Committees: Wait! Don't strap on the Privacy Shield yet

The revelations by rogue NSA sysadmin Edward Snowden in 2013 caused indignant EU politicians to open a dialogue with the US government to update the data transfer regime to safeguard personal data. The Privacy Shield is the culmination of those discussions. The US's hands-off approach has always differed from the EU's …

  1. Anonymous Coward

    There is a simple reason it's a mess..

    Europe is trying to fix a mess that is not of its own making.

    The problem is that the US has wandered too far into a modus operandi that has all the trappings of a police state, in that there is very little control over agencies and law enforcement accessing information. Add to that the issues that Snowden laid bare (basically, agencies happily overstepping the few remaining limitations set on them, and God help whoever dares to blow the whistle on that) plus the fact that open, unrestricted access means lots of money for the likes of Facebook, Google and friends, and you have a mess that is only fixable from the US side of the border. Where there is ZERO interest in doing so, unless it costs someone money or campaign contributions.

    This is why it is so difficult to come to an agreement - Europe is trying to impose a much better privacy regime on a country that is hell bent on not learning the lessons we already picked up during our history. I'm not sure where this will end, but I suspect lots of bribing lobbying may be in progress, with the European side simply holding out for better payment agreements. I am as yet unconvinced any of that haggling is actually in our interest - only the results will tell.

    It is not exactly helping that actual government bodies seem to have no problem with breaking sovereign secrecy. Important bits of UK government like the Cabinet Office happily use Gmail, which once upon a time would have been cause for CESG to storm in and rip the civil servants' computers out of their coffee-stained hands, but security no longer seems to matter. Weird.

  2. Doctor Syntax Silver badge

    "Data controllers should make sure they have adequate safeguards in their contract terms with processors, even if that processor is a large US cloud company which trades on its own terms."

    Under current US legislation no such safeguards are possible. That's why the shield doesn't shield the public, it simply shields the transferrers and, probably more importantly in their minds, the negotiators. As the article implies, it will last no longer than it takes to get to the EU Court of Justice. That's why it's better to call it a fig-leaf.

  3. Anonymous Coward

    Maybe we need some blue-sky thinking here ...

    With personal data flying around the internet in ever-increasing (possibly exponential) quantities, there is an argument to be made that no matter what anyone does, it will end up in places it wasn't originally intended to go.

    If we assume that a priori, then attention - and effort - would be better placed in devising a framework within which data leakage can be recognised and dealt with using the one thing the state brings to the party - the law - that only the state can bring.

    Example: If we take it as given that GCHQ will slurp my personal data, then rather than prancing around with "rules" and regulations that will never stop it, we need much, much tougher control over what GCHQ (and all its little imps) can actually do with it. Targeted, intelligence-led surveillance of high-risk subjects - GFI. Low-level trawling to see who has a subscription to "Practical Wireless" (they might be building something bad) - get lost.

  4. Anonymous Coward

    Notably missing

    What's the difference between the world WITH 'Privacy' Shield and the world WITHOUT 'Privacy' Shield??

    WITHOUT Privacy Shield: Corps that deal in European data are required to ensure that data is held compliant with EU law. It can be held abroad, but the protections need to be in place to take it to EU standards. Fail and they are fully liable.

    WITH Privacy Shield: As above, except the corporations are NOT liable if it turns out to be a lie. "Redress" is not liability! An Ombudsman is not a substitute for it.

    It's not a privacy shield, it shields corporations from full liability from breaches of EU privacy law. They get to put in an ombudsman who will review individual requests, i.e. categorizing the violations of law as a minor contract dispute similar to forced arbitration.

    The law stands; the EU Commission do not get to simply waive EU laws as they choose. The ECJ decision was correct, Safe Harbour is gone. US Corps who breach EU Privacy law are fully liable for the penalties under those laws, and you lot don't get to substitute this for those laws:

    "The US State Department will appoint an ombudsman, who will hear complaints from Europeans regarding US surveillance and will respond to inquiries from the EU's Article 29 Working Party ("WP29") (comprised of data protection authorities from each EU member state) about access to personal data by the US intelligence community. The DOC and the European Commission will meet on an annual basis to review all aspects of the Privacy Shield agreement, with intelligence agencies from both the US and the EU invited to take part."

