Slashdot Mirror

← Back to Stories (view on slashdot.org)

EU Court of Justice Declares US-EU Data Transfer Pact Invalid

Posted by timothy on from the clashing-visions dept.

Sique writes: Europe's highest court ruled on Tuesday that a widely used international agreement for moving people's digital data between the European Union and the United States was invalid. The decision, by the European Court of Justice, throws into doubt how global technology giants like Facebook and Google can collect, manage and analyze online information from their millions of users in the 28-member bloc. The court decreed that the data-transfer agreement was invalid as of Tuesday's ruling. New submitter nava68 adds links to coverage at the Telegraph; also at TechWeek Europe. From TechWeek Europe's article: The ruling was the court’s final decision in a data-protection case brought by 27-year-old Austrian law student Max Schrems against the Irish data protection commissioner. That case, in turn, was spurred by Schrems’ concerns over the collection of his personal data by Facebook, whose European headquarters is in Ireland, and the possibility that the data was being handed over to US intelligence services.

29 of 205 comments (clear)

  1. Obvious ruling by Anonymous Coward · · Score: 5, Insightful

    The court simply stated what looks obvious to anyone in good faith: if you do business in a country, you have to abide by the local laws. And given Snowden's revelations, it's purely ridiculous to claim that privacy rights can be respected if foreign data are stored in the US.

    So google, facebook, twitter, microsoft, cloud computing services, etc... will have to open their wallets and create data centers inside single EU countries. Otherwise GTFO.

    Technology must respect the law, not the other way around. Sorry billionaire nerds.

    1. Re:Obvious ruling by Anonymous Coward · · Score: 3, Interesting

      It is really worse than that. Don't forget those court cases (Microsoft is involved in one now) where the US Justice Department believes (and the courts seem to agree so far) that data from email stored in Ireland can be handed over to the US government simply because Microsoft owns the servers and the US can then compel Microsoft to expatriate the data to the US. This seems ridiculous on the face of it - but it shows that there is more to your statement about saying that Google, Facebook, Twitter, Microsoft, etc. need to have data centers in EU countries. They would still fall afoul of this since the US seems to think that they can just take the data by hounding the company. In order to fully comply and protect people, these companies will likely need to form business relationships with wholly owned in Europe companies to host data for them and for the US based companies to have absolutely no control over the servers. This will disrupt things like cloud service update plans ("we are rolling out an update to all users now, except in Europe where our business partners will do it next week").

    2. Re:Obvious ruling by rmdingler · · Score: 4, Insightful

      And given Snowden's revelations, it's purely ridiculous to claim that privacy rights can be respected if foreign data are stored in the US.

      It's pretty ridiculous to claim privacy rights can be respected with regard to personal information stored anywhere.

      Do you reasonably suspect the surveillance powers will have any problem crossing imaginary lines in the dirt?

      --
      Happiness in intelligent people is the rarest thing I know.

      Ernest Hemingway

    3. Re:Obvious ruling by pnutjam · · Score: 2

      Just wait, the TPP will strip.. er... I mean standardize all privacy rights.

      --
      Cheap storage VM.
    4. Re:Obvious ruling by Zocalo · · Score: 3, Interesting

      Google, Facebook, Twitter, Microsoft, and most of the other cloud computing services, already *have* data centres in the EU, so they can get into full compliance "simply" by ensuring that no applicable EU citizen data leaves those data centres. In Microsoft's case this is probably excellent news since they now have another argument they can use to avoid the US DoJ's attempts to compel them to hand over emails they have in their Dublin DC. It's the smaller US companies that are probably going to take the brunt of this - the one that don't currently have any servers in the EU.

      It's probably a good day to be a CoLo provider with spare capacity in the EU...

      --
      UNIX? They're not even circumcised! Savages!
    5. Re:Obvious ruling by Xest · · Score: 4, Interesting

      "It's the smaller US companies that are probably going to take the brunt of this - the one that don't currently have any servers in the EU."

      Actually I'm not sure that that's the case. If a company operates only in the US (e.g. is headquartered there, only makes money there, only has staff there), but an EU citizen gives them their data, then the EU citizen is effectively accepting that their data will be held under the US' weaker data protection regime.

      The problem here is that Google, Facebook et. al have set up European subsidiaries for tax dodging purposes and so EU citizens are interacting with EU subsidiaries who are held to EU data protection standards. Those subsidiaries cannot make the decision for users to send their data to weaker data protection regimes - only the users themselves can opt to do that.

