Oh, OK then: Ireland will probe Max Schrems' Facebook complaints

Facebook crusader Max Schrems returned to the Irish courts today to hear the nation’s Data Protection Commissioner (the DPC) solemnly promise that yes, it would investigate data flows out of Europe. The court ordered the DPC, which had refused to investigate, to pay Schrems' costs. Four years ago Schrems filed 22 complaints …

  1. Anonymous Coward

    Highly suspicious refusal

    The refusal of the Irish DPC to look into this reeks of third party influence - there is no way this DPC acts independently, at least not as far as I would judge from events so far. The idea of a DPC is to protect the weaker parties, the consumers. At least, that's the theory. Instead, this DPC has been acting more like a Banking Ombudsman, who doesn't exactly appear to work on your behalf either..

    Alternatively, maybe the DPC is using this post as a stepping stone into industry. If I recall correctly, that's what the predecessor did - could explain a few things..

    Well done Schrems, but it may not have made you popular in the US..

    1. Doctor Syntax Silver badge

      Re: Highly suspicious refusal

      The Safe Harbour agreement was a product of the Commission and one of the matters the ECJ had to rule on was whether a national authority could investigate it at all or whether the Commission's decision prevented that. See the court's press release on the matter at http://curia.europa.eu/jcms/jcms/P_180250/

      I don't see anything suspicious at all about this. If the DPC were not allowed to investigate but had done so in spite of that they would presumably have been facing action from Facebook. The matter had to be pushed up to a level which was able to give a definitive ruling which was a level capable of over-ruling the Commission at the same time. Don't complain; not only has this clarified procedure in general it's given us the ruling that Safe Harbour wasn't.

      1. Anonymous Coward

        Re: Highly suspicious refusal

        That sounds reasonable. However, what about: 'The court ordered the DPC, which had refused to investigate, to pay Schrems' costs'. Why are the DPC being ordered to pay costs when the DPC were powerless to investigate?

        1. Doctor Syntax Silver badge

          Re: Highly suspicious refusal

          According to the ECJ's statement the DPC weren't aware that they had the right to investigate. Presumably there was no precedent in the matter to make it clear that that right existed. It's as well to remember that at the core of the matter is the behaviour of government bodies acting illegally. It isn't reasonable to expect the DPC to act if they had no right to do so when that's what we're all complaining about. So Schrems sued them in the Irish High Court who then booted it up to the ECJ. If the ECJ hadn't agreed with him he might have found himself paying the DPC's costs. Remember that he started it out in his own court system in Austria & they told him to raise it with Ireland.

          Overall what's happened is that due process of law has been followed and it's due process, or the lack of it, which is the basis of the Safe Harbour's failure. It needed to go to the ECJ to get everything clarified. It may seem wrong that it required an individual to do this but that's the way case law works; it needs cases. Now there are rulings which can be used by other DP regulators.

          Again it's worth remembering that if you want to complain about due process not being followed you can't really cavil about due process being followed when that complaint is handled.

  2. nematoad

    A question.

    Could it turn out that the so-called Safe Harbour scheme was cooked up by people mostly representing the interests of the US mega-corps?

    A sort of early TTIP.

    It does seem to unduly favour those companies in the US that had an interest in processing data from Europe as cheaply as possible, avoiding having to build data processing facilities in Europe for example.

    Secondly, it seems as if the onus on ensuring that any data moved to the US was treated in accordance with EU rules was on the European end of the chain. With the laissez-faire attitude to privacy in the US all most users could have been given was a "Yes we are assured that your data is being protected, our US partners tell us that it is so." Not a good basis for any confidence that the data really was being handled securely.

    Lastly, and this is me putting my cynic's/pedant's hat on. The spelling of Safe Harbour. I have noticed that many non-US writers use the American "harbor" spelling. Does this mean that the US-centric view of the whole business is dominant and that most people see it from the US point of view in as much as it's only Europeans' data that has potentially been compromised and that nothing should get in the way of the bottom line?

    1. Bronek Kozicki

      Re: A question.

      @nematoad sadly, there is nothing suspicious about this. That's how politics works in US, and since the agreement was between EU and US, it was certainly driven by US based corporations. Very little happens in US politics without business being involved. Gosh, I'm happy to live in a (very slightly) more civilized country.

    2. Anonymous Coward

      Re: A question.

      Could it turn out that the so-called Safe Harbour scheme was cooked up by people mostly representing the interests of the US mega-corps?

