What happens in Europe, doesn't stay in Europe: US giants accused of breaking EU privacy pact

More than 30 big US tech firms are breaking internationally agreed-upon US-EU Safe Harbor commitments to safeguard Europeans’ data, according to a complaint filed with the US Federal Trade Commission (FTC) on Thursday. The Washington-based Center for Digital Democracy (CDD) claims tech giants such as AOL, Adobe, Salesforce, …

  1. hplasm
    Coat

    AOL, Adobe, Salesforce, Datalogix, Marketo, BlueKai, Criteo, Merkle and others

    Are Merkle spying on Merkel?

    1. Anonymous Coward
      Anonymous Coward

      Privacy?

      I laughed so much I sh*t myself.

  2. Anonymous Coward
    Meh

    Meh....

    ..the Safe Harbour is about as good a reflection on privacy as ISO9001 is for quality. So long as you tick the correct boxes yourself, all is ok.

    1. Destroy All Monsters Silver badge

      Re: Meh....

      It's not about "privacy".

      "Privacy" refers to contracting between you and the provider handling your data.

      "Safe harbour" refers to contracting between the provider handling your data and the provider handling the platform that holds your data.

      Or in other words: in how many Salesforce accounts does personal information about you actually reside, all with the requisite privacy guarantees promised in good faith. Do you know?

    2. Vimes

      Re: Meh....

      Try getting the ICO to comment on the suitability of exporting data to the US given the lack of rights foreigners have over there. Go on - have a go.

      I did as part of my inquiries related to the gathering of personal data by political parties. The question of suitability was repeatedly ignored.

      Both the government and most of the media (one report on C4 news a few days ago being a notable exception) seem to do their level best to pretend that the question doesn't even exist, much less require an answer.

      1. Anonymous Coward
        Anonymous Coward

        Re: Meh....

        Try getting the ICO to comment on the suitability of exporting data to the US given the lack of rights foreigners have over there. Go on - have a go.

        Actually, the ICO are presently in a difficult place. Safe Harbor is in reality pretty much dead, but as negotiations between US and EU are ongoing (with the US' ability to just blackmail the EU into doing what it wants seriously curtailed by the Snowden revelations), the ICOs of Europe (sound like a club) are keen not to rock the boat and will thus not be that forthcoming with generic answers.

        However, here is a more specific question you can ask:

        If I, as a business, use Gmail for my corporate email and I receive a client email which contains personal information such as even just their email address, am I not breaking EU privacy laws by exporting this to a 3rd party (Google) without the sender's consent?

        The answer I got was "yes" - in 3 different countries. You don't have to believe me, try it yourself.

        THAT is what is bubbling under the surface. If the US doesn't get a new "get out of jail" card organised soon, a sort of Safe Harbor v2 if you like, pretty much the whole of the US IT industry becomes off-limits for EU companies who have a legally prescribed duty to protect the privacy of their customers. Personally, even WITH a new Safe Harbor in place I'd be unhappy with a company shipping data to the US because the companies there are left defenceless against legally compelled intercept.

  3. Steve Gill

    If it can be proven they've broken the rules the EU should ban them from trading with any European entities for at least as many years as they've been breaking the rules.

    1. h4rm0ny
      Mushroom

      Re: If it can be proven they've broken the rules the EU should...

      The American companies aren't responsible for misusing our data any more than a dog is responsible for eating meat put in front of it. The ones we should be lynching - and have the power to - are the companies that gave our data to the Americans in the first place. This they had no right to do just because some worthless assurance was given.

      It's wrong of the American companies, certainly. But it is NEGLIGENT of the European ones. Don't just name and shame the American companies - tell us who over here has been handing our data out!

  4. Anonymous Coward
    Anonymous Coward

    HOW AND WHERE WILL THE U.S.-EU SAFE HARBOR BE ENFORCED?

    From the horse's mouth:

    U.S.-EU Safe Harbor Overview

    "HOW AND WHERE WILL THE U.S.-EU SAFE HARBOR BE ENFORCED?

