Slashdot Mirror


EU High Court To Review US-EU Data Safe Harbor Agreement

jfruh (300774) writes with news that a complaint in Irish Court against Facebook for possibly sharing personal data of EU citizens with the NSA has escalated to the European Court of Justice which will review the continuance of the U.S./EU Safe Harbor Framework in light of PRISM. Under European laws, personal data of EU citizens can't be transferred to countries that don't meet EU standards for data protection. The U.S. doesn't meet those standards, but American companies have worked around this by using EU standards for the data of European citizens, even that data stored on servers outside of Europe. Now the EU's highest court will decide if this workaround is good enough — especially in light of revelations of the NSA's Prism data-mining program.

17 of 60 comments

  1. It's not. But neither is the EU protection by Opportunist · · Score: 2, Insightful

    Considering that the USA don't even need it but could essentially siphon the data directly from European countries with the aid of European governments... does it really matter?

    That's essentially pondering whether the front door should be locked when the back door is opened from the inside by those we employ to guard it.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    1. Re:It's not. But neither is the EU protection by Anonymous Coward · · Score: 2, Informative

      What does it matter?... It would basically make it impossible for Facebook and Google to send user data to non-EU datacenters, and that means that the company and EU-side workers will be liable if EU customer data is siphoned off at those non-EU datacenters. Basically they can no longer hide behind the safe harbor framework.

      About the GCHQ/etc sucking up all our data as it moves between datacenters... well that comes under the requirement that the companies keep private data safe. That's another lawsuit for another time.

    2. Re:It's not. But neither is the EU protection by Luckyo · · Score: 3, Interesting

      It means you only need to build that fourth wall, instead of third and fourth.

    3. Re:It's not. But neither is the EU protection by Xest · · Score: 3, Insightful

      Plus it seems pretty clear that GCHQ is in breach of the Data Protection Act in the UK, which makes allowance for law enforcement, but obviously by harvesting all data GCHQ goes beyond that. The specific exemptions in law are:

      - the prevention or detection of crime;
      - the capture or prosecution of offenders; and

      Obviously harvesting data of innocent non-crime committing people achieves neither of these things. Which is why I suspect GCHQ's acts won't survive subsequent court challenges anyway - even if they succeed in national courts, they'll get slapped down at European level as whilst the creation of the UK's supreme court has created a puppet for parliament in the judiciary they still have no way of manipulating the European Court of Justice.

      So it's a multi-pronged approach. Saying "Well there's no point fixing this, because that is broken" is stupid when "that" is also being targeted for fixing also. As you imply, just because there's more than one issue doesn't mean we should deal with none of them, it just means they have to be dealt with as separate cases.

    4. Re:It's not. But neither is the EU protection by Megol · · Score: 2

      Yeah. Except that isn't true. Unlike in the US and most other countries the EU have strict laws about gathering and sharing information and many countries have even stricter local laws. The EU also thinks personal privacy should be protected (within reasonable limits). Some countries even require registration before storing public information into databases, that is non-sensitive, non-secret data. Why? Because using a lot of public data cross referenced with each other can be used to extract patterns hinting to other things that are either private or secret. It is a whole world of difference in just this view on data.

      The big problem is in the "mini-me" of the US - the UK. And even there the really big problems are most likely done by intelligence people breaking local laws. The problem is that the UK (like their idol US) have things like secret trials and a long experience in covering up severe crimes of the intelligence service and other departments.

  2. I can see why they didn't investigate by timrod · · Score: 4, Insightful

    The decision by the Irish DPC not to investigate makes perfect sense - this case is essentially all politics, and nothing more. The finding is inevitably going to be that the existence of the NSA violates European data privacy laws, but there really isn't a whole lot the EU could do about it - they can't tell the US to shut down the NSA, and they can't revoke the ability of non-EU servers to host EU data without effectively creating a second Great Firewall. Nothing can ultimately be done about it, and so the only real result would be this "Europe-v-Facebook" group scoring some political points.

    1. Re:I can see why they didn't investigate by i kan reed · · Score: 3, Interesting

      You can punish the hell out of a perpetrator of the crime (assuming they have presence in the EU). That's what's being considered. Giving companies that have business in the EU pause about mindlessly toadying to US government organizations.

    2. Re:I can see why they didn't investigate by Sique · · Score: 3, Interesting

      It could give all the European intelligence agencies cold feet for cooperating with the NSA. It could give all the citizens angry about the constant surveillance and the nonchalance of their politicians about it a boost. It makes everyone liable who gives material support to the NSA from within the E.U., which in turn makes life miserable for David Cameron and the GCHQ.

      --
      .sig: Sique *sigh*
    3. Re:I can see why they didn't investigate by timrod · · Score: 2

      If that were the case, this "Europe-v-Facebook" group should have gone after GCHQ, which is in an EU member nation and which is under the jurisdiction of the EU high courts. Heck, they could even make the exact same case: GCHQ collects data on EU citizens on the grounds that if they use any service located outside of the EU it counts as foreign, and sends some of that data to the NSA, who undoubtedly do not have the required EU privacy regulations in place. The EU courts could then regulate GCHQ and other EU intelligence agencies and force them to cease cooperation with the NSA, which would likely be a major blow to their global surveillance plans.

