that money is coming from, and that they would be willing to walk away from those funds tomorrow? The GCHQ is involved up to their neck, and they have very few moral qualms about that.

            And further, remember when, after the Snowden disclosures came out, there was a rumor that Snowden was going from Russia to Bolivia via the Bolivian President's plane, because that president happened to be in Moscow on a state visit and was a noted socialist and opponent of U.S. influence in South America? Remember when, during President Morales' return flight from Moscow to Bolivia, the French and Spanish suddenly closed their airspace to President Morales' official plane, and forced it to land in Vienna, and then the Austrians wouldn't let the plane leave Vienna until they could search it to confirm that Edward Snowden was not onboard, on his way to asylum in Bolivia? So you had France (who had a socialist president at the time), Spain and Austria joining to stop and search the plane of the president of a sovereign nation. That is an incredible diplomatic event, far more rare than even one country declaring war on another. And neither France, Spain nor Austria are members of the Five Eyes, and Austria in particular has been pretty much a European poster child for non-aligned status for generations.

            These nations stopped President Morales because the NSA wanted Snowden's head on a plate, which meant that the military and intelligence services in France, Spain and Austria wanted to hand him over to the Americans to keep the intelligence transfers from the NSA going, which meant that the leaders of France, Spain and Austria were onboard with stopping Morales' flight and searching his official plane. These nations might like to portray themselves as innocents when it comes to mass surveillance, but they rely on the U.S. for intelligence, and they don't want to do anything that actually stops the flow.

            1. prh_99

              Yep, governments are all hypocritical. I wonder if Merkel's face turned red (I doubt it) after Der Spiegel published this: https://www.spiegel.de/international/germany/german-intelligence-also-snooped-on-white-house-a-1153592.html

      2. big_D Silver badge

        You are right, and you are wrong.

        Yes, the ECJ doesn't have direct influence over the US Senate. But it does have a say about what is legal and not legal with Europeans' data. And it has said, until the US gets its house in order, it is illegal for US companies to store data about Europeans on its servers.

        So, no, they can't tell the US Senate what to do. But, until the US Senate does something, the flow of data between the EU and US is disrupted.

        Also, it isn't about a conflict between spies and "businesscritters", as you put it. It is a conflict between spies and business weighed against an individual's right to privacy and control over their data. The EU, and especially Germany, put the individual's right to privacy above all else - even to the detriment of the authorities. For example, there have to be exceptional circumstances before the police can issue a photo of a suspect that is wanted, and they can't use the person's full name either, let alone issuing private address information; for example a "Stefan Peterson, from 42 High Street, Hanover" would be "Stefan P. from Hanover" in the news and his face would be blurred out.

        It becomes comical. There was a search for a killer last year, for 3 days a blurred photo was shown on the news, then the police went to court and managed to get it cleared that his image could be shown in the press, in order to help track him down. So, for 2 days his image was then shown in the clear. He was arrested after 2 days and the press could only use the blurred out image again. Consequent, but also a little crazy.

        I am responsible for any data I have on other people, I have to ensure it is not handed to third parties without the written permission of the identifiable persons or a valid EU warrant. That means that if I store it on a US owned cloud service and they hand the data over to the NSA, FBI etc. or they sell the data to a third party, I am legally responsible for the data breach.

        That makes using any service which has a presence in the USA a non-starter. It is financial suicide, as long as the CLOUD Act, Patriot Act and FISA Courts and National Security Letters can be applied to the "European" data.

        1. Anonymous Coward

          Odd anonymity

          UK law can produce some odd quirks. A few years ago a teacher eloped to France with a pupil - a girl who was 15 (I think). For a day or so pictures and full names of both were in the papers, as the police appealed to find them. They were found, and he was arrested. When the case came to court, the girl could not be named for legal reasons.

          1. John Riddoch

            Re: Odd anonymity

            Yup, and you could still find her name pretty easily in online news articles from the time she was "missing" in France. There were some odd bits of reasoning in the aftermath about how much could be said.

        2. Peter2 Silver badge

          The EU, and especially Germany, put the individual's right to privacy above all else - even to the detriment of the authorities.