      Safe Harbour only ever was a political fix to avoid the usual US arm twisting. It was not a legal fix for a very simple to spot reason: on the EU side you have strict compliance demands, on the US side there was only a demand for self certification with pretty weak fines. The FTC started fining a bit more of late, but the value of the fines was a hint too.

      Safe Harbo(u)r has been derided from pretty much BEFORE it was put in place by people like me whose work is actually protecting the privacy of individuals as opposed to helping corporates avoid liability (there is quite a distance between those goals), but I'll wait for the dust to settle before I start pointing out the other problems that there are, on both sides. You'll have to wait for that a bit longer, though, because the Microsoft vs DoJ case needs to settle as well, and a decision either way will be interesting.

      My personal expectation is that this will be halted on whatever pretext they can unearth so there isn't really a decision and, most important, a precedent established.

      We live in interesting times. Globalisation is harder than you think :)

  3. auburnman

    More ammo for Snowden

    I'm just thinking - Snowden is now in a position where some of the highest courts have effectively credited him with exposing widespread lawbreaking. A lot of us have credited him with this from the start obviously, but now that it is in writing from a High court I wonder if that opens any options to him re asylum in other countries in Europe?

    1. Pascal Monett Silver badge

      He should already be able to request asylum in Europe (Russia is not part of Europe). He is not a criminal by any European law, so there shouldn't be an issue there.

      What is blocking any move in that direction is much more likely to be the extradition agreements Euro countries have with the US. In Russia, the US cannot ask for extradition as there is no agreement in place. If Snowden were to apply for asylum in Europe, then the US would be at the door the next day with an extradition request, accompanied by a certain amount of heavy arguments hinting very, very hard that the request would best be granted.

      There are not many Euro countries that currently have the balls to stand up to the US on anything, so I think Snowden is not at all interested in trying that.

    2. dorsetknob
      Coat

      Re: More ammo for Snowden

      He is still safer where he is those wet work teams have an easier job if he is not in Russia

      America Still have him on the Secret laundry list for wetwork

      Here is my coat for Dry Cleaning no wetwork cleaning needed here

    3. Anonymous Coward

      Re: More ammo for Snowden

      There's never been an issue of asylum in any European countries, as ALL of them refused the requests from his lawyers. Even the governments happy to piss on (and off) Americans, like the French, decided that, liberte, egalite, usw are very well, but when the good old US of A has something to say on the matter, it's "non!"

      That said, I shouldn't be harsh about the French, my own government was cuntier, with the prime minister, the minister of foreign affairs and the minister of finance, having a good snigger in public, when the news of Snowden's request for asylum was shared among them (and caught on camera). It's called "raison d'etat", the ultimate disclaimer.

      1. Danny 14

        Re: More ammo for Snowden

        Switzerland didn't say no or yes - you need to be on Swiss soil to claim asylum. But he cannot get to Switzerland anyway. Look at what happened to the Bolivian president...

        1. Anonymous Coward

          Re: More ammo for Snowden

          Switzerland didn't say no or yes - you need to be on Swiss soil to claim asylum.

          A quick visit to a Swiss garden centre could sort that one - ship a bag of soil and presto :)

      2. Anonymous Coward

        Re: More ammo for Snowden

        cuntier

        I'm relatively OK with the occasional bastardisation of English (Queen's version or not), but that one beats them all :).

        1. Tom -1

          Re: More ammo for Snowden

          "cuntier

          I'm relatively OK with the occasional bastardisation of English (Queen's version or not), but that one beats them all"

          Why do you think it bastardisation? It's the comparative form from the adjective cunty, and comparatives of adjectives ending with a consonant followed by y are so regularly formed that good dictionaries don't bother to give them an entry (eg you won't find an entry for "sillier" in OED). Since the adjective cunty is there in the OED (with 9 quotations to support the entry, dating from 1890 to 2007) it seems safe to assume that "cuntier" is a valid English comparative form of that adjective.

  4. Doctor Syntax Silver badge

    Waiting for the other shoe(s) to fall

    According to the site linked in the article there are further complaints against Apple (Ireland), Skype & Microsoft (Luxembourg) and Yahoo (Germany). Presumably the judgement will get the Apple case moving again. What happens with the others remains to be seen.

  5. Luke Worm

    "The court ruled that because of permissive legislation in the USA, and the PRISM programme, Europeans couldn’t be ensured that their data was safe once transferred outside the EU".

    With the same logic, can data even be safely transferred to the UK (GCHQ) ?

