back to article No change in US law, no data transfer deals – German state DPA

The data protection authority at the German federal state of Schleswig Holstein has declared that any and all data protection workarounds for the transfer of data to the US after the European Court of Justice's Schrems v Facebook judgment are going to be illegal. In its first declaration on the post-Schrems legal landscape, …

  1. Paul Crawford Silver badge

    Outlook

    Cloudy, with some rain in the immediate future

    1. Warm Braw

      Re: Outlook

      The problem would seem to be with things like outlook.com being cloudy in the first place..

  2. channel extended

    How does this affect the Win10 data grab?

    1. Anonymous Coward
      Anonymous Coward

      Depends where it goes

      If it goes to Microsoft datacenters in Eu as long as Microsoft is continuing the NY FBI case it is fine.

      From there onward it depends on the outcome of that case.

      If the outcome of that case is Microsoft to surrender the data, things will get very very interesting indeed. In that case, any USA business will end up being not legally allowed to perform any B2C activity in Europe. At all - they will not be able to process the customer data to do so.

      1. <shakes head>

        Re: Depends where it goes

        sorry no, if the data is collected by a US company it can be completed by the patriot act, and as such is illegal. if the company is EU but moves it to a US company irrelevant of where the data is then that EU company has broken the law.

    2. big_D Silver badge

      As AC said, with the caveat that most of the data is anonymous, so they can transfer it willy-nilly, because it cannot be traced back to a specific machine or a specific person.

      Things like Cortana or web search lists, which are linked to the user, will have to stay in the EU.

      1. Grikath

        It also depends on what is used as the basic identifier for the "anonymous data". There must be a unique identifier somewhere in the chain to be able to manipulate it.

        If it's "just"the IP things could get pretty slap-sticky, with Big Tech desperately claiming IP does not identify an individual, and Big Media desperately claiming it does... Both their earning model depend on their version.....Fight!!

        1. big_D Silver badge

          Various EU courts have already ruled on what can be used to identify people and IP addresses are enough to identify a person, usually. Especially if they have a time stamp, because even with a leased IP, the provider has to hold records for a set period about which IP was assigned to what address at what time.

  3. Jason Bloomberg Silver badge
    Thumb Up

    Well said

    all data protection workarounds for the transfer of data to the US after the European Court of Justice's Schrems v Facebook judgment are going to be illegal

    only a change in US law can make US companies compliant with European legislation

    Someone had to come out and say it in plain, simple terms.

    1. Anonymous Coward
      Pint

      Re: Well said

      That's exactly what I've come, clipboard charged, to say:

      "...only a change in US law can make US companies compliant with European legislation and has advised companies to adjust their business relationships accordingly."

      About effin time!

      Also, don't think anyone's said this yet... I know right place, right time etc. but someone had to get off their arse and do it... so...

      Cheers Max Schrems ------>

  4. Blank-Reg
    Flame

    Now's a good time to be a Datacentre specialist in the EU. Me thinks there'll be a small, but significant increase in demand for new ones ...

    ... unless a certain USian court case goes a certain way, then the fireworks really will begin!

    Anyway, anyone fancy some popcorn? This'll be a good one to watch

    1. Anonymous Coward
      Anonymous Coward

      Makes me thing another bombshell's gonna drop soon. What if it's found that EU governments are actually doing data mining and in so doing violating their own laws?

      How soon before we cross into full Don't Trust Anyone mode?

      1. Blank-Reg
        Unhappy

        I thought we were already in "Don't trust anybody" mode?

        1. Charles 9

          Not quite. We still trust our family and ourselves. When we can't even trust ourselves, THEN we're fully in DTA mode, and that's probably when the Internet ceases to be a useful medium. After all, communication requires some degree of trust as Alice and Bob have no way to verify each other if they've never met before and can't trust a Trent to do it (since he may be corrupt).

  5. Anonymous Coward
    Anonymous Coward

    I was wrong...

    I kept saying that public Could would burst but looks like it's caught fire instead!

    Hopefully this is more than political appeasement and something really does happen.

    .

    Anyone know how this effects the UK's standing with "Safe Harbour"?

    Suspect it will be no effect and we're still on track for becoming the 51st state...

    1. Voland's right hand Silver badge

      Re: I was wrong...

      UK has to comply with ECJ rulings same as everyone else.

