back to article Data protection: Don't be an emotional knee jerk. When it comes to the law, RTFM

How many times have you spoken to someone in a call centre who refused to give you information on the basis that the "Data Protection Act" prevents them? Any potential customers in Germany who told you they can’t buy your IT or cloud service because their law prohibits data transfers outside Germany? Has anyone told you that a …

  1. Anonymous Coward
    Anonymous Coward

    Ultra-paranoid, neo-Stalinist USA back on official safe list.

    But not my safe list. Ever.

    1. Pascal Monett Silver badge
      Big Brother

      The NSA knows all about your safe list.

      And it is barely amused.

  2. Whitter
    Devil

    ... this will validate EU/US data transfers once more...

    "... the new Privacy Shield has been negotiated and, with some additional oversights from the US and a little less snooping, this will validate EU/US data transfers once more..."

    I'll admit to being entirely the target audience for this article: is this claim really leaglly true? I would not have thought so myself but, erm, haven't read the law or contracts...!

    1. DaLo

      Re: ... this will validate EU/US data transfers once more...

      The privacy shield has not been ratified and is still currently pending final approval.

      Once it has it will then allow data transfers to the US as a trusted international nation similar to how Safe Harbour was previously accepted (i.e. as long as the US company follows the terms and abides by Privacy Shield then they can have data transferred to them rather than negotiating an individual contract).

    2. TheCloudLawyer

      Re: ... this will validate EU/US data transfers once more...

      Yep, like DaLo said they just need to finalise & ratify but then, like Safe Harbour, you will be able to transfer data to US companies accredited under Privacy Shield.

      1. Anonymous Coward
        Anonymous Coward

        Re: ... this will validate EU/US data transfers once more...

        like Safe Harbour, you will be able to transfer data to US companies accredited under Privacy Shield.

        So that means snoop as normal for the US government then. Nothing will change in the US until they enact the same privacy laws as we have in the EU.

      2. Adam 52 Silver badge

        Re: ... this will validate EU/US data transfers once more...

        Privacy Shield won't change the fact that it, and any contractual provisions, aren't worth anything because of US legislation.

        That was what the Court had an issue with and *nothing* has changed. For an author so obsessed with reading things, Court judgements are worth reading too.

        What it will do is give companies enough legal cover to claim that they are compliant until someone like Max takes another case through the courts.

        1. SImon Hobson Bronze badge

          Re: ... this will validate EU/US data transfers once more...

          > What it will do is give companies enough legal cover to claim that they are compliant until someone like Max takes another case through the courts.

          Indeed, it will be, at best, a very temporary reprieve - and will last a lot shorter time than Safe Harbour (I'd guess months rather than years). Because I assume the likes of FarceBork will quickly use it and Max will be back in court with the same case again. All the evidence is already there, already assessed by the court, and nothing significant will have changed.

          Anyone who uses Safe Shield will be an idiot, and will find themselves in the brown stuff once it too is declared worthless. Well not quite worthless, though I suspect printed material like that isn't very comfortable for use in "the little room".

          The USA, and any company with a presence in the USA, will be off the friends list for a long time - basically until the US government caves in and changes it's laws in ways it so far shows no interest in doing. In fact, so far it seems to be negotiating Safe Shield, while at the same time making it's laws even more incompatible with it.

          1. Jeroen Braamhaar

            Re: ... this will validate EU/US data transfers once more...

            "The USA, and any company with a presence in the USA, will be off the friends list for a long time - basically until the US government caves in and changes it's laws in ways it so far shows no interest in doing."

            Unfortunately intelligence services have become very good in concealing scope, scale and depth of their activities from oversight - and if anyone believes that this Safe Harbor Mk2 will change anything to limit that, they are very much deceiving themselves.

            It's not just laws that need changing ....

  3. Doctor Syntax Silver badge

    "Or has a customer refused to buy your solution because you’re reselling public cloud, which means they will lose ownership of data?"

    I'm sorry, Mr Jennings, but there's no way to soften this blow.

    Not everyone obeys the law.

    With increasing remoteness between users and data there's a greater opportunity for one of those who doesn't.

    1. TheCloudLawyer

      True, not everyone obeys the law. Having words in a contract doesn't necessarily change that. And adding more intermediaries into the supply chain could increase the risks. That aside, a large public cloud vendor's standard position will be to recognise the customer owns its data.

