AOL, Adobe, Salesforce, Datalogix, Marketo, BlueKai, Criteo, Merkle and others
Are Merkle spying on Merkel?
More than 30 big US tech firms are breaking internationally agreed-upon US-EU Safe Harbor commitments to safeguard Europeans’ data, according to a complaint filed with the US Federal Trade Commission (FTC) on Thursday. The Washington-based Center for Digital Democracy (CDD) claims tech giants such as AOL, Adobe, Salesforce, …
It's not about "privacy".
"Privacy" refers to contracting between you and the provider handling your data.
"Safe harbour" refers to contracting between the provider handling your data and the provider handling the platform that holds your data.
Or in other words: in how many Salesforce accounts does personal information about you actually reside, all with the requisite privacy guarantees promised in good faith? Do you know?
Try getting the ICO to comment on the suitability of exporting data to the US given the lack of rights foreigners have over there. Go on - have a go.
I did as part of my inquiries related to the gathering of personal data by political parties. The question of suitability was repeatedly ignored.
Both the government and most of the media (one report on C4 news a few days ago being a notable exception) seem to do their level best to pretend that the question doesn't even exist, much less require an answer.
Try getting the ICO to comment on the suitability of exporting data to the US given the lack of rights foreigners have over there. Go on - have a go.
Actually, the ICO are presently in a difficult place. Safe Harbor is in reality pretty much dead, but as negotiations between US and EU are ongoing (with the US' ability to just blackmail the EU into doing what it wants seriously curtailed by the Snowden revelations), the ICOs of Europe (sound like a club) are keen not to rock the boat and will thus not be that forthcoming with generic answers.
However, here is a more specific question you can ask:
If I, as a business, use Gmail for my corporate email and I receive a client email which contains personal information such as even just their email address, am I not breaking EU privacy laws by exporting this to a 3rd party (Google) without the sender's consent?
The answer I got was "yes" - in 3 different countries. You don't have to believe me, try it yourself.
THAT is what is bubbling under the surface. If the US doesn't get a new "get out of jail" card organised soon, a sort of Safe Harbor v2 if you like, pretty much the whole of the US IT industry becomes off-limits for EU companies who have a legally prescribed duty to protect the privacy of their customers. Personally, even WITH a new Safe Harbor in place I'd be unhappy with a company shipping data to the US because the companies there are left defenceless against legally compelled intercept.
The American companies aren't responsible for misusing our data any more than a dog is responsible for eating meat put in front of it. The ones we should be lynching - and have the power to - are the companies that gave our data to the Americans in the first place. This they had no right to do just because some worthless assurance was given.
It's wrong of the American companies, certainly. But it is NEGLIGENT of the European ones. Don't just name and shame the American companies - tell us who over here has been handing our data out!
From the horse's mouth:
"HOW AND WHERE WILL THE U.S.-EU SAFE HARBOR BE ENFORCED?
In general, enforcement of the U.S.-EU Safe Harbor will take place in the United States in accordance with U.S. law and will be carried out primarily by the private sector. Private sector self-regulation and enforcement will be backed up as needed by government enforcement of the federal and state unfair and deceptive statutes. The effect of these statutes is to give an organization's U.S.-EU Safe Harbor commitments the force of law vis a vis that organization."
I think you are being overly harsh, suggesting the American government can be trusted less with our data than our own dear government. I always use a non-discriminatory approach. I do not trust any government.
(I am wondering why I put that joke icon there, in retrospect, it is not funny at all)
The point of Safe Harbour wasn't to protect your data from the CIA/MI5/KGB; it was that in the EU your medical records can't be sold to insurance companies or tabloid newspapers. But a foreign company could claim that this was legal in Liberia or Panama or wherever it is registered and do this legally.
The Safe Harbour provision was to show that the US company followed the same rules as an EU one. In the same way that we have joint agreements to allow the US to claim that a US airline is safe to land at an EU airport and v.v.
Had to let our legal team loose on a cloud hosting contract and Safe Harbor did little to dampen their nit-picking. They were very keen to get indemnities written in, whilst the cloud provider just stuck to their boiler-plate contract. Cue handbags at dawn...but what can you do when the alternatives are largely US-based? Host it yourself I suppose.
Hey, love the place, but you gotta be realistic.
As a Canadian, I wouldn't give Canada's companies the benefit of the doubt. If anything, we usually lag behind compared to the US when it comes to consumer privacy (do not call lists and credit card # on receipts came in 2-3 yrs behind US initiatives). Lobbying by big corps is even more effective here.
As far as gov snooping goes, doubt they'd keep much out of US hands either. Esp. w/ Harper.
Mind you, Canadian hosters love to drum up US privacy concerns to whip up business. They would, of course.
Now, Germany I would be more inclined to trust.
Really, what some small country needs to do is to become the Switzerland of hosting. Laws yes, but privacy first.
Like HavenCo?
HavenCo is almost as bad as the "we're in Panama so we're safe" alternatives out there (or South Africa).
When I want someone to protect my personal and/or corporate privacy I also want to make sure I can actually reach them and get to them legally if they screw up. Shipping my data to a place I can only reach by boat or helicopter and which is one dragging anchor away from disconnection doesn't strike me as a good idea from a continuity and risk management perspective.
I suppose someone had to maintain the Canadian stereotype...
The fact that Canada has a set of privacy laws that the EU considers acceptable rather than the American voluntary system makes Canada two years behind? And somehow Canada's strict limit on personal donations and total ban on corporate donations rather than the Americans' unlimited somehow makes lobbying more effective in Canada?
You really don't seem to know much about your own country.
Had to let our legal team loose on a cloud hosting contract and Safe Harbor did little to dampen their nit-picking. They were very keen to get indemnities written in, whilst the cloud provider just stuck to their boiler-plate contract. Cue handbags at dawn...but what can you do when the alternatives are largely US-based? Host it yourself I suppose.
No, there is a way and there are more providers out there, but it always starts with designing a *legal* structure, THEN a technical one, typically with data segregation and, in some cases, information diodes (I do this for a living). Especially multinationals tend to get themselves into a serious mess before they start asking for help. The hardest part is getting data migration into this new structure legally clean, but once you've done that you can pretty much relax about your legal exposure as it's then easy to assess and manage.
There is, however, one absolute no-no: you cannot have your HQ in the US, because then you're pretty much hosed from the get-go. A subsidiary isn't a problem, but an HQ provides too much leverage on your entire global business.
BTW, don't fall for the "subsidiary in Switzerland" idea that I have seen some larger consultancies recommend: this falls foul of a specific clause in Swiss privacy law which considers that subsidiary as remaining under the privacy regime of the originating/owner's country. I've had to clean up a few of those :(.