          Who'd have thought a country that had the benefit of the tender affections of the SS, the SD and the Gestapo, followed by having half the country then subjected to the Stasi, would have ended up with strong feelings about the individual's right to privacy being prioritised above inconveniencing the authorities?

          1. onemark03

            the individual's right to privacy

            It was precisely BECAUSE of such tender loving care that Germany now places such importance on privacy.

            1. Claptrap314 Silver badge

              Re: the individual's right to privacy

              Proving yet again, that the troll icon is NOT optional.

      3. rg287

        Even if Congress were not deadlocked due to partisanship, reconciling the conflict between the spies and the businesscritters is not exactly a trivial matter.

        Whilst it is non-trivial, much of the issue seems to come from the Commerce groups doing an international deal, and then the spies declaring that special rules apply domestically (and in the case of the US, internationally, because they like to think that US rules apply globally) - which ultimately invalidates the terms of the international agreement.

        What needs to happen is the US and EU business critters, but also the spies sit down and hash out a commercial data-sharing agreement which also includes explicit provisions governing use of data by intelligence agencies, in much the same way as GDPR includes provisions for data processing by law enforcement and security services.

        The NSA undoubtedly won't like the concept of transparency, or writing down something that they might actually be held to - but it has to happen, or we'll just carry on the merry-go-round of successive agreements getting squashed by the courts because the other side's spooks have taken liberties.

        And in all probability they'll continue to take the piss and exceed the rules just as GCHQ/MI6 do - periodically getting caught with their hand in the cookie jar and promising to close down that particular programme (just don't mention the new one which looks an awful lot like the old one).

  2. ecofeco Silver badge

    Good luck with that

    A recent MIT report explains how your personal information is used to pigeonhole you in every conceivable way, from credit rating to housing to jobs to opportunities to college to medical care. Loss of that information would be a radical break in the American economy. And if they get that information wrong? Tough chit for you.

    You have problem with Corporate Communist Capitalism©®™, comrade?

    1. big_D Silver badge

      Re: Good luck with that

      That is the problem. The US Government is supposed to represent the people and do what is best for them, not represent big business.

      1. Potemkine! Silver badge
        Thumb Up

        Re: Good luck with that

        The US Government is supposed to represent the people and do what is best for them, not represent big business.

        The best joke of the day.

  3. prh_99

    Yeah, good luck getting various 3 letter agencies to give up their toys. As for 300 billion, I assume it's mostly Google, Apple, Amazon, and Facebook in which case f*ck them, privacy shield etc can stay dead.

    A federal privacy law would be good if they can keep lobbyists away long enough for it to be any good and not full of loopholes and gotcha clauses.

    1. big_D Silver badge

      It is AWS, Azure, Microsoft 365, Oracle Cloud, Google Cloud etc. as well. It is B2B services, more than social media that are the problem.

      The users of social media offer up public information - it is the tracking and sale of that information that is affected by Privacy Shield or the lack thereof.

      But businesses using cloud services are in more danger. Their data has to be legally held within the EU or in a country that has similar levels of privacy and data protection. The US doesn't fulfil those requirements and Privacy Shield was an attempt to circumvent the problem, but due to the US Government's lack of interest, it failed miserably.

      If I, as a business, store data in Microsoft 365 and Microsoft hand over that data to the NSA, FBI etc. without a valid EU warrant, which there won't be, it will be a NSL or a US warrant, then I am liable for the data breach and that will be financially ruinous (up to 24 Million Euros or 4% of international turnover).

      1. prh_99

        I don't disagree, I just don't think the U.S. government actually cares. Too many surveillance hawks in Congress to actually rein in the NSA and CIA, much less reform something so prone to abuse as NSLs. We only find out about them at the government's largesse or when a company works its way through the legal maze to get the gag order lifted.

      2. LDS Silver badge

        Are even data stored in EU by a US company safe after the CLOUD Act?

        I believe even storing data in EU is not enough because of the CLOUD Act. That gives US courts a power over EU citizen data EU states and citizens can't challenge in court - they may not even know the data was requested.

