back to article 'Safe Harbor': People in Europe 'can get quite litigious about this'

Both small and large US data centre companies are walking "headlong into a legislative buzzsaw" following a landmark 'Safe Harbor' ruling this week, the founder of database software company NuoDB, Barry Morris, has said. On Tuesday the European Court of Justice struck down the 15-year-old "Safe Harbor" pact, invalidating the …

  1. Your alien overlord - fear me

    Morris added that people in Europe "can get quite litigious about this" - confusing "us" with "US of A" I think.

  2. Stuart 22

    Deal or No Deal?

    Don't you have a feeling that the EU commission can suddenly find a fast way to a new harbour in exchange for a wee concession from the USA in the TTIP negotiations?

    1. frank ly
      Thumb Up

      Re: Deal or No Deal?

      Or maybe the US corps will sue the EC governments in secret session, in accordance with TTIP provisions? That sounds like an easier way to make money.

      1. Anonymous Coward
        Anonymous Coward

        Re: Deal or No Deal?

        If TTIP follows with ISDS similar to TPP then expect to see VAG (Volkswagen) sue both the EPA and California's version of the same. This is going to cut both ways, not just US firms attacking EU regulations.

        On a closely related note, the ECJ ruling pits the US multinationals against each individual country's DPA. Kind of lopsided don't you think and this will be even more lopsided if the US corporations pool their resources.... Then toss in TTIP and it will get real ugly, real fast.

    2. Anonymous Coward
      Terminator

      Re: Deal or No Deal?

      SAFE [sic joke] HARBOR II - The Zombie Lie

  3. JimmyPage Silver badge
    Thumb Up

    Beat me to it ..

    Time for a new icon ... pot and kettle perhaps ?

  4. alain williams Silver badge

    David Smith of ICO is a plonker

    said of the ruling earlier this week that businesses using Safe Harbor will need to review how they ensure that data transferred to the US is transferred in line with the law.

    In other words ''business as usual chaps, wait a bit and some lawyer magic will fix it all". What he should have said is "the USA is not safe, review what items of data you send there. Stuff that is too sensitive you will have to not send and look to process it in Europe".

    What a chocolate teapot organisation.

    1. JasonB

      Re: David Smith of ICO is a plonker

      "said of the ruling earlier this week that businesses using Safe Harbor will need to review how they ensure that data transferred to the US is transferred in line with the law.

      In other words ''business as usual chaps, wait a bit and some lawyer magic will fix it all". What he should have said is "the USA is not safe, review what items of data you send there. Stuff that is too sensitive you will have to not send and look to process it in Europe".

      What a chocolate teapot organisation."

      Absolutely!

      i remember challenging the concept of the Safe Harbor as American laws meant the FBI could look at the information with little effort. The ICO wasters never accepted this.

      That and the fact that he's accepted that publishing to a blog or facebook counts as journalism and is a far as those morons are concerned exempt from the Data Protection Act. Try telling that to the patient whose picture has been posted to facebook with less than flattering comments.

      Frankly the current IC should be sacked long with his staff and replaced by qualified people (last time I checked less than half the ICO staff had any qualifications in Data Protection, although that was a few years ago).

  5. Anonymous Coward
    Anonymous Coward

    Since the Office 365 authentication services are only in the US. Where your storage is becomes irrelevant.

    What's the point in agreements and policy if it's not enforceable by the US anyway.

    1. Anonymous Coward
      Anonymous Coward

      tehcnically yes, but legally no.

      It would illegal to pretend to be you and use your authentication to access data on a UK server.

  6. Dr Paul Taylor

    Let's have some European competition

    Why the hell was all this personal data going across the Atlantic in the first place? Europeans (for example El Reg for their lectures) have lazily been using American websites (such as Eventbrite) when it would be easy and entirely in line with the principles of Capitalism for there to be similar sites offering competing services in other countries. We should all take this ECJ judgment as an opportunity. It is time for all sorts of reasons to overthrow the American monopoly of such services. To Hell with Facebook, Google, Amazon and the rest of them!

    1. Len
      Go

      Re: Let's have some European competition

      Hear hear!

      It’s time we get some of our pride back. With over 500 million EU citizens the EU home market is considerably bigger than the US home market and nowadays has a fairly homogenous legislation making the rise of European internet giants a real possibility.

      Of course, the challenge remains that we have so many languages but that could be turned into an advantage. American companies are notoriously bad at internationalisation and localisation (why does Facebook insist on telling me the temperature at an event in the UK in Fahrenheit!? Why does Tweetdeck insist on only allowing to schedule tweets using the moronic 12 h clock!? Why does Wordpress default to the broken date notation of 5-13-2015!?). We should be able to turn this American weakness into an advantage for rapid growth.

