Privacy Shield: EU citizens might get right to challenge US access to their data

Officials from the EU and US are nearing a solution in long-running negotiations over transatlantic data sharing. Previous legal arrangements for sharing data between the two jurisdictions, the so-called Privacy Shield, were struck down by the EU Court of Justice in what became known as the Schrems II ruling in 2020. The …

  1. Anonymous Coward

    This is where Europe gets entertaining - and hard to tame

    The EU may set the rules at EU level, but due to the way the EU is structured, every country can implement and sanction on its own. This is why you get Austrian, German and now Belgian judgements that - despite being nationally focused - all have an impact reverberating across the whole EU.

    Lobbying one point was doable as the "legitimate interest" scam aptly proved, but keeping all these little separate annoying countries under control is logistically almost impossible and the hits just keep on coming.

    From my European perspective it's all very amusing.

    :)

    1. stiine Silver badge

      Re: This is where Europe gets entertaining - and hard to tame

      Not impossible, just VERY expensive.

  2. b0llchit Silver badge
    Black Helicopters

    Pipe dreams

    ...offering EU citizens the right to submit complaints to an independent judicial body if they believe the US national security agencies have unlawfully handled their personal information.

    Having the data in the US puts you at a disadvantage you cannot recover from. Regardless of how you put it. There is no one here on this side of the pond to get a complaint through to the US side. That is a dreamer's scenario. If the data was mishandled, then the only effective redress would be to rewind time and prevent the US from having access to the data in the first place. There is no way any "independent judicial body" can force someone like the NSA or other three letter agencies to open the doors and let them fix any problems.

    I do not want the US to have my data at all. I do not want EU entities to send data anywhere unless I give permission before the data is collected and sent. Then we can talk. Not post-factum patches that neither side can control nor verify.

    1. EricB123 Bronze badge

      Re: Pipe dreams

      I'm an American citizen and I totally agree with you.

    2. dajames

      Re: Pipe dreams

      ...offering EU citizens the right to submit complaints to an independent judicial body if they believe the US national security agencies have unlawfully handled their personal information.

      Methinks national security agencies tend to act as though they were a law unto themselves, and that -- given the nature and power of said agencies -- trying to control that tendency is not an easy undertaking.

      It concerns me, but I'm not under any illusion that a few well-meaning laws can stop it.

      What a few well-placed laws might be able to stop is the leakage of offshored personal data to US commercial entities. What safeguards can we expect to prevent that, pray?

      1. Charles 9

        Re: Pipe dreams

        Only one that really makes sense is balkanization. Some kind of ultimatum that demands all companies MUST trade in the US OR the EU, BUT NOT BOTH. Any other approach will introduce loopholes that can and will be exploited.

  3. Woodnag

    F'ing useless bandaid

    "offering EU citizens the right to submit complaints to an independent judicial body if they believe the US national security agencies have unlawfully handled their personal information."

    And exactly how will that help? US national security agencies unlawfully surveil US persons already, with no recourse.

    1. Aleph0

      Re: F'ing useless bandaid

      It will surely help the lawyers fund their second yacht. From the point of view of the user, you get to spend lots of money only to be told in the end "Sorry not sorry, national security trumps all, ktxbye".

      Even if you can prove your data has been accessed, otherwise you have no standing to sue in the first place...

      1. veti Silver badge

        Re: F'ing useless bandaid

        You gain standing by showing that an alleged action has cost you something. That "something" may be as intangible as the work of changing some info (e.g. passwords, bank details) because you suspect they've been improperly accessed.

        It's not necessary to prove that the other party did anything wrong, just that you acted on a reasonable suspicion that they might have done it. It's a low bar, by design. Of course that won't win you the case, but it'll get you into the court.

    2. spold Silver badge

      Re: F'ing useless bandaid

      ...also US authorities can direct a data custodian/processor not to reveal that an individual's information was disclosed.

  4. Anonymous Coward
    Big Brother

    Just another hurdle

    For intelligence agencies to avoid.

    From the old days when American intelligence would spy on British citizens and turn the data over to British intelligence while British intelligence did the same for the Americans, rules are viewed by intelligence agencies as applying to other people.

    I have no doubt that all the data in question is already in, and will remain in the agencies' vaults and that any rules to the contrary will be ignored.

    1. Pascal Monett Silver badge

      Re: rules are viewed by intelligence agencies as applying to other people

      As brilliantly displayed by that scene in True Lies where Arnold's character asks for a tap on his wife's office phone to track her "affaire", his buddy/colleague starts spouting law and saying that it's illegal and Arnie smashes his fist on a window pane yelling "and we do it a hundred times a day !"

      And he gets his tap, and hilarity ensues.

      In real life, though, there is far less hilarity.

      1. Aladdin Sane

        Re: rules are viewed by intelligence agencies as applying to other people

        I maintain that True Lies is the last decent James Cameron film.

        1. Oh Matron!

          Re: rules are viewed by intelligence agencies as applying to other people

          Jamie Lee Curtis, Art Malik and Bill Paxton were all great :-)

          1. Aladdin Sane

            Re: rules are viewed by intelligence agencies as applying to other people

            I was 11 when I first saw it, Jamie Lee Curtis certainly had an impact on me.

