back to article Privacy Shield binned after EU court rules transatlantic data protection arrangements 'inadequate'

The EU Court of Justice has struck down the so-called Privacy Shield data protection arrangements between the political bloc and the US, triggering a fresh wave of legal confusion over the transfer of EU subjects' data to America. Austrian privacy activist Max Schrems brought the latest edition of the long-running case ( …

  1. Rich 2 Silver badge

    Standard contractual clauses

    I find it strange that the standard contractual clauses were not also struck down. Surely, any data transferred under them is also subject to US government snooping in the same way as under privacy shield. It’s not as if Joe Public has any say in what “standard contractual clauses” their bank/anti-social hangout/on-line supermarket/whatever signs up to

    1. Woodnag

      Re: Standard contractual clauses

      See https://noyb.eu/en/CJEU-Media-Page

      Vera Jourová didn't tell the truth. SCCs are not valid where US gov by US law gets to see the traffic. So not Facebook etc. For bank transactions, fine.

      See https://www.twitter.com/maxschrems

      "It seems that @VeraJourova is simply ignoring the #CJEU a second time here. The Judgement is clear that you can't just use the SCCs again and there is no "toolbox" to be used when a US company falls under #FISA and alike... "

      1. Rich 2 Silver badge

        Re: Standard contractual clauses

        So faecesbook and similar pond life really are stuffed then? Their only recourse is to keep their (your) data in the EU?

        1. Woodnag

          Re: Standard contractual clauses

          Yes. Useful summary here: http://eulawanalysis.blogspot.com/2020/07/you-were-only-supposed-to-blow-bloody.html

          "Schrems reformulated his complaint to the Irish Data Protection Commissioner (DPC) about data transfers arguing that the United States does not provide adequate protection as United States law requires Facebook Inc. to make the personal data transferred to it available to certain United States authorities, such as the National Security Agency (NSA) and the Federal Bureau of Investigation (FBI) and the data is used in a manner incompatible with the right to private life, and that therefore future transfers by Facebook should be suspended."

          1. NATTtrash
            Angel

            Re: Standard contractual clauses

            ... available to certain United States authorities, such as the National Security Agency (NSA) and the Federal Bureau of Investigation (FBI)...

            Where did I hear before that such a direct connection between a company/ companies and governments is "bad, very bad" so you need to boycott them?

        2. sorry, what?
          Unhappy

          Re: Standard contractual clauses

          Those of us in the UK no longer have such protections anyway, what with Brexit and all. When Google shifted all my data to the US back in April I complained to my MP and got a dismissive bunch of drivel back in return saying that my data was just as secure in the US as it would be in the EU.

          1. Woodnag

            Re: Standard contractual clauses

            Brexit doesn't mean exiting GDPR.

            But your MP is right... the 5-eyes share data on each others' citizens to work around "thou shall not spy on thy own" type laws.

          2. Cederic Silver badge

            Re: Standard contractual clauses

            The Data Protection Act 2018 is still in force. You know, the updated UK legislation that supplemented existing data protections with some additional rules to comply with GDPR.

            If you think it's being breached then don't write to your MP, write to the company that's breaching it. If they fail to provide an adequate response then raise a case with the ICO.

            1. Anonymous Coward
              Anonymous Coward

              Re: Standard contractual clauses

              ....but for how long? How long before our beloved leaders find it useful to give away what little protection we have?

              1. John Smith 19 Gold badge
                Gimp

                "....but for how long? "

                Depends if any UK company wants to process data from EU citizens

                If they do and one of those citizens crews foul then all that business (or any business that relies on that process happening) is f**ked.

              2. NATTtrash
                Gimp

                Re: Standard contractual clauses

                Perhaps when it turns out to be profitable? Like for example that nice post Brexit NHS data the US seems so interested in?

                https://www.theregister.com/2019/12/12/nhs_england_database/

            2. Doctor Syntax Silver badge

              Re: Standard contractual clauses

              "The Data Protection Act 2018 is still in force. You know, the updated UK legislation that supplemented existing data protections with some additional rules to comply with GDPR."

              The DPA 2018 does indeed do this. However we no longer have the ECJ watching our backs in terms of enforcement.