    In general, enforcement of the U.S.-EU Safe Harbor will take place in the United States in accordance with U.S. law and will be carried out primarily by the private sector. Private sector self-regulation and enforcement will be backed up as needed by government enforcement of the federal and state unfair and deceptive statutes. The effect of these statutes is to give an organization's U.S.-EU Safe Harbor commitments the force of law vis a vis that organization."

  5. Rich 11

    Just goes to show...

    Self-regulation is no regulation. Why do the politicians keep falling for it, when it fails time after time? Can't be anything to do with the potential for cushy non-exec directorships, can it?

    1. Someone Else Silver badge
      Pirate

      @Rich 11 -- Re: Just goes to show...

      Why do the politicians keep falling for it, when it fails time after time?

      A: They're paid to.

      Next question?

  6. tkioz

    Is anyone surprised? The American government and American companies can't be trusted to honour their commitments or agreements, known fact.

    1. Michael H.F. Wilkinson Silver badge
      Joke

      I think you are being overly harsh, suggesting the American government can be trusted less with our data than our own dear government. I always use a non-discriminatory approach. I do not trust any government.

      (I am wondering why I put that joke icon there, in retrospect, it is not funny at all)

      1. Yet Another Anonymous coward Silver badge

        The point of safe harbour wasn't to protect your data from the CIA/MI5/KGB; it was that in the EU your medical records can't be sold to insurance companies or tabloid newspapers. But a foreign company could claim that this was legal in Liberia or Panama or wherever it is registered and do this legally.

        The safe harbour provision was to show that the US company followed the same rules as an EU one. In the same way that we have joint agreements to allow the US to claim that a US airline is safe to land at an EU airport and v.v.

  7. MyffyW Silver badge

    Safe Harbour +

    Had to let our legal team loose on a cloud hosting contract and Safe Harbor did little to dampen their nit-picking. They were very keen to get indemnities written in, whilst the cloud provider just stuck to their boiler-plate contract. Cue handbags at dawn...but what can you do when the alternatives are largely US-based? Host it yourself I suppose.

    1. Gerhard Mack

      Re: Safe Harbour +

      There are perfectly good cloud hosting providers in Canada and Germany so there is no reason to host in the US.

      1. JLV
        Black Helicopters

        Hosting providers in Canada and Germany

        Hey, love the place, but you gotta be realistic.

        As a Canadian, I wouldn't give Canada's companies the benefit of the doubt. If anything, we usually lag behind compared to the US when it comes to consumer privacy (do not call lists and credit card # on receipts came in 2-3 yrs behind US initiatives). Lobbying by big corps is even more effective here.

        As far as gov snooping goes, doubt they'd keep much out of US hands either. Esp w Harper.

        Mind you, Canadian hosters love to drum up US privacy concerns to whip up business. They would, of course.

        Now, Germany I would be more inclined to trust.

        Really, what some small country needs to do is to become the Switzerland of hosting. Laws yes, but privacy first.

        1. Preston Munchensonton
          FAIL

          Re: Hosting providers in Canada and Germany

          "Now, Germany I would be more inclined to trust."

          Is this an echo from 1938?

        2. Lyndon Hills 1

          Re: Hosting providers in Canada and Germany

          like HavenCo?

          HavenCo [wikipedia]

          1. Anonymous Coward
            Anonymous Coward

            Re: Hosting providers in Canada and Germany

            like HavenCo?

            HavenCo is almost as bad as the "we're in Panama so we're safe" alternatives out there (or South Africa).

            When I want someone to protect my personal and/or corporate privacy I also want to make sure I can actually reach them and get to them legally if they screw up. Shipping my data to a place I can only reach by boat or helicopter and which is one dragging anchor away from disconnection doesn't strike me as a good idea from a continuity and risk management perspective.

        3. Gerhard Mack

          Re: Hosting providers in Canada and Germany

          I suppose someone had to maintain the Canadian stereotype...

