Safe Harbour ruled INVALID: Facebook 'n' pals' data slurp at risk

In a landmark ruling that will have far-reaching repercussions, Europe’s highest court has ruled that data sharing between the EU and US under the Safe Harbour framework is invalid. The decision in the Max Schrems case on Tuesday morning has been anticipated for months, but now legal eagles will have to work out how to manage …


  1. John Robson Silver badge

    Monolithic global companies

    Simply can't deal with multiple sets of legislation...

    When was that a surprise?

    1. Vimes

      Re: Monolithic global companies

      It would be more accurate to say they can but don't want to IMO. It would cost them more.

      1. John Robson Silver badge

        Re: Monolithic global companies

        @Vimes

No - they cannot, see Dr Mouse's response.

        US law directly contravenes EU law in this area - you cannot comply with both.

        MS are in court at the moment for trying to comply...

        What has the world come to - I'm supporting MS business practices?!

        1. Gordon 10

          Re: Monolithic global companies

          @John Robson

          US law directly contravenes EU law in this area - you cannot comply with both.

It's a little premature to state this pending the outcome of the MS trial. Certain branches of the American Govt would certainly like it to be the case - but it ain't necessarily so yet....

          1. John Robson Silver badge

            Re: Monolithic global companies

Maybe a touch premature - but I notice in the next ElReg article on the matter:

            "No matter how much Brussels bureaucrats want their latest Safe Harbour fudge to work - the cat's out of the bag. US companies that export data are fundamentally illegal in Europe."

    2. Dr. Mouse

      Re: Monolithic global companies

      Monolithic global companies ... Simply can't deal with multiple sets of legislation

      Actually, I think you'll find it comes down to the American government can't respect the rules and laws of foreign countries.

      Facebook has probably* been complying as much as it is able to, but if the US govt says "hand over this data", they have no choice but to comply. This makes it incompatible with EU data protection laws.

* OK, probably to the minimum extent allowable, pushing the boundaries as far as they think they can get away with, but still probably technically in compliance except for demands from the US govt.

      1. Matt Bryant Silver badge

        Re: Duh Mouse Re: Monolithic global companies

        ".....I think you'll find it comes down to the American government can't respect the rules and laws of foreign countries....." Then think again. All this brouhaha makes the flawed assumption that the EU states are not happily involved in the PRISM system and don't spy on their own (https://netzpolitik.org/2015/how-the-german-foreign-intelligence-agency-bnd-tapped-the-internet-exchange-point-de-cix-in-frankfurt-since-2009/). Whenever the NSA has needed local assistance it has been able to call on the local spooks, be they British, Irish, Fwench, German, Austrian, Danish, Dutch, Italian, Spanish, Swedish, etc., etc., if only because those local spooks need the US's help tracking international gangs and terror groups. This was shown in Snowjoke's "revelations", so if you swallow one part of Snowjoke's tale then you have to also accept the EU people now claiming they stand for civil privacy have been lying to you for years already. It is the height of opportunistic hypocrisy for the EU states to now pretend their hands are clean. For example, it was hysterically funny that the same time as Merkel and co were trying to garner votes with their faux outrage over the NSA the BND was desperately trying to get equal access to PRISM as given to the Five Eyes nations, and was sharing data from their own spying ops with the NSA (http://electrospaces.blogspot.co.uk/2015/05/new-details-about-joint-nsa-bnd.html).

        And then we have the so-called repeal of "Safe Harbour", which actually seems to be nothing more than removing the self-certification by US companies. Data going to the US or held by US companies in the EU will now have to be stored in accordance with EU guidelines, which will do absolutely zilch to protect it from either the NSA directly or from their European partners (http://electrospaces.blogspot.com/2013/11/five-eyes-9-eyes-and-many-more.html). US companies will drag in their lawyers, produce some reports, some EU functionary will rubber stamp it and business will continue as normal.

        In short, if you are championing this as a triumph for civil privacy then you have been hoodwinked twice. At best this lets the EU politicians claim to their voters that they have listened to their grievances and "tried to defend them", when the reality is the only possible good that may come out of this is some extra jobs in EU datacenters as the American companies build more in the EU (sorry European social companies but you have already lost the social media wars, Faecesbook and the like are not just going to hand over their European sheep to you). If you are actually of interest to the NSA then this new arrangement will not stop them getting what they want. But, what might help you stop shrieking and ranting is the fact that the chances of you actually being of interest to the NSA are so remote as to be inconsequential. Seriously, there are much bigger problems our EU masters seem happy to ignore in favour of these vote-chasing pronouncements.