          3. MJI Silver badge
            Flame

            Re: Standard contractual clauses

            As the waffling buffoon loves the orange moron so much I think we are screwed.

            Fuck you Johnson.

          4. Anonymous Coward
            Anonymous Coward

            Re: Standard contractual clauses

            I complained to my MP and got a dismissive bunch of drivel back in return saying that my data was just as secure in the US as it would be in the EU

            Under the Snoopers' Charter, that's probably true...although not exactly comforting.

          5. Anonymous Coward
            Black Helicopters

            Re: Standard contractual clauses

            @sorry,what?

            "bunch of drivel back...saying that my data was just as secure in the US as it would be in the EU."

            There is of course a huge assumption built into that statement about the safety of your data in the EU.

        3. EnviableOne

          Re: Standard contractual clauses

          unfortunatley for them that doesnt put EU citizens data out of reach of the US CLOUD act.

          If its their data the US.Gov can get it.

      2. Charlie Clark Silver badge

        Re: Standard contractual clauses

        Hasn't the matter been handed back to the Irish ICO to establish whether sufficient protection is given? If this isn't the case then the contract is invalid, The contract will be deemed invalid because the US government refuses to declare such data off-limits but will delay things.

        1. Woodnag

          Re: Standard contractual clauses

          There's a separate case that the Irish DPC is avoiding ruling by being incredibly slow.

          https://noyb.eu/en/judicial-review-against-dpc-over-slow-procedure-granted

      3. Anonymous Coward
        Anonymous Coward

        Re: Standard contractual clauses

        Yeh and since when has an *obligation* to ensure EU citizens privacy been a *right-to-waive* said privacy on behalf of said citizens? If they had an obligation to protect EU citizens from being murdered would they waive it for some citizens? Useless foockers playing politics.

        This agreement was always a "we waive this law for the USA because Obama is nice to us" thing.

        Dumbasses never ran the negative scenario and ask themselves what would happen if USA was flipped by an enemy state. What if said malicious leader tried to use it to flip EU states. What if quid-pro-quo leader traded their data for profit. Leveraged their data for power. Leaked their secrets for effect.

        They compromized EU security with this shit.

    2. spold Silver badge

      Re: Standard contractual clauses

      Most larger companies will now be completely pissed off after previously having gone through Safe Harbor being struck down. They were reluctant to do Binding Corporate Rules because it was lengthy and expensive This option will now look much more attractive than relying on standard contractual clauses and having those torpedoed in the future, and will decide to suck it up. This may well overload many regulators' work capacity.

      1. John Jennings

        Re: Standard contractual clauses

        Its not quite like that.

        BCR (Binding corporate rules) apply only for each arm of a multinational, or each company in a conglomorate. You cant have a BCR with a supplier, or customer.

        BCRs are a complete PITA to do - expensive and can take years to complete - they have to be don in conjunction with the local data Authority. I have not been involded in those personally, but when I .last looked into it, there were no more than a couple of hundred firms which had gone through the pain.

        The main issue I have is that most US companies I deal with refuse to use standard contract clauses - they almost all relied upon Privacy Shield - meaning that now we have to go back to them, and renegoiate.

        1. Anonymous Coward
          Anonymous Coward

          Re: Standard contractual clauses

          refuse to use standard contract clauses

          This. This SO much. If I got a penny every time I had to remind US that it's kind of "unusual" to base our contracts on "US laws and customs" in stead of our (legal entity) local legislation, I would be listed above Radcliffe next year.

    3. Doctor Syntax Silver badge

      Re: Standard contractual clauses

      "I find it strange that the standard contractual clauses were not also struck down."

      I think the judgement says that the clauses are fine, just that, as applied to the US, they're not worth the shrivelled fig-leaf they're written on. Applied elsewhere they're fine.

      One aspect of this that bothered me was that the EU position was - and still is - that it was sufficient that the injured party had recourse to law in the country to which the data was exported irrespective of whether such a theoretical right was practically (including financially) possible to enforce. Enforcement in the EU seemed to me essential.