      So while the UK DPA will drag its feet to the maximum extent possible, it will be dragged kicking and screaming into the 21st century. With lawsuits if need be. The biggest result of Max Schrems vs the Irish Data Protection commissioner is that the interpretation of the law and the facts is now set. As long as a case appears in front of a court the court has bugger all freedom to rule anything different.

  6. Anonymous Coward
    Big Brother

    Doesn't matter if the US changes it's laws anyway...

    They'll continue to grab as much data as they can... legally or illegally...

    1. Anonymous Coward
      Big Brother

      Re: Doesn't matter if the US changes it's laws anyway...

      Exactly. This "Safe[sic] Harbour" fraud, the MS v FBI charade, etc., are all about overt expatriation of data. The covert expatriation operations (Prism etc.) don't exist already, so will go on completely unaffected... or, if anything, will be increased to compensate.

  7. Wommit
    FAIL

    Let me get this straight

    The USA has to CHANGE its laws to allow legal import of personal data from the EU?

    I got it, right?

    The absolute and utter absurdity of the idea that the US government would change its laws due to foreigners is beyond comprehension. Most of the USians aren't even sure where the EU is (over there somewhere, with an unknown quantity / direction for 'there.') The US won't even abide by WTO agreements, which now has the delightful effect of seeing small countries decline to accept US copyrights, and increase their own bank balance by selling legal copies of films and music. Have the US congress / house of representatives even ratified the arrest & deportation agreement with the UK yet? You know the one that they have used to drag UK subjects over the pond to face US crimes which were not UK crimes. Lets face it, The US government has broken or ignored every one of its treaties since those with the native Americans.

    The US does not have a good record of accepting that the rest of the world actually exists. Let alone coming to real accommodations with other countries. I see LOTS of nasty words in the immediate future, and threats, lots and lots of threats. The worlds economy is going to collapse, or at least that bit of the economy the the USians are concerned about. i.e. their own.

    1. Anonymous Coward
      Anonymous Coward

      Re: Let me get this straight

      Not exactly difficult to comprehend.

      You (the USA) want to play in our (EU) back yard.

      Therefore you (USA) need to follow our (EU) rules.

      Additionally, no rules you have at home (in the USA), can be used to circumvent the rules over here (EU).

      Simples...

      1. Anonymous Coward
        Anonymous Coward

        Re: Let me get this straight

        This'll depend on how broad the two sides take it. After all, the USA can reciprocate, if not in customers then perhaps in other diplomatic matters, such as military support (that could hurt if Europe is forced to go it alone against a chest-thumpin' Russia).

        1. Grikath

          Re: Let me get this straight

          Dear AC, if there's one thing the US fears is that the EU aligns with "chest-thumping Russia". Which really, isn't that far off into the future.

          1. fishbone

            Re: Let me get this straight

            You can have them you deserve each other, no brain no memory

        2. Trevor_Pott Gold badge

          Re: Let me get this straight

          After all, the USA can reciprocate, if not in customers then perhaps in other diplomatic matters, such as military support (that could hurt if Europe is forced to go it alone against a chest-thumpin' Russia).

          So you want the EU to align with Russia and China against the US?

          $deity you're thick. Even for a nationalistic yankee moron, that's dumb.

          The US isn't that important. You only have the relevance you do because you have the allies you do. You cannot go it alone against the whole fucking world.

          But I would dearly love to see you try.

          1. Anonymous Coward
            Anonymous Coward

            Re: Let me get this straight

            "So you want the EU to align with Russia and China against the US?"

            Do the EU REALLY want to gamble on that, given the attitude of the people in charge there?

            Probably the only thing worse than bending the knee to imperialists would be to tick off a nation with lots of nukes and nothing else to lose (meaning it would be willing to go MAD).

            1. Trevor_Pott Gold badge

              Re: Let me get this straight

              "Do the EU REALLY want to gamble on that, given the attitude of the people in charge there?

              Probably the only thing worse than bending the knee to imperialists would be to tick off a nation with lots of nukes and nothing else to lose (meaning it would be willing to go MAD)."

              Where's the gamble? The US is not militarily superior to a bunch of fucking poor people in the goddamned desert, let alone the fully up to date militaries of the EU. The EU, Russia and China combined (which would probably include most of South America and Africa, quite frankly, because China has been making a LOT of friends there lately) would crush the US like a bug. A shitty little irrelevant bug.

              NUKES? If the US fires their nukes then everyone else who's got them will fire them (and that is rather a lot of countries at this point) and then pretty much all the "superpowers" are rubble for the next 75 years.

              Even the Americans aren't that stupid.

