
As the pot of petunias once said ...
... "oh no, here we go again"
The European Commission has adopted an agreement with the US, reopening transatlantic data flows between America and EU nations as soon as the decision takes effect on July 11. The EU-US Data Privacy Framework (DPF) is the third attempt between the trading bloc and the US to iron out privacy kinks in the flow of data about …
But I live in England and so will likely soon lose protection under the GDPR as our government seem set to water down protection.
So, pigs are flying now?
I have absolutely no confidence that the NSA is not going to get its grubby hands on all that delicious data. The only way to limit the USA's access to EU citizens' data is to not send it over in the first place.
But hey, diplomats will be diplomats.
So now, when, if ever, we find out that the USA has not kept its word, what's Plan B?
@Pascal_Monett
Quote: "...only way to limit the USA's access to EU citizens' data is to not send it over..."
Where did you get that word "send"?
In 2013 Edward Snowden showed the world that when it comes to the NSA the proper word is "take". And "take" with extreme prejudice at that.
There... fixed your post!
There is no Plan B; the European Commission is a US spy nest.
They are handling US interests, not those of Europeans. Handing the US our private data until this pesky Schrems wins in two years is already a significant win for them.
Nothing will change unless Europe manages to rid itself of "US assets" in its various governmental bodies, but since most don't even see it as an issue that European taxpayers pay for people who serve US interests, it will probably never happen.
Diplomats? Where do you see any diplomats?
It's only a master-slave relation (these controversial terms are used here with their explicit meaning).
Somebody will be rewarded for good behaviour (i.e. the conclusion of this sale); watch who is going to become SG of NATO and all will become clear.
The NSA have listening stations all over Europe and a very large, capable one in Yorkshire. They are taking whatever data they want/need anyway, so this is all just a show for politics. The average European citizen can see that the politicians are doing something about it, regardless of whether it is a chocolate teapot.
"The NSA have listening stations all over Europe and a very large, capable one in Yorkshire. They are taking whatever data they want/need anyway so this is all just a show for politics. The average European citizen can see that the politicians are doing something about it, regardless if it is a chocolate teapot."
Just because you've tried nothing and run out of ideas, does not mean the rest of us can't try to protect your privacy for you.
My point was that regardless of whatever protections EU law tries to put in place, the NSA listening stations will disregard those laws and take what they want anyway. There will always be nefarious actors in those spaces that do whatever they want; laws and policies can try to help, but until we have digital tools that are effective, the average effort at data protection will always be up against it. It's still the wild west in technology and data circles, as we develop stuff quicker than we can control it by giving it decent and fair checks and balances and the right tools to help enforce those checks and balances.
But if attacking me makes you feel better, then crack on.
Ahhh, the beloved EU mandarins. How to ensure you're employed on a big fat juicy wage and all the trimmings until the golden pension goose knocks on your door: keep submitting the same old crap legislation that gets kicked out by the courts, rinse, repeat, collect your Wonga, while sipping on that 250€ bottle of wine, paid for by the tax peasants!
I think the central weakness of all these arrangements is that any disputes are to be heard in a US court. They should be held in the jurisdiction where the underlying transaction took place, assumed to be that in which the data subject initiated it, and between the data subject and the party with which the transaction took place.
If, for instance, some transaction takes place between a customer in Germany (I'd like to say the UK but obviously we're now mere spectators) and a multinational trading company with an EU base in Ireland that uses a data centre in the US where the data is misused by anyone - US intelligence, some adtech company or a malware-wielding North Korean gang - it is the multinational who answers to the customer in a German court.
It should be the clear responsibility of a trading company to take care of any data it takes relating to an individual; if the trader relies on a third party they, having tasked that third party, remain responsible for whatever mistakes that third party makes.
> the central weakness of all these arrangements
The central weakness of these arrangements is that nothing changed on the US side of things. Nothing, zero, zilch, nada, nix.
FISA still exists.
Patriot Act still exists.
CLOUD Act still exists.
So any protection of data transmitted to the US is still a "trust me bro" issue. And thanks to Edward Snowden, the EU knows exactly how much trust it can have.
That's why all previous agreements have been nixed by the courts in the EU. And since nothing substantially changed with this agreement either, the sad story will continue.
All of which means that if the non-US business with a non-US customer can be taken to a non-US court by that customer in the event of such intrusion then they have every incentive not to let the data go anywhere near the clutches of the US. And if a non-US customer can take a US business to a non-US court then US businesses have every incentive to finally do some serious leaning on their government or to set up some arm's length way of doing business* that keeps the customer data out of the reach of even the CLOUD Act.
As things stand if an EU customer's data gets breached in this way they're going to have to go to court in the US. That's a massive block to effective enforcement and a chocolate fireguard as far as data subjects' interests are concerned. That's why I consider the place where remedy is sought to be the central issue.
* It should be possible to have, for instance, a franchise operation whereby an EU registered company with EU directors and management owns - or at least leases - and operates data centres on EU soil, licencing such IP as branding and software from the US company. The contract would be under EU law and have a clause which excludes any right by the franchisor to demand access to any data from the franchisee's operation. AFAIA there must be lawyers in Seattle familiar with franchising so companies based in Washington state should have somewhere local to seek advice.
"It should be possible to have, for instance, a franchise operation whereby an EU registered company with EU directors and management owns - or at least leases - and operates data centres on EU soil, licencing such IP as branding and software from the US company. The contract would be under EU law and have a clause which excludes any right by the franchisor to demand access to any data from the franchisee's operation. AFAIA there must be lawyers in Seattle familiar with franchising so companies based in Washington state should have somewhere local to seek advice."
Microsoft did in fact do something like this several years ago - they contracted T-Systems (a part of Deutsche Telekom) to set up and run a data centre for them in Germany to host some Microsoft services. The contract was purposely designed so that Microsoft had neither physical access nor remote access to the DC, nor to the personal data stored there. Basically, T-Systems ran the services on behalf of Microsoft. For some reason (lack of demand?) Microsoft had that German DC shut down after a couple of years and went back to hosting those services themselves in their own DCs.
I think I saw Google announce something similar not that long ago for a few EU countries (also T-Systems for Germany? don't remember who for France).
"Data Protection Review Court (DPRC) in the US to which EU citizens would have access."
It's no secret that the US is protectionist and has a very bizarre (and expensive) legal system. So let's start by having the review court in the EU, where it's just a little harder for the three-letters to lean on it to get the result they want.
Then let's start by asking is all this data transfer necessary? Either everybody has been breaking the law over the past few months or it's actually possible to get on fine without chucking loads of PII to another continent...
"reopening transatlantic data flows between America and EU nations as soon as the decision takes effect on July 11"
The reality is that they never closed. Data flows between the US and the EEA have continued essentially unabated despite Schrems, because most businesses on both sides of the Atlantic have just ignored the law and policing has been almost non-existent.