      Not that that has any effect in the UK now. Thanks to Brexit I'm denied these rights anyway so for those of us living in the UK this has become reduced to an academic curiosity. This must be some new meaning of taking back control of which I wasn't previously aware

  2. BebopWeBop
    Thumb Up

    Schrems has done the world a favour.

    1. Anonymous Coward
      Pint

      Not quite the world

      I only wish that US citizens had GDPR protection in the US.

      I fear that for Britains it will come down to whether BoJo wants a trade deal with the US or the EU more.

      But I'll raise a pint for Schrems, the EU, and privacy.

      1. BebopWeBop

        Re: Not quite the world

        whether BoJo wants a trade deal with the US or the EU more.

        You have to ask? With magic trade deals with China scuppered and a dominant parliamentary party who appear to hate our neighbours, I am sure Johnson is praying that the US will ride to the rescue. At least it will distract the Daily Mail and others from the breakup of the 'United Kingdom'. Past governments (of both colours) have put all of their eggs in the financial services basket, so technology is just an irrelevance to them.

      2. Charlie Clark Silver badge

        Re: Not quite the world

        US rules usually distinguish between US citizens and aliens (the rest of the world). As spying on US citizens is bad but spying on the rest of the world is good, having companies that collect private, personal data from the rest of the world is good™. It's what keeps you safe at night. Well, apart from RTAs, muggings, shootings, corporate rent-seeking, etc.

        1. Anonymous Coward
          Anonymous Coward

          Re: Not quite the world

          US rules usually distinguish between US citizens and aliens (the rest of the world)

          That's a false distinction in actual practice. Rules, laws, and constitutional rights that supposedly protect "US persons" are routinely ignored or bypassed at scale.

          1. John Brown (no body) Silver badge

            Re: Not quite the world

            Isn't it the case that there are "special considerations" in terms of laws and the constitution within 100 miles of borders or entry points? And that the vast majority of US citizens live in those zones, ie within 100 miles of physical borders or airports considered as a "point of entry".

  3. Spanners Silver badge
    Holmes

    Good

    Was anyone here even a fraction surprised?

    Does anyone here believe this will not be part of the thrust of downgrading our data security laws?

    1. Doctor Syntax Silver badge

      Re: Good

      Surprised, no.

      By "our", who do you mean? The EU's, probably not. UK's maybe. US's - can they get worse?

    2. Warm Braw

      Re: Good

      downgrading our data security laws

      It puts us in a very interesting position. It's arguable our existing data security laws aren't adequate for EU purposes - we only got to play because we were EU members and our laws were in principle subject to EU courts.

      We may find ourselves caught between being obliged to strengthen our laws to continue data exchanges with the EU and being obliged to weaken them in the interests of securing a US trade deal.

      Fortunately, we've taken back control so we can invent our own social media: writing abusive messages on scraps of paper and chucking them out of car windows at passing strangers should be an adequate Twitter substitute, for example.

      1. Dr_N

        Re: Good

        Warm Braw> Fortunately, we've taken back control so we can invent our own social media: writing abusive messages on scraps of paper and chucking them out of car windows at passing strangers should be an adequate Twitter substitute, for example.

        Litter™®

        1. Anonymous Coward
          Anonymous Coward

          Re: Good

          Warm Braw & Dr_N, this has made my day.

        2. Mr Sceptical
          Trollface

          Re: Good

          Viz top tip:

          Need to throw an abusive message at a passing stranger without littering?

          Simply put the paper on the end of a dart and hurl with force at the intended recipient!

  4. Anonymous Coward
    Anonymous Coward

    In other news, birds gotta fly!!

    I'm not surprised by this at all. Privacy Shield is a fiction invented by the EU and U.S. governments. It's role is to keep trans-Atlantic trade, investment and business partnerships going at the request of the many European companies who want access to the U.S. market, continuing vital U.S. corporate investment in the EU and placating the U.S. government so it continues its security and intelligence cooperation with various EU members. All this while making it look as if the EU is still doing something to protect it's citizens' data.

    I'm not at all surprised to see that the European Commission (which is subject to political pressure from the EU Council and nations) gave this their seal of approval, while the courts (which work to a different standard based on law) put Privacy Shield out of it's misery.

