You call THAT safe? Top EU legal bod says data sent to US is anything but

The top advisor to the European Court of Justice (ECJ) has said the current agreement between the EU and US is not worth the paper it’s written on. Advocate General Yves Bot’s opinion on the so-called Facebook vs Europe case is not legally binding, but the court’s final ruling almost always follows his advice. The case was …


  1. Anonymous Coward

    Fascinating

    For me, the relevant part is: "... who currently rely on the voluntary Safe Harbour code of conduct which is then legally enforced by the Federal Trade Commission." Might this put some reflected spine into the FTC? FCC has surprised me lately.

    1. Anonymous Coward

      Re: Fascinating

      I doubt it very much.

      I'd also like the European Parliament to show some teeth and threaten to use their power to kick out the current EC if they don't do as they're told. I think the EC could do with reminding that they are there to carry out the wishes of the Parliament and the Council of Ministers and not whatever comes into their heads.

      1. SleepyJohn

        Re: Fascinating

        I think you have this back-to-front in the real world. It is not the waiters who run a Mafia boss's cafe.

    2. James Micallef Silver badge

      Re: Fascinating

      "Might this put some reflected spine into the FTC?"

      I very much doubt it, because it would pit them against NSA et al. You would have 1 branch of the US government telling FB, Google etc "give us the datas", and FTC threatening to fine FB, Google etc if they do.

      No, the reality is that US snooping has broken 'safe harbour' beyond repair. What's interesting is what happens next. Because the reality of many data-intensive businesses is that they won't work very well if their global data is split up into regional silos.

      1. Anonymous Coward

        Re: Fascinating

        "Because the reality of many data-intensive businesses is that they won't work very well if their global data is split up into regional silos."

        It doesn't have to be, if they simply keep their one silo inside the EU...

        1. tom dial Silver badge

          Re: Fascinating

          If they simply keep their one silo inside the EU... it probably will be no less available to the USNSA (although under a slightly different set of rules) while probably being somewhat more available to authorities in the country in which it is located physically.

      2. nematoad
        Headmaster

        Re: Fascinating

        "..the US government telling FB, Google etc "give us the datas"

        Datum: Singular

        Data: Plural

        Therefor "datas" is incorrect.

        1. John Bailey

          Re: Fascinating

          "Datum: Singular

          Data: Plural

          Therefor "datas" is incorrect."

          Whoosh: A comical reference to the sound that might be made by an object flying above the recipient at high speed.

          Usually offered in an irreverent tone, to point out the party has missed the point or joke, or to someone who is pompous enough to point out grammatical or spelling errors in an obviously deliberately flawed phrase.

          So yes.. we "Can haz datas"

          And "Therefore" usually has an "e" on the end.

        2. nijam Silver badge

          Re: Fascinating

          > Datum: Singular

          > Data: Plural

          That used to be the case in Latin, I believe. Modern English usage is quite different and views "data" as a collective noun.

      3. Suricou Raven

        Re: Fascinating

        It's not unheard of for such situations to occur in the US - the way they split power between different levels means that one part of their government is often actively trying to oppose another. Sometimes it leads to such oddities as classifying pizza as a fruit, occasionally to something more serious.

  2. Sooty

    the US has never been safe

    I did a semester on data protection law as part of my software engineering degree, almost 15 years ago, and everything they did at every point took great pains to hammer it home that the US didn't even come close to meeting EU data protection standards, and you'd have to be crazy to send any data there.

    1. This post has been deleted by its author

    2. ratfox
      Devil

      Re: the US has never been safe

      As if data stored in the EU is safe from the NSA…

      1. John Bailey

        Re: the US has never been safe

        "As if data stored in the EU is safe from the NSA…"

        Safe? No.

        Inadmissible in court.. Yes.

        Kind of a useful distinction.

        1. nijam Silver badge

          Re: the US has never been safe

          > Inadmissible in court.

          Inadmissible in a court in Europe. (Unless GCHQ says "trusts us, we know he's a baddy.")

          FTFY

          1. John Bailey
            Gimp

            Re: the US has never been safe

            "Inadmissible in a court in Europe. (Unless GCHQ says "trusts us, we know he's a baddy.")

            FTFY"

            No. Inadmissible in court, because they would then have to admit it was obtained through spying. Which they try to avoid.

            And when GCHQ says "trust us". UK judges tend to roll around laughing.

            Not every case that comes up in court is an OMG TERRORISTS UNDER THE BED national security one.

            So NSA GCHQ and the tufty club are not always involved. I'm afraid you will need to look elsewhere for today's submissive fetish jolt. I put your picture beside the post to make you feel worse.. better.. whatever it is you want.

  3. Vimes

    What's the reaction of the ICO to all of this? They seem to support the concept of safe harbour, and it would be interesting to see what they have to say on the matter.