    If you don't want to obey EU Privacy laws, don't do business in the EU. You won't be missed.

  5. Sir Sham Cad

    Re: data transfers will continue

    Hahahaha nope. With no agreement in place I'm not having any corporate data leave the UK, never mind the wider EU and certainly nowhere near the US. Just no.

  6. Anonymous Coward

    Anon for obvious reasons ...

    I've raised these issues internally since we "make extensive use" of Microsoft hosted stuff. Our email is on Office 365, we push customers to use Office 365, we use Sharepoint, etc, etc, etc.

    Stock answer is that we're OK as we have settings to keep our data in the EU, problem solved, now shut up.

    Except ...

    A while ago MS had widespread problems logging into Office 365. It turns out that some of the authorisation servers we use are in the US - there's a labyrinthine mess of servers, DNS CNAMEs, etc which constantly shifts and so no-one really ever knows where (as a minimum) their logins go.

    So riddle me this ...

    If at least one of the authorisation servers I use is in the USA (and therefore has the means of access to the login data), then how can we have any confidence that some {redacted} in the USA can't just rock up with a bit of paper that says "let them in and don't tell anyone" and have access to our data, even if that data is "safely" stored in the EU?

    1. John G Imrie

      So riddle me this ...

      You can't.

      Next question please.

      1. Frank Jennings - The Cloud Lawyer

        Re: So riddle me this ...

        Yep, that's pretty much it. NSA / FBI will use whatever legal means they have to get access to data controlled by US entities, whether or not the data is actually held in the USA. See the ongoing legal case against Microsoft by the US government to get access to data in Dublin.

        1. Anonymous Coward

          Re: So riddle me this ...

          Actually, they will use any means, legal or otherwise. Trust me, those folks at NSA just do not care.

          This begs the question, then: if Safe Harbor collapses, then there will be no legal agreement on this subject between the US and EU. If that happens, there will be no legal restriction at all on the NSA, and they will pretty much go back to doing what they have always been doing - which is reading your emails as fast as you can type them. I am sure the EU regulators know this - but again, I honestly don't know if they care.

          As I stated before, I really do think this is an attempt by the EU to grab more share of the world data center market. They can use this agreement to arm-twist more companies into locating their data centers in the EU. And if the agreement collapses, the pressure to locate data in the EU gets even higher.

  7. Anonymous Coward

    Euros are infamous for creating regulations without paying any attention to the consequences. Remember when the EU created "butter boats" - that is, they subsidized the production of butter so heavily, that it had to be kept on boats in international waters? I know, ridiculous, right?

    Now we have this debacle. The EU negotiators have negotiated a deal that likely its own courts won't uphold. But it is likely the best deal that the EU can negotiate with the US - indeed, the US negotiators have already given a lot of concessions. If the EU thinks that they can get further concessions from the US - such as removing the intelligence and law enforcement clauses - then think again. The US regulators will never allow that - nor would Congress ever pass enabling legislation for that. No way.

    So, where does that leave us? If this fails, is there no room for a third try at this? And does the whole data transfer regime collapse? More importantly, is that what the EU leaders really want?

    It wouldn't surprise me if the end game that the EU leaders envision is this: Privacy Shield is declared illegal by the courts, and can't be replaced. However, most multinationals still require a way to move data to the cloud. So, they begin moving data not to US data centers, but to EU data centers. As a result, the EU share of the data center market skyrockets. (We have already seen examples of this so far, with companies such as Amazon and Facebook opening up data centers in the EU, so they can take advantage of the coming wave of migration to locations there.)

    I am a highly cynical person - and I see cynicism in others. I highly suspect that this is how the cloud marketplace evolves over the next few years. And US leaders are gullible enough to let it happen. Most US leaders could not negotiate their way out of a $10 traffic ticket.