      1. Trevor_Pott Gold badge

        That's nothing more than faith speaking, and it means no more than when people bleat about their god(s).

        Microsoft is a large cloud vendor, and they don't even recognize a customer's right to control their own operating system. In what universe can anyone be fool enough to believe they think customers own their own data? Or that Google believes this? Amazon?

        Your data belongs to them, to use, abuse, sell and give to the snoops as they see fit. If you pay them enough money, they might let you use that data in between periods where someone else is using it.

        Public cloud vendors can not be trusted. Especially American ones and most certainly ones named Microsoft.

        But hey, you go put your customers' data in the cloud. I'll weep when you're sued into a hole in the ground when that data is inevitably used against your customers.

        I wonder what president Trump will do with all that delicious data. How nice of you to make his oppression so easily automated.

  4. PaulAb

    On one Hand..And on the other

    The UK watchdog Ofgem has anounced that it wants to create a database for Energy companies to access to sell more of their crap savings offers to certain consumer groups (those who haven't moved supplier for 3 years or more, as an example). So who is protected and what rights do consumers have if this latest laughable government department squib come to fruition? Can you opt out, who regulates what the suppliers see, how secure will it be (Right out the box security is not going to happen with a bunch of plundering suppliers with access to your data), and then we can all look forward to many more years of spam mail/email and foot in the door salesmen(Probable all targeting the weakest in society - Elderly - On meters etc.) you know, the easy meat.

    Ofgen, you and your spangley relationship with those naughty suppliers, you make us all proud.

  5. Doctor Syntax Silver badge

    Privacy Shield?

    You mean the Privacy Figleaf.

    Please tell me, Mr Jennings, how do you think things are improved to any meaningful degree if I have to seek legal redress in the US for breaches there?

    At the very minimum redress should be sought against the EU organisation that exports the data. And even that's not adequate. The US govt agencies clearly consider their interest in the data falls into categories outside the agreement (I think the official category would have to do with national security, their real category is "we want it") so this is as meaningless as the alleged Safe Harbour arrangement.

    1. heyrick Silver badge

      Re: Privacy Shield?

      "At the very minimum redress should be sought against the EU organisation that exports the data."

      This.

      This cannot be upvoted enough.

  6. Huw D

    I'll tell you what's worse...

    "Data Protection" as a cover for "data gathering".

    "Hello, $PersonAtWellKnownStoreThatRhymesWithSparksAndMencer, I'd like a refund on this suit, due to shoddy stitching"

    "Do you have the receipt?"

    "Yes"

    "Ok, and you want the refund back to the card you paid on?"

    "Yes"

    "I just need your address and date of birth"

    "Why?"

    "Data Protection"

    "You didn't need it when I bought the damn thing"

    "But I can't process the refund without it"

    "I bet you can..."

    1. Doctor Syntax Silver badge

      Re: I'll tell you what's worse...

      There really ought to be a clause in the DPA which makes it an offence to invoke the DPA where it's inapplicable

    2. Anonymous Coward
      Anonymous Coward

      Re: I'll tell you what's worse...

      That's the shop assistant not knowing the law, and conflating two different scenarios.

      If you're returning something under the sale-of-goods act (which you were), then you have no obligation to provide any personal information. If you're returning the goods under some scheme that the shop provides that goes over-and-above the act (eg. allowing you to return goods if you've just changed your mind), then they can ask for whatever information that they want.

      The reason that they want your information under those circumstances is to help them try and prevent fraud - which normally takes form of an employee pushing through fake returns and pocketing the cash.

      1. Sam Liddicott

        Re: I'll tell you what's worse...

        Not if you depended on the notices of their "over-and-above" scheme when you bought the item, and those notices did not mention the need to gather personal information.

    3. captain veg Silver badge

      Re: I'll tell you what's worse...

      I had that at Debenhams (IIRC) trying to return a shirt that was a different size to that advertised on the packaging. This was back in the 1980s, before "data protection" was a thing. Only the excuse changes.

      -A.

  7. Mike Shepherd
    Meh

    Euphemisms

    With heroic terms like "Safe Harbour" and "Privacy Shield", you can be sure there's a lot of deception going on.

    1. TheCloudLawyer

      Re: Euphemisms

      Haha, it does make it sound like a film sponsored by Marvel...

