'Safe Harbor': People in Europe 'can get quite litigious about this'

Both small and large US data centre companies are walking "headlong into a legislative buzzsaw" following a landmark 'Safe Harbor' ruling this week, the founder of database software company NuoDB, Barry Morris, has said. On Tuesday the European Court of Justice struck down the 15-year-old "Safe Harbor" pact, invalidating the …

  1. Your alien overlord - fear me

    Morris added that people in Europe "can get quite litigious about this" - confusing "us" with "US of A" I think.

  2. Stuart 22

    Deal or No Deal?

    Don't you have a feeling that the EU commission can suddenly find a fast way to a new harbour in exchange for a wee concession from the USA in the TTIP negotiations?

    1. frank ly
      Thumb Up

      Re: Deal or No Deal?

      Or maybe the US corps will sue the EC governments in secret session, in accordance with TTIP provisions? That sounds like an easier way to make money.

      1. Anonymous Coward
        Anonymous Coward

        Re: Deal or No Deal?

        If TTIP follows with ISDS similar to TPP then expect to see VAG (Volkswagen) sue both the EPA and California's version of the same. This is going to cut both ways, not just US firms attacking EU regulations.

        On a closely related note, the ECJ ruling pits the US multinationals against each individual country's DPA. Kind of lopsided don't you think and this will be even more lopsided if the US corporations pool their resources.... Then toss in TTIP and it will get real ugly, real fast.

    2. Anonymous Coward
      Terminator

      Re: Deal or No Deal?

      SAFE [sic joke] HARBOR II - The Zombie Lie

  3. JimmyPage Silver badge
    Thumb Up

    Beat me to it ..

    Time for a new icon ... pot and kettle perhaps ?

  4. alain williams Silver badge

    David Smith of ICO is a plonker

    said of the ruling earlier this week that businesses using Safe Harbor will need to review how they ensure that data transferred to the US is transferred in line with the law.

    In other words "business as usual chaps, wait a bit and some lawyer magic will fix it all". What he should have said is "the USA is not safe, review what items of data you send there. Stuff that is too sensitive you will have to not send and look to process it in Europe".

    What a chocolate teapot organisation.

    1. JasonB

      Re: David Smith of ICO is a plonker

      "said of the ruling earlier this week that businesses using Safe Harbor will need to review how they ensure that data transferred to the US is transferred in line with the law.

      In other words ''business as usual chaps, wait a bit and some lawyer magic will fix it all". What he should have said is "the USA is not safe, review what items of data you send there. Stuff that is too sensitive you will have to not send and look to process it in Europe".

      What a chocolate teapot organisation."

      Absolutely!

      I remember challenging the concept of the Safe Harbor as American laws meant the FBI could look at the information with little effort. The ICO wasters never accepted this.

      That and the fact that he's accepted that publishing to a blog or Facebook counts as journalism and is as far as those morons are concerned exempt from the Data Protection Act. Try telling that to the patient whose picture has been posted to Facebook with less than flattering comments.

      Frankly the current IC should be sacked along with his staff and replaced by qualified people (last time I checked less than half the ICO staff had any qualifications in Data Protection, although that was a few years ago).

  5. Anonymous Coward
    Anonymous Coward

    Since the Office 365 authentication services are only in the US, where your storage is becomes irrelevant.

    What's the point in agreements and policy if it's not enforceable by the US anyway?

    1. Anonymous Coward
      Anonymous Coward

      Technically yes, but legally no.

      It would be illegal to pretend to be you and use your authentication to access data on a UK server.

  6. Dr Paul Taylor

    Let's have some European competition

    Why the hell was all this personal data going across the Atlantic in the first place? Europeans (for example El Reg for their lectures) have lazily been using American websites (such as Eventbrite) when it would be easy and entirely in line with the principles of Capitalism for there to be similar sites offering competing services in other countries. We should all take this ECJ judgment as an opportunity. It is time for all sorts of reasons to overthrow the American monopoly of such services. To Hell with Facebook, Google, Amazon and the rest of them!

    1. Len
      Go

      Re: Let's have some European competition

      Hear hear!

      It’s time we get some of our pride back. With over 500 million EU citizens the EU home market is considerably bigger than the US home market and nowadays has a fairly homogenous legislation making the rise of European internet giants a real possibility.

      Of course, the challenge remains that we have so many languages but that could be turned into an advantage. American companies are notoriously bad at internationalisation and localisation (why does Facebook insist on telling me the temperature at an event in the UK in Fahrenheit!? Why does Tweetdeck insist on only allowing to schedule tweets using the moronic 12 h clock!? Why does Wordpress default to the broken date notation of 5-13-2015!?). We should be able to turn this American weakness into an advantage for rapid growth.