    1. Anonymous Coward
      Anonymous Coward

      Re: In other news, birds gotta fly!!

      "while the courts (which work to a different standard based on law) put Privacy Shield out of it's misery."

      Privacy shield and its predecessors have always relied on suspension of disbelief to make it as far as the basis of a legal framework for exchanging data by not asking about activities that the other party might violate carry out which would violate the agreement. The challenge is that the scope of this decision is far wider than just Facebook and other US data slurping countries - it affects all business.

      Does the EU actually implement their privacy laws and reinvent all services they currently use from non-EU countries or do we all gasp as the magician takes off his hat and pulls out the Super Privacy Safe Harbour Act out of his hat and business continues as normal?

      Workable solutions on the back of a beer mat please.

  5. Anonymous Coward
    Anonymous Coward

    More legal misdirection -- good try, but COMPLETELY BESIDE THE POINT!

    Quote: "In effect, the EU court said American spies had too much free rein to harvest EU citizens' data from US companies."

    *

    Pardon my scepticism, but who says the NSA (or their poodle in Cheltenham) isn't hacking European databases EVERY DAY OF THE WEEK?

    *

    .....never mind data transfers "from US companies"........

    *

    26 January 1999 -- Scott McNeally -- https://www.wired.com/1999/01/sun-on-privacy-get-over-it/

    *

    If you want ANY SORT OF PRIVACY...........stay away from the intenet!

    1. Woodnag

      Re: More legal misdirection -- good try, but COMPLETELY BESIDE THE POINT!

      This doesn't stop spies spying.

      This stops businesses passing private data to others (including governments).

      If data is used in a court case, it may matter how the evidence was obtained, partly in the legal admissability sense, partly because the method used to obtain may have to be disclosed... spying orgs don't like that.

      1. Malcolm Weir Silver badge

        Re: More legal misdirection -- good try, but COMPLETELY BESIDE THE POINT!

        This is exactly right. We discovered, in the post-Snowden brouhaha, that there was thriving cottage industry within the intelligence communities for fabricating plausible "sources and methods" narratives, so that information that had been gathered through dodgy channels would not reveal that the channels had been compromised, which served double-duty by allowing law enforcement to pretend that the information had not been collected with a warrant.

        I'm thinking of rows of clairvoyants with highly-tuned crystal balls advising the local cops that they were getting a vision that the merchandise was hidden sixteen paces to the north of the old oak tree...

        1. Anonymous Coward
          Anonymous Coward

          Re: More legal misdirection -- good try, but COMPLETELY BESIDE THE POINT!

          You've drifted into spying again....this isn't about espionage/counter-espionage, it's about what can be obtained/used via legal methods, typically for non-criminal cases.

          In criminal cases, asking the country in question for the same information as you may have obtained in violation of Privacy Shield will generally result in equivalent information being provided from the source country as eveyone wants a similar outcome of the bad guys being put away. If some of that evidence was gathered via covert means, distributing it to the country of origin for them to consider is still possible and if they are co-operative will likely result in sufficient non-covert evidence supporting the prosecution. i.e. ways are found to provide the information outside of Privacy Shield as mentioned by Snowden.

          In contractual disputes between countries, the cases are less black and white and government interference will probably be a bad thing.

          That covers the two extremes - if we look at more practical examples, these regualtions have allowed US companies (Apple and MS) to say no to clear overreach by US law enforcement for fishing attempts in EU hosted data as an easy shortcut to gathering evidence. While the motive may have been criminal prosecutions the justification wasn't criminal law.

          I'm not going to claim this is the perfect solution but I'm also pragmatic about the risks of more idealistic systems and the potential unintended consequences of those systems where no co-operation means one side no longer has any rules to hold it back.

          1. Woodnag

            Re: More legal misdirection -- good try, but COMPLETELY BESIDE THE POINT!

            Unfortunately surveillance isn't just about catching bad guys (oh, think of the children!), partly because the most successful criminals are protected by the status quo because they are an untouchable part of the fabric. It's about keeping tabs on those challenging the status quo (think whistleblowers), and those protesting the status quo.

