Silicon Valley fights European Court of Justice ruling with small print Robbed of their Safe Harbor protection, US cloud giants are taking shelter behind a new data-export and privacy fig leaf. Microsoft and Salesforce have become the first to publicly invoke “model clauses” – saying customers can continue shipping data outside the EU and onto their servers in the US despite Tuesday's ruling by …
"We have T&C's that state any interaction with the company is subject to US laws and litigation must be commenced in Orange County, California."
Not being a resident of Orange County, California I have no idea what that will entail, and doubt that any sane lawyer in my country would let me sign your T&Cs.
We have T&C's that state any interaction with the company is subject to US laws and litigation must be commenced in Orange County, California.
Yes, that will work - if your business is in the US. Do you want it to be? If so, I have some more bad news, and it's not about tiny weaselly contractual tricks.
Please tell us the name of your employer so we can add them to our 'do not do business with these weasels' blacklists.
That is BS, because you'd be setting yourself up for a game of whack-a-mole. You should bother to simply read the Terms & Conditions, because what's not in the contract cannot be enforced. If it is written in legalese it's up to you to either get a lawyer involved or tel the company that, based on the precarious state of their T&Cs you do not feel confident the relationship is off to a good start and send them out of the door (I've done that, and it took but a week for their director to show up with a new version that was actually in language humans could read).
This is all about risk management. If you have a requirement that can afford a data leak (like a public website), no problem. Otherwise, don't. Not even if you're in the US yourself (that's the bit they are STILL trying to distract people from).
We have T&C's that state any interaction with the company is subject to US laws and litigation must be commenced in Orange County, California.
That is illegal in half of jurisdictions over the world and in most of the Eu this makes any contract or commercial agreement with your company unenforceable under fair contract act(s) and their equivalents. I suggest you take some legal advice from someone with some residual clue and knowledge of the contract and data protection law in the jurisdictions you operate. You may need it.
Apple tried messing with a European court a year or two back and finally realised they were getting themselves into very deep, brown, sticky stuff. One doubts the court would consider your T & Cs valid. Just maybe if your client is a sophisticated, international organisation, but not with the average consumer. Try the same stunt on a US court, and see how far you get.
"We have T&C's that state any interaction with the company is subject to US laws and litigation must be commenced in Orange County, California."
T&Cs cannot overrule national law. If you are doing business in country X, then you are subject to country X's laws, irrespective of whatever may be in your contracts. Essentially no T&Cs can protect you if you act criminally
"If your company is handling customer data and interacts with customers via email you just worked yourself an ICO fine."
Then every company that is using MS Windows 10 & Chrome under their standard EULA, for their client data entry systems are also likely to be in breech...
>so why fret about emails etc. passing through US-based servers etc.
Do you have any US based competitors?
Do you have any staff HR records that a bank/insurer/future employer might find interesting?
Do you want all your financial records to be made public by a foreign FOI request?
"Also, the firm importing the data must agree to limit their data processing to that specific mentioned in a contract and must ensure all its stuff adopt appropriate levels of security and received appropriate training."
Given the requirements of legislation in the Patriot Act (other countries and legislations may and probably do qualify). I don't see how a US 'data importing firm' can agree to this. Or rather, they can agree, but they know their agreement can be set aside under US law at any time, and set aside in a manner that precludes them from telling the data provider that such an event has occurred.
I suppose there could be wording added to the contract saying something of the form 'yes, we agree you can't do anything we don't want you to with this data, but we also agree you can do anything you want with it if you are obliged to under US law, and no you don't have to tell us' - but that wouldn't be a smart contract to sign - at least in my view.
Of course, I'm probably wrong. After all, I'm an Idiot...
How can a "model clause" retroactively apply to data already shipped over earlier?
Microsoft's Smith bloggs: "It also makes clear the need for broader reforms of digital privacy laws around the world to strike a better balance between personal privacy and public safety"
He wants to reform the PRIVACY laws? There is some kind of "balance" that has to be "struck"? Presumably between fully out-of-control TLAs and out-of-control TLAs? And "around the world"???
Privacy is not absolute but about balance, at least as defined in the ECHR, but would these clauses be the ones including:
Clause 5: the data importer agrees and warrants.. that he has no reason to believe that the legislation applicable to him prevents him from fulfilling his obligations...?
Those who needed the Safe Harbor rather than any of the other exemptions can no longer do so, but presumably can now sue the Commission for any costs in relocating to Bulgaria or Argentina and losses during the transition that are directly attributable to not correctly implementing a directive. That sounds like a large bill for the Commission, or rather for EU taxpayers.
"Clause 5: the data importer agrees and warrants.. that he has no reason to believe that the legislation applicable to him prevents him from fulfilling his obligations...?"
If I were a US-based data importer I don't see how I could stand over that clause in an EU court*. Ignorance of the law is no excuse.