      I actually appreciate the actions of companies such as large hoster OVH that publicly state that "OVH datacentres are situated outside Patriot Act jurisdiction area" (https://www.ovh.co.uk/aboutus/technologies/datacenters.xml). My company too has added to its privacy statement that all our data is hosted inside the EU. More companies should be doing (and saying) similar things.

      The real remaining challenge is then funding. European investors are typically much more risk averse when it comes to throwing cash at the umpteenth ‘Facebook+household chores+menstrual cycle+currency markets social sharing mash-up service’ than American investors are.

      1. Anonymous Coward
        Anonymous Coward

        Re: Let's have some European competition

        No, the remaining challenge is the bureaucrats and that's when who you know is what's important. Funding is anticlimactic after that. Those two are reversed in the US where business connections are the prime factor, especially who is funding you.

    2. Lars Silver badge
      Flame

      Re: Let's have some European competition

      Yes, but look at how some of us behave (think!), you know, the gigolo Germans, the manjana Brits, the cheese eating Italianos, the double Dutch speaking French and so on, and so on. All that shit I decided not to move into my kids' brains long ago. Fairly popular shit even among commentards on this site.

      1. Anonymous Coward
        WTF?

        Re: Let's have some European competition

        Eh Lars? Wrong icon? Or ischæmic event?

  7. Gordon 10
    Stop

    How can it be a fig leaf

    If it pre-dates the Safe Harbor legislation anyway and is also a standard approved by some EU rubber stamping body - as per the previous article.

    What it does seem to do is extend safe harbour style protections to the US companies at the expense of making them more open to customer lawsuits if they abuse it - so it sounds like a partial win-win to me. They may have to tweak their replication/sharding strategies and build out a bit more capacity but I suspect that most have the basic infrastructure to cope. Given MS'es statements and the current US lawsuit - there's reason to suspect that they are pretty much ready for this. If facebitch hasn't done the prep for this already they are just clueless.

    Also I doubt very much the big boys are going to feel much pain from this. Reams of data already has geographical boundaries - the ruling just adds a set of new countries/regions to it - so they already have the infrastructure to cope.

    The ones that are gonna hurt are the S&ME's who are restricted to onshore US processing - payroll outsourcers and the like.

    1. Anonymous Coward
      Anonymous Coward

      Re: How can it be a fig leaf

      >The ones that are gonna hurt are the S&ME's who are restricted to onshore US processing - payroll outsourcers and the like.

      They should have a word with their political representatives about that then.

  8. Anonymous Coward
    Anonymous Coward

    Companies are either going to figure out it will limit their [growth] - or increase their legal costs.

    Good.

    What we need are more, smaller, competing companies; and not large, consolidated, unaccountable, multinational behemoths.

    1. Anonymous Coward
      Anonymous Coward

      You're not suggesting there's something counter-productive about the way these corporations are allowed to form cartels and consolidate to the scale at which they become able to buy up and crush any and all emerging competition and bribe governments to look the other way while they rape the plebs, Shirley?

      Commie bastard.

      1. Destroy All Monsters Silver badge
        Big Brother

        I'm actually rabidly free-market and I'm Ok with this!

        Also:

        allegedly indiscriminate surveillance by the US

        The adjective should be on a sliding scale:

        "potentially" <------||--> "actually"

        but "allegedly" is utterly inappropriate here.

        Or is someone afraid Uncle Sam will start a defamation lawsuit? Then the whole of El Reg towers gets bombed repeatedly accidentally.

  9. Anonymous Coward
    Anonymous Coward

    Oh good, now we can trust Facebook (cough)

    Is there anyone out there that actually believes the American NSA et al weren't going to get their hands on every bit of crap they submitted to the (contemptuous-of-privacy) Facebook anyway, either via quasi-legal weaselling or via outright illegality they know they'll get away with regardless?

    It's not like the laws mean anything when they can get away with breaking them- if you think your data will be safer when being (ostensibly) kept within Europe, then I have a bridge to sell you.

    1. Anonymous Coward
      Anonymous Coward

      Re: Oh good, now we can trust Facebook (cough)

      I hear the "Athens Affair" was actually NSA who declined to switch off their listening gear...

    2. Anonymous Coward
      Anonymous Coward

      Re: Oh good, now we can trust Facebook (cough)

      It's not that black and white.

      NSA and the likes will always be able to get your data. That remains unchanged.

      But Facebook can't commercialize your personal information as easily as before, their legal risk is higher now. Also, US courts will have a harder time to do "parallel construction".

      1. Pascal Monett Silver badge
        Flame

        Anything that makes life harder for privacy-violating scum is good in my book.

        Ya hear that, Google/Facebook/Microsoft+20 million others ?

        Oh, right. Everybody's doing it.

        WELL THAT DOESN'T MAKE IT RIGHT.

  10. Anonymous Coward
    Anonymous Coward

    I always read how this affects businesses...