  6. Mike 137 Silver badge

    "... the standard contractual clauses remain a valid tool ..."

    "The Court of Justice declared the Privacy Shield decision invalid, but also confirmed that the standard contractual clauses remain a valid tool for the transfer of personal data to processors established in third countries."

    Which is jolly funny as it was pointed out a couple of years back that the standard contractual clauses don't entirely comply with the GDPR. Not really surprising as they were defined in 2001, 2004 and 2010.

    The UK ICO wasn't interested when we pointed this out either. Yet another example of "compliance" in quotes?

  7. Cederic Silver badge

    What is the "double standard"?

    I'm confused, What's the double standard that ITIF thinks is in place?

    EU companies operating in the EU and processing personal data of EU citizens must obey GDPR.

    EU Companies operating in the US and processing personal data of EU citizens transferred from the EU must obey GDPR.

    UK companies operating in the EU and processing personal data of EU citizens must obey GDPR.

    UK Companies operating in the US and processing personal data of EU citizens transferred from the EU must obey GDPR.

    US companies operating in the EU and processing personal data of EU citizens must obey GDPR.

    US Companies operating in the US and processing personal data of EU citizens transferred from the EU must obey GDPR.

    I see no double standard going on here.

    1. Anonymous Coward
      Anonymous Coward

      Re: What is the "double standard"?

      "US Companies operating in the US and processing personal data of EU citizens transferred from the EU must obey GDPR."

      Are you sure? The EU maybe able to effectively prosecute US companies with an EU presence but that case doesn't cover all US companies.

      1. Spanners Silver badge
        Black Helicopters

        Re: What is the "double standard"?

        The EU maybe able to effectively prosecute US companies with an EU presence

        And until there is an adult in charge in the white house, every time we do, we will get lies fake news and threats tweetblasted at us for it.

        1. Anonymous Coward
          Anonymous Coward

          Re: What is the "double standard"?

          "And until there is an adult in charge in the white house, every time we do, we will get lies fake news and threats tweetblasted at us for it."

          You realise this is an ongoing saga approaching 25 years that Trump has had very little involvement in?

          Sure, try to drag him in as the cause, but it will likely create the fake news you are decrying.

    2. Jaybus

      Re: What is the "double standard"?

      I believe the "double standard" that Eline Chivot was referring to is that Trans-Atlantic data transfers are being held to a different standard that Trans-Pacific data transfers, given that China's CSL specifically gives actual ownership of the data to the Chinese government.

  8. Claptrap314 Silver badge

    Same song, second verse

    o'tta get better....

    So Safe Harbor was replaced by Privacy Shield.

    Assuming that the three letters now in play suffice, I expect the replacement for Privacy Shield to be entitled "Half Privacy".

    This is a charade played out by the EU government to placate its citizens while permitting the merry game of monetization of privacy to proceed full speed ahead. We're going to see a "really, truly better, I really, really mean it" fig leaf about three days before the deadline. Which will take two-three years to be ruled invalid.

    1. EnviableOne

      Re: Same song, second verse

      with any luck the next one will forgo the pretences and be called

      Pan -Atlantic Profits Plaster

  9. YetAnotherJoeBlow

    In the end...

    This is all just theater anyways. I mean really, do you think our respective countries will ever play by the rules? If you are a crook, you will just exchange encrypted binary blobs using a dead drop (either digital or physical.) In the end if the government wants to read all your goodies, they of course will.

    I have often wondered what would happen to Google et al if I prevented scraping - it is not that hard to do really (I mean physically - not robots.txt.) What would Google do? Start paying you maybe? Or, how about on Facebook, just posting armored ASCII between all your contacts?

  10. Potemkine! Silver badge

    Sorry ITIF

    The US IT and Innovation Foundation (ITIF), meanwhile, complained the ruling was "irresponsible"

    What is irresponsible is the way the US deals with EU citizens' data. The US can't be trusted, especially since a minority of US voters put a sinister clown in the White House.