      I actually appreciate the actions of companies such as large hoster OVH that publicly state that "OVH datacentres are situated outside Patriot Act jurisdiction area" (https://www.ovh.co.uk/aboutus/technologies/datacenters.xml). My company too has added to its privacy statement that all our data is hosted inside the EU. More companies should be doing (and saying) similar things.

      The real remaining challenge is then funding. European investors are typically much more risk averse when it comes to throwing cash at the umpteenth ‘Facebook+household chores+menstrual cycle+currency markets social sharing mash-up service’ than American investors are.

      1. Anonymous Coward
        Anonymous Coward

        Re: Let's have some European competition

        No, the remaining challenge is the bureaucrats and that's when who you know is what's important. Funding is anticlimactic after that. Those two are reversed in the US where business connections are the prime factor, especially who is fundieyou.

    2. Lars
      Flame

      Re: Let's have some European competition

      Yes, but look at how some of us behave (think!), you know, the gigolo Germans, the manjana Brits, The cheese eating Italianos, the double duch speaking French and so on, and so on. All that shit I decided not to move into my kids brains long ago. Fairly popular shit even among commentards on this site.

      1. Anonymous Coward
        WTF?

        Re: Let's have some European competition

        Eh Lars? Wrong icon? Or ischæmic event?

  7. Gordon 10 Silver badge
    Stop

    How can it be a fig leaf

    If it pre-dates the Safe Harbor legislation anyway and is also a standard approved by some EU rubber stamping body - as per the previous article.

    What it does seem to is extend safe harbour style protections to the US companies at the expense of making them more open to customer lawsuits if they abuse it - so it sounds like a partial win-win to me. They may have to tweak their replication/sharding strategies and build out a bit more capacity but I suspect that most have the basic infrastructure to cope. Given MS'es statements and the current US lawsuit - there's reason to suspect that they are pretty much ready for this. If facebitch hasn't done the prep for this already they are just clueless.

    Also I doubt very much the big boys are going to feel much pain from this. Reams of data already has geographical boundaries - the ruling just adds a set of new countries/regions to it - so they already have the infrastructure to cope.

    The ones that are gonna hurt are the S&ME's who are restricted to onshore US processing - payroll outsourcers and the like.

    1. Anonymous Coward
      Anonymous Coward

      Re: How can it be a fig leaf

      >The ones that are gonna hurt are the S&ME's who are restricted to onshore US processing - payroll outsourcers and the like.

      They should have a word with their political representatives about that then.

  8. Anonymous Coward
    Anonymous Coward

    Companies are either going to figure out it will limit their [growth] - or increase their legal costs.

    Good.

    What we need are more, smaller, competing companies; and not large, consolidated, unaccountable, multinational behemoths.

    1. Anonymous Coward
      Anonymous Coward

      You're not suggesting there's something counter-productive about the way these corporations are allowed to form cartels and consolidate to the scale at which they become able to buy up and crush any and all emerging competition and bribe governments to look the other way while they rape the plebs, Shirley?

      Commie bastard.

      1. Destroy All Monsters Silver badge
        Big Brother

        I'm actually rabidly free-market and I'm Ok with this!

        Also:

        allegedly indiscriminate surveillance by the US

        The adjective should be on a sliding scale:

        "potentially" <------||--> "actually"

        but "allegedly" is utterly inappropriate here.

        Or is someone afraid Uncle Sam will start a defamation lawsuit? Then the whole of El Reg towers gets bombed repeatedly accidentally.

  9. Anonymous Coward
    Anonymous Coward

    Oh good, now we can trust Facebook (cough)

    Is there anyone out there that actually believes the American NSA et al weren't going to get their hands on every bit of crap they submitted to the (contemptious-of-privacy) Facebook anyway, either via quasi-legal weaselling or via outright illegality they know they'll get away with regardless?

    It's not like the laws mean anything when they can get away with breaking them- if you think your data will be safer when being (ostensibly) kept within Europe, then I have a bridge to sell you.

    1. Anonymous Coward
      Anonymous Coward

      Re: Oh good, now we can trust Facebook (cough)

      I hear the "Athens Affair" was actually NSA who declined to switch off their listening gear...

    2. Anonymous Coward
      Anonymous Coward

      Re: Oh good, now we can trust Facebook (cough)

      It's not that black and white.

      NSA and the likes will always be able to get your data. That remains unchanged.

      But Facebook can't commercialize your personal information as easily as before, their legal risk is higher now. Also, US courts will have a harder time to do "parallel construction".

      1. Pascal Monett Silver badge
        Flame

        Anything that makes life harder for privacy-violating scum is good in my book.

        Ya hear that, Google/Facebook/Microsoft+20 million others ?

        Oh, right. Everybody's doing it.

        WELL THAT DOESN'T MAKE IT RIGHT.

  10. Anonymous Coward
    Anonymous Coward

    I always read how this affects businesses...