  2. JimmyPage Silver badge

    So, the US *was* wrong

    the sheer nerve of the US trying to explain *our* laws to us.

Next year, Theresa May explains to the US congress how they don't really get the US constitution.

    1. Tony S

      Re: So, the US *was* wrong

      @Jimmy Page

"Next year, Theresa May explains to the US congress how they don't really get the US constitution"

      Based upon some of the things they've done and some of the comments of congressman, I wonder if they do...

      But yeah, Theresa May doesn't understand English Law, so it might be a tad amusing to see her pontificate on US law.

    2. Anonymous Coward

      Re: So, the US *was* wrong

      Hope she explains their second amendment to them... along with the fact that, like everything else, their constitution is imperfect (as one might have hoped would have been amply demonstrated to them by the fact they've already "amended" it twentyfuckingseven times) and is overdue for correction... and thus gets them to stop slaughtering their children.

      1. Anonymous Coward

        Re: So, the US *was* wrong

        Stick it.

    3. Anonymous Coward

      Re: So, the US *was* wrong

      Knowing the U.S. Constitution is one thing; getting the ass-clowns in the U.S. government to actually respect and abide by the U.S. Constitution is a different prospect.

  3. Jagged

    Am I the only one ...

    ... that expects business to carry on exactly as usual?

    1. h4rm0ny

      Re: Am I the only one ...

      No, but it's going to have repercussions. I was recently involved in a deal that the Safe Harbour provisions were an explicit condition of. That contract is already sealed and I don't expect it to come back across my desk because of this... However, I wouldn't bet money on it. We (well my client - I sell my services as a consultant) will still abide by the provisions and we treat customers' data protection extremely seriously. But we've just lost some assurance under law, I think. This WILL affect business deals. I know of a couple first-hand which have been lost not because of this specifically, but because of concerns about sharing data with US companies generally. And if I know of a couple first hand, there are more out there. It's definitely an issue. Though speaking as a European, I approve of this being taken seriously by our courts.

      1. Sir Runcible Spoon

        Re: Am I the only one ...

        IANAL, but I rather think this ruling, especially since these provisions were a stipulation of your contract, makes the contract null and void.

        This is going to take a while to understand the scale of the impact here.

        I'm guessing that a very fast re-negotiation will take place, and this move has strengthened the European position quite a bit.

        Nuts in a vice.

    2. Alister

      Re: Am I the only one ...

      .. that expects business to carry on exactly as usual?

      Um... well I think you may be in a minority.

Certainly any ruling which reflects the damning statement “transfer of the data of Facebook’s European subscribers to the US should be suspended on the grounds that that country does not afford an adequate level of protection of personal data.” is going to have serious repercussions.

      My employers will definitely be looking closely at this, as we deal with a lot of data for local government, and we already have to go through a rigorous assessment of how we handle and transfer that data. This will only make things worse.

      1. h4rm0ny

        Re: Am I the only one ...

        Indeed. And I've just read that Twitter began segregating data in expectation of increasing problems like this. And Twitter aren't small. So, yes, I expect some changes resulting from this. And given how easy it is becoming to purchase a set-up from AWS or Azure and replicate your services in a different region, I can see this being a viable approach. A hassle, certainly, but hardly a show-stopper.

      2. 0laf

        Re: Am I the only one ...

        And UK gov says you must use Cloud.

And Cabinet Office has all their data in a US Google data centre now without Safe Harbour.

        And the new Data Protection directive from the EU is pending and it's significantly tougher than the old one.

        Time to buy shares in UK/EU data centres that aren't owned by a US registered company coz there is still that MS Vs US DoJ case to settle.

      3. Matt Bryant Silver badge

        Re: Alister Re: Am I the only one ...