    1. Anonymous Coward
      Anonymous Coward

      Re: Sorry ITIF

      The collapse of Safe Harbor and Privacy Shield don't have much to do with Trump. This squabble/sleight of hand/red-headed stepchild has been going on since George W. Bush was in the White House, and maybe Clinton before him. The Trump administration is just using the same playbook that everyone in office over the last 20+ years has been using.

  11. John Smith 19 Gold badge
    Gimp

    Cynicism is *the* simplest politcal doctrine

    Because it demands nothing of the adoptee.

    "We knew this was going to happen." "The courts have overturned this but the US will win" "THE PATRIOT trumps the GRPR (true)"

    Blah, blah, whine, whine.

    <rant>

    If you don't care about privacy STFU. If you do understand that politicians are mostly ignorant about anything outside politics (just like any specialist outside their chosen field in fact). Educate them. Remind them of Snowden's revelations and ask them how they'd feel if they had a fried with a deep secret (not themselves of course, politicians have no secrets) and how would they feel if that was revealed to the world? Or the "Digital Stripsearch" of UK rape victims and how "successful" that's been improving conviction rates. Fight the "We must be protected against drug dealing paedo-terrorists and their money laundering" BS. It's about privacy and the insatiable urge to acquire more data of some senior civil servants ("Give me 6 lines from an honest man and I'll find something to hang him with" is the real driver). Start talking to Americans about THE PATRIOT act and getting its sunset clauses actually ended . Probably by getting some of the more spy-friendly Congress types out of the seats on certain committees. Dianne Fienstein comes to mind immediately. And how about an age limit? Some of those (alleged) old crooks have been lining their pockets for decades.

    Data fetishism. It's not a sane policy. It's a personality disorder

    </rant>

    1. NATTtrash

      Re: Cynicism is *the* simplest politcal doctrine

      Kind of sad actually. Since (as those old enough here) know, the discussion on the "ownership of data" is actual ever since company execs figured out "what to do with this new interwebz thing" in the 90s. We all remember sessions we sat in, where it was concluded that money was made with data, so maybe the owner of that data should perhaps profit from her/ his property. In stead users (data owners) have been ushered in with narrative that the use of services is "free", carefully concealing the fact that what they give away is worth much more than what they receive. And have no control over/ are hindered excessively in determining what is in- or excluded. Then again, we should not condemn users for that though. After all, legislation determines that specific consent should be given, and a clear choice (accept/ reject) should be available without limiting "the service". So how many websites have you seen that offer just an "Accept" button? And how much is that "policed"?

    2. This post has been deleted by its author

  12. TwoSheds30619

    Spice

    The (spice) data must flow ...

    +1 for the Dune reference

  13. Anonymous Coward
    Anonymous Coward

    It's my birthday today.

    It'd make me the happiest person alive if you upvoted this post. Downvotes will make me sad, so please don't do it.

    A bit of background about me: I'm a through-and-through Trump supporter who believes he's making America great again and I'd happily shoot anyone who disagrees because that makes you a left wing commie. What else? Well I'm passionate about the great Mr Johnson getting Brexit done for you, so we can finally take back control (of the UK). I'm also pro-equality, as long as women know their place in the equality hierarchy; I think we can all agree that the only thing you get if you give a woman a job is a dirty house. I love the Register because it's one of the few right-wing IT sites the left-wing MSM hasn't yet poisoned. I'm off hunting now. Thanks for reading folks. God bless.

    1. Anonymous Coward
      Anonymous Coward

      Re: It's my birthday today.

      Have an upvote from a left-wing commie. Anon so you don't shoot me.

    2. Anonymous Coward
      Anonymous Coward

      Re: It's my birthday today.

      Have an upvote.

      About the only thing we agree on is liking the Register but its your birthday so enjoy.

  14. Anonymous Coward
    Anonymous Coward

    And so starts the Great Firewall of the EU..

    For the first time since early 1993, when I made my first http:// request, the WWW has now been broken into two separate regions, the EU (a.k.a) GDPR Land, and everyone else. There are now a lot of non-EU web-sites that are blocked from EU access because its not worth dealing with the very deliberately nasty features of GDPR. The GDPR has zero with personal privacy as understood by Anglophones. If you look at the actually prosecutions under GDPR you will see its the standard Civil Law tradition governments information control and suppression. A threat of a huge GDPR fine will soon make "uncooperative" EU jurisdiction companies cooperate with what the local government want. Looks at how the German government as been actively suppressing free speech on unsuitable subjects over the last year or two to see how it works in practice.

