EU gives its blessing to reopen data pipelines to the US

The European Commission has adopted an agreement with the US, reopening transatlantic data flows between America and EU nations as soon as the decision takes effect on July 11. The EU-US Data Privacy Framework (DPF) is the third attempt between the trading bloc and the US to iron out privacy kinks in the flow of data about …

  1. UCAP Silver badge
    Joke

    As the pot of petunias once said ...

    ... "oh no, here we go again"

    1. b0llchit Silver badge
      Coat

      Re: As the pot of petunias once said ...

      Indeed, just like a whale getting to terms with the situation before dying a splashing death because ground was not inclined to be friends with it.

  2. alain williams Silver badge

    Be thankful for Max Schrems

    But I live in England and so will likely soon lose protection under the GDPR as our government seem set to water down protection.

    1. Anonymous Coward

      Re: Be thankful for Max Schrems

      And if they do manage to water down the GDPR and we want to carry on doing business with the EU, our datacentres will have to give better protection to EU citizens than they do to British Subjects. Won't that be nice...

    2. Arthur the cat Silver badge

      Re: Be thankful for Max Schrems

      I reckon Max Schrems is going to have more sequels than the Friday the 13th or Fast & Furious franchises.

    3. Anonymous Coward

      Re: Be thankful for Max Schrems

      Congratulations, you won!

      Savour your sovereignty and don't worry your pretty little head about GDPR.

      Next stop, ECHR.

  3. Pascal Monett Silver badge

    "limits to the access US intelligence agencies have to EU citizen's data"

    So, pigs are flying now ?

    I have absolutely no confidence that the NSA is not going to get its grubby hands on all that delicious data. The only way to limit the USA's access to EU citizens data is to not send it over in the first place.

    But hey, diplomats will be diplomats.

    So now, when if ever we find out that the USA has not kept its word, what's Plan B ?

    1. Doctor Syntax Silver badge

      Re: "limits to the access US intelligence agencies have to EU citizen's data"

      "what's Plan B ?"

      I think this is Plan C already. And Max Schrems will already have his counter Plan C to hand already and I doubt he'll wait for the US to not keep its word.

    2. Anonymous Coward

      Re: "limits to the access US intelligence agencies have to EU citizen's data"

      @Pascal_Monett

      Quote: "...only way to limit the USA's access to EU citizens data is to not send it over..."

      Where did you get that word "send"?

      In 2013 Edward Snowden showed the world that when it comes to the NSA the proper word is "take". And "take" with extreme prejudice at that.

      There.....fixed your post!

    3. naive

      Re: "limits to the access US intelligence agencies have to EU citizen's data"

      There is no Plan B, European commission is a US spy nest.

      They are handling US interests, not those of Europeans, handing US our private data until this pesky Schrems wins in two years, is already a significant win for them.

      Nothing will change unless Europe manages to rid itself of "US assets" in its various governmental bodies, but since most don't even see it as an issue that European taxpayers pay for people who serve US interests, it will probably never happen.

    4. Anonymous Coward

      @Pascal Monett - Re: "limits to the access US intelligence agencies have to EU citizen's data"

      Diplomats ? Where do you see any diplomats ?

      It's only a master-slave relation (these controversial terms are used here with their explicit meaning).

      Somebody will be rewarded for good behaviour (i.e. the conclusion of this sale), watch who is going to become SG of NATO and all will become clear.

    5. Rob

      Re: "limits to the access US intelligence agencies have to EU citizen's data"

      The NSA have listening stations all over Europe and a very large, capable one in Yorkshire. They are taking whatever data they want/need anyway so this is all just a show for politics. The average European citizen can see that the politicians are doing something about it, regardless if it is a chocolate teapot.

      1. NoneSuch Silver badge
        Coffee/keyboard

        Re: "limits to the access US intelligence agencies have to EU citizen's data"

        "The NSA have listening stations all over Europe and a very large, capable one in Yorkshire. They are taking whatever data they want/need anyway so this is all just a show for politics. The average European citizen can see that the politicians are doing something about it, regardless if it is a chocolate teapot."

        Just because you've tried nothing and run out of ideas, does not mean the rest of us can't try to protect your privacy for you.

        1. Rob

          Re: "limits to the access US intelligence agencies have to EU citizen's data"

          My point was that regardless of whatever protections EU law tries to put in place the NSA listening stations will disregard those laws and take what they want anyway. There will always be nefarious actors in those spaces that do whatever they want, laws and policies can try to help but until we have digital tools that are effective, the average effort of data protection will always be up against it. It's still the wild west in technology and data circles as we develop stuff quicker than we can control it by giving them decent and fair checks and balances and the right tools to help enforce those checks and balances.

          But if attacking me makes you feel better, then crack on.

  4. Tubz Silver badge

    ahhh the beloved EU mandarins, how to ensure you're employed on a big fat juicy wage and all the trimmings, until the golden pension goose knocks on your door, keep submitting the same old crap legislation that gets kicked out by the courts, rinse, repeat, collect your Wonga, while sipping on that 250€ bottle of wine, paid for by the tax peasants !