".....any ruling which reflects the damning statement “transfer of the data of Facebook’s European subscribers to the US should be suspended on the grounds that that country does not afford an adequate level of protection of personal data.” is going to have serious repercussions....." Well, OK, let's look at that for a second. Faecesbook being the example, they have just been told they can't copy data from their EU datacenters to the US. Ever stop to think why they were copying it in the first place? They didn't go to the expense of renting cable bandwidth and putting in the transfer systems for fun. They can run analytics against it in the EU without the need to send it to the US, they only copied it to the US for backup purposes. This is a fairly common "follow-the-sun" data-protection solution; Asia-Pacific was backed up to the EU, EU was backed up to the US, US was backed up to the Asia-Pacific, and so if Faecesbook lost their systems on one continent due to a disaster there would always be another copy of the data to rebuild from. Now, all this repeal of Safe Harbour does is increase Faecesbook's backup bill as they now have to do a local backup rather than an inter-continental one. They can still analyse the data locally and send the results to the US, and the NSA can still hit that data in the US or ask one of their European partners to get the data for them. Result? Nothing changes other than some backup routines, some extra cost carried by the social media companies, and some sheeple in the EU will think they have "ensured their privacy". LMAO!

    3. John Bailey

      Re: Am I the only one ...

      "... that expects business to carry on exactly as usual?"

      No.

      But there are plenty of idiots around who think that companies are above the law. Including people running companies.

      Always entertaining to watch them discover the truth.

      1. Anonymous Coward

        Re: Am I the only one ...

More entertaining to watch who pays the cost in the end. Wot, another price rise?! Must be the inflation, eh?

      2. Matt Bryant Silver badge

        Re: John Bailey Re: Am I the only one ...

        "....But there are plenty of idiots around who think that companies are above the law. Including people running companies...." To be fair to companies like Faecesbook or Google, they are the ones in the middle of this - they have to comply with US laws, so when the NSA or FBI comes knocking with a FISC warrant they are pretty powerless to decline. That's if the NSA do it the polite way as Faecesbook has little chance of keeping the spooks out when they own the cable infrastructure already. The EU will come up with some list of privacy requirements, the social media companies will then enact them, and the NSA will carry on as usual.

    4. Whitter

      Re: Am I the only one ...

Other news sites have a plethora of quotes along the lines of "businesses scrambling to put replacement measures in place". Which is rather pitiful: this case is rather high visibility and a clear business risk that should have been evaluated and planned for. If your company hasn't already worked out their replacement measures then that is a failing of the company's board. And if there simply aren't suitable replacement measures, then your business is (and always has been) illegal.

    5. Anonymous Coward

      Re: Am I the only one ...

      Not really. They cannot.

      Anyone now can nuke any company with data on US soil with a data protection compliance claim and drive it. It also entitles individuals to sue DPAs which do not enforce it.

      Some popcorn, nuts and a comfy sofa to watch the show. It will be worth watching.

      1. Anonymous Coward

        Re: Am I the only one ...

        Preferable not from a hospital as the US dislikes hospitals.

    6. Voland's right hand Silver badge

      Re: Am I the only one ...

      Nope you are not the only one.

If you look at the stock prices for FB, Google, Amazon, etc - the stock market is indeed having a perception that this is immaterial and nothing has happened. The ruling is in the newsfeed for the relevant stocks, but there is no stock market reaction to it.

      1. Anonymous Coward

        Stock market

        hasn't reacted, because it's already factored regulatory pressures into share prices.

        The lack of impact on shares is a demonstration of what happens when stockbrokers get it right.

    7. Anonymous Coward

      Re: Am I the only one ...

      No, you're not the only one, because only the hopelessly naive believed it ever really meant anything.

  4. Vimes

    One guess as to where the ICO host their website. And which company provides the analytic scripts they use.

    For that matter, how many other UK government websites are hosted in the US?

    1. Anonymous Coward

      Probably quite a few. And that's before you get into Google Analytics, Google Docs, use of US-based mailing list systems, online survey providers, collaboration tools etc etc etc. The list goes on.

      These services often get chosen before some "information governance" bureaucrat raises a red flag. Historically the stock response to such objections was "oh, it's under Safe Harbour so it's OK". Clearly just a fig leaf as El Reg says, and turns out to have been a pretty small fig leaf at that.