    GDPR gives individuals zero protection for personal privacy. At least as would be understood by Anglophones only familiar with the Common Law traditional of individual liberty. The Civil Law in its application recognizes no such right. Any such "right" is bestowed by the state purely at its discretion. To be taken away or curtailed purely when the state and its funcionaires so decide. In this case GDPR is part of the process of making EU citizens only see and post opinions that are acceptable to the government.

    Yeah, sure, you can use a VPN. But EU governments are not interested controlling the online habits of the less than 1% competent enough to use this route. They are utterly irrelevant. If the EU governments can control what the other 90% / 95% of the population see online then GDPR and the inevitable future laws will have achieved the intended goal.

    There was a very funny feature on the Norwegian NRK TV News recently showing just how little actual privacy a fully compliant GDPR legal frameworks gives. The reporter bough a bunch of datasets from a broker and was able to discover the owners of hundreds cell phones plots and their daily routine. Where they worked etc. Turned up a bunch of people who worked in very sensitive government jobs. Then there was their online viewing habits...

    Thats how much privacy protection GDPR actually gives in the real world. None. But it gives EU governments enormous power to make online companies do what they want when it comes to what is allowed to be seen online. The EU's model for control of the www is China.

    1. Anonymous Coward
      Anonymous Coward

      Re: And so starts the Great Firewall of the EU..

      If a broker had that info there is no way they are complying with GDPR. They would have zero basis for holding that information.

      The only correct statement you make is that GDPR gives no real world protection. That protection can only come from enforcement of GDPR, not the legislation itself. The ICO are unfortunately as much use as a chocolate fireguard.

      1. Anonymous Coward
        Anonymous Coward

        Re: And so starts the Great Firewall of the EU..

        Everything I wrote was factually correct and based on 35 years of very extensive experience in DNS land, 27 years in HTTP land and almost as long writing security software. Also have very direct experience of the legal realities of day to day life in a bunch of non Anglophone countries. Very different universe from Common Law countries. Not got your compulsory ID card on you, which has to be produced on demand with no reason needed, then off to the pokey for you..

        The NRK story was funny because Norway has full alignment with all relevant EU law and regs, the journalist bough the data from a UK broker, and as the minister embarrassing explained every part of the chain was GDPR compliant.

        You need to get out more and start reading the non Anglophone press. Of all political hues. Lots of very interesting stories which you will never read in the Guardian. For a start the very interesting pattern of actual prosecutions and fines under GDPR . Especially recently in the Bundesrepublik.

        1. Anonymous Coward
          Anonymous Coward

          Re: And so starts the Great Firewall of the EU..

          Hmm, residing and working (past and present) in the countries you mention, and proficient in the local languages, I doubt seriously whether you're even able to grasp what you talk about here. But then again, that's what you're trying to compensate for by casually sharing info on all those years of DNS and HTTP experience, and "very direct experience of the legal realities of day to day life in a bunch of non Anglophone countries" (whatever that qualification means) right? The only thing your comment demonstrates to me is that you have absolutely no flying clue what you're talking about and should put the lid back on that jar you're sniffing on. It's going to destroy braincells (kind assumption here). Oh, and maybe don't hang around so much in those silly-message-enhancing echo chambers. Get out more, fresh air does wonders. And if that doesn't work for you; looking at your rhetoric, you might feel more comfortable if you indeed focused on your own life and refrain for spreading your infinite wisdom to others, since we're doomed anyway.

      2. EnviableOne

        Re: And so starts the Great Firewall of the EU..

        The ICO atleast attempt to fine people within their remit.

        Unfortunatley, the large majority of US corps make their EU HQ in Ireland

        and their equivalent are yet to take any sort of enforcement action....

  15. Nematode

    Wot about FATCA?

    Yet the EU seem to have rolled over when it comes to FATCA, and in spite of the many challenges by "Accidental Americans" (Google them), are refusing to budge and willing for their own tax authorities to hand over citizens financial data to the US IRS just because they happened to be born there but never had any further connection with the US.