    So a Court of Justice, and the highest one in Europe at that, is being criticised repeatedly everywhere for not considering the impact on businesses? Well heck yes, that's what we expect from a court over here, where you cannot buy justice (at least not that easily). Of course the Land of the Free won't understand!

  11. NRGFXIT

    Safe Harbour - The age of the Digital Maginot Line

    If Uncle Sam wants it, and they have a US entity they can use as a conduit, their attitude is they have a right to it and will get it by hook or by crook. In Safe Harbour or other contractual remedy we are doing little more than making paperwork, manifesting the digital equivalent of France's World War II folly, the Maginot Line. No contract clause or its ilk will stop them breaching EU data protection.

    Read my full breakdown at ‘Safe Harbour and the age of the Digital Maginot Line’ http://nrgfxit.net/2015/10/08/safe-harbour-and-the-age-of-the-digital-maginot-line/

  12. Doctor Syntax Silver badge

    the shift in the legislative landscape

    I think the guy needs to understand a bit about law. Legislation is what legislatures produce - statutes. Courts interpret those to apply them to the facts of specific cases. So the ECJ's decision is not legislation. There's been no recent legislative shift. The most recent shift was in the US. It was the PATRIOT act.

    What the ECJ has done is interpret existing EU law in a case in which the facts include the current state of data protection in the US in the wake of the PATRIOT act.

    It should have been quite clear for several years that any time anybody took the Safe Harbour to court it would be found wanting. It's amazing it lasted so long.

  13. a_yank_lurker

    A Puzzler

    What is preventing a US company from largely using EU privacy rules as a matter of internal practice? If they did, then the EU's rulings would largely be moot.

    1. sysconfig

      Re: A Puzzler

      They can't, because they cannot guarantee that US law enforcement and three letter agencies won't demand the data (or lift it by means that don't even involve the knowledge of the company) and then use it in any way they please. This is what creates the breach of EU privacy laws.

      So the question is, if the fall of Safe Harbour is such a big deal for the US economy, why don't they employ privacy laws similar to Europe and introduce some oversight as to who, when and why data is required? What is preventing the US from doing that?

    2. SImon Hobson Bronze badge

      Re: A Puzzler

      > What is preventing a US company from largely using EU privacy rules as a matter of internal practice?

      Nothing at all - and that's what the "alternatives" are about. It's been suggested that model contract clauses could handle this, and that's the "fig leaf" that's being talked about.

      But as pointed out, the law in the US means that such clauses are not worth the paper they are written on. Because US law does not respect privacy etc, no company with a US presence is able to offer such guarantees - to do so either exhibits an incredible ignorance of the law, or an incredible ability to bullsh!t with a straight face.

      The ONLY difference between Safe Harbour and these contractual alternatives is that only Safe Harbour has been tested in court (yet). Yes, others will no doubt revamp their T&Cs - but sooner or later another Max Schrems will bring a case and those T&Cs will also be found to be worthless.

      Put simply, it is not legally possible to transfer personal data to any company with a US presence without the express permission of the data subject. Even where permission has been "given", future court cases may rule that as not sufficient - eg a school making parents "give" permission for their child's data to be sent to the US for processing as a condition of the child being educated would be struck down if it ever got to court.

      The law to take control of this is already there - it just needs enough of us to make official complaints and back them up in order for all these "fig leaves" to be stripped off.

  14. PapaD

    One option

    Could US companies move ALL of their data processing to the EU, and thereby protect US citizens from all encompassing data grabs by TLAs?

    Or would the fact that the data isn't about an EU citizen make that protection meaningless.

    Within the EU, is all personal data protected, or just EU citizens/residents data?

    1. SImon Hobson Bronze badge

      Re: One option

      > Could US companies move ALL of their data processing to the EU, and thereby protect US citizens from all encompassing data grabs by TLAs?

      NO, that doesn't work. If the data is still "under the control of" the US company then it's still "up for grabs" by the US TLAs. There also needs to be a corporate structure in place making the data physically inaccessible to the US based company - see the Microsoft Ireland case for an example of how that might work.

      1. Richard 12 Silver badge

        Re: One option

        And for what the US does about it.

        The result of that case will either kill all US "cloud" providers forever, or permit them to have wholly-owned EU subsidiaries.

        Yet the US TLAs do not see that - or don't care.

  15. Anonymous Coward
    Anonymous Coward

    Dallas Buyers Club

    The Europeans should attach a small fragment of the Dallas Buyers Club bit-torrent to every data set.

    If the NSA is pirating personal information of individuals they will have the American Movie Industry coming after them.

    If the US government and European Courts are unable to keep these guys in check - the Movie Industry surely will.

  16. Anonymous Coward
    Anonymous Coward

    Blame the Feds, man...

    Don't blame the EU, blame the Feds.

    If they weren't so keen to ignore extraterritoriality, then the Safe Harbour would still be in place.
