Campaigners warn of legal challenge against Privacy Shield enhancements

European privacy campaigner Max Schrems is warning that enhancements to the EU-US Privacy Shield data-sharing arrangements might face a legal challenge if negotiators don't take a new approach. In an open letter, Schrems – the lawyer behind the Schrems II ruling which put an end to the transatlantic data-sharing agreement – …

  1. Anonymous Coward

    Colour me confused

    For all this noise, what has *actually* changed for the little man? Brexit notwithstanding, I can't say I noticed anything apart from news stories about this up till 2020. No one from Google (for example) contacted me to explain what was going on.

    It's probably going to take a lot more dynamite to shift my cynicism (especially in the UK) that "Data Protection" laws aren't worth a hill of beans. Or to translate that into realspeak, when was the last time anyone you know received a single penny for their data being illegally used?

    No?

    Point proved.

    1. Tom Chiverton 1

      Re: Colour me confused

      I'll settle for them stopping selling me behind my back :)

    2. Anonymous Coward

      Re: Colour me confused

      "It's probably going to take a lot more dynamite to shift my cynicism (especially in the UK) that "Data Protection" laws aren't worth a hill of beans."

      It's worse than that in the UK - the ICO this week informed me they will not look into or take any action regarding possible unlawful activity that occurred under the previous Data Protection law (i.e. before 23/05/2018 when GDPR came into force); they say they have no legal means to do so.

      Great news for organisations who were breaking the law prior to then - ICO is giving them all a "get out of jail free" card.

      However, this also has additional implications - in my particular case my personal data stored *currently* by the organisation in question was obtained prior to 23/05/2018, and so the ICO are basically saying that they cannot determine the lawfulness of the organisation's storage of my personal data since 23/05/2018, as the ICO cannot/will not look into the lawfulness of the organisation's actions when they originally obtained my personal data in the first place many years ago.

      1. Woodnag

        The UK isn't under GDPR any more

        UK is under the Data Protection Act 2018, not GDPR, since Brexit.

        However, to process EU data, UK has to follow GDPR as does the US.

        Of course UK will break GDPR, while loudly saying it isn't, similar to Ireland protecting FB. But at some point the EU will say 'enough' and data flow to UK from the countries subject to EU law will be illegal under GDPR.

        1. Anonymous Coward

          Re: The UK isn't under GDPR any more

          "UK is under the Data Protection Act 2018, not GDPR, since Brexit."

          Wrong, since Brexit (the end of the transition period?) the UK is "under" UK GDPR, which is where they took the original (EU) GDPR text and replaced references to the EU with references to the UK gov: https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/685632/2018-03-05_Keeling_Schedule.pdf

          The UK GDPR operates in conjunction with the UK DPA 2018.

          More info: https://www.mishcon.com/news/mishcons-new-uk-gdpr-pages

      2. Wo

        Re: Colour me confused

        "However, this also has additional implications - in my particular case my personal data stored *currently* by the organisation in question was obtained prior to 23/05/2018, and so the ICO are basically saying that they cannot determine the lawfulness of the organisation's storage of my personal data since 23/05/2018, as the ICO cannot/will not look into the lawfulness of the organisation's actions when they originally obtained my personal data in the first place many years ago"

        So, GDPR gives you rights here. I assume the UK version follows the same rules.

        - you have the right to withdraw consent on data currently stored about you

        - if the data is no longer necessary for its purpose, or you have withdrawn consent, you can ask for it to be erased

        Your other rights are to be able to know what they are doing with your data, who they share it with and what for, to be sent copies of the data they have on you, and you can ask for details on how they are ensuring the protection of your data. If you think that the protection is not sufficient, this could be another way to say they are not legally handling your data. Also, maybe 3rd parties could be another route.

        1. Anonymous Coward

          Re: Colour me confused

          "- you have the right to withdraw consent on data currently stored about you"

          That only applies where "Consent" is the lawful basis/lawful condition used for the processing of the personal data. As the organisations in question claim to be using "Public Task" as the lawful basis for processing (sharing) then, in their minds, there is no consent (for processing) that can be withdrawn.

          Part of my complaint to the ICO is that the organisations originally used "Consent" and then in mid-2019 (unlawfully) changed to "Public Task". The organisations' response was that they always used "Public Task". The lead org has recently admitted to the ICO that there has been a "misunderstanding" by all orgs as to the lawful basis in use since the start of the sharing. If the ICO is unwilling to look into the timeframe before GDPR, then how can the ICO satisfy themselves as to what the lawful basis/conditions actually were at the start? And without determining this, how can they then determine whether the lawful basis/condition did change or not (and whether any change was lawful)?

          "- if the data is no longer necessary for its purpose, or you have withdrawn consent, you can ask for it to be erased"

          Again consent is not relevant *if* it was not the lawful basis/condition used. That is one of the issues at dispute in my case. The orgs claim that as they are using "Public Task" as the lawful basis then the Right to Erasure does not apply.

          Regarding erasure if the data is no longer necessary, this would be covered by GDPR Article 5(1)(e) Storage Limitation. As I have had a locked record/'Access' opt-out in place since the start of this sharing system then my personal data has never been used for the purpose it was shared for (the audit logs I obtained show all attempts to access my data were blocked due to lock/opt-out) and so, again, part of my complaint to ICO is that the orgs have breached Article 5(1)(e) by the continued storage of my personal data as it has not/cannot be so used.

          "Your other rights are to be able to know what they are doing with your data, who they share it with and what for, to be sent copies of the data they have on you, and you can ask for details on how they are ensuring the protection of your data."

          I'm well aware of what my other rights are under the (UK) GDPR - I've read the relevant sections many, many times.

          "If you think that the protection is not sufficient, this could be another way say they are not legally handling your data."

          Again, another aspect of my ICO complaint is regarding one of the organisations' security of handling my personal data - when they transferred my (special category) health data via encrypted ZIP files on several occasions to myself and to my GP Practice they breached their own security procedures (e.g. using short, predictable passwords of 6-8 chars made up of an initial single capital letter, 5-7 lower case letters, and then a single digit, with the letters forming local placenames. On at least 2 occasions they also separately emailed encrypted ZIP files and the password for decrypting these files to the *same* email address at 1 minute intervals. Also they're using the "original" ZIP file encryption, which has been known to be unsafe for 15-20 years.)

          "also maybe 3rd parties could be another route."

          Which 3rd parties had you in mind?

          I've tried emailing the Health Minister, raised the matter with one of my local politicians, opened 2 cases with ICO, talked to MedConfidential, talked to a solicitor regarding taking legal action myself, approached several press organisations (including The Register)...
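The comment above mentions archives sent with the "original" ZIP encryption and with short, patterned passwords. The following is an added example, not code from the commenter or from any organisation named on this page: it audits a ZIP archive's central directory to tell legacy ZipCrypto entries apart from AES-encrypted (WinZip AE-x, compression method 99) and unencrypted entries, so a recipient or a mail gateway can flag the weak case, and it puts an upper bound on the entropy of the "capital letter, N lower-case letters, digit" pattern if the letters were random (real placenames reduce it far further). The archive it inspects is constructed in memory with hand-built headers; no real health data or organisation is involved.

```python
import io
import math
import struct
import zipfile
import zlib

ENCRYPTED_FLAG = 0x0001   # general-purpose bit 0: entry is encrypted
AES_METHOD = 99           # WinZip AE-x marker; the real method sits in the 0x9901 extra field


def build_zip(entries):
    """Assemble a minimal ZIP archive from (name, flags, method, payload) tuples.

    Constructed test data only: headers are well-formed so zipfile can read the
    central directory, but payloads are not really encrypted or compressed.
    We never extract them, so that does not matter for the audit.
    """
    local = b""
    central = b""
    for name, flags, method, payload in entries:
        fname = name.encode("ascii")
        offset = len(local)
        crc = zlib.crc32(payload)
        # Local file header: sig, version needed, flags, method, time, date (1980-01-01),
        # crc, compressed size, uncompressed size, filename length, extra length.
        local += struct.pack("<4sHHHHHIIIHH", b"PK\x03\x04", 20, flags, method,
                             0, 0x21, crc, len(payload), len(payload), len(fname), 0)
        local += fname + payload
        # Central directory header: same fields plus comment length, disk number,
        # internal/external attributes and the local header offset.
        central += struct.pack("<4sHHHHHHIIIHHHHHII", b"PK\x01\x02", 20, 20, flags,
                               method, 0, 0x21, crc, len(payload), len(payload),
                               len(fname), 0, 0, 0, 0, 0, offset)
        central += fname
    # End of central directory record.
    eocd = struct.pack("<4sHHHHIIH", b"PK\x05\x06", 0, 0, len(entries), len(entries),
                       len(central), len(local), 0)
    return local + central + eocd


def audit_zip_encryption(data: bytes) -> dict:
    """Classify every entry as 'unencrypted', 'aes' or 'zipcrypto-legacy'.

    Only the central directory is read, so no password is needed and nothing
    is extracted; 'zipcrypto-legacy' is the case worth rejecting.
    """
    verdicts = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if not info.flag_bits & ENCRYPTED_FLAG:
                verdicts[info.filename] = "unencrypted"
            elif info.compress_type == AES_METHOD:
                verdicts[info.filename] = "aes"
            else:
                verdicts[info.filename] = "zipcrypto-legacy"
    return verdicts


def naive_keyspace_bits(lowercase_len: int) -> float:
    """Entropy upper bound for 'Capital + N lower-case letters + digit' if every
    letter were chosen at random; dictionary words (placenames) are far smaller."""
    return math.log2(26 * 26 ** lowercase_len * 10)


# Constructed sample archive: one legacy-encrypted entry, one AES entry, one plain entry.
SAMPLE_ARCHIVE = build_zip([
    ("records.csv", ENCRYPTED_FLAG, 8, b"not-really-ciphertext"),
    ("summary.pdf", ENCRYPTED_FLAG, AES_METHOD, b"not-really-ciphertext"),
    ("readme.txt", 0, 0, b"plain"),
])

if __name__ == "__main__":
    for name, verdict in audit_zip_encryption(SAMPLE_ARCHIVE).items():
        print(f"{name}: {verdict}")
    for n in (5, 7):
        print(f"1+{n}+1 pattern, letters random: {naive_keyspace_bits(n):.1f} bits")
```

Run against a real archive with `audit_zip_encryption(open(path, "rb").read())`; any entry reported as `zipcrypto-legacy` should be treated as effectively unprotected, and the separate problem of the password arriving in the same mailbox as the archive is not something the archive format can fix at all.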

    3. yetanotheraoc

      Re: Colour me confused

      Schrems II ... "triggering a fresh wave of legal confusion over the transfer of EU subjects' data to America"

      Confusion => Wait, you mean we can't transfer whatever we want whenever we want?

      enhanced Privacy Shield ... "enable predictable and trustworthy data flows between the EU and US"

      Predictable => always on

    4. DS999

      Re: Colour me confused

      Wasn't this what forced so many web sites to have a pop up to accept their cookies, and most requiring additional work to reject them?

      That's just annoying, and we have no reason to believe they aren't collecting that data in other ways even if you reject the cookies.

      1. Joe W

        Re: Colour me confused

        Yeah, and the absence of a quick "reject all" is actually in contrast to what the current rules say.

        I refuse to use websites that don't have a "no thanks to all of that" button. But that is just me, and maybe many of the fellow commentards here, who also use adblocking and noscript and these things. We are a minority.

      2. The Central Scrutinizer

        Re: Colour me confused

        Whenever I land on one of those websites with all that stupid shit, I go elsewhere. Talk about ruining the Internet.

      3. Cuddles

        Re: Colour me confused

        "Wasn't this what forced so many web sites to have a pop up to accept their cookies, and most requiring additional work to reject them?"

        No. Many sites chose to do that, but since it's just as illegal for the pop-ups to work that way as it is to not have them at all, clearly legal compliance had nothing to do with that decision. The real reason so many sites did that is because they want to trick the average person into blaming the law that would protect them, instead of blaming the exploitative behaviour of the sites they are being protected from.

      4. localzuk

        Re: Colour me confused

        No. The EU cookie law was an entirely different law. EU privacy directive, amended in 2009, effective from 2011.

  2. VoiceOfTruth

    'Our' politicians vs Schrems

    They probably regard him as a nuisance. They so badly want to do what Uncle Sam tells them.

  3. heyrick

    "Unfortunately there is complete gridlock in Congress and it has proven impossible to introduce any federal privacy law. Adding the need for additional measures to keep the EU happy would make any such legislation even more difficult to pass."

    So we get screwed because your government is highly dysfunctional? How about we just agree that in its current state, your country is actively hostile to the very concept of privacy, and thus data transfer simply cannot continue in its current form...

    1. Pseu Donyme

      Indeed, stopping data transfers from the EU to the US seems like the only solution (until there is decent data protection legislation on the US federal level - which doesn't seem entirely impossible as the attitude towards Big Tech has soured quite a bit on both sides of the relevant US aisles; moreover, California's attempt toward this seems promising).

    2. Anonymous Coward

      "your country is actively hostile to the very concept of privacy"

      we're actively hostile to basically everyone and everything now tbh

    3. EnviableOne

      GDPR allows sub-jurisdictions

      I'm ok with CCPA protections, so maybe we could deal with California, but not the rest of them?

      1. Anonymous Coward

        Re: GDPR allows sub-jurisdictions

        It is a good observation, hence the up vote, but the real sticking point is the federal US CLOUD act, also known as All Your Data Are Belong To Us.

  4. Anonymous Coward

    More misdirection......why am I not surprised?

    [Plus] Plaudits to Max Schrems on the subject of "Data Transfer"

    [Minus] .....but why no mention of the huge privacy problems associated with "Data Aggregation".....problems which CREATE the subsequent problem of "Data Transfer"?

    Just one example: The UK is in the process of slurping all the available medical data into one huge database, likely to be exploited by contractors like Palantir.

    Link: https://www.bloomberg.com/features/2018-palantir-peter-thiel/

    Link: https://www.theregister.com/2022/04/22/nhs_ai_leader_joins_palantir/

    Link: https://www.theregister.com/2022/04/14/nhs_england_seeks_240m_data/

    Link: https://www.theregister.com/2022/05/05/palantir_leaps_from_covid_role/

    .....and in this example, the "Data Aggregation" has real privacy problems.......even if there is NO SUBSEQUENT "Data Transfer"!!

    .....and, just in passing, in case you think the usual excuse eliminates the problem ("the data is anonymised"), perhaps a quick read of this link will show how pathetic this excuse really is:

    Link: https://www.theguardian.com/technology/2019/jul/23/anonymised-data-never-be-anonymous-enough-study-finds

    Quote (William Burroughs): "The paranoid is a person who knows a little of what is going on."

  5. Anonymous Coward

    Traitors

    > In March, the US and EU announced they had reached an agreement

    What happened was that the arrogant German bitch stood next to her overlord, that geezer who gives air handshakes, and said "it's all sorted" ignoring, as Schrems points out, that no public discussion nor legislative process has taken place on either side of the Atlantic (and particularly not in the US which is where the changes need to happen) or, for that matter, that she has no authority to decide on this or practically any other matters.

    With the US CLOUD act in place, transfers involving personal data are simply not legally possible, as the CJEU has found. Twice.

    What those traitors in the EC should be doing is protecting the rights and interests of people in Europe and defending their own laws, not kissing the septics' arse.