  16. Anonymous Coward
    Anonymous Coward

    Haters gonna hate, spies gonna spy...

    What I find so charmingly naïve about this is that so many of you think the law really makes any difference - especially those who seem to think the EU is any better than China or the USA.

    All governments are as bad as each other when it comes to spying on their enemies, their allies... and their own people.

    1. Woodnag

      Re: Haters gonna hate, spies gonna spy...

      This isn't about preventing spying. It's about who gets your private data, legally, as a matter of course.

  17. Harry Stottle

    GDPR Compliance of Major US Cloud Vendors

    Since the Reg, amongst others, spelled out the implications of the USA Cloud Act, I've been advising my own clients that if they keep any GDPR protected data on any digitally accessible platform whose provider retains access to the platform and is either American or has a legal presence on US soil, then unless the relevant data is provably encrypted with a key possessed only by themselves, they cannot claim to be GDPR compliant.

    This new ruling seems to amplify that case considerably.

    Does anyone disagree?

    1. Anonymous Coward
      Anonymous Coward

      Re: GDPR Compliance of Major US Cloud Vendors

      While I can understand your interpretation of the USA Cloud Act and understand the advice about key retention, I would question if it is "good" legal advice in a GPDR compliant jurisdiction as while one country can make laws, applying them outside their jurisdiction is difficult at best.

      If no successful application oft the USA Cloud Act for data held in a foreign jurisdiction occurs in 5 years (as an example), money spent complying with your advice would be considered wasted - if there was a successful application then a company would have to alter their position rapidly to get back within compliance but that still may be cheaper than immediate compliance. The judgement of "good advice" only occurs at some future point where it proves to protect the company - if you were to avoid the risk of any International legal agreement becoming invalid and putting your company at risk the costs of complying likely exceed the costs of doing business internationally and it wouldn't be done.

      Moving to the decision at hand, I suspect that any data for EU citizens stored in the US (or vice versa for what limited protections they have) is now breaking local data protection rules - there maybe attempted prosecutions but as long as companies show intent to correct the issues, I doubt there will be any prosecutions before the next shaky Safe Harbor/Privacy Shield replacement is in-place to continue the charade for another X years.

      We know the EU and US views of data privacy differ - but business still has to occur unless the EU wants to create their own little privacy island within the business world with all of the implications that come with it.

      1. EnviableOne

        Re: GDPR Compliance of Major US Cloud Vendors

        The EU DPB have said in their opinion (the one that counts for GDPR) if a US organisation or one with US operations is served with a warant under the CLOUD Act they will have the choice of breaching one or the other.

        basically the transfer need to pas tests under article 6 and article 49 and there are very limited cases where that may apply.

  18. StrangerHereMyself Silver badge

    The simple fact is that non-Americans have no rights in the U.S. and they will therefore use the data for whatever purpose they see fit. This simple fact took 7 years of wrangling and court-cases to uncover?

    1. Anonymous Coward
      Anonymous Coward

      "The simple fact is that non-Americans have no rights in the U.S. and they will therefore use the data for whatever purpose they see fit. This simple fact took 7 years of wrangling and court-cases to uncover?"

      7 years? I count 20 so far and a further 2 years spent developing something "acceptable" between the US and EU. Add in a further 20 years for developing a common view within the EU.

      We know the US and EU views around data protection differ significantly and that Safe Harbor/Privacy Shield are just sticking plasters over an ugly festering sore.

      The choices are isolation with no agreement, another "fake" agreement that ignores the differences and pretends everything is OK and continue to develop "minimum protections" or try and fail to get an agreement on the EU terms.

      And remember that this isn't about Facebook or Google - this is about businesses operating multinationally.

  19. david 12 Silver badge

    How is this different to EU/UK practice?

    As I understand it, "the processing of personal data by competent authorities for law enforcement purposes is outside the GDPR’s scope (e.g. the Police investigating a crime)", and National Security is exempt. In the UK and in Ireland and in the EU. How does FBI and NSA access differ from this?

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like