              And hell, what if they are? If they are really that arrogant, short sighted and filled with unrelenting hubris best to get World War 3 out of the way now while there's still some oil to be had. Oil is a cheap source of energy and it will be vital to rebuilding after we've blown all our major cities to hell and gone.

              If we wait until the US burns it all then rebuilding is going to be completely awful for everyone and a hell of a lot more people will die because we can't keep the hospitals powered or the farms ploughed.

              Now, ideally, we don't have ourselves a merry little war. That means we can keep complicated and high maintenance power technology like nuclear power and large hydro working. That means we can transition to a post-oil economy in a relatively smooth manner and we can probably avoid that whole "not having enough power for critical infrastructure" bit.

              But it comes down to having to have a war then best get it over with soon.

              And for the record, there's no goddamned difference between a "partnership of equals" with the Russians and Chinese and kowtowing to the Americans. Except, you know, that the Russians and the Chinese actually just might abide by the treaties they sign and might even be somewhat trustworth whereas the Americans don't, won't and aren't.

              Actually, come to think of it, I don't understand why we put up with those barbarians at all.

      2. Anonymous Coward
        Anonymous Coward

        Re: Let me get this straight

        I think you've got this exactly backwards. U.S. companies created services that you Europeans wanted to use, now you're whining that you want the U.S. companies to offer those services consistent with *your* rules rather than with ours. No one forced you to create a Facebook/Google/Microsoft account.

        1. Anonymous Coward
          Anonymous Coward

          Re: Let me get this straight

          I think you've got this exactly backwards. U.S. companies created services that you Europeans wanted to use, now you're whining that you want the U.S. companies to offer those services consistent with *your* rules rather than with ours. No one forced you to create a Facebook/Google/Microsoft account.

          You've got it backwards AC: There have been plenty of European equivalents to all those things, many preceded those examples you gave. They all had to comply with EU law, as is proper. Meanwhile US corporations had illegally been given carte blanche to flout the law and pimp-out their victims as they pleased, thus unlawfully securing what is known as economic advantage. This obvious and illegal mistake has now been corrected... at least for a couple of weeks or so... while the appeasers feverishly draft their replacement fraud...

          "The second-best option is a re-negotiated arrangement, said Oettinger, for once sticking to the Commission official line."

        2. Doctor Syntax Silver badge

          Re: Let me get this straight

          "No one forced you to create a Facebook/Google/Microsoft account."

          I don't have a Facebook or Google account nor a Twitter account for that matter. I have a Hotmail account that I use as a spambin. If the NSA or anyone else wants what's in that they're welcome. My main email traffic is based on my private domain which is now hosted by a UK company. So as regards those I have no skin in the game.

          What I do object to is that as a customer of EU companies that they have been using some US-based services and exporting my data, which they're supposed to treat according to EU-specific rules, to a country where there's no way of ensuring those rules can be followed.

          That's the issue as far as I'm concerned.

        3. Brent Beach

          Re: Let me get this straight

          Nicely done, AC. You epitomize the US "our way or the highway" attitude.

          This of course creates space for EU based companies to provide facebook/google/microsoft type services.Time for open source, crowd sourced social media, mail, search.

          It is about time those big US monopolies got broken up.

          Then to find a way to break the hold of Wall Street on the rest of the planet as well.

      3. DanielN

        Re: Let me get this straight

        "Therefore you (USA) need to follow our (EU) rules."

        Or just get a waiver contract signed by the person. EUians are perfectly free to scan their souls and email the file straight to NSAbook if they want. If history is any guide, they will cheerfully sign over their firstborn for a few shiny trinkets.

        Trying to legislate total mandatory privacy is a losing battle. For example, take international air travel. If personally-identifying data is controlled by EU law, and cannot under any circumstances be exported to another country, then how do you handle passenger lists and emergency contact information? What about long distance telephone billing information? Transnational satellite comm services? If this stupidity were actually enforced, international commerce would be dead within a week, followed by the EU economy.

        If this insanity actually grows legs, expect the NSA to identify where EUians are leaking "valuable" private data to "rogue"countries and then sue on their behalf. Backlash is a dish the alphabet soup agencies know how to serve.

    2. Brewster's Angle Grinder Silver badge

      Re: Let me get this straight

      It's going to be interesting to watch the reaction: because this has the potential to hit rich, vocal businesses in the wallet.