      The whole thing's a mess. There are some good, useful, services hosted in the US; rather than just being able to use them I predict an additional layer of information governance approval bureaucracy will now be added at the UK end. And/or government web projects will be forced to select from an EU-friendly subset of suppliers, missing out on suppliers who are potentially better or cheaper. The latter often seems to be the case with US suppliers, perhaps because hosting's cheaper across the pond.

      Nobody wins from this situation except perhaps the lawyers. F**k you NSA, f**k you very much.

      Anon because I work in the area, obviously.

      1. Vimes

        Nobody wins from this situation except perhaps the lawyers.

        Except perhaps EU businesses as well as the privacy of citizens, since the rest of Europe will also have to start thinking in similar terms. And if businesses over here benefit from increased business then this will in turn allow them to grow and develop in ways that weren't previously possible.

        Perhaps this would only be a good thing in the longer term as opposed to the immediate future, but it could end up being good depending on how things progress.

      2. Doctor Syntax Silver badge

        "potentially better"

        I suppose anything other than already perfect is potentially better. And when someone completely fails at a basic requirement then yes, there's maybe potential for improvement. But if they fail due to circumstances outside their control* then I'm not sure the potential really exists.

        *Other than buying themselves a better government.

    2. Tony S

      "For that matter, how many other UK government websites are hosted in the US?"

      It's not just for data centres over there; the data centre could be in Mexico or the Philippines, but if it's managed by a US company, then it's probably no different to being in one actually on US soil.

      1. Anonymous Coward

        "It's not just for data centres over there; the data centre could be in Mexico or the Philippines, but if it's managed by a US company, then it's probably no different to being in one actually on US soil."

It also applies to DCs in Europe, and all US companies operating in Europe.

        For example, how could Microsoft employ a UK person without processing their PI data, which would then be subject to US law in direct conflict of Safe Harbour (which no longer exists)?

        Removing Safe Harbour without a clear path forward for all major implications is going to cause chaos.

        1. Vimes

          For example, how could Microsoft employ a UK person without processing their PI data, which would then be subject to US law in direct conflict of Safe Harbour (which no longer exists)?

          I would imagine that there would still be room for the prospective employee to agree to it. Getting rid of Safe Harbour wouldn't stop permission being given, it just wouldn't allow permission to be given automatically (or am I wrong in saying that?).

          God forbid US companies have to *ASK* before processing our personal data...

          1. Sorry, you cannot reuse an old handle.

Personal data should be just that: personal. How good would it be to get a specific request from each party processing these data BEFORE they actually see the data itself, and be able to decide as needed? (Think of it as app permissions on your iPhone - and now on Marshmallow too...)

        2. Julz

          Having worked for a few USA employers, they all asked me to sign a document agreeing to my personnel and other employment data to be kept and processed wherever they saw fit. Not sure how legal that was at the time and not sure if this ruling affects that too much. It would only be tested in court if somebody had the means and motivation to do it and given that you mostly want the job and compared to the US-MegaCorp, of puny means, it's pretty unlikely to be tested. So I guess things will just carry on.

        3. James Micallef Silver badge

          "how could Microsoft employ a UK person without processing their PI data, which would then be subject to US law... "

          And that's exactly why the whole can of worms in the first place. It is Microsoft UK hiring the person, and not Microsoft parent company. But multinational companies like to see themselves as a single unit in cases such as this for data processing purposes, but as completely separate entities in other cases such as tax law. And the laws of many countries are currently written to accommodate these companies (indeed, in some cases, the laws are drafted by these companies or their lobbyists).

          It's great that finally these contradictions are coming to light, because that's the first step to getting them resolved.

        4. Anonymous Coward

          "Removing Safe Harbour without a clear path forward for all major implications is going to cause chaos."

          There was no "safe harbour" to remove. It was a lie. A sham. A fraud.

          "Safe harbour" has not been "removed" because "safe harbour" never existed.

          1. Anonymous Coward

            ""Safe harbour" has not been "removed" because "safe harbour" never existed."

            It might have been a fig leaf, but it did allow work to carry on. Now that the fig leaf is gone there is no protection (in law) - regardless of what the reality is/was.