    2. John G Imrie

      Re: Euphemisms

      "Safe Harbour" and "Privacy Shield" where the titles of the treaties. To quote Sir Humphrey Appleby -

      you always dispose of the difficult bit in the title. It does less harm there than on the statute books

  8. Anonymous Coward
    Anonymous Coward

    And yet the ICO spout the same rubbish

    I had a few questions about the data protection law basically outlining situations where someone may expect privacy from a business but in situations which weren't covered by the data protection act. My question was whether there were any general privacy directives that would cover these situations so I could state these when doing employee inductions.

    Half an hour of misinformation and misunderstanding by the ICO representative followed where the entire reasoning and purpose of the act was turned on its head (rather than protecting information that falls under the act he essentially said that you should store more data rather than less). Anyway in the end he agreed that there was no lawful right of privacy for information or data that does not fall within the scope of the act unless covered by other scenarios such as slander, libel and pseudo legal such as PCI.

    However I wonder how an ICO adviser (who I had to wait for quite some time to call me after an enquiry so it wasn't just a call centre worker) did not understand the fundamentals of the act and also immediately and continuously took an over authoritative and patronising stance while not actually basing his advice on facts.

  9. sysconfig

    Law/Theory vs Practice

    The thing with law is that it looks excellent on paper (more or less). If a customer says they don't want to do business because their data protection laws forbid it, you can just substitute with: "I'd rather keep the data in a country where I can take legal action without jumping through hoops" -- the country said customer lives in. Or it could simply mean: "I don't trust you or your country."

    If you then look at how data is being used here in the UK for example, and what the gubbermint's plans are (health data, utilities as pointed out earlier), you can easily understand that even within the confines of their own borders, people become increasingly wary about who to share their data with. Can't blame anybody in Europe who followed the Safe Harbour / Privacy Shield and, more recently, IPBill events, if they refuse to do business with the UK, especially with the EU membership discussion looming, which may or may not change how data is handled. Uncertainty is something that will put off businesses, especially big ones.

    I don't need to read the law to understand this: No matter where the leak is, once my data is shared with third parties, we're past the point of no return. You can sue the crap out of the leaking party, but you can't revert a data protection violation. It's too late; the data is out there.

    So rather than going by the letter of the law, the decision who to do business with (and where) boils down to a very simple question: Do I trust the party to keep data safe (and am I convinced that third parties cannot lay hands on it -- like in the US)?

    If it's anything short of a yes, we're not going to do business together, regardless of what the law says.

    1. TheCloudLawyer

      Re: Law/Theory vs Practice

      "Do I trust the party to keep data safe (and am I convinced that third parties cannot lay hands on it -- like in the US)?

      If it's anything short of a yes, we're not going to do business together, regardless of what the law says."

      Agreed. The law is a fall back position but shouldn't replace due diligence on suppliers (and customers for that matter) or common sense.

    2. Whitter
      Unhappy

      Re: Law/Theory vs Practice

      And should they go bankrupt and bought in a administration fire-sale, will I trust the new owners?

  10. teebie

    Data protection, like health and safety, is a helpful and constructive idea that is too often co-opted by dishonest bellends as an excuse not to do something they should be doing as part of their job.

  11. Uplink

    Data Protection as an excuse to be lazy

    One day I was unable to go through the Overground gates using my contactless card. After a few attempts which resulted in "seek assistance", I went online to see what the Internet has to say about this. The TfL website said that the staff at the station should be able to tell me what's going on, so I went and asked. The response? "Talk to your bank. I can't tell you what's wrong because of Data Protection." even after pointing out what the website said. They didn't even try to look up any error data that could have said "it's your bank's fault". Later on I called the bank and they said there's nothing wrong with my card - it wasn't blocked, wasn't subject to fraud, nothing. And it worked fine since then too. But I'll never know what happened.

    1. Anonymous Coward
      Anonymous Coward

      Re: Data Protection as an excuse to be lazy

      TfL seems to have interesting ideas about the DPA in other areas too - they had a habit a couple of years ago of mendaciously using "data protection" as an excuse to ignore informal challenges against on street parking Penalty Charge Notices served on hired vehicles when both the hire company (the registered keeper) and the hirer were clearly limited companies rather than living individuals, the Ltd at the end of the names being something of a clue. That this misinterpretation denies the hirer an opportunity to challenge before the cost goes up from £65 to £130 was, I am quite sure, coincidental.