      1. I. Aproveofitspendingonspecificprojects

        Not Straight

        You are thinking in terms of Democracy. The USA is a democracy of very rich men who only write laws suggested by cadres of even richer gangs of rich men who can afford sponsors and public relations entities whose job it is to find out what the politicians want to be given.

        While this has been the European view of democracy since before the First World War, we don't like to make it so obvious. When it was just a post war piss up for the Labour Government before the righteous ruler-ship took over again, nobody minded. But these days things are getting a little out of hand and obviously the chances of our corrupt arses wanting the same as their corrupt assholes, there never will be agreement.

        Unless we have suddenly acquired more stately home with owners having pretty daughters we can sell them it isn't going to happen. Besides if we do have one or two handy looking lovelies, hadn't we better keep them ready for another World War?

    3. Anonymous Coward
      Go

      Re: Let me get this straight

      Pretty much everyone in the US would be happy to have Europe's privacy laws. We don't give a damn if it destroys the big bad tech firms.

    4. SolidSquid

      Re: Let me get this straight

      There's nothing saying they *have* to change those laws, it's just that US based companies will have a major obstacle if they want to operate in the EU unless they do

    5. Zoopy

      Re: Let me get this straight

      " Most of the USians aren't even sure where the EU is"

      What an absurd broad-brush insult to the typical American. Either you're a foreigner, in which case you're being an elitist jerk, or you're an American, in which you're self-flagellating in some embarrassing attempt to suck up to this sites non-US readers.

      1. Trevor_Pott Gold badge

        Re: Let me get this straight

        Or they're an ex-pat who is still (technically) a USian, but is also a citizen of another country. In which case they're both.

        Or maybe they're one of hundreds of thousands of people who were born in American while their family was on vacation and were thus made "stealth" USians against their will (or the will of their family members) and are now hounded across the globe by the IRS for a lifetime's worth of taxes, despite never having set foot in the US.

        I know you probably don't know about those sorts of things, but they aren't jokes. The "stealth" citizenship is a rather miserable fucking problem where I'm from that has caught up a largish % of our population. People try to (for example) go to Vegas with some friends and oh look you're on a list of Us citizens that owe a lifetime's back taxes and you never even knew you were a citizen. Now you can get trapped in the country until you pay.

        Awesome.

        Oh, and extra bonus? You can't renounce your citizenship (that you didn't know you had) until you pay up. And even after that, you can't renounce anyways because you have to be classified as mentally competent to renounce your citizenship, but that determination is made by the people administering the paperwork, and one of the reasons they can (and do) declare you mentally unfit to renounce your citizenship is that you want to renounce your citizenship!

        You see, by USian logic you have to be crazy to want to not be a US citizen so you obviously can't be mentally competent when you apply to renounce your US citizenship.

        And, of course, the US claims legal ownership and jurisdiction over every aspect of every US citizen's life, even those that don't know they are citizens.

        Double awesome.

        The point is, there are a lot more things in the US and outside of it that are dreamt of in your philosophy. Maybe it is worth investigating these and learning some things beyond what you "know".

        You'd then quickly see the world isn't binary. For example, it is entirely possible to be a USian, hate the shit out o that backwards ass country, and not be self-flagellating at all. Because your USianness is in fact unwanted legal imperialism and you consider yourself a non-USian.

        But you are a USian. But you're not too.

        The world. Grey. Shades of.

        Learn.

  8. kmac499

    Judicial Culture Shock

    US CEO to Head of Legal

    "What!!! You mean that foreigners want their own laws, and want us to abide by them just because they connect to us from their country.."

    HoL: "Yes sir"

    CEO: "Who do they think they are, don't they know about our constitutional rights?"

    HoL: "The constitution doesn't apply there sir, they have their own conventions"

    CEO: "So who do we sue..??"

  9. Mage Silver badge
    Holmes

    Global USA Megacorps

    They will just offshore all their data to Iceland, Ireland, Iberia, Italy etc

    After all they already offshored manufacturing to China and Customer Support to Mexico (Spanish) and India (English)?

    It's not going to make any difference to USA Megacorps. It may affect some USA based IT staff.

    1. Doctor Syntax Silver badge

      Re: Global USA Megacorps

      "They will just offshore all their data to Iceland, Ireland, Iberia, Italy etc"

      When they've done spluttering with rage this is exactly what they'll do. But they'll have to do it carefully by setting up locally owned & managed franchise operations or maybe some other form of outsourcing to take care of any possibility that the MS case could go the wrong way.