    So a Court of Justice, and the highest one in Europe at that, is being criticised repeatedly everywhere for not considering the impact on businesses? Well heck yes, that's what we expect from a court over here, where you cannot buy justice (at least not that easily). Of course the Land of the Free won't understand!

  11. NRGFXIT

    Safe Harbour - The age of the Digital Maginot Line

    If Uncle Sam wants it, and they have a US entity they can use as a conduit, their attitude is they have a right to it and will get it by hook or by crook. In Safe Harbour or other contractural remedy we are doing little more than making paperwork, manifesting the digital equivalent of Frances World War II folly, the Maginot Line. No contract clause or its ilk will stop them breaching EU data protection.

    Read my full breakdown at ‘Safe Harbour and the age of the Digital Maginot Line’ http://nrgfxit.net/2015/10/08/safe-harbour-and-the-age-of-the-digital-maginot-line/

  12. Doctor Syntax Silver badge

    the shift in the legislative landscape

    I think the guy needs to understand a bit about law. Legislation is what legislatures produce - statutes. Courts interpret those to apply them to the facts of specific cases. So the ECJ's decision is not legislation. There's been no recent legislative shift. The most recent shift was in the US. It was the PATRIOT act.

    What the ECJ has done is interpret existing EU law in a case in which the facts include the current state of data protection in the US in the wake of the PATRIOT act.

    It should have been quite clear for several years that any time anybody took the Safe Harbour to court it would be found wanting. It's amazing it lasted so long.

  13. a_yank_lurker Silver badge

    A Puzzler

    What is preventing a US company from largely using EU privacy rules as a matter of internal practice? If they did, then the EU's rulings would largely be moot.

    1. sysconfig

      Re: A Puzzler

      They can't, because they cannot guarantee that US law enforcement and three letter agencies won't demand the data (or lift it by means that don't even involve the knowledge of the company) and then use it in any way they please. This is what creates the breach of EU privacy laws.

      So the question is, if the fall of Safe Harbour is such a big deal for the US economy, why don't they employ privacy laws similar to Europe and introduce some oversight as to who, when and why data is required? What is preventing the US from doing that?

    2. SImon Hobson Silver badge

      Re: A Puzzler

      > What is preventing a US company from largely using EU privacy rules as a matter of internal practice?

      Nothing at all - and that's what the "alternatives" are about. It's been suggested that model contract clauses could handle this, and that's the "fig leaf" that's being talked about.

      But as pointed out, the law in the US means that such clauses are not worth the paper they are written on. Because US law does not respect privacy etc, no company with a US presence is able to offer such guarantees - to do so either exhibits an incredible ignorance of the law, or an incredible ability to bullsh!t with a straight face.

      The ONLY difference between Safe Habour and these contractual alternatives is that only Safe Harbour has been tested in court (yet). Yes, others will no doubt revamp their T&Cs - but sooner or later another Max Screms will bring a case and those T&Cs will also be found to be worthless.

      Put simple, it is not legally possible to transfer personal data to any company with a US presence without the express permission of the data subject. Even where permission has been "given", future court cases may rule that as not sufficient - eg a school making parent "give" permission for their child's data to be sent to the US for processing as a condition of the child being educated would be struck down if it ever got to court.

      The law to take control of this is already there - it just needs enough of us to make official complaints and back them up in order for all these "fig leaves" to be stripped off.

  14. PapaD

    One option

    Could US companies move ALL of their data processing to the EU, and thereby protect US citizens from all encompassing data grabs by TLAs?

    Or would the fact that the data isn't about an EU citizen make that protection meaningless.

    Within the EU, is all personal data protected, or just EU citizens/residents data?

    1. SImon Hobson Silver badge

      Re: One option

      > Could US companies move ALL of their data processing to the EU, and thereby protect US citizens from all encompassing data grabs by TLAs?

      NO, that doesn't work. If the data is still "under the control of" the US company then it's still "up for grabs" by the US TLAs. There also needs to be a corporate structure in place making the data physically inaccessible to the US based company - see the Microsoft Ireland case for an example of how that might work.

      1. Richard 12 Silver badge

        Re: One option

        And for what the US does about it.

        The result of that case will either kill all US "cloud" providers forever, or permit them to have wholly-owned EU subsidiaries.

        Yet the US TLAs do not see that - or don't care.

  15. Anonymous Coward
    Anonymous Coward

    Dallas Buyers Club

    The europeans should attach a small fragment of the Dallas Buyers Club bit-torrent to every data set.

    If the NSA is pirating personal information of individuals they will have the American Movie Industry coming after them.

    If the US goverment and European Courts are unable to keep these guys in check - the Movie Industry surely will.

  16. Anonymous Coward
    Anonymous Coward

    Blame the Feds, man...

    Don't blame the EU, blame the Feds.

    If they weren't so keen to ignore extraterritoriality, then the Safe Harbour would still be in place.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2020