        1. big_D Silver badge

          Re: Are even data stored in EU by a US company safe after the CLOUD Act?

          Exactly. As long as the server is owned by the US company or a local subsidiary, the US Government considers that server to be US property.

          So, servers owned by, for example Microsoft Ireland are "American" servers, because Microsoft Ireland is a subsidiary of Microsoft Corp. in Redmond. Microsoft actually fought this for several years.

          There are legal ways for the US to get the information, but they decided going through diplomatic channels and getting the Irish police to apply for a warrant on their behalf to get the information from Microsoft Ireland was too much hassle, when they could just tell Microsoft Corp. to hand over the data.

  4. Neil Barnes Silver badge
    Big Brother

    and not read a word of the terms and conditions

    I wonder if there's an AI/ML program out there that can read these T&Cs in all their gory splendour and summarize the good and bad bits for you?

    Mind you, it might be as simple as: printf ("you're screwed").

    1. Chris G Silver badge

      Re: and not read a word of the terms and conditions

      There is no need for AI/ML or anyone/thing else to read those pages, the mere fact that someone has paid lawyers to write those multiple pages, is an assurance that there is nothing good for you in them.

      Even in Europe with GDPR, many companies on their sites still make opting out as difficult as possible, in spite of the requirements that it should be clear and simple.

      Aside from various national security issues, it is obvious there is so much to be gained from hoovering up personal data that commerce is against full protection as much as the TLAs are.

  5. Anonymous Coward

    USA is not a country of law

    The *requirement* to protect European privacy is not a *right* to *waive* European privacy. There was never a right to substitute someone else's regulatory system for the EU regulatory system.

    You certainly wouldn't substitute the *US* system for anything else. It has no privacy protections at all for its own citizens, let alone the EU ones.

    Let's be blunt here. They have a radical Republican president, one that the people didn't vote for, he ignores all the laws, and his AG Barr won't enforce them. He's been impeached, but his party refuses to hear evidence or witnesses because "he's learned his lesson". He has his own armed militias, a militia that kills police in false flag operations. He has a Russian propaganda unit in St Petersburg, he has Russian funding via Delaware money laundering companies. He put in a Supreme Court judge that 'legalized' laundering of Russian money into his campaign. His AG dropped prosecution of that money laundering op because the court would have found them guilty. His lawyer travels to Ukraine and meets with Russian military intelligence officers. His co-conspirators tried to pressure States to simply not count votes. Now he has a bunch of radical Republicans trying to overturn democracy altogether and simply appoint him President despite the people voting against him.

    If Republicans won't even ensure the *vote* of Americans, do you think they give a toss about European *privacy*?

    Trump got only 62 million votes in 2016. His popularity has plummeted since then. Republicans ran a massive vote suppression and vote rigging effort for 2020 to try to turn it around.

    Even if Trump managed to keep 62 million voters, that means Biden's real victory would be 93 million to 62 million.

    Republicans simply didn't rig the election enough. All this "it's a rigged election" is projection. Republicans rigged that election. They were the ones suppressing votes, Republicans were the ones rolling out riggable paperless voting machines. Republicans suppressed the vote count. Republicans asked their Republican States to throw out whole counties.

    Go look at Texas Harris County, with its paperless voting machines that voted heavily Republican, heavily for Trump. Yet Republicans sued to suppress votes in Harris county, repeatedly, they tried to throw out drive-thru ballots, tried to throw out early voting, closed drop stations. They knew they would lose in the verifiable vote in Harris. They know damn well the voters vote Democrat in Harris. That's why all the lawsuits to suppress votes. That's why they rolled out the paperless voting machines into Harris.

    Go look at South Carolina, Republicans rolled out paperless voting machines that could not be verified for this election. Again the machine voted Republican and there's no paper trail to verify.

    Look at Georgia, the court ordered verifiable paper audit trail, and Republicans lost. Those voting machines have paper audit trails to verify, and Republicans hate those. So now the Republican Secretary of State is closing 6 of 11 early voting stations in Democrat districts to try to turn-up the voter suppression and win that way. He cannot rig the election by rigging the machines, so he tries to rig it by blocking voters from voting.