  5. Doctor Syntax Silver badge

    I think the central weakness of all these arrangements is that any disputes are to be heard in a US court. They should be held in the jurisdiction where the underlying transaction took place, assumed to be that in which the data subject initiated it, and between the data subject and the party with which the transaction took place.

    If, for instance some transaction takes place between a customer in Germany (I'd like to say the UK but obviously we're now mere spectators) and a multinational trading company with an EU base in Ireland who uses a data centre in the US where the data is misused by anyone - US intelligence, some adtech company or a malware-wielding North Korean gang - it is the multinational who answers to the customer in a German court.

    It should be the clear responsibility of a trading company to take care of any data it takes relating to an individual; if the trader relies on a third party they, having tasked that third party, remain responsible for whatever mistakes that third party makes.

    1. mpi Silver badge

      > the central weakness of all these arrangements

      The central weakness to these arrangements is that nothing changed on the US side of things. Nothing, zero, zilch, nada, nix.

      FISA still exists.

      Patriot Act still exists.

      CLOUD Act still exists.

      So any protection of data transmitted to the US is still a "trust me bro" issue. And thanks to Edward Snowden, the EU knows exactly how much trust it can have.

      That's why all previous agreements have been nixed by the Courts in the EU. And since nothing substantially changed with this agreement either, the sad story will continue.

      1. Doctor Syntax Silver badge

        All of which means that if the non-US business with a non-US customer can be taken to a non-US court by that customer in the event of such intrusion then they have every incentive not to let the data go anywhere near the clutches of the US. And if a non-US customer can take a US business to a non-US court then US businesses have every incentive to finally do some serious leaning on their government or to set up some arm's length way of doing business* that keeps the customer data out of the reach of even the CLOUD Act.

        As things stand if an EU customer's data gets breached in this way they're going to have to go to court in the US. That's a massive block to effective enforcement and a chocolate fireguard as far as data subjects' interests are concerned. That's why I consider the place where remedy is sought to be the central issue.

        * It should be possible to have, for instance, a franchise operation whereby an EU registered company with EU directors and management owns - or at least leases - and operates data centres on EU soil, licencing such IP as branding and software from the US company. The contract would be under EU law and have a clause which excludes any right by the franchisor to demand access to any data from the franchisee's operation. AFAIA there must be lawyers in Seattle familiar with franchising so companies based in Washington state should have somewhere local to seek advice.

        1. Anonymous Coward

          "It should be possible to have, for instance, a franchise operation whereby an EU registered company with EU directors and management owns - or at least leases - and operates data centres on EU soil, licencing such IP as branding and software from the US company. The contract would be under EU law and have a clause which excludes any right by the franchisor to demand access to any data from the franchisee's operation. AFAIA there must be lawyers in Seattle familiar with franchising so companies based in Washington state should have somewhere local to seek advice."

          Microsoft did in fact do something like this several years ago - they contracted T-Systems (a part of Deutsche Telekom) to set up and run a Data Centre for them in Germany to host some Microsoft services. The contract was purposely designed so that Microsoft had neither physical access nor remote access to the DC nor the personal data stored there. Basically T-Systems ran the services on behalf of Microsoft. For some reason (lack of demand?) Microsoft had that German DC shut down after a couple of years and went back to hosting those services themselves in their own DCs.

          I think I saw Google announce something similar not that long ago for a few EU countries (also T-Systems for Germany? don't remember who for France).

        2. Ken G Silver badge
          Facepalm

          Yes, it's being branded "Sovereign Cloud".

          It's like public cloud except you can't scale, can't go multi-region and have fewer available services.

  6. heyrick Silver badge

    "Data Protection Review Court (DPRC) in the US to which EU citizens would have access."

    It's no secret that the US is protectionist and has a very bizarre (and expensive) legal system. So let's start by having the review court in the EU, where it's just a little harder for the three-letters to lean on it to get the result they want.

    Then let's start by asking is all this data transfer necessary? Either everybody has been breaking the law over the past few months or it's actually possible to get on fine without chucking loads of PII to another continent...

    1. Brewster's Angle Grinder Silver badge

      I'm going with everybody breaking the law.

  7. Anonymous Coward

    Data Pipelines ...

    US: Bend over!

    EU: How far?

    1. Anonymous Coward

      Re: Data Pipelines ...

      UK: Deeper, Harder, Faster!

  8. localzuk Silver badge

    The fundamental flaws still exist

    The US CLOUD Act still exists, so this agreement can't change that. It needs legislative change to be compatible. Pinky swears by the executive isn't enough, as they don't set the law.

  9. Mike 137 Silver badge

    Plus ça change, plus c'est la même chose

    "reopening transatlantic data flows between America and EU nations as soon as the decision takes effect on July 11"

    The reality is that they never closed. Data flows between the US and the EEA have continued essentially unabated despite Schrems, because most businesses on both sides of the Atlantic have just ignored the law and policing has been almost non-existent.

  10. Claptrap314 Silver badge

    I cannot undertake to put my finger on that article of the constitution

    that permits a president to create a court. (It requires an act of congress.)

    Of course, the only thing about this agreement that I messed up was the acronym...