          The fact that Canada has a set of privacy laws that the EU considers acceptable rather than the American voluntary system makes Canada two years behind? And somehow Canada's strict limit on personal donations and total ban on corporate donations rather than the Americans' unlimited somehow makes lobbying more effective in Canada?

          You really don't seem to know much about your own country.

        4. This post has been deleted by its author

    2. Anonymous Coward
      Anonymous Coward

      Re: Safe Harbour +

      Had to let our legal team loose on a cloud hosting contract and Safe Harbor did little to dampen their nit-picking. They were very keen to get indemnities written in, whilst the cloud provider just stuck to their boiler-plate contract. Cue handbags at dawn...but what can you do when the alternatives are largely US-based? Host it yourself I suppose.

      No, there is a way and there are more providers out there, but it always starts with designing a *legal* structure, THEN a technical one, typically with data segregation and, in some cases, information diodes (I do this for a living). Especially multinationals tend to get themselves into a serious mess before they start asking for help. The hardest part is getting data migration into this new structure legally clean, but once you've done that you can pretty much relax about your legal exposure as it's then easy to assess and manage.

      There is, however, one absolute no no: you cannot have your HQ in the US, because then you're pretty much hosed from the get go. A subsidiary isn't a problem, but a HQ provides too much leverage on your entire global business.

      BTW, don't fall for the "subsidiary in Switzerland" idea that I have seen some larger consultancies recommend: this falls foul of a specific clause in Swiss privacy law which considers that subsidiary as remaining under the privacy regime of the originating/owner's country. I've had to clean up a few of those :(.

  8. Peter Galbavy

    shocking

    "I am shocked... shocked to find gambling going on in this café!"

    1. Captain DaFt

      Re: shocking

      "Ahem, your winnings, sir."

    2. Spamfast
      Thumb Up

      Re: shocking

      "Your winnings, sir."

      Apposite quote.

      "In Casablanca I am master of my fate!" comes to mind too.

    3. ecofeco Silver badge

      Re: shocking

      Damn. Beat me to it.

      Upvoted.

  9. DJ

    Duh

    Why wouldn't they?

    @Peter: touché!

  10. Destroy All Monsters Silver badge
    Mushroom

    Ok, that does it.

    I'm TIRED of this MUTHAFUCKIN' SH*T on this MUTHAFUCKIN' CLOUD!!

  11. Someone Else Silver badge
    Thumb Down

    More than 30 big US tech firms are breaking international agreed-upon US-EU Safe Harbor commitments in order to slurp Europeans’ data, according to a complaint filed with the US Federal Trade Commission (FTC) on Thursday.

    FTC response: (yawn...)

  12. Fungus Bob
    WTF?

    legally enforceable but voluntary

    Exactly how can something be legally enforceable and voluntary at the same time? That's like insisting that someone make a square circle.

    1. Richard 12 Silver badge

      Re: legally enforceable but voluntary

      Contract law.

      You don't have to sign the contract, but if you do then a civil case can be made against you for breaking it.

    2. Anonymous Coward
      Anonymous Coward

      Re: legally enforceable but voluntary

      Where I work, we have Mandatory Guidelines ... In fact I am supposed to be writing one now.

      1. Anonymous Coward
        Anonymous Coward

        Re: legally enforceable but voluntary

        That would be like Health & Safety guidelines: just guidelines until something happens, and then they are evidence.

  13. Anonymous Coward
    Anonymous Coward

    Let them feel

    Europe's wrath!

    1. Kevin Johnston

      Re: Let them feel

      I think you forgot to add the Joke icon....

      1. Fungus Bob

        Re: I think you forgot to add the Joke icon....

        Wasn't it obvious enough?

  14. Gannon (J.) Dick
    Mushroom

    "... give Europeans the same rights of redress as American citizens if their data is used inappropriately."

    Hasn't Europe suffered enough? The rights of redress possessed by American citizens are explained in detail in a sentence much shorter than this: None, you Dung Beetle.