*And in my time I've written a lot of stuff I had to be able to stand over in court.
"Those who needed the Safe Harbor rather than any of the other exemptions can no longer do so, but presumably can now sue the Commission for any costs in relocating to Bulgaria or Argentina and losses during the transition that are directly attributable to not correctly implementing a directive."
How so? The safe harbour provisions pre-date the PATRIOT act which has made them invalid in the eyes of the ECJ. So if anybody is responsible for compensating anybod it must be the US govt. Good luck with that.
"Those who needed the Safe Harbor rather than any of the other exemptions can no longer do so, but presumably can now sue the Commission for any costs in relocating to Bulgaria or Argentina and losses during the transition that are directly attributable to not correctly implementing a directive. That sounds like a large bill for the Commission, or rather for EU taxpayers."
Only an American would be so unbelievably fucked up that they believe corporations should be allowed to sue governments for the cost of complying with the law. Your mind is fucking disgusting.
"but presumably can now sue the Commission for any costs in relocating to Bulgaria or Argentina"
What makes you think you can sue anybody for the costs of not breaking the law?
Mandatory car analogy: if the police pull you up & find that there's a fault on your vehicle do you really think you could sue them for the costs of getting it fixed?
Microsoft would not be drawn further on the details of its model clauses.
What?
Are these covered by "commercial confidentiality", the get-out-of-jail card frequently used by politicians, or is this classed as national security?
Azure Core Services, Office 365, Dynamics CRM and Microsoft Intune all comply with model clauses the software giant said.
If they are following the EU drafted rules, which are, presumably in the public domain, then why hide the details? Or is it a case of "We are Microsoft, you can trust us."
This is surely not the way to assure customers that their data is safe.
I just got in duplicate a marketing blurb from Edmodo which is used by a large number of schools in the UK as a homework submission/grading platform. They were ranting about how they care about my privacy and how I should not worry about it and they keep my child data safe. So I guess the marketing counteroffensive has started.
Quite funny:
1. It was "safe" by USA standards with USA child age limits, etc on marketing used throughout. It was not compliant to Eu ones which are different.
2. It was explicitly referring to Safe Harbor as the guarantee for that.
3. All of that was being delivered out of West Coast AWS address range.
I read it (something most parents probably did not) and lobbed a 5 liner at them via their web site with an ultimatum: You move to Europe by next week (even if it is to AWS) or I am going to lob a complaint to the ICO to enforce the ruling and thus force the schools to terminate their agreements with you.
In any case, as per UK (and most of Eu) contract law small print which "legalizes" an illegal action makes the whole contract illegal so doing that is even more suicidal than referring to safe harbor in a privacy policy. Oh, I keep forgetting - Americans, no law but USA law exist. I bet none of these idiots checked if the new small print and marketing they are trying to shovel onto us is legal in the Eu.
I am going to lob a complaint to the ICO to enforce the ruling and thus force the schools to terminate their agreements with you.
Please follow up with this, and let us know how it goes. It'll be useful to know if the ICO is a paper tiger in this, or actually has teeth.
They can keep slurping our data without getting explicit agreement from me just because it passed through some other EU company who has one of the slightly dodgy agreements with companies like Google, sorry Alphabet?
I can't wait for some EU company to try this with US originated data. They'll be on an unmarked LearJet heading west before their lawyers even get the phone call.
Come all you MEP's pass a law banning ALL data going to the USA. Then you might actually earn some respect from your voters. What? you can't? Because some TLA has a few dodgy photos of you?
[redacted]
... made of dry ice last?
Consider any European company that keeps/processes customers data in the USA and has agreed to these model clauses. Do said clauses lower the European company's liability to their own customers? Obviously not.
At that point, the European company can device a cunning plan, m'lord, to put similar model clauses in their own contracts with end customers. The problems with this approach are that: a) European courts aren't usually kind with abusive clauses in EULAs and contracts, more so when they are signed/accepted by private persons, and b) due to the growing public awareness on these issues, European companies taking this route would receive lots of bad PR and lose many customers due to the use of these clauses.
I'd advice the USA govt. to clean up their act and stop all this spying malarkey before they find themselves up to the ears in an economic bloodbath. Actually, they should have done this years ago, and they'll pay dearly for the delay.
"It does mean doing things the hard way and depriving yourself of shiny web toys, but it can be done,"
I think you mean: "As an added bonus, you will waste less of your life and money trying to grapple with something that previously worked fine but which has now been improved to the point of exasperation.".
That the same key reason why the ECJ ruled that the safe harbor provisions dont apply will also cover Binding Corporate Rules and Model Contract Clauses.
Put simply the BCR's and the MCC's needs to guarantee the same levels of protection as the EU countries laws but no US company can do that thanks to the various NSA programmes and the Patriot Act.