      2. veti Silver badge

        Re: rules are viewed by intelligence agencies as applying to other people

        It's a fun movie, but it's not actually a primary source. Nor a meticulously researched and referenced documentary.

        1. Fred Daggy Silver badge
          Big Brother

          Re: rules are viewed by intelligence agencies as applying to other people

          Parody can often teach us much more than the truth. Truth can often wear a stern face, parody a wry smile.

          This is Spinal Tap, Yes (Prime) Minister and Frontline (Australia) taught us more about rock 'n roll, politics and journalism than any upstanding documentary ever could. All three are excellent studies of the ego, as well.

    2. nijam Silver badge

      Re: Just another hurdle

      Just another hurdle for intelligence agencies to ignore, in fact.

  5. Doctor Syntax Silver badge

    "it would give EU citizens more privacy rights in the US than Americans currently enjoy."

    Does that mean twice as good? As in twice as good as nothing?

    I doubt the ink will be dry on any agreement before Max Schrems' next lawsuit goes in.

    Having taken back control we in the UK, of course, have nothing to worry about.

    1. John Brown (no body) Silver badge

      "Having taken back control we in the UK, of course, have nothing to worry about."

      I was also wondering where the UK stands on this. As we are still using an unchanged GDPR, is the UK also at this negotiating table or are we shafted more than EU?

      1. nijam Silver badge

        > are we shafted more than EU?

        Yes, in this and many other respects.

      2. Cynical Pie
        Coat

        We aren't subject to GDPR since we left for the sunlit uplands (still waiting to get there). We are now using the snappily titled 'UK GDPR' which has had all references to the EU and EU Institutions removed.

        That includes any Europe wide remedies.

        Mine's the one with a copy of the Keeling Schedules for GDPR in the pocket.

  6. Potemkine! Silver badge

    The best for Europeans would be a guarantee their data stay in the EU and in the EU only.

    1. Richard 12 Silver badge

      True in every way in fact

      For privacy, for jobs and for tax take.

      It does seem that a few EU nations have now realised that being a really big and valuable bloc means they can tell the US to get stuffed, and ensure factories and datacentres are both built and owned by local businesses, paying actual tax instead of exporting all the profits to some overseas conglomerate.

      Shame the UK decided to be a tiny minnow instead. Minnows get eaten.

      1. DevOpsTimothyC

        Re: True in every way in fact

        datacentres are both built and owned by local businesses

        So where are the EU equivalents of AWS, GCP or Azure? Can the EU mandate that European businesses cannot use Salesforce?

        The problem is that all of the companies I mentioned are subsidiaries of US corporate entities and so all the data (even if housed in the EU by EU registered subsidiaries) is subject to 702 FISA. The EU would need to get amendments along the lines of "Except for the EU".

        1. Doctor Syntax Silver badge

          Re: True in every way in fact

          To a large extent I think it's a matter of enforcement. GDPR lays down a lot of requirements but it doesn't provide any means of pro-actively enforcing them. It takes an individual complaint to go to court to say whether such and such an arrangement invalidates them. Trade negotiators, of course, have traditionally wanted to do a bit of hand-waving to ignore them and it's taken the likes of Max Schrems to get any movement - hopefully that's changing.

          I think if compliance really starts to be taken seriously there'll have to be some sort of arm's length arrangement if the US corporations want to stay in the game. Rather than establish EU data centres and/or subsidiaries they come to a franchise arrangement. An EU owned, managed and staffed company operates a DC using IP and branding licensed from the US parent under a contract under EU law (a difficult concept for US governments to grok) specifically limiting data transfers to those required to perform transactions.

          1. DevOpsTimothyC

            Re: True in every way in fact

            licensed from the US parent

            The tricky part there is parent. As soon as it's a subsidiary then it's subject to US laws, and that's the problem

        2. SImon Hobson Bronze badge

          Re: True in every way in fact

          Can the EU mandate that European businesses cannot use Salesforce?

          No, but they can say that (using your example) Salesforce doesn't comply with the law and hence it's illegal to use them. The reason we don't have the big homegrown tech is that the US has provided an environment where they could get going and through a variety of illegal techniques killed off any meaningful competition.

          If the law was properly enforced such that use of "US services" was effectively illegal, then we'd rapidly see a number of options pop up - and some of them already exist.

          Take MS. In theory* we are told that the data centres in Ireland are operated by a separate business resident in and subject to the law in Ireland. In theory*, the US corporation known as Microsoft is physically unable to access data held in a data centre in Ireland. I suspect some of the others have already set up such structures - and if done right can comply with the law.

          Any of the usual suspects will be able to sit back and either sort out something similar, or see their EU business dry up - and as pointed out, the EU is big enough that few of these international corporations can afford to walk away from it. But if they did, then others will be happy to pop up and fill the gap.