    Do you imagine that Trump hasn't been helping the other Russian puppets in the EU with all that private data? Yet look at what they're doing to voters in America.

  6. LDS Silver badge

    Companies so good at money localization...

    ... have issues with data localization?

    The crocodile tears for SMBs could have been spared - shouldn't "the cloud" be the solution to localization issues? When your customers' data are already stored in some large company's system, shouldn't they be able to store data as needed?

    1. John Riddoch

      Re: Companies so good at money localization...

      There's physical location of the electrons and there's the legal ownership. Because of US legal views, anything held anywhere in the world by a US company, their subsidiaries or related companies is "US data" and subject to US warrants (cf - Microsoft in Ireland being told to give the data to US law enforcement).

      In any case, if a US company stores data on EU citizens in the EU, where is it processed and managed? If that processing is done in a way that data is sent back to the US, you still have the problem of jurisdiction. For a large company, that's probably manageable to set up an EU branch and only process EU data there, but for a smaller company it's prohibitively expensive.

      1. Claptrap314 Silver badge

        Re: Companies so good at money localization...

        If the data is by or for an EU subject, I would expect the EU courts to treat access to that data to be within their purview. If the European equivalent of Al Capone hired someone from Ecuador to be his accountant, you think the EU court would hesitate to issue a warrant for the data generated in Ecuador by that Ecuadorian for him? Of course not. Nor should they. That data was generated under contract for a European subject, and is therefore subject to the EU courts.

        The difference, of course, is that after exhausting themselves in two world wars, European governments lacked the confidence to assert their sovereignty, especially while Western Europe was rebuilding behind the shield of US military might versus the USSR. So we've evolved a situation where the US has been more energetic about asserting its sovereign jurisdiction than Europe for the last seventy five years.

        I'm not at all happy with where the lines are now, in the US. But don't demand that some magic wand be waved over my government so that it complies with your ideas about where they should be.

        That would violate the sovereignty of my government.

  7. Mike 137 Silver badge

    Actually on hardly anyone

    "very clear principles and the reality that [...] weasel words were no longer going to work has finally dawned on everyone"

    We're just finalising a report on a two year project analyzing privacy statements under the GDPR. The results are deeply disappointing, as practically none of the very large number we assessed actually complies with the requirements of the Regulation. The most common failure is addressing a superficial interpretation of each article in turn, one by one, rather than providing the required information in a manner that actually fulfils the transparency obligation. The second and almost equally common is unlawful generalisation - statements such as "including but not limited to" when describing data processed or purposes, which can effectively prevent a data subject exercising their statutory rights.

    There are some egregious cases, such as the 32,000 word "privacy policy" of a major software vendor and a single instance we found of a "privacy policy" link leading to a block of Lorem ipsum dummy body copy, but mostly it just seems to be the standard problem - "what's the least we can get away with doing to keep the regulator off our backs?". This is of course a clear indication that, although they pretend to, practically no business really gives a fetid dingo's kidneys about their customers' privacy.

    Until this pretty much universal attitude changes, creating and amending legislation will have little effect, as it will just be ignored, and only a very small proportion of offending organisations will finish up being penalised.

    1. Claptrap314 Silver badge

      Re: Actually on hardly anyone

      It is the fiduciary responsibility of the officers of a corporation to minimize spending, absent a clear business benefit that exceeds the costs.

      That includes spending on legal compliance. The authorities need to address the cost/benefit if they want the spending to change.

  8. StrangerHereMyself Bronze badge

    Talk talk and talk

    This reminds me of the intro in the movie "Mad Max" where the words "They talked and talked and talked" are being uttered but to no avail.

    The EU can talk all it wants, but the US will never agree to limiting its intelligence agencies insofar as spying on and profiling of EU citizens is concerned. Foreigners don't have ANY rights in the US, so all this talk is just a waste of effort.

    As far as Americans are concerned, the only way to regain their privacy is to repeal the Patriot Act, simple as that. US intelligence agencies are forbidden by law to spy on Americans, but the Patriot Act put an end to that.