            1. Matt Bryant Silver badge

              Re: AC

".....Now that the fig leaf is gone there is no protection (in law) - regardless of what the reality is/was." Actually, there is. Since the current "law" (Safe Harbour) has been repealed in the EU the fall-back position is that, until a new agreement is drafted, agreed and put into service, the US companies can avoid litigation by using existing EU data protection laws. The current law is based around the EU Data Protection Directive, itself under review and due to be replaced by the General Data Protection Regulation which has been slowly dribbling through the EU bureaucracy as a draft since 2012. The EU Data Protection Directive is notoriously woolly and led to the Safe Harbour agreement in the first place as it only says personal data may only be transferred to third countries outside the EU if that country provides an adequate level of protection without actually stating in great detail what those protective measures are. This was intended to give EU companies the means to defend themselves in court against unexpected hacks so the burden of securing data did not make EU businesses uncompetitive - "M'lud, we took all reasonable precautions against our customers' data leaking but we could not be expected to protect against threats we did not even know existed", "Fair enough, not guilty, off you go then!" So, US companies can simply look at the current EU regs, add a few processes where required, and declare themselves in accordance with existing EU privacy laws. If they want some court-proof boilerplate they can get some consultants in to show how their practices are in accordance with the ISO/IEC JTC 1/SC 27 committees' recommendations and get themselves a shiny ISO plaque, none of which will keep the NSA out seeing as it has done nothing to keep the spooks out of European companies' data in the past.

      2. Anonymous Coward

        We'll all have to create personal shell companies in banana republics.

    3. Anonymous Coward

      "For that matter, how many other UK government websites are hosted in the US?"

      Sad, isn't it? If you have a serious interest in economical growth in your own country (and a government should have that interest), you don't use foreign services, unless you absolutely have no other choice.

      This ruling is very good news for European companies, including British. And it gives new incentives to offer competing services where previously companies might have thought: "not worth doing, everybody's going to [US market leader of choice] anyway"

    4. Sorry, you cannot reuse an old handle.

      gov.uk DNS roots there so USofA might claim jurisdiction

  5. Mephistro

    Great news!

    At this pace, The USA govt will soon have to choose between almost totally dismantling several TLAs or causing many thousands of American IT and services companies to go bust. My heart bleeds for them! ;-)

    I hope they take the right decision. Crossing my fingers on that, though.

    1. Anonymous Coward

      Re: Great news!

      The US Gov won't do a single thing.

      Why?

      The Atlantic versino of the TTIP wil (AFAIK) give US Megacorps total freedom to slurp whatever data the want and sell it to whoever they please.

      Do we get access to their 'data'? Like hell.

These deals are ONLY for the benefit of the US Corps who fund the US Politicos' re-election campaigns to the tune of close to $1B.

No matter what the European Courts might decide it will be the USSC that lays down our laws in future.

      The EU will become the 51st state but with no representatives in DC. Get out while you still can.

      1. Anonymous Coward

        Re: Great news!

        The Atlantic versino of the TTIP wil

        As a Greek friend of mine used to say. You know what is Avrio? It is Manana without the sense of urgency.

        I want to see that ratified first _AFTER_ this decision. In fact one of the consequences of this decision is a torpedo salvo under the waterline of those negotiations.

      2. Doctor Syntax Silver badge

        Re: Great news!

        "The Atlantic versino[sic] of the TTIP wil[sic] (AFAIK) give US Megacorps total freedom to slurp whatever data the want and sell it to whoever they please."

        I think your AFAIK has just met a bit of a stumbling block.

      3. The Dude

        Re: Great news!

        "The EU will become the 51st state but..."

        Get in line. Canada is already the 51st state.

    2. Matt Bryant Silver badge

      Re: Mephhead Re: Great news!

"... The USA govt will soon have to choose between almost totally dismantling several TLAs or causing many thousands of American IT and services companies to go bust....." Please do explain why you baaaahlieve so, if only for the comedy value. Please do bear in mind the current EU privacy laws that "protect" EU citizen data in Europe have provided SFA protection against the NSA mainly because the European spooks were all happily working with those American TLAs. The added burden of implementing current EU privacy laws on data imported to the US from the EU will hardly be so high as to remove the stranglehold US social media companies have on the market. You seem to have put little actual thought into your presumption, just a lot of mindless hate.

      "....My heart bleeds for them!...." IMHO it appears to be bleeding into your brain.