    6. Re:Obvious ruling by NostalgiaForInfinity · · Score: 2

      And given Snowden's revelations, it's purely ridiculous to claim that privacy rights can be respected if foreign data are stored in the US.

      If a European stores his data on a US computer, yes, the NSA may snoop on it. If you store it on a European computer, European governments will snoop on it, guaranteed. Who do you think is more likely to cause problems for you, the NSA or your own government? Which government actually has jurisdiction over you?

      So google, facebook, twitter, microsoft, cloud computing services, etc... will have to open their wallets and create data centers inside single EU countries.

      Yes, protectionism is one reason the EU is pushing so much for this. The other reason is to keep the online data of Europeans in Europe where it is easily accessible to European spy and law enforcement agencies.

      Otherwise GTFO.

      They may do that. Of course, that doesn't mean Europeans will stop using their services.

    7. Re:Obvious ruling by tnk1 · · Score: 2

      It is a problem if the US business has EU customers. Not that the US business can be sued, but the EU customer may be a business itself, who then is sued by their employees if the personal data is removed from the EU.

      That means that the EU businesses might be forced to drop US businesses if they can't comply or open a European subsidiary.

  2. This ruling won't fix anything by Richard_at_work · · Score: 5, Insightful

    Simply keeping the data in the EU won't fix anything so long as that data is still being held by US controlled entities, as those entities will still be forced to hand over the data regardless of where it is (lets face it, Microsofts battle against that particular issue is destined to fail).

    The only real way this is going to be solved is to force all EU data to be stored by entities that are not owned or controlled by a non-EU entity. Which means Amazon SaRL will be unconnected to Amazon.com and effectively competing against each other.

    1. Re:This ruling won't fix anything by Intrepid+imaginaut · · Score: 3, Interesting

      If they're forced to hand over the data they won't be in business in the EU for long, which considering the enormous size and wealth of the EU is going to hurt any company badly, so I guess they'll have to open seperate competing European branches. Either that or the US government is going to have to play nice with the rest of the world.

    2. Re:This ruling won't fix anything by currently_awake · · Score: 4, Insightful

      You don't understand how this works. The NSA will ask their Euro allies to get the data for them, therefore ensuring continued access.

    3. Re:This ruling won't fix anything by locofungus · · Score: 2

      Simply keeping the data in the EU won't fix anything so long as that data is still being held by US controlled entities, as those entities will still be forced to hand over the data regardless of where it is>

      NO! This isn't the case.

      What each entity will have to do is separately agree contracts with the relevant data protection registrar (default contracts exists) as to how they will protect that data.

      Those contracts will have "get outs" for providing data to law enforcement under warrant. What will be prevented is the wholesale transfer of data to other parties the US. This was supposed to have been prevented anyway - the companies self certified that they were abiding by the relevant EU data protection laws - that data would only be used for the purpose it was gathered for and, if it was passed on to any other parties, those parties would be contractually obligated to follow the same terms.

      What this ruling has said is that the "safe harbour" self-certifying regime is not sufficient for data being sent to the US and companies will have to agree individual contracts (with legal and financial consequences if they then violate them)

      For the big operators this isn't going to be such a big deal anyway (unless they're secretly handing everything over to the NSA when it will hurt if/when that is uncovered) but it's going to be a right royal pain for smaller companies that may, for example, export payroll data to the US head office for processing.

      Furthermore, there's no problem with EU citizens exporting their data to the US - so buying things on a US website, giving name address etc, won't be a problem UNLESS that company operates its servers in the EU. The EU data protection directive basically restricts what OTHERS can do with an individuals personal information to that which is strictly required to complete whatever process it was gathered for.

      --
      God said, "div D = rho, div B = 0, curl E = -@B/@t, curl H = J + @D/@t," and there was light.
    4. Re:This ruling won't fix anything by PolygamousRanchKid+ · · Score: 5, Interesting

      I don't have any problems with the US spooks asking an EU spook for the data from a specific suspected Muslim terrorist. The EU spook would probably comply, due to sharing agreements that are already in place.

      However, what the NSA does, is to simply harvest anything they want from anyone. I am not comfortable with that. And I don't believe an EU spook would set up a system enabling such universal access. If the EU spook can say the data was harvested outside the EU by the NSA, the EU spook has no problems. If the EU spook enables harvesting . . . we will see the EU spook in court.

      Note that Snowden's revelations did not result in any legal action in the US, despite that the NSA is clearly violating the law. This decision by the EU court is the only legal action that I know of.

