Slashdot Mirror

← Back to Stories (view on slashdot.org)

EU Court of Justice Declares US-EU Data Transfer Pact Invalid

Posted by timothy on from the clashing-visions dept.

Sique writes: Europe's highest court ruled on Tuesday that a widely used international agreement for moving people's digital data between the European Union and the United States was invalid. The decision, by the European Court of Justice, throws into doubt how global technology giants like Facebook and Google can collect, manage and analyze online information from their millions of users in the 28-member bloc. The court decreed that the data-transfer agreement was invalid as of Tuesday's ruling. New submitter nava68 adds links to coverage at the Telegraph; also at TechWeek Europe. From TechWeek Europe's article: The ruling was the court’s final decision in a data-protection case brought by 27-year-old Austrian law student Max Schrems against the Irish data protection commissioner. That case, in turn, was spurred by Schrems’ concerns over the collection of his personal data by Facebook, whose European headquarters is in Ireland, and the possibility that the data was being handed over to US intelligence services.

7 of 205 comments (clear)

  1. Re:This ruling won't fix anything by Intrepid+imaginaut · · Score: 3, Interesting

    If they're forced to hand over the data they won't be in business in the EU for long, which considering the enormous size and wealth of the EU is going to hurt any company badly, so I guess they'll have to open seperate competing European branches. Either that or the US government is going to have to play nice with the rest of the world.

  2. Laughable by Crashmarik · · Score: 1, Interesting

    If you take this at face value the best result will be less security for everyone's data, as there will be more vectors to attack to access it.

    If you look at what the real motivation is, namely the EU trying once again to shake down google and facebook, modest bribes will rectify the problem.

  3. Re:Obvious ruling by Anonymous Coward · · Score: 3, Interesting

    It is really worse than that. Don't forget those court cases (Microsoft is involved in one now) where the US Justice Department believes (and the courts seem to agree so far) that data from email stored in Ireland can be handed over to the US government simply because Microsoft owns the servers and the US can then compel Microsoft to expatriate the data to the US. This seems ridiculous on the face of it - but it shows that there is more to your statement about saying that Google, Facebook, Twitter, Microsoft, etc. need to have data centers in EU countries. They would still fall afoul of this since the US seems to think that they can just take the data by hounding the company. In order to fully comply and protect people, these companies will likely need to form business relationships with wholly owned in Europe companies to host data for them and for the US based companies to have absolutely no control over the servers. This will disrupt things like cloud service update plans ("we are rolling out an update to all users now, except in Europe where our business partners will do it next week").

  4. Re:This ruling won't fix anything by PolygamousRanchKid+ · · Score: 5, Interesting

    I don't have any problems with the US spooks asking an EU spook for the data from a specific suspected Muslim terrorist. The EU spook would probably comply, due to sharing agreements that are already in place.

    However, what the NSA does, is to simply harvest anything they want from anyone. I am not comfortable with that. And I don't believe an EU spook would set up a system enabling such universal access. If the EU spook can say the data was harvested outside the EU by the NSA, the EU spook has no problems. If the EU spook enables harvesting . . . we will see the EU spook in court.

    Note that Snowden's revelations did not result in any legal action in the US, despite that the NSA is clearly violating the law. This decision by the EU court is the only legal action that I know of.

    --
    Schroedinger's Brexit: The UK is both in and out of the EU at the same time!
  5. Re:Obvious ruling by Zocalo · · Score: 3, Interesting

    Google, Facebook, Twitter, Microsoft, and most of the other cloud computing services, already *have* data centres in the EU, so they can get into full compliance "simply" by ensuring that no applicable EU citizen data leaves those data centres. In Microsoft's case this is probably excellent news since they now have another argument they can use to avoid the US DoJ's attempts to compel them to hand over emails they have in their Dublin DC. It's the smaller US companies that are probably going to take the brunt of this - the one that don't currently have any servers in the EU.

    It's probably a good day to be a CoLo provider with spare capacity in the EU...

    --
    UNIX? They're not even circumcised! Savages!
  6. Re:This ruling won't fix anything by gstoddart · · Score: 5, Interesting

    Simply keeping the data in the EU won't fix anything so long as that data is still being held by US controlled entities, as those entities will still be forced to hand over the data regardless of where it is (lets face it, Microsofts battle against that particular issue is destined to fail).

    And then those entities will be in violation of EU law, and will end up paying massive fines or other penalties ... which would hopefully be severe. So severe as to cripple the companies.

    See, no matter what the US believes, they can't trump the EU law. So if Microsoft's battle to not hand over this data fails, Microsoft in Europe will fail. It really is that simple.

    And at the end of the day, the corporations are going go realize they can't jeopardize their revenue by pulling out of those markets.

    The US doesn't get to pass laws which trump local laws any more than Iran does. And the US can't exempt those entities from local laws, which means this will come down to corporate self interest versus a government who feels it is entitled to collect this information.

    So the bottom line is: too damned bad for the US, because once Microsoft in Europe starts getting fined billions of dollars and people start getting thrown in jail, they're very quickly going to realize they can't do it.

    It really is about time the world tells the US that our privacy and legally protected rights don't take a back seat to US security interests. We don't give a shit what the US wants.

    --
    Lost at C:>. Found at C.
  7. Re:Obvious ruling by Xest · · Score: 4, Interesting

    "It's the smaller US companies that are probably going to take the brunt of this - the one that don't currently have any servers in the EU."

    Actually I'm not sure that that's the case. If a company operates only in the US (e.g. is headquartered there, only makes money there, only has staff there), but an EU citizen gives them their data, then the EU citizen is effectively accepting that their data will be held under the US' weaker data protection regime.

    The problem here is that Google, Facebook et. al have set up European subsidiaries for tax dodging purposes and so EU citizens are interacting with EU subsidiaries who are held to EU data protection standards. Those subsidiaries cannot make the decision for users to send their data to weaker data protection regimes - only the users themselves can opt to do that.