back to article After safe harbour: Navigating data sovereignty

Max Schrems has a lot to answer for. The Austrian is single-handedly responsible for bringing down a key transnational data agreement that has left cloud service providers scrabbling for legal counsel. This is either a good thing, if you’re a privacy activist concerned about intrusive US surveillance policies, or a confusing and …

  1. Voland's right hand Silver badge

    Schrems has nothing to answer for

    If we did not have him, the passing of CISA would have created him.

    It would take an act of god to come up with an agreement which can accommodate both CISA and the Eu charter of human rights.

    1. Destroy All Monsters Silver badge

      Re: Schrems has nothing to answer for

      That was sarcasm though.

      If the whole construction drops on the floor like spaghetti when challenged, that's where it should be.

    2. big_D Silver badge

      Re: Schrems has nothing to answer for

      Schrems has also taken out a new case against the Standard Contractual Clauses.

      1. Doctor Syntax Silver badge

        Re: Schrems has nothing to answer for

        "Schrems has also taken out a new case against the Standard Contractual Clauses."

        Excellent news. I suppose it's too much to expect whoever the defendants are to fold on the basis that such clauses have exactly the same problem that Safe Harbour did.

  2. Anonymous Coward
    Boffin

    Good old MSFT

    I'm happy keeping everything hosted on OneDrive for Business, that allowed me to right-size the BOFH who 'ran' the SAN.

  3. Anonymous Coward
    Anonymous Coward

    Article correction

    The Austrian is single-handedly responsible for bringing down a key transnational data agreement that has left cloud service providers scrabbling for legal counsel

    No, he hasn't. All Schrems really did was CLARIFYING that said agreement was a load of old bollocks and they should stop pretending in the US that EU data has any protection from acts that would violate the 4th amendment if it concerned US citizens (a protection which, by the way, US citizens don't have either, but that's their problem to sort out).

    Anyone who ever accepted Safe Harbor's premise of self certification should never be trusted with any data of a personal nature because they're clearly not up to date on what it takes to really protect information. Rule 1 is to avoid anything hosted in the US.

    1. Gene Cash Silver badge

      Re: Article correction

      > Anyone who ever accepted Safe Harbor's premise of self certification should never be trusted with any data

      That's not much different than everyone in IT pretty much knowing the NSA was spying on everything on the net, and then the "holy shit" revelations from Snowden revealing what was really going on.

      Schrems explicitly shined the spotlight on the problems in a way that showed all the cockroaches scurrying around and people could no longer ignore the issue.

      You & I knowing it's a problem is an order of magnitude different from Facebook and all the cloud providers finally "knowing" it's an issue and having to acknowledge it to a point it makes a monetary difference.

      It's now something that FB and Zuckerman can't say "yeah whatevs, you have no privacy, get over it" any more.

  4. Doctor Syntax Silver badge

    "There is also a move in the US to pass the Judicial Redress Act, which would give non-US residents a chance to complain to the same degree as US citizens if their data is mishandled."

    Which again fails on exactly the same basis as Safe Harbour did.

    It really is very simple. You cannot export EU citizens' personal data from the EU to the US. If you want to process it in any way you have to do so in the EU or any country with equivalent rules and with a sufficient legal air-gap to stop the US's view that they're entitled to go anywhere they please to get any data they choose. Nothing else will do. Now stop whining & just get on with doing what you know you have to do.

    And yes, I know about GCHQ & the rest. I've a feeling they'll be on the receiving end of a challenge sooner rather than later. One step at a time.

    1. P. Lee

      >You cannot export EU citizens' personal data from the EU to the US. If you want to process it in any way you have to do so in the EU or any country with equivalent rules and with a sufficient legal air-gap to stop the US's view that they're entitled to go anywhere they please to get any data they choose.

      Absolutely true, but the USGov will lean on any organisation it can to get the data. The multinational is stuck with doing something illegal no matter what it does. I haven't heard of a resolution of USGov vs MS(Ireland) so even not being officially a US company is no protection. The only protection is the company being more afraid of the EU than it is of USGov - no appreciable US assets and no desire by directors to visit the US.

      Having a (US) multinational unable to play in the space is viewed as intolerable by the USGov, so they are stuck with not wanting a resolution either way. They would rather play in a grey area. The latest US "cybersecurity" bill pretty much formalises this. "You give us everything we want and we won't tell." They won't need the NSA after that.

      As far as Cloud goes, I'm not a fan. "We gave all your data away, but hey, it didn't cost us much to do it!" isn't the argument we want to hear. If you can't automate your IT, find someone with skills. AWS might be cheaper, but if you are a large business and your business model relies on that kind of cost saving, you've got the wrong business model. Perhaps the banning of US Cloud companies will spur the growth of Non-US cloud companies which fall only under national jurisdiction. Isn't that the point of it all - control of the data by those from whom the data is taken? Wouldn't Americans be incensed if their banking data was all processed in China? Guess what, despite the US' self-image, much of the world doesn't see them as "the good guys." If you want to be seen as the good guys, fix your legal system and your attitude of complete disregard for the rights and legal systems of others.