    1. paulf
      Holmes

      I expect the reaction of the ICO was to start melting when someone tried to make tea in it.

      My repeated experience with the ICO suggests that comparison is an insult to chocolate teapots. Even when I had wrong doers banged to rights (violated Sect 11 C&D orders etc.) the ICO felt giving them a slap on the wrist was a bit harsh. They probably only support Safe Harbour as long as it saves them doing any work to protect data.

  4. Anonymous Coward

    To Eu-Rope.

    Good luck with that 'an all.

    Ya'll hear now!

    (up) Yours, The USofA.

  5. Nick Ryan Silver badge

    It's always been useless

    Safe Harbour (harbor for USAians) is and has always been utterly useless.

    The basic premise is that data is covered by the voluntary Safe Harbour agreement when it is stored for the specific purpose that it was registered for. For example a US company registers with Safe Harbour for the storage of EU personal data for the support of their product "ABC". Should this US company release another software package "DEFG" then the storage of EU personal data for support for this software package is not covered unless they specifically have another Safe Harbour registration for this as well. A US company stating that they have registered with a voluntary Safe Harbour agreement means nothing without examining the details.

    While this seems reasonable given that the US company should only be storing EU personal data for the stated purpose, the reality is that most companies will forget that the data is to be used for a single specified purpose and merrily use it for other purposes or forget to register another Safe Harbour agreement. As a result, the chance of EU personal data actually being covered by a voluntary Safe Harbour agreement is pretty slim.

    To compound the problem, while this data is in the hands of a US organisation, any US body with the legal authority to do so may request and must be given full access to this data. Once the EU personal data is in the hands of such a body the Safe Harbour agreement does not apply and this data may be used and disseminated at will. Again, this doesn't seem unreasonable until you understand that the scope of organisations able to demand this data is extremely wide and not just limited to law enforcement agencies, i.e. it covers every municipal and county service imaginable.

    Even after all of this - what happens if a US company violates the voluntary Safe Harbour agreement for the storage of EU personal data? Absolutely nothing, that's what. There is no legal recourse as it's a voluntary agreement rather than a statutory requirement.

    1. Mage Silver badge

      Re: It's always been useless

      Yes, even the dogs in the street have always known it.

  6. Tubz Silver badge

    EU commish ignores MEPs to suspend safe harbour, let's see if he has the guts to ignore EU judges.

    The U.S cannot be trusted with personal data or its companies in honouring agreements, just look at the crap Microsoft thinks it can get away with, in Windows 10.

    1. Pascal Monett Silver badge

      Microsoft is late to data hoovering party

      It is currently playing catch-up with Google and Facebook.

      1. Anonymous Coward

        Re: Microsoft is late to data hoovering party

        Aye, but it's (attempting) to get at the data before Google and Facebook get a sniff at the data (well, unless you're using a Chromebook or some Android-based device, in which case, Google presumably pwns your data entire). I wouldn't underestimate MS's ability to slurp data whilst Windows still has such a large presence in the world of IT.

  7. happy but not clappy
    Meh

    The threat to commerce is overblown

    If the safe harbo(u)r agreement was torn up, it wouldn't be a problem. I imagine lobbyists are presenting this as somehow breaking the world, but technically it is a piece of piss to ensure personal data stays in Europe, just very slightly more costly.

    More interesting is the DOJ's attempt to say it can subpoena data that is already in Europe, but managed by a US company. If that changes then truly M$ and their cloud buddies are shafted.

    1. James Micallef Silver badge

      Re: The threat to commerce is overblown

      " technically it is a piece of piss to ensure personal data stays in Europe"

      that depends on the exact specification. Yes it's very easy to make sure that EU citizens' data is in a data center that is physically on EU territory.... but in a world of VPNs and transnational private intranets, how do you then ensure that data center is not connected to anywhere outside the EU? How do you ensure that no-one outside the EU can query the data remotely? (because conceptually what's the difference between making a copy of the data and retrieving a result set?). What about EU based professionals who have access to the data and are on a business trip outside of the EU?

      For this to work, it would need a spoof-free way of determining whether an incoming connection request is from the EU or not, and we all know how well that works for, say, iPlayer only being available in UK

    2. Mage Silver badge

      Re: The threat to commerce is overblown

      MS is currently fighting the USA over data in Ireland!

  8. Andy The Hat Silver badge

    UK Tax?

    Didn't a US company get the contract with HMRC to deal with UK tax with UK tax data being shipped off to the USA and didn't HM Govt declare undying faith in the data's safety under this agreement? Spanner, works interface coming up I feel ...

    1. John Brown (no body) Silver badge

      Re: UK Tax?

      Yes, and guess the nationality of the company holding and processing all our census data too :-(

  9. Someone Else Silver badge
    Coat

    And that's a problem?