  10. svddoel

    This does leave me with a few questions:

    - data stored in EU locations with US companies still falls under the USA Freedom Act/Patriot Act so data could be transfered to the USA without consent: is this still allowed?

    - Office 365 states in its SLA that data could be moved to the USA "for support purposes", I guess this means Office 365 is no longer safe for personal information either?

    1. Anonymous Coward
      Anonymous Coward

      - data stored in EU locations with US companies still falls under the USA Freedom Act/Patriot Act so data could be transferred to the USA without consent: is this still allowed?

      No. This is precisely what the ECJ ruled when discarding "Safe[sic] Harbor[sic]"

      - Office 365 states in its SLA that data could be moved to the USA "for support purposes", I guess this means Office 365 is no longer safe for personal information either?

      Why do you imply it ever was?

  11. noj

    Applying EU pressure to US tech companies will apply pressure to politicians to act differently. The US does favor business over many other things, such as common sense or individual rights. And when a US company gets hit in the pocket book, politicians tend to listen.

    The question is whether those companies have enough sway with the politicians to make a significant impact. If oil companies were involved it might be a wholly different story. But with tech companies it will probably be easier to make some secret deal and force the tech companies to slurp on the sly. The EU legally would only be able to go after the tech company and only after the slurp occurred and was detected. If a few "uncooperative" companies suffer that would make certain government agencies pretty happy. What's a little collateral damage when there are so many disk drives in Utah to fill?

  12. sysconfig
    Mushroom

    Rules are great, but how to enforce them?

    So, right now at this point in time -from my IANAL point of view- US companies have to start storing EU customers' data in the EU and -more importantly- leave it there. (The FBI vs M$ case aside for a moment)

    What if they don't? And sure as hell, right now most of them won't, if they ever will. How are we (the EU) going to enforce this? This is a powder keg waiting to cause... see icon.

    This is really going to be interesting to watch. And I kind of hope that the court in the US makes the huge mistake of forcing M$ to hand over data from their Irish subsidiary. Then it's going to get nuclear. (not literally I hope, but this could become a much wider political issue -- and a huge opportunity for EU companies)

    1. Paul Shirley

      Re: Rules are great, but how to enforce them?

      We will eventually end up enforcing it by fining local EU entities that buy the affected services. If the US thinks they can just secretly carry on as normal, they don't understand the problem, any leak or even the suspicion of infringement will render them all toxic to EU business.

      Any direct arrangement with end users will render them directly liable.

      Either way, US companies will find the EU becoming a very unprofitable environment if they cheat.

    2. Anonymous Coward
      Anonymous Coward

      Re: Rules are great, but how to enforce them?

      What if they don't?

      First instance - complaint to the DPA. I am writing a couple tomorrow while having my afternoon coffee.

      Second instance (if DPA answer is unsatisfactory) is to see who in your country is driving the steamroller labeled "Shem vs Irish DPA Aftermath". Throw that to them. If everything else fails - file a case of your own with ECJ.

      If you feel in popcorn mode you can also throw the first complaint at the actual USA company for fun. That will not be productive - you will be writing a complaint to the DPA anyway.

  13. Anonymous Coward
    Anonymous Coward

    Fine for the transfer of personal data?

    "It has warned businesses and governmental bodies that they may be fined up to €300,000 for the transfer of personal data to the US "without a legal basis"."

    What's the metric - per company, per data subject, per transfer, per individual item transferred, some combination thereof? If it's per company, which company - the US-owned entity, or it's channel, or .... ? The only way that seems fair is per data subject, with at least some of the amount going to the data subject in question ....

    This could make the MS / FBI outcome seriously expensive - even if all of the issues in the "Normal Use" environment are sorted out by requiring EU-based storage for cloudy data, if those kind of fines are in place and some random judge can order a breach of EU data protection laws at €300k per data subject, say goodbye to a lot of companies .....

    1. Anonymous Coward
      Anonymous Coward

      Re: Fine for the transfer of personal data?

      DPA fines are per violation. What is a violation and are multiple instances of illegal transfer one violation or multiple is left to the DPA to determine and depends on local law.

      It is unfortunately not per user and not per transfer. It is also a fixed fine in the range of up to 1M (France) - not global turnover like competition fines.

      By the way - 300K per violation for someone who handles data as a business is going to hurt anyway you look at it. For example if typical cloud service is found liable, you are looking at a fine per customer so this is in the billions even if the fine is nowhere near the maximum amount.

  14. Mark 85

    A chilling side-effect...