      --
      Schroedinger's Brexit: The UK is both in and out of the EU at the same time!
    5. Re:This ruling won't fix anything by rmdingler · · Score: 2

      You don't understand how this works. The NSA will ask their Euro allies to get the data for them, therefore ensuring continued access.

      Full Disclosure: Optimistic USian here, still behind prodding my government back to a place worthy of repect in the World...

      but, if we don't improve out international reputation, we won't long have as many European allies.

      --
      Happiness in intelligent people is the rarest thing I know.

      Ernest Hemingway

    6. Re:This ruling won't fix anything by gstoddart · · Score: 5, Interesting

      Simply keeping the data in the EU won't fix anything so long as that data is still being held by US controlled entities, as those entities will still be forced to hand over the data regardless of where it is (lets face it, Microsofts battle against that particular issue is destined to fail).

      And then those entities will be in violation of EU law, and will end up paying massive fines or other penalties ... which would hopefully be severe. So severe as to cripple the companies.

      See, no matter what the US believes, they can't trump the EU law. So if Microsoft's battle to not hand over this data fails, Microsoft in Europe will fail. It really is that simple.

      And at the end of the day, the corporations are going go realize they can't jeopardize their revenue by pulling out of those markets.

      The US doesn't get to pass laws which trump local laws any more than Iran does. And the US can't exempt those entities from local laws, which means this will come down to corporate self interest versus a government who feels it is entitled to collect this information.

      So the bottom line is: too damned bad for the US, because once Microsoft in Europe starts getting fined billions of dollars and people start getting thrown in jail, they're very quickly going to realize they can't do it.

      It really is about time the world tells the US that our privacy and legally protected rights don't take a back seat to US security interests. We don't give a shit what the US wants.

      --
      Lost at C:>. Found at C.
    7. Re:This ruling won't fix anything by fnj · · Score: 3, Informative

      being a US company

      These gigantic corporations are not "U.S. companies" by any stretch of the imagination - if that term even has any meaning at all any more. They are me-first entities whose only allegiance is to themselves, and they operate globally with complete cynicism. If they can't defy regulations in secret (VW?) or win their case in court (Microsoft) or co-opt authorities and get regulations changed openly or behind the curtain, they will accommodate the players who are large enough that their citizens and corporations can't be forgone as customers. And that certainly includes both Europe and the U.S.

    8. Re:This ruling won't fix anything by NostalgiaForInfinity · · Score: 2

      However, what the NSA does, is to simply harvest anything they want from anyone. I am not comfortable with that.

      Nor am I. But the BND, DGSI, or MI5/GCHQ do the same thing. You can't avoid your data being harvested by someone. The question you should ask yourself which spy agency can cause you more problems when they make a mistake, and that is probably your own domestic spy agency. That's why storing data outside the country is a good idea: it becomes more accessible to foreign spy agencies but less accessible to your own.

      That's, of course, also the real reason the EU hates it when Europeans use US servers.

  3. Re:TTIP declares... by Chrisq · · Score: 5, Funny

    ... All euro courts are invalid. Seriously, eurosluts, what do you think you can do? Where are your carriers? Har har har.

    Yes but we'll laugh back when highly polluting VWs have to be accepted on US roads because they meet European standards

  4. Re:Laughable by TheGratefulNet · · Score: 2

    any western government (not the US) who is trying to 'shake down' google or FB gets my 100% blessing in anything they do to reduce the force, power and evilness of both of those companies.

    anything that causes either of those companies PAIN is a good thing in my, uhm, 'book'.

    corporations are evil and the biggest ones have the most evilness to them. anything that knocks down the evil corps even a little is a Good Thing(tm).

    --

    --
    "It is now safe to switch off your computer."
  5. Re:Laughable by PolygamousRanchKid+ · · Score: 5, Informative

    If you look at how this law case started, it was initiated by a private citizen. Not by the EU executive branch. The EU justice branch made a decision that the EU justice branch is visibly not comfortable with, because it places a lot of companies in legal limbo. Read more here:

    http://www.economist.com/news/...

    Because the EU executive branch did nothing about it themselves . . . well, it shows that they were in cahoots with the USA/NSA folks.

    So in this case, it is not a shakedown by the EU. The EU governments and Executive branch were perfectly happy with the way things were. It was a private citizen who appealed to the EU highest court that caused this.