    "If Court follows Bot’s opinion and finds the safe harbour agreement unfit for purpose, it would have huge implications for companies like Facebook, Apple, Google, Yahoo, Skype, Microsoft et al, who currently rely on the voluntary Safe Harbour code of conduct which is then legally enforced by the Federal Trade Commission."

    Gee, Mama not being able to post a picture of today's pot roast, and Fuckerberg not being able to "monetize" it, is probably the best news the world could possibly get this week.

  10. This post has been deleted by its author

  11. WibbleMe

    Is someone peeing in the background (red coat)?

    1. hatti

      Looks like it is but trying to act inconspicuous by looking out for an imaginary friend.

  12. Doctor Syntax Silver badge

    The EU needs to give a deadline by which the existing SH will be dead unless there is a major change in US legislation - one which will be binding on the NSA with a treaty binding the US govt.

    No more NSLs.

    No more rubber stamping courts.

    No more DoJ fishing expeditions.

    The whole lot repealed from US law.

    The deadline should be just sufficient for companies to bring their data home with a modicum of panic if they get their backsides into action PDQ; sufficient panic to give them serious worries about ever getting into that situation again.

    Then let's see how fast US officialdom can reform to try to meet the deadline from their side. It would help if there were increased political pressures in the US. Isn't there an election coming up soon?

    1. Wommit

      @Doctor Syntax

      Oh that was good, Couldn't stop laughing for nearly five minutes. I keep looking at the "binding on the NSA..." and "treaty binding the US Govt." Almost fall off my chair, best belly laugh I've had in ages.

      Couldn't read the rest, it was just too surreal. I mean "No more DoJ fishing expeditions" even Monty Python whilst doing their hardest drugs never came up with an idea that daft.

      1. h4rm0ny

        Re: @Doctor Syntax

        Well, yes, you laugh. But of the very few things in the USA that can overrule the NSA, one of them is money. I know of at least two large contracts that US companies have lost because the buyer did not trust the US government (not the company, the government) that their data would be secure. If I can name two such lost contracts personally, then that means there are quite a lot more out there. It's definitely become an issue.

        Now if Safe Harbour provisions were no longer valid, that's going to hit at least three orders of magnitude more because it will no longer just be the companies that actually care about data security, it will also be the companies that want to appear to care about data security and that just want to tick some box so they don't have to think about it. And there's a lot more of those than the former.

      2. Anonymous Coward

        Re: @Doctor Syntax

        Yup. The elephant in the room is GCHQ who are Best Friends Forever with the NSA. In short, the NSA don't need direct access to data when GCHQ happily passes the data on to them anyway. I live in hope that one day this idiot GCHQ/NSA pact is seen as against the national interest and traitorous. Not going to hold my breath about it though.

    2. John Brown (no body) Silver badge

      "a treaty binding the US govt."

      There ain't no such animal! The US government uses treaties like giving your pet puppy a treat.

      1. tom dial Silver badge

        Like all (or almost all) governments, the US generally respects the specifics of treaties, and within the US treaties generally supersede both state and federal laws that conflict with them. Like other governments, the US "interprets" the text of the treaty to its own benefit where possible.

  13. hatti

    snafus law

    humans + data = vulnerable

  14. 0laf
    Holmes

    Safe-harbour not worth the data it's written on. Shock of the century!

    A bit like finding out motor manufacturers have found ways to cheat emissions and mpg testing.

    I don't think anyone with even slight knowledge about these industries is surprised in the slightest.

    I don't think it really matters too much with Safe-harbour. It was only ever a legal whitewash on data the USofA would access with impunity any time it wanted anyway.

    1. handle

      I don't think there is any shock that it's not worth the paper it's written on; the shock is that something might be done about it.

  15. Cynic_999

    At the end of the day no law can be enforced by a weaker nation against a more powerful nation, so it makes no difference what laws may be made, the more powerful nations will simply ignore them. Certainly no government will obey its own laws if they stand in the way of what they want to do. Therefore the entire issue of deciding what law to make is a complete waste of time.

    1. Pascal Monett Silver badge

      Seems to me that History has quite a few examples of the weaker standing up to their oppressors and winning.

      But that's obviously difficult when your pants are already around your ankles.

      Assume the position, citizen ! Compliance will be rewarded.

      1. DropBear
        WTF?

        "Seems to me that History has quite a few examples of the weaker standing up to their oppressors and winning"

        Please name one where the weaker one wasn't all-out no-punches-pulled back-against-the-wall bitterly fighting for his mere existence. As we well know, it's not impossible to give a bully a black eye under such conditions; however, until you're prepared to use any means necessary and potentially get beaten to a pulp the bully wins every time no exceptions - I've never heard of an oppressor voluntarily yielding to diplomatic saber-rattling if it thought it can get away with it (unless you had something they highly valued but couldn't simply take and you were prepared to offer it in exchange - but that's exceedingly rare).