    1. This post has been deleted by its author

      1. This post has been deleted by its author

      2. StrangerHereMyself Bronze badge

        Re: Talk talk and talk

        Yes, but not on US citizens. Europeans have no right to privacy in the US.

    2. Claptrap314 Silver badge

      Re: Talk talk and talk

      This is a common misconception.

      The amendment requiring a fair trial is not limited to citizens, and that includes the process of arrest and detention.

      Moreover, if you contract with a US "person", you will normally be able to take that person to court in the US with no problems at all.

      Yes, there is a substantial group (including myself) that believe that we need an abbreviated process for handling the case where persons intentionally flout our immigration laws. But that really is a special case.

  9. Potemkine! Silver badge
    Holmes

    "data localization “would be bad.” "

    Maybe it would be bad for US companies, but not so sure for EU companies and EU citizens.

    The first consequences would be the creation of many datacenters in the EU, so more investments and more jobs. Next, data in the EU would be safer (if possible) from US peeping toms.

    1. Claptrap314 Silver badge

      Re: "data localization “would be bad.” "

      There are some important economies of scale. It is also really hard to have a "follow the sun" on-call rotation.

  10. teknopaul Silver badge

    On paper a balkanised Internet sounds bad, but if governments can't stop themselves spying (and they can't) I'm all for blocking Facebook and WhatsApp in Europe, building our own, and opening up bridges between the systems (gates to the walled gardens) to talk across the pond to the NSA's turf.

    who loses in that situation?

  11. Dinanziame Silver badge
    Stop

    I don't buy the argument that it's impossibly expensive for companies to store the data of EU citizens in the EU and US citizens in the US. If there is a market for it, cloud providers will provide turnkey solutions at competitive prices.

    1. SImon Hobson

      Yes, it's trivially easy to store different classes of data in different places - but that offers zero help to the fundamental problem. If a business has a US presence, then the US authorities can tell that business to hand over any data held anywhere - and that includes the data held in (e.g.) the EU.

      The Microsoft case demonstrated that perfectly - once the CLOUD Act was passed, MS just handed over the data stored in Ireland and proved beyond doubt that MS services are not GDPR compliant. Yes, you can specify that your O365 data is stored and processed in the EU - but MS demonstrated that the US parent company has access to the data, therefore it's not safe, therefore anyone using O365 cannot be GDPR compliant. Something that I think will catch people out when they find out the truth - because MS are busy selling it as GDPR compliant, and resellers are selling it as GDPR compliant, but the small businesses buying it don't have the tech nous to know how vulnerable they are. In fact, due to the convoluted way the DNS works to prop up O365, even if the data centres were truly out of reach of MS US, the data would not be safe.

      The ONLY way for a US based business to legally operate with EU citizens data is for them to operate an EU presence over which they have no technical control. So when the US TLAs ask for information, the US business has to ask the EU business for it (they cannot access it directly by any means) - and the EU business will turn round and tell them they can't have it. The risk there is that the US authorities then label the managers of the EU business as criminals who then cannot ever visit any US territory (or friendly nation) without fear of arrest.

  12. Paul Hovnanian Silver badge
    Big Brother

    Senate Commerce Committee

    Heard from five experts. I see nobody from the NSA was present. Although I'm sure they are aware of everything said in that hearing.

  13. Claptrap314 Silver badge

    I keep saying this.

    Operate in EU territory? Subject to EU law. Hold assets in the EU? Subject to EU law. Create something in the EU? Subject to EU law. Contract with someone in the EU? Subject to EU law. Same for the US. Same for China. Same for any government of any size anywhere.

    Companies must comply with the law wherever they operate. But understand. Five years ago, I purchased a product from an Israeli company. The product was produced in China. Part of the processing was done there by Jews (likely Israeli). It was then shipped to me in the US. This cost me less than $100.

    Increased regulation is an increased cost. Historically, when businesses get tired of competing, they shift to rent seeking. So while the bigs are turning on the water works today, in the long term this will entrench them. So be very careful how you proceed.