    --
    Schroedinger's Brexit: The UK is both in and out of the EU at the same time!
  6. Re:Laughable by Schmorgluck · · Score: 4, Insightful

    Nope, the real motivation is compliance to EU laws, like every company has to. Companies who believe they can fully own data about EU citizens and do whatever they want with it are in for a lot of trouble, whatever their nationality. European companies, and even governments, have been condemned too.

    --
    There's nothing like $HOME
  7. Helps Cloud Providers by ranton · · Score: 3, Informative

    I assume this ruling helps US cloud providers since even more small companies will be compelled to not host their own servers. I can easily spin up servers on AWS in Ireland and Frankfurt, but not so easily set up my own data center.

    Its rare for any increase in regulation to not help large companies, since they have the scale to deal with the lawyer fees necessary to comply.

    --
    -- All that is necessary for the triumph of evil is that good men do nothing. -- Edmund Burke
  8. Re:They will be a muslem country in a few years. by kilfarsnar · · Score: 5, Informative

    The European union will be isis by the time they are done.

    Looking at some of the appeasers here it wouldn't surprise me

    Wow, you guys have really been taken in by the US media's propaganda. They want you to be afraid. A frightened populace is a controllable populace.

    Do you really not see how the fear of Muslim terrorists has been used to curtail your freedoms and tighten control of the authorities? We now have the NSA and who knows who else spying on everyone, the FBI looking at what you read, border checkpoints miles from any border and police using evidence collected in secret, all in the name of protecting us from terrorists.

    Terrorists use violence to put fear into a population. Well who is really putting fear into our population? The media and the government spokespeople who feed them information. They want you to be afraid so you'll support their wars (that they lie to us about) and their restrictive policies at home, and keep watching their news channels. Don't fall for it.

    --
    "What the American public doesn't know is what makes them the American public." -Ray Zalinsky (Tommy Boy)
  9. Re:Laughable by fnj · · Score: 3, Insightful

    Google is just doing what any corporation does. The bottom line is their own aggrandizement. Anything they can get away with to that end they will do. Why do you have this fantasy that they are special?

    Capitalism is all about strife and self-interest. It's inherent in the system. You can but-but that by bringing up the "invisible hand of the market", but it is a truism.

  10. Re:They will be a muslem country in a few years. by Zontar+The+Mindless · · Score: 4, Insightful

    If ISIS want to send infiltrators to Europe, they can do it much more quickly, easily, and reliably with a few fake passports and some plane tickets.

    --
    Il n'y a pas de Planet B.
  11. Re:They will be a muslem country in a few years. by kilfarsnar · · Score: 3, Informative

    Wow, you guys have really been taken in by the US media's propaganda.

    I live in the US and I have no clue what you're referring to. These are just idiots. The media here is bad but not this bad or in this way. The extreme right republicans would do this but most of the media is on the left.

    At the risk of sounding smug, you aren't supposed to notice. The message management is subtle enough that it's hard to detect. I would recommend the film "Manufacturing Consent" and the "Century of the Self" documentary series. You might also read the book "Propaganda" by Edward Bernays. From Bernays' book:

    The conscious and intelligent manipulation of the organized habits and opinions of the masses is an important element in democratic society. Those who manipulate this unseen mechanism of society constitute an invisible government which is the true ruling power of our country.

    That's what I'm talking about. Bernays went on to revolutionize the fields of advertising and public relations. His methods work to influence the thoughts, opinions and attitudes of people without their knowledge. They really do work; power now relies on it. Look into it, if you're interested. I find it quite fascinating.

    --
    "What the American public doesn't know is what makes them the American public." -Ray Zalinsky (Tommy Boy)
  12. Re:They will be a muslem country in a few years. by Luckyo · · Score: 3, Funny

    As a point of reference, if you think that "most of US media is on the left", you are so far on the right end of the spectrum from European point of view that expression and practice of many of your ideas has been outlawed in much of Europe after our last bout with national socialism.

  13. MS-resident spyware by fyngyrz · · Score: 2

    There is no keystroke logger in Windows 10.

    Haven't connected your Windows machine to the Internet yet, I see.

    --
    I've fallen off your lawn, and I can't get up.
  14. Re:They will be a muslem country in a few years. by Stephan+Schulz · · Score: 2

    Who knows. But a few or even a few hundred idiots are not a substantial threat to Europe. CNN just published this graph, showing that the risk for Americans to be killed by firearm in the US is more than two orders of magnitude greater than the risk of an American being killed by terrorism (home or abroad). And if you exclude 9/11, it's more than three orders of magnitude. If the US can survive the NRA, then Europe can survive a couple of other fanatics.

    --

    Stephan