Final guidance on Schrems II ruling: Data from EU could be held up if a third country lets authorities access it The European Data Protection Board (EDPB) has finalised its guidance to businesses in how they should proceed following the Schrems II ruling which struck down the Privacy Shield data-sharing arrangement between the EU and the US. In its final version of the recommendations [PDF] on supplementary measures to accommodate the …
"The goal of the EDPB Recommendations is to guide exporters in lawfully transferring personal data to third countries while guaranteeing that the data transferred is afforded a level of protection essentially equivalent to that guaranteed within the European Economic Area,"
It should also be important guidance for would-be importers - IDS please note.
It never ceases to amaze me how tectonically slow the wheels of the EU move. And all the while, businesses are openly breaking the law on the grounds of “no guidance”.
It’s like all the GDPR complaints being made against the likes of googlies and faecesbook - the EU might get around to addressing the complaints this century. Maybe? Who can tell?
(disclaimer: I’m not in favour of brexit - it’s a shit storm. And the UK gov (of whatever colour) is just as bad as the EU)
Cue the replacement of Privacy Shield with something else just as feeble so normal business can be resumed for a few more years whilst Schrems III, or whatever it will be called, grinds glacially slowly through the system.
Safe Harbor is going to have more sequels than Harry Potter and the Sorcerer's Stone.
> How long has this been going on?
> It never ceases to amaze me how tectonically slow the wheels of the EU move. And all the while, businesses are openly breaking the law on the grounds of “no guidance”.
According to the sidebar to the article, Privacy Shield was struck down approximately one year ago. Therefore it as taken about 1 year to provide this guidance.
Yes, but it took several years to reach the point of Privacy ShieldFigleaf getting struck down. As already pointed out, we can look forward to another version, which is patently unfit but will keep the data moving for another few years while a Shrems III case grinds it's way through the system.
Now, what it needs is for a case to be brought which punishes ${somescapegoat} for data transfers which broke the law - even if it was within the guidelines at the time or even the Safe Harbour, Privacy ShieldFigleaf, whatever the current incarnation is. Because as long as people can get away with breaking the law simply because they can point at something official that says acting illegally is legal, then it'll carry on.
The thing is, the law is the law, and it's fairly clear. Guidance is just that, agreements are just that - in theory they cannot over-ride the law.
Trouble is, for it to send a real message, somescapegoat needs to be one of the big "professional criminal" type organisations like Faecesborg - but they have the wherewithal to fight things all the way. In practice, it would be some small outfit that can't afford the legal clout to truly look behind what they are being sold by the big outfits.
We're looking at you, Uncle Sam
And, presumably, Boris?
Even with the current UK GDPR law (let alone its proposed replacement), legislation in the UK allows authorities to access data transferred from the EU. Although this may not have been a problem when we were in the EU, as we are now a third country presumably the UK falls foul of this EDPB ruling.
Have I missed something?
No, the UK implementation of the EU GDPR was never compliant and was sent back to Parliament on several occasions for rectification.
But, now that the UK has left the EU, they will have to repair the UK Data Protection act to be compliant with GDPR, if they want to continue processing EU data. They have the same responsibilities as any other country vying for the processing and storage of EU sourced data. If the US can be told to go screw, I doubt they will have any problems telling the UK the same thing, if they fail to tighten up DP, let alone make it more lax.
I imagine the Brexit headbangers see it differently - we were now Global Britain, so no more imports of crappy second rate European data made under restrictive EU rules, but instead making and exporting our own world-beating British data across the planet in a series of lightning trade deals from Azerbaijan to Zimbabwe.
After all, they didn't mind screwing over the farmers, the fishermen, the car manufacturers, the fresh food exporters, the Northern Irish, the students, every SME that exports to Europe, the haulage industry, EU citizens living in the UK and UK citizens living in the EU, so I don't see British companies that process EU data getting any special treatment.
The only surprise is that there is anyone left to vote for them.
Problem is that you cant really use encryption and still do any meaningful processing - except perhaps cloud storage - but good luck even indexing that.
The guidance is a dreamland - generated by eurocrats to avoid having to give explicit permission for data transfers to the US by putting the liability on the EU companies using the services.
Schrems has managed to put GPDR into a hole. There really is no way for a company in the EU to legally transfer personal data to the US. That includes US companies with a presence here. You can have SCCs with Assessments or BCRs - any are overridden by FISA.
So, the companies will break the law - The EU will fine those companies which are the lowest hanging fruit - web-marketing/social media etc....but everyone will do it. - from Ford to Heinz.
There is a saying
Everone pisses in the pool - only the caught piss from the diveing board.
It is worse than that. You can't use a cloud provider storing your data in the EU, if they also have a presence, let alone HQ, in the USA... With FISA or the CLOUD Act, the US Government has said it is irrelevant where the data is stored, if the company storing the data has any offices or employees in the USA, the data is within the US jurisdiction.
Hence the scramble for data centres with local owners, with no ties to the US cloud providers. The US cloud provider has servers in the facility, but they are controlled and maintained by a local third party and the US cloud provider has no administrative access or authority over the data stored there.
It is more complex and less flexible than a US-owned cloud service, which can move the data around willy-nilly, but it at least tries to provide a backstop for EU companies wanting to take advantage of cloud services. It is either that or use home grown cloud services.
Even that only goes half way under the GDPR.
You cant use Azure/Google Docs /Oracle- even if you agree for hosting within the EU.
Strictly speaking, you shiouldnt use ANY work phone for processing PI - including email or contact lists - None are meaningfully made in the EU either the phones or the OS.
The data a windows server sends back to the mothership put that in a problematic state too....
Its all very well to say 'just use linux' - but each software processing PI should be assessed for any data transfer - for the vast majority of companies with real life LOB systems its impractical to do in reality..
If there are connections (vendors, services or sub-sub contractors!) to any other country without an adequacy decision, then you (the company/DPO) needs to assess whatever PI they might be processing and that countries DP laws - and all others !
how in the name of sweet bejesus are you meant to do that?
Something I only learned recently: seems Denmark's been flogging ALL ex-EU traffic to the NSA since possibly the mid 90s.
So if anyone's primarily worried about NSA access, it's all a bit academic. If it leaves EU for ANY jurisdiction, they've got it.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