    So If I were in an EU location as a citizen, and I were to order something from a smallish company in America that doesn't have an EU presence, this will negate that? I couldn't do it?

    Given the combative nature of politicos here in the States, I suspect they'll just create a similar law here that US data has to stay in the US which also prevents business being conducted.

    I see a lot of smaller-than-the-big-guys going out of business or at least taking a major hit as not everyone uses Amazon, E-Pig..err.. bay... etc.

    1. Doctor Syntax Silver badge

      Re: A chilling side-effect...

      "Given the combative nature of politicos here in the States, I suspect they'll just create a similar law here that US data has to stay in the US which also prevents business being conducted."

      A US govt passing laws to prevent business? That seems unlikely.

      1. Anonymous Coward
        Anonymous Coward

        Re: A chilling side-effect...

        "A US govt passing laws to prevent business? That seems unlikely."

        Preventing business, yes. Preventing business prevention? As in preventing business getting stolen? Oh, they'll respond. And since this smacks of an embargo, they may respond with an embargo, creating a digital Atlantic divide. Plus there may be other diplomatic options. It'll all depend on how willing Europe is to really, really go it alone because we don't know how much exactly America contributes to Europe (particularly in secret, diplomatic ways). I mean, is Europe willing to not ask America for help on high-profile, international data hacks or other such "common ground" matters?

      2. Mark 85

        Re: A chilling side-effect...

        It does seem that way, but lately there's been some CongressCritters waving the flag which usually trumps business. I guess it's wait and see.....

  15. dan1980

    The US are bitching about this hurting trade but the way forward is clear: if trade is so important to you, then change your laws to to ensure they comply.

    You don't have to and it is your sovereign right to make whatever laws you want but those laws are not without consequences.

    1. John Brown (no body) Silver badge

      "You don't have to and it is your sovereign right to make whatever laws you want but those laws are not without consequences."

      ...and they stop becoming applicable at your borders.

  16. Anonymous Coward
    Anonymous Coward

    Cabinet Office and Google Apps

    Where does this leave the Cabinet Office's use of Google Apps?

  17. Sirius Lee

    Unnecessary hyperbole here

    The ECJ has declared the safe harbor statement invalid but the *view* of the DPA in one German state is not a definitive interpretation of the standing of the law, it is a *view* by one regulator that will need to be tested in court. If the DPA in question is being genuine, not just trying the cause confusion, they will test the law immediately.

    Model clauses do and did exist. The invalidation of the safe harbor agreement is not retrospective so does not affect data processed before the judgement. Model clauses have not been invalidated which means companies can rely on them until they, too, are invalidated. But here's the problem. If you or I have signed up to a contract with a business that uses a model clause, even since the ECJ ruling, we have given away our rights to the extent described in the relevant clause. That is contract law and so far as I'm aware contract law has not been changed yet.

    1. Anonymous Coward
      Anonymous Coward

      Re: Unnecessary hyperbole here

      "If you or I have signed up to a contract with a business that uses a model clause, even since the ECJ ruling, we have given away our rights to the extent described in the relevant clause. That is contract law and so far as I'm aware contract law has not been changed yet."

      Under some laws, rights are sacrosanct and can't be given away, even under contract. The ECJ ruling can easily be construed to interpret the right to privacy as sacrosanct. A contract that attempts to breach a sacrosanct right can be rendered null and void. Thus rights law can trump contract law. That's why there's a lot of fallout potential.

  18. Valheru

    Change yes but not for the average joe.

    The most likely result IMHO is an agreement between the EU and the USA. The result could be a test for EU federalism.

    US corporations work in the EU via a variety of legal structures designed to lower tax and limit liability/risk. They have managed to profit nicely despite changes to EU and local law by just staying ahead of the very slow legislative process and lobbying. Similar methods will be used to architect legal data transfer.

    I admit it is fun to imagine this turning into an exciting change. So riddle me this:

    How does an EU citizen act against a non-European & non-resident company doing bad things with their data today?

    All of the UK is not in the EU, what happens if an EU person's data makes it to the USA via the Cyprus Sovereign Base Areas or British Indian Ocean Territory?

    1. Doctor Syntax Silver badge

      Re: Change yes but not for the average joe.

      Your question has already been answered in relation to a different question. The EU citizen does business with an EU company. That EU company has responsibilities under the relevant data protection legislation. If they fail in that responsibility by passing on the data by the routes you suggest they are liable to the citizen and if they haven't arranged indemnity from their business partner then more fool them.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like