      They probably won't do that, because if they did, GCHQ would likely send representatives to the court and fight it, which would cost tons of money and result in a prolonged legal battle even if GCHQ is ultimately in the wrong. It would also result in fewer political points for the group bringing the suit, because GCHQ would no doubt counter with a wave of "Mass surveillance is necessary to keep the citizens of the United Kingdom, and by proxy all of the EU member nations, safe from terrorism. Any attempt to regulate us might result in secrets leaking and allow terrorists to harm EU citizens", and some people are going to agree with that, as misguided as it is.

      In contrast, the NSA is an easy target - they won't care because they know full well the EU can do absolutely nothing to stop them directly. They probably wouldn't even acknowledge legitimacy by sending someone to represent them.

      There were better ways to do this, but this group picked the route that would help them the most politically rather than potentially bring about reform.

    4. Re:I can see why they didn't investigate by Charliemopps · · Score: 5, Informative

      They could fine Facebook until they hosted European data in Europe. If they refused they could seize their assets, and deny them revenue from European companies. The end result being that Facebook and other companies like them would go screaming mad to Congress. So yes, there's plenty that could be done.

  3. Re:At what point by Sique · · Score: 4, Interesting

    To what end? That means that they can't use the Irish tax havens anymore. That means that they have no footing if they want to sue. That means that even mediocre European companies will eat their marketshare because they are present in the E.U. And if the sales company in the E.U. sues them for falsely representing the actual handling of the data, they aren't off the hook either.

    Yes, a U.S.-based company could avoid the fallout. But is it worth it?

    --
    .sig: Sique *sigh*
  4. Stopping this would stop snooping in the UK too. by Hammeh · · Score: 3, Informative

    It was announced this week that GCHQ don't need permission to snoop on UK citizens' activity when the services being used are located abroad as they class it as "external communication" (for the likes of Facebook, Twitter and Google). It wouldn't surprise me in the light of recent events, if the UK government back this plan, to only turn around and say, "Yes you need to keep the data in Europe, but we don't want it here." just so they can continue to *legally* spy on the people via this "external" (overseas) communication loophole.

  5. The problem with safe harbor by L-One-L-One · · Score: 3, Interesting

    With the safe harbour agreement American companies basically "promise" to follow some rules related to privacy, which are compatible with European values. But to make such an approach effective, someone has to verify that the "promises" are real and eventually impose sanctions if they are not. That someone is -- in theory -- the FTC.

    The problem with safe harbor is that it has been very weakly enforced. In the first decade since it was created, there has been no real enforcement action that I've heard of. This gives the impression that Safe Harbor is pretty toothless. FTC has only recently (2014) begun to enforce this framework, because Europeans threatened to abandon it.

    1. Re:The problem with safe harbor by Alain Williams · · Score: 2

      The trouble is that Facebook et al are subject to the Patriot Act - this means that all the govt of the USA needs to do is say "give me this data" and they have to do it. The data can be anywhere in the world, if they can access it they need to give it to the NSA/... upon demand and can be stopped from telling anyone what they have done.

      This could result in these companies being put into an impossible position where they have to meet conflicting demands both of which they must absolutely obey. The only way that they will survive is to lie, either "we do not have the data" or "we did not give it away". I suspect that the NSA will, at least initially, win this and they will just lie to tell the EU regulators "we did not give it away".

    2. Re:The problem with safe harbor by Jahta · · Score: 3, Informative

      The trouble is that Facebook et al are subject to the Patriot Act - this means that all the govt of the USA needs to do is say "give me this data" and they have to do it. The data can be anywhere in the world, if they can access it they need to give it to the NSA/... upon demand and can be stopped from telling anyone what they have done.

      No, the trouble is that the jurisdiction of the Patriot Act (and all other US laws) ends at the US border; regardless of what agencies like the NSA like to believe. If US companies won't (or feel they can't) abide by the laws of the foreign countries in which they trade, then they'll just have to stop trading in those countries.

      The economic impact on US tech companies of Prism, the Patriot Act, etc. is not exactly news; NSA's Prism Could Cost U.S. Cloud Companies $45 Billion - InformationWeek.

    3. Re:The problem with safe harbor by Jahta · · Score: 3, Insightful

      No, the trouble is that the jurisdiction of the Patriot Act (and all other US laws) ends at the US border; regardless of what agencies like the NSA like to believe.

      Got bad news for you. It is NOT illegal for the NSA to spy on foreigners.

      Any more than it is illegal for the espionage agencies in your country to spy on foreigners.

      That is, in fact, what espionage agencies are for - to spy on people.

      Got bad news for you. While the activities of the NSA may be technically legal *inside* the US, they are certainly not legal anywhere *outside* the US. The same is true in reverse; the US certainly doesn't operate a "live and let live" policy towards foreign espionage agencies operating inside its borders.

      In any event, the point here is that US companies operating in foreign countries can't use the Patriot Act (or any other US law) as an excuse for flouting local laws. The personal data of EU citizens is protected under EU law. If US companies want to do business in Europe then they must abide by those laws.

      The US wouldn't tolerate foreign companies breaking US law in America. What makes you think other countries should tolerate US companies breaking their laws?

  6. Re:At what point by Poeli · · Score: 5, Insightful

    And leave behind a 500M people market? Abandon all their current contracts and cloud services? I don't think so. The EU is the second biggest market after China.

    Even if they do, several European companies will quickly fill the void (like in China) and the USA-based companies will have an extra couple of competitors in the world.