      Buried down in the obscure depths of s. 1(1) DPA (the top of page 2 of the print version) is the cryptic definition:

      “personal data” means data which relate to a living individual who can be identified—

      (a) from those data, or

      (b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller,

      and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual;

  12. Eclectic Man Silver badge

    Overheard conversation

    On a bus to the airport a few weeks ago (yes, I do go on holiday once in a while) I heard a builder complaining that he had applied for some jobs form a company and not heard back. When he enquired, he got the impression that the jobs were fictitious, and the company was merely creating a list of suppliers of building services which they could then approach when a real job appeared, presumably for a commission.

    Just because the DPA applies in the UK does not mean it is being observed here.

  13. Wommit

    Oh, not again.

    Read Snowden's revelations, read Shrem's argument, this situation was never about the corporations on any side of the pond. It has always been about governments illegally accessing / demanding data to which they have no right. At one time I could just point to the USA, but now it's the UK too.

    'National Security' is being used as a cover excuse for anything the agencies might even think ( sorry - one sentence with agencies and think in it,) that they might vaguely, just possibly sometime in the future like to have a laugh^Wlook at. Along with terrorists and peodos of course.

    Nothing has changed, if you have a contract with a US / UK company to safeguard your data you've wasted your time. It means nothing, it will not stop the 'authorities' getting access. You most likely will never even know that the data has been accessed.

    It isn't contracts that need to be changed or renegotiated, it's laws. Until governments can be forced to remember that they are supposed to be servants of the people, rather than masters of the rabble. nothing is going to change.

    Roll on the revolution.

  14. big_D Silver badge

    But the Bundesdatenschutzgesetz, the German data protection law, does not prevent transfers of data outside Germany.

    The BDSG maybe not, but the Finanzamt (the equivalent of Inland Revenue) says that any tax related information cannot be stored on servers outside of Germany.

    There are certain get-arounds - you can apply for an exemption certificate, but you need to prove that the data is safe and won't do a disappearing act or be changed, and that it conforms to German accounting practives.

    1. subject

      Could you please identify the relevant law?

  15. Anonymous Coward
    Anonymous Coward

    A knee-jerk anti-cloud reaction is the only sensible policy. Privacy shield? Hah! It's just a re-badged Safe Harbour with the same basic flaws and the same lack of fucks given by US companies.

    "Finally, public cloud, on the whole does not sneakily transfer ownership of your data just by using vendors' services."

    Yes it does. When -not if- it gets hacked, ownership is transferred.

    1. Frank Jennings - The Cloud Lawyer

      Yes, remains to be seen how Privacy Shield will improve in practice what was Safe Harbour.

      I see what you mean about hacking & ownership - once it's out of your control, do you really own it, but that's a different point. The person I spoke to the other day had heard that a large public cloud vendor had inserted terms transferring ownership of data.

      1. subject

        Interesting. Whatever the vendor might think "ownership" means in this context, it can't impact data protection law or criminal law. Perhaps it's assignment of copyright.

    2. Alistair
      Windows

      @moiety

      Whilst I'm inclined to agree wholeheartedly with you moeity, there is the fact that, well, just because the data remains on premises does not mean that it is unhackable.

      c.f. <far to many corporate data leaks>

      and -- well Murphy.

      1. Anonymous Coward
        Anonymous Coward

        Re: @moiety

        There's 2 separate issues here...ownership and control. As soon as your data hits the cloud you -unless you are duplicating locally-encrypted containers and only then- are ceding control. You are subject to terms, conditions and applicable laws of your cloud provider; and the fact that they also care less about your data than you do. What guarantees and promises are offered by the cloud provider mean nothing; they are as ephemeral as the pixels they are delivered on...the company could change management; could go into receivership; and can be dipped into by authorities at any time. That, by the way, was the fundamental flaw in Safe Harbour -warrentless fishing- and that isn't about to change no matter how many pages Privacy Shield devotes to the subject.

        True, they are probably better at security than you are and homebrew security doesn't guarantee quality; but a cloud provider is (usually) a far richer target because if you crack that, the loot is better.

        1. Anonymous Coward
          Anonymous Coward

          Re: @moiety

          Be interesting to see how the encryption features of a hosted SQL Server plays into that when hosted and using, say, homologic functionality.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like