      1. Anonymous Coward
        Anonymous Coward

        >Perhaps the banning of US Cloud companies will spur the growth of Non-US cloud companies which fall only under national jurisdiction.

        This. Why the hell not, after all? You could pretty much build the infrastructure in your sleep if you're any kind of Regtard worth your salt, and it's a hot topic right now so what better time? I'm actually a bit surprised I've not seen firms advertising "sovereignty guaranteed" cloud hosting on the back of all this.

        This sort of thing is exactly why I've always gone with hosts that have only UK datacentres: were it not this exact thing, it would have been some other jurisdictional brouhaha to extricate m'clients from. There was bound to be one eventually, so I've always seen it as saving future headaches.

        [That said, back when I arrived at that policy I didn't anticipate quite how questionable our *own* data governance would become wrt rule of law and so forth; but I'd still rather it be a UK court I go to the mat in, if I ever have to. Sweden seems a bit hit-and-miss depending who/how influential the plaintiff is.]

  5. Paul Crawford Silver badge

    Technological solution

    The main problems with all of this discussion about the legal aspect is it relies on all gov doing the same thing in law as the EU standard and companies honouring that as well. Both as slow and unlikely to happen, and also likely to get screwed over by some gov deciding to change the law on slurping (or just doing it by the back door of secret court orders).

    But there is the option of encrypting a customer's data with their own key(s) in such a way that the cloud service never has access to said keys. In that sense it matters not one hoot as to where your data is because its always under your lock & key.

    Yes, I know it might not be fully NAS-proof if they took a fancy to it, but it is enough for companies to be able to honestly say they cannot prove clear-text data, so there is no point in asking. In addition there is little to no risk of accidental disclosure to a corrupt cloud company employee, discarded equipment, sale if cloud company goes in to administration or is taken over, etc...

    Of course that has its own issues, and is not going to go down well with data slurping companies like FB, Google and (sadly now) MS where scanning your data to whore you to advertisers is how they make a living. They could work around that to have a decent compromise, but without all of the lovely profitable user-identifying data to play with. So bugger-all chance of them volunteering to do this.

    1. Anonymous Coward
      Anonymous Coward

      Re: Technological solution

      But there is the option of encrypting a customer's data with their own key(s) in such a way that the cloud service never has access to said keys. In that sense it matters not one hoot as to where your data is because its always under your lock & key.

      Not so fast, Paul, you just mentioned the word "legal". The premise "asking us fort cleartext data is pointless because we don't have a key" has as yet not been proven in court - there is no case law to back up that that is indeed an answer that absolves the provider from a failure to supply data under warrant. The way I see US legislation going (badly for privacy) it is well possible that at some point a company will be alleged to obstruct justice by doing this at which point the Backdoor Boys™ finally have what they want via a different route (because that idea won't die either, as idiotic as it is).

      From where I sit I see no sign that the US government is realising it has drilled a rather large hole below the waterline for all Silicon Valley service providers, and they had about 15 years to discover that (because the flaws in Safe Harbor were not exactly hard to spot - it's not the EU's fault that they chose to ignore them). I know most of Silicon Valley that could afford a lawyer was definitely aware because I have entertained myself for years asking their CEOs those questions on shows and watch them squirm and undo their glossy presentations (yes, I don't get invited much now, but they can't keep out a paying customer and it's worth it for the entertainment alone :) ). I also kept running into lobbyists in EU Parliament surroundings and forums, so the collective wailing about the demise of Safe Harbor was rather fake, they knew damn well they were making profits on legally very shaky grounds. The only reason Safe Harbor even came into being was to prevent US trade restrictions, but Snowden provided enough political power to the EU to ruin that particular game of blackmail for the US, at least this time round (what they negotiate in secret is for another time).

      However, on the plus side (for them, not us), now it has become clear that one private bank founder by the name of Tony Blair has quietly allowed a sort of NSA mirror to be established without any shred of democratic process, maybe US providers can now claim to be at least UK compatible?

      1. Havin_it

        Re: Technological solution

        >there is no case law to back up that that is indeed an answer that absolves the provider from a failure to supply data under warrant.

        Wait, what?

        "You are under arrest for failing to surrender data that you never possessed in the first place."

        I'm the most paranoid person I know [OR AM I?] and even I don't think that'll cut much ice.

  6. Doctor Syntax Silver badge

    "But there is the option of encrypting a customer's data with their own key(s) in such a way that the cloud service never has access to said keys."

    If this is just the customer using the service for storage, then yes. But the problems start when the service company is doing some processing. Think, for instance, of your pension company processing your data in the US. Or your employer using an online HR system there.

  7. dan1980

    Max Schrems has a lot to answer for . . .

    Indeed he does - how dare he point out the nudity of the emperor!

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like