          * I say "in theory" because it's not as clear cut as they claim. Firstly, the domain names used are under US control - so there's no guarantee that things couldn't be redirected for nefarious purposes. We've seen how this complex international web of stuff can create fragility where the failure of a server somewhere can cause outages for customers on a different continent. Secondly there's that rather inconvenient issue that MS in the US handed over data held on Irish soil the day after the US passed the CLOUD act.

  7. A.P. Veening Silver badge

    Only one real solution and that is reciprocal legislation with the EU collecting personal data on USA citizens with high priority for NSA and other intelligence employees with higher priority for higher ranks together with elected officials. Of course they will scream bloody murder, but that is their problem.

    1. Dr Paul Taylor

      EU collecting personal data on USA citizens

      That would only be possible if there were a Euromicrosoft and a Eurogoogle and a Eurofacebook and all the rest. But Europe has failed to create those things and so surrendered long ago. (As for the little island floating adrift in the Atlantic, it only knows how to lick American boots anyway.)

      1. A.P. Veening Silver badge

        Re: EU collecting personal data on USA citizens

        That would only be possible if there were a Euromicrosoft and a Eurogoogle and a Eurofacebook and all the rest. But Europe has failed to create those things and so surrendered long ago.

        I did mention reciprocal legislation, didn't I? How about putting some legal pressure on the European daughters of those American companies? And I am sure nastier minds than my own can come up with some nice improvements like gag-orders on that pressure.

  8. Anonymous Coward

    Pathetic....and then Even More Pathetic....

    Quote: "...offering EU citizens the right to submit complaints to an independent judicial body if they believe the US national security agencies have unlawfully handled their personal information..."

    Pathetic really......HOW WOULD "EU citizens" EVEN KNOW ABOUT FOREIGN MISHANDLING???

    Even more pathetic: "..the right to submit complaints..." SO WHAT?

  9. Anonymous Coward

    Dream On!!!

    Rewrite: "...offering UK citizens the right to submit complaints to an independent judicial body if they believe the UK national security agencies have unlawfully handled their personal information..."

    Yup.....I need to write to Jeremy Fleming and ask him what stuff his agency holds on me! Can he tell me how his agency acquired all that stuff? And can I ask him (politely....."Pretty Please!") to delete all the stuff that was "unlawfully handled"?

    Dream on, AC!!!

  10. Anonymous Coward

    Considering how much the Americans beak about Chinese, Russian, and Middle Eastern spy agencies and cybercrimes, they sure do hoover up a lot of data from the entire planet themselves. Declaring "but OUR spying is legal" doesn't wash with me as a Canadian.

    You know that the 5-Eyes have agreements not to spy on their own citizens. But I've heard nothing about those agreements saying they won't provide information they've collected about each other's citizens using their own perfectly "legal" out-of-country networks...

  11. I am the liquor

    Enhanced privacy shield

    Great idea. Wait for your data sharing agreement to be struck down by the courts, then just repackage the same old shit, with a few ineffectual changes and a different name, and you have another 2 years of business-as-usual while Max Schrems chips away at that one. Seems like that could work indefinitely, or until Max is worn out, whichever is the sooner.

    1. heyrick Silver badge

      Re: Enhanced privacy shield

      I await the day when the EU rules "you've had five tries, you failed, it's over".

      1. John Brown (no body) Silver badge

        Re: Enhanced privacy shield

        Three strikes and you're out would be more understandable to the US negotiators. And bring a result sooner. Are we currently on #2 or #3 at the moment?

  12. prh99

    Even if it gets ratified there is zero chance this is going to work. The NSA doesn't even follow its own internal regulations much less laws or The Constitution, if it did U.S. citizens wouldn't be subject to warrantless surveillance. Good luck convincing the politicians who keep voting to renew and expand this stuff to sign off on this and not undermine it.

    Petition this "court" and the NSA comes back and says we have no such records.

  13. Doctor Syntax Silver badge

    If the data subject has dealings with some business or organisation which collects PII then that entity should be solely and directly responsible to the data subject for their own misdeeds or those of any third party for whom they are an agent or to whom they outsource. The data subject should not have to deal with any third party or any foreign jurisdiction to obtain redress. In the event of that entity ceasing to exist the responsibility should devolve personally to its former directors, officers or owners.

    1. b0llchit Silver badge
      Facepalm

      The problem is not "subject has dealings with some business or organisation", but the government and shadow organisations within. How do you get redress there? Asking the president of the USA to do the Right Thing™?

  14. Ropewash

    "it would give EU citizens more privacy rights in the US than Americans currently enjoy."

    Any value at all, no matter how tiny, is infinitely greater than zero.

    1. prh99

      This will have less than zero value given the effectiveness of current regulation which the NSA dutifully ignores whenever it wants.

  15. spold Silver badge

    We're doomed (nod to Private Frazer)

    As long as five eyes is in effect (and I don't see the US opting out of that anytime soon), SCC - Standard Contractual Clauses as a means of international data transfer is in effect, then I don't see the problem being resolved - waiting for Schrems 3.

    p.s. Binding Corporate Rules is a better way to go - just file them with Ireland (business-friendly, or Luxembourg (glad you know where we are)).