A few T's and C's are not going to sway a judge in Texas from issuing a warrant for data in Ireland.
So, knowing that the clauses are pointless any EU company relying on those has no defence to a complaint that they knowlingly passed data to an unsafe country and equally the liability shift back to the processor is going to get bogged down in the US courts as well.
The only sane way any EU company can operate is to have the contract with the EU version of the processor and then specifically ban them from taking the data to the US.
"then specifically ban them from taking the data to the US."
This is another thing the developers of the Internet omitted: route barring lists! Because the only way that would permit data to be transferred over the Internet that fully satisfies this ban is for all IP packets to contain 'region' codes that denote either 'route only within this country/region' or 'avoid this country/region'.
It is beginning to look like we do need to urgently start work on IPv8 or some other unused number (IPv7 was basically an OSI CLNP based version of IP)...
Actually IPv6 will work fine. The address space is easily large enough for each legal jurisdiction to have its own prefix. As a helpful side effect for most (non-business) end-users, a foreign address would then be a very powerful hint for your spam filter.
Of course, it would need someone running the internet who actually cared about running the internet rather than simply milking it.
"Actually IPv6 will work fine. The address space is easily large enough for each legal jurisdiction to have its own prefix."
Remember the IPv6 address space largely follows the IPv4 address structure, hence whilst it would allow the creation of geographic/legal jurisdiction subnets, as per IPv4 it doesn't (currently) have a rigid structure like the international telephone system. So a business would need multiple IP addresses (one subject to legal jurisdiction routing rules and one subject to normal routing rules). Whereas the usage of a route restriction header field would avoid this and provide a field that (with API enhancement) could be populated by an individual application.
However, I suspect the down-voter to my original post had the right of it: If it is important that the data doesn't go outside of a particular jurisdiction then don't use the Internet, use physical private circuits.
"That the same key reason why the ECJ ruled that the safe harbor provisions dont apply will also cover Binding Corporate Rules and Model Contract Clauses."
And it will end up back in the ECJ with a similar decision.
At the very minimum the data exporter should be liable to the EU resident, not the importer, with the case to be heard in an EU court.
"At the very minimum the data exporter should be liable to the EU resident, not the importer, with the case to be heard in an EU court."
As the exporter is effectively the controller of the data they already carry that liability which would fall under the EU jurisdiction the customer and/or controller are in.
For example, a UK citizien buys stuff from a UK business using a cloud based service with servers in the US. The UK citizien is the "data subject", the UK business is the "Data Controller". Its the job of the data controller to have carried out an adequate risk assessment on the use of the cloud service they buy to ensure the data processor can meet the standards previously held to by safe harbor. If they cannot show reasonable due dilligence or other accepted protections the controller is immediately in breach of the DPA.
The reality is that Safe Harbor was on shaky ground after September the 11th 2001 and now any data controller with even half an idea will realise that shipping data to the US without the veneer of protection of safe harbor will mean a huge liability shift to the controller in the EU.
The big players already have stuff in place, its the small to medium businesses which will get the shaft from this.
"As the exporter is effectively the controller of the data they already carry that liability which would fall under the EU jurisdiction the customer and/or controller are in."
I know. The trouble is that AFAICS the Commission is now trying to throw this over the wall. The data subject is to be able to claim from the importer.
It's a big mess. As a data subject am I supposed to be bound by an agreement between my supplier and a third party? If the theory is that this is going to be covered by small print or by some 3 pixel high, pre-ticked, well-hidden box it's going to fail on the basis of unfair terms and/or lack of informed consent. The trouble is it's going to cost someone a lot in legal fees, time and trouble to take all this to court and get the precedents set. Possibly a data protection regulator with teeth is going to call BS on it in that the circumstances that invalidate safe harbour also apply to such clauses. Would that be the ICO?
American technology companies are naive and arrogant to think that they can subvert the ruling of a European Court of Justice, just because of some clause inked with customers, as if this overrides International governments' regulations.
If Microsoft, Salesforce and or any other behemoth US corporations snub their noses at other countries - bodies like European Union law, they should be denied business entry into that jurisdiction. Period.
This crass and bullying attiude is no different from US State Department telling the European Union that because the US Justice Department did not impose severe penalties on Microsoft for severe business technology infrations, then the EU therefore cannot impose "their own" laws and rulings on Microsoft operations in “their” space.
Arrogance and stupidity are hallmarks of many USA corporations, even many millions of citizens, and they will learn - sometimes the hard way, that they do not govern or control the rest of the world - all other countries on the planet.
Principles ought to be along line of "we [US company] will protect your (EUcitizen) data from our own employees' incompetence, dodgy marketeers, hackers (criminal, foreign states and those doing it for lols), Bob walking in off the street et al, but we can't guarantee that our own government won't look at if they put their mind to it. "
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