  16. Dadmin

    Send the wolves to protect my sheep

    I love Ed Snowden. He's my contractor hero and I love the fallout of the world's spotlight shone on a greedy, manipulative, illegal organization like the NSA. Especially the major loss in business that this causes, and to the right parties. All the big players can afford to fight for my privacy, or be held responsible for my privacy and suffer if proven otherwise. And almost none do. Let SH die and let the big players figure out how to play fair and safe with all data for all nations. Not providing backdoors to 'protect' us from; terrorists (AKA terrys), polar bears (no polar bear attack with the NSA and FBI on duty!), tiger attacks (except for that pinhead who climbed into a tiger's cage), Godzilla attacks, etc. Very safe due to your efforts, guys@NSA. Hope you get ass cancer, one and all.

    My 'buddies' at AT&T will feel a small pang when I exit them for another carrier soon. Sure, the next one might have the NSA meathooks in them, but even a little respite from a known NSA friendly pit of vipers is a step in the right direction. Let the big players pay and pay big for their misdeeds. A US Cloud is a cloud of deceit, all hooked in the back end to the nosiest of fucking bad neighbors; the NSA.

  17. heyrick Silver badge
    Stop

    “We are concerned about the potential disruption to international data flows if the Court follows today’s Opinion,”

    You. Right there. Stop. Stand up. Step forward. Shame yourself.

    Mr. Higgins,

    I am concerned that you seem to care more about the whims of commerce than to bother obeying the law. Nobody is suggesting that all data in and out of Europe grind to a halt. What we are asking for is that our basic privacy be respected. We ought to understand what is going to happen if we regurgitate every detail of our lives to Facebook or Twitter, but this is talking about business. Is my insurance policy information safe? Or are you quite happy that the businesses that you claim to represent sell the medical (or creditworthiness; or purchase history; or...) information that they know just to make a few extra bucks? Or are you happy that the businesses that you claim to represent may process the data overseas because it is cheaper (and frankly who cares what happens to the data so long as it isn't found out by those whom it may concern)?

    You seem to think that it is acceptable for businesses and commerce to spaff personal data all over the place with no apparent regard for the people whose data is being handled. That's fine, because in return I think it is acceptable for the directors of said businesses to be taken from behind by a Grey with a half-metre barbed penis. So we're all good then, right?

    Or maybe, Mr Higgins, you might wish to consider somewhat more carefully what data is being collected and what is being done with it in compliance with the relevant European laws regarding such basic issues as privacy. Sadly I feel the need to point out that the cat is definitely out of the bag and is busy marking the upholstery. This is an unhealthy combination of rampant advertising/data collection in a post-Snowden world. I can only wonder how far it will go before the general public (and not just El Reg readers) start to rebel against these sorts of behaviours? Might I suggest you consider instead asking businesses to respect those who are their clients and obey the law. Is that too much to ask?

    (Hey)Rick.

  18. Anonymous Coward

    Very naive people

    Does anyone in Blighty actually think their personal data is of any interest to anyone unless they are a crim? Sorry folks but no one really cares about your worthless arse unless you are a crim.

    1. The_Idiot

      Re: Very naive people

      With - well, with a currently undefined level of respect, but a level I hold sincerely, er - may I disagree?

      "no one really cares about your worthless arse unless you are a crim"

      OK. Again, if I may, even assuming I _am_ in fact a 'crim', and not one whose only crime is against the English language (now watch the gremlins make me put errors all over this post) - someone was interested in my worthless arse before I was one. Because to _be_ one I had to be convicted in a court of law. And to find myself in that court, there had to be some form of investigation. Of, um, my worthless arse. And since I hadn't been found guilty at the time, I wasn't actually a crim then.

      Second, but sticking with said investigation, either some gentle-person of the law got extremely lucky, or more worthless arses than mine were at least looked at (stop sniggering at the back, Jones Minor) prior to someone becoming convinced it woz me wot done it. So all those other worthless arses, who weren't crims, were at least of interest for a while. And that's ignoring the idea that someone @$*^#^ up, and it actually wasn't me wot done it, but I got _done_ for it.

      Third, we can consider all the insurance companies wanting to know how they can get out of paying me, the marketing companies who want to tell people with things I don't want that I really, really want to buy them, and politicians and the like who want to find out if I'm going to vote for them at the next election. Because obviously, if I'm not, I must be a crim, right?

      Of course, I'm probably talking rubbish. After all, I'm an Idiot...

    2. Anonymous Coward

      Re: Very naive people

      Oh, and crims won't use your data to fit you up for crimes they have committed? Insurance companies won't take a peek and decide not to give you insurance? That's jolly decent of them! </sarcasm> Sheesh, it's yourself being naive, AC!
