EU High Court To Review US-EU Data Safe Harbor Agreement

jfruh (300774) writes with news that a complaint in Irish Court against Facebook for possibly sharing personal data of EU citizens with the NSA has escalated to the European Court of Justice which will review the continuance of the U.S./EU Safe Harbor Framework in light of PRISM. Under European laws, personal data of EU citizens can't be transferred to countries that don't meet EU standards for data protection. The U.S. doesn't meet those standards, but American companies have worked around this by using EU standards for the data of European citizens, even that data stored on servers outside of Europe. Now the EU's highest court will decide if this workaround is good enough — especially in light of revelations of the NSA's Prism data-mining program.

I can see why they didn't investigate

[timrod]

The decision by the Irish DPC not to investigate makes perfect sense - this case is essentially all politics, and nothing more. The finding is inevitably going to be that the existence of the NSA violates European data privacy laws, but there really isn't a whole lot the EU could do about it - they can't tell the US to shut down the NSA, and they can't revoke the ability of non-EU servers to host EU data without effectively creating a second Great Firewall. Nothing can ultimately be done about it, and so the only real result would be this "Europe-v-Facebook" group scoring some political points.

Re:I can see why they didn't investigate

[i+kan+reed]

You can punish the hell out of a perpetrator of the crime(assuming they have presence in the EU). That's what's being considered. Giving companies that have business in the EU pause about mindlessly toadying to US government organizations.

Re:I can see why they didn't investigate

[Sique]

It could give all the european intelligence agencies cold feet for cooperating with the NSA. It could give all the citizens angry about the constant surveillance and the nonchalance of their politicians about it a boost. It makes everyone liable who gives material support to the NSA from within the E.U., which in turn makes the life miserable for David Cameron and the GCHQ.

Re:I can see why they didn't investigate

[Charliemopps]

They could fine Facebook until they hosted European data in Europe. If they refused they could seize their assets, and deny them revenue from European companies. The end result being that facebook and other companies like them would go screaming mad to congress. So yes, there's plenty that could be done.

Re:At what point

[Sique]

To what end? That means that they can't use the irish tax havens anymore. That means that they have no footing if they want to sue. That means that even mediocre european companies will eat their marketshare because they are present in the E.U.. And if the sales company in the E.U. sues them for falsely representing the actual handling of the data, they aren't off the hook either.

Yes, an U.S. based company could avoid the fallout. But is it worth it?

Stopping this would stop snooping in the UK too.

[Hammeh]

It was announced this week that GCHQ don't need permission to snoop on UK citizen's activity when the services being used are located abroad as they class it as "external communication" (for the likes of Facebook, Twitter and Google). It wouldn't surprise me in the light of recent events, if the UK government back this plan, to only turn around and say, "Yes you need to keep the data in Europe, but we don't want it here." just so they can continue to *legally* spy on the people via this "external" (overseas) communication loophole.

The problem with safe harbor

[L-One-L-One]

With the safe harbour agreement american companies basically "promise" to follow some rules related to privacy, which are compatible with European values. But to make such an approach effective, someone has to verify that the "promises" are real and eventually impose sanctions if they are not. That someone is -- in theory -- the FTC.

The problem with safe harbor is that it is been very weakly enforced. In the first decade since it was created, there has been no real enforcement action that I've heard of. This gives the impression that Safe Harbor is pretty toothless. FTC has only recently (2014) began to enforce this framework, because Europeans threatened to abandon it.

Re:The problem with safe harbor

[Jahta]

The trouble is that facebook et al are subject to the patriot act - this means that all the govt of the USA needs to do is say ''give me this data'' and they have to do it. The data can be anywhere in the world, if they can access it they need to give it to the NSA/... upon demand and can be stopped from telling anyone what they have done.

No, the trouble is that the jurisdiction of the Patriot Act (and all other US laws) ends at the US border; regardless of what agencies like the NSA like to believe. If US companies won't (or feel they can't) abide by the laws of the foreign countries in which they trade, then they'll just have to stop trading in those countries.

The economic impact on US tech companies of Prism, the Patriot Act, etc. is not exactly news; NSA's Prism Could Cost U.S. Cloud Companies $45 Billion - InformationWeek.

Re:The problem with safe harbor

[Jahta]

No, the trouble is that the jurisdiction of the Patriot Act (and all other US laws) ends at the US border; regardless of what agencies like the NSA like to believe.

Got bad news for you. It is NOT illegal for the NSA to spy on foreigners.

Any more than it is illegal for the espionage agencies in your country to spy on foreigners.

That is, in fact, what espionage agencies are for - to spy on people.

Got bad news for you. While the activities of the NSA may be technically legal *inside* the US, they are certainly not legal anywhere *outside* the US. The same is true in reverse; the US certainly doesn't operate a "live and let live" policy towards foreign espionage agencies operating inside its borders.

In any event, the point here is that US companies operating in foreign countries can't use the Patriot Act (or any other US law) as an excuse for flouting local laws. The personal data of EU citizens is protected under EU law. If US companies want to do business in Europe then they must abide by those laws.

The US wouldn't tolerate foreign companies breaking US law in America. What makes you think other countries should tolerate US companies breaking their laws?

Re:It's not. But neither is the EU protection

[Luckyo]

It means you only need to build that fourth wall, instead of third and fourth.

Re:At what point

[Poeli]

And leave behind a 500M people market? Abandon all their current contract and cloud services? I don't think so. The EU is the second biggest market after China.

Even if they do, several European companies will quickly fill the void (like in China) and the USA based companies will have an extra couple of competitors in the world.

Re:It's not. But neither is the EU protection

[Xest]

Plus it seems pretty clear that GCHQ is in breach of the Data Protection Act in the UK, which makes allowance for law enforcement, but obviously by harvesting all data GCHQ goes beyond that. The specific exemptions in law are:

- the prevention or detection of crime;
- the capture or prosecution of offenders; and

Obviously harvesting data of innocent non-crime committing people achieves neither of these things. Which is why I suspect GCHQ's acts wont survive subsequent court challenges anyway - even if they succeed in national courts, they'll get slapped down at European level as whilst the creation of the UK's supreme court has created a puppet for parliament in the judiciary they still have no way of manipulating the European Court of Justice.

So it's a multi-pronged approach. Saying "Well there's no point fixing this, because that is broken" is stupid when "that" is also being targeted for fixing also. As you imply, just because there's more than one issue doesn't mean we should deal with none of them, it just means they have to be dealt with as separate cases.