    1. Warm Braw

      >Can data even be safely transferred to the UK

      The fine legal distinction is that being in the EU, the UK is ultimately subject to EU law and in theory any "disproportionate" data-slurping could be struck down. If you could, of course, prove it was going on.

      Indeed the gathering of the wagons around GCHQ following the Snowden revelations was likely to have been related to this specific point: their activities may well be "legal" under current UK legislation (since that's essentially administratively defined and every time it's found illegal the goalposts are moved) but illegal under EU legislation (as well as the ECHR) and it would be inconvenient if evidence were to appear to that effect.

      However, there is likely to be rather closer scrutiny of the new data retention law in Germany and the revised version of Ms. May's Snoopers' Charter in the fallout from all of this.

      EDIT: Not of course that it's necessary to transfer the data to the UK in any case: GCHQ isn't just able to access data within UK borders.

      1. sysconfig

        @Warm Braw

        "However, there is likely to be rather closer scrutiny of the new data retention law in Germany"

        That's a different thing, though. The data retained under that law is held by whoever logged it (ISPs, Telcos mostly).

        In order to get hold of the data, law enforcement still needs proper court orders. That's a major difference to the slurping that goes on elsewhere, and the lack of oversight in particular (which was the main reason why Safe Harbour was declared null and void).

        Completely agree with everything else in your post, though!

    2. TitterYeNot

      "With the same logic, can data even be safely transferred to the UK (GCHQ) ?"

      No, don't be silly, it's not like that at all here on Airstrip One in dear old Blighty, it's all perfectly fine and the weather's lovely...

    3. Doctor Syntax Silver badge

      " can data even be safely transferred to the UK (GCHQ) ?"

      As I've said elsewhere it's going to be a step at a time. We're starting to move in the right direction and this is going to gather momentum. Pissing off MPs wasn't a bright move from their point of view.

  6. Anonymous Coward

    The fact that the Irish DPC is over a supermarket in a small country town pretty much sums up the government's attitude!

    1. Semtex451
      Coat

      Photo

      The Google employee in the background pretty much sums up their attitude!

    2. AndrewInIreland

      you can thank Charlie McCreevy's Decentralisation plan for that...

    3. Doctor Syntax Silver badge

      " the Irish DPC is over a supermarket in a small country town"

      I think they may be looking for larger premises soon.

  7. LucreLout

    I don't get it....

    Everyone jumps all over data shipping to the USA, which I'm not attempting to defend, yet conveniently ignores it going to India.

    Yes, your data goes to India, it just does so via a totally artificial process. Your bank (actually pretty well any large company with which you interact), has an army of Indians dialling into virtual machines hosted inside the EU to process and manipulate your data. The working hypothesis being that what they see is an image of data held within the EU not the data itself, so no Safe Harbour violation.

    Sounds great? No, I didn't think so either. Especially when you understand that one poorly secured connection process later and they can copy that data from the virt to the local physical machine, after which it can and does go anywhere.

    1. Stoneshop

      There's a slight difference

      If your bank data goes astray, you have an entity to yell at that is subject to your local data protection laws, and there's a central banking authority who will be interested in what happened. Also, if it's not just isolated incidents, customers will start voting with their feet.

      Banks don't like any of that.

      1. LucreLout

        Re: There's a slight difference

        @Stoneshop

        If your bank data goes astray, you have an entity to yell at that is subject to your local data protection laws

        Agreed, but that doesn't bring your data back. You will, in all likelihood simply never know it's been copied and sold.

        Forget any financial implication for a moment, as fraud is legally the bank's problem to pay for, and think about how many contactless payments a person makes in a month or two. I'd know where you lived, where you worked, what you spend your time doing, I could probably work out many of your hobbies - including any you may not advertise.

        The privacy invasion is at the very least comparable to any artificial nonsense you may (or not) spend your time writing on tw@tter or Farcebook. One thing I discovered when I was doing my MSc, is that while a great many companies claim not to sell your data to third parties, none of them (at the time of my study) claimed not to buy data about you from them. Think about that, then think about the rampant data theft from Indian outsourcing shops that you may not have realised even had access in the first place....

        1. Graham Cobb Silver badge

          Re: There's a slight difference

          If you had hobbies you didn't want to advertise, what would you be doing using banking services to pay for them?

          In the last couple of years, I have moved as much as possible of my spending to cash. Not because I have something to hide, but because I don't. But others may and their behaviour shouldn't stand out.

          In particular, I have stopped using cards (credit, debit or loyalty) in supermarkets at all. Now that the supermarkets and credit card companies track not just the total, but every item on the receipt I have no wish to provide that information for them.
