CJEU Strikes Down Safe Harbour Data Sharing
October 6, 2015 7:36 AM   Subscribe

I wish the U.S. was part of the EU so that the NSA didn't have access to it.

But seriously, I feel this issue is going to be resolved by Facebook just not talking about how their servers in Ireland are accessible from Palo Alto.

I'd love to hear about how this can be enforced.
posted by hal_c_on at 7:47 AM on October 6, 2015

Oh, man, the QA lead at my old job is going to love dealing with this.
posted by odinsdream at 8:02 AM on October 6, 2015 [2 favorites]

odinsdream: Yeah, former QA/current security analyst here. Life is gonna be "fun".
posted by XtinaS at 8:04 AM on October 6, 2015

welp. how the hell do we satisfy this requirement.
posted by Annika Cicada at 8:17 AM on October 6, 2015 [2 favorites]

Just continue doing business, wait for someone to complain, use the slow-ass legal system to delay for a decade, and then hope people forget about it.

There's a reason I said "old job".
posted by odinsdream at 8:26 AM on October 6, 2015 [3 favorites]

Ok, so what is the immediate result of this? What do people expect to see in a year? I know that further court cases are needed, but which countries do you think will act on this? I'm betting that the UK will not, because Cameron is convinced that old Maggie was just too soft, but which other countries will work on this? Also, does this mean that companies will need a server in each country that throws out safe harbor? Or just a central EU server?
posted by Hactar at 8:35 AM on October 6, 2015

>I wish the U.S. was part of the EU so that the NSA didn't have access to it.

Location in US/EU is ~irrelevant for NSA purposes. (1) due to Five Eyes, NSA/GCHQ share data with each other, and with other nations as well. XKEYSCORE is aimed at any "communication" in which one end of the line is not in the US, so this includes any routing through US servers, or temporary storage on, say Amazon's massive server farms. This change in EU law might make some new business for european server companies, but it can't help EU citizens with data security and privacy.

But seriously, I feel this issue is going to be resolved by Facebook just not talking about how their servers in Ireland are accessible from Palo Alto.

Accessing Irish servers for the purposes of snagging information would violate the court's order, but all Facebook needs to do is just not remind people how computers actually work. The CJEU is coming at this like "Data" is some tangible object that's actually moved around, and stored somewhere at night, like a person being stored in their bed. Instead, data is copied and deleted, not "moved", and any transmission results in the creation of a copy. So as long as Facebook says they're not "storing" or "processing" data in US servers, they can transfer the data back and forth through "routing" or perhaps it's because of a "third-party app" or whatever verbiage they come up with, all while continuing to vacuum up any bit of info they please.

I'd love to hear about how this can be enforced.
posted by DGStieber at 8:37 AM on October 6, 2015

So... Stupid banner and a checkbox, I'm guessing?
posted by Artw at 8:47 AM on October 6, 2015 [7 favorites]

Due to the fact that INTERNET has chosen to involve software that will allow the theft of my personal information, I state: at this date of October 6, 2015, in response to the new guidelines of EU SUPREME COURT, pursuant to articles L.111, 112 and 113 of the code of intellectual property, I declare that my rights are attached to all my personal data drawings, paintings, photos, video, texts etc. published on my profile and my page. For commercial use of the foregoing my written consent is required at all times.

Those who read this text can do a copy/paste on their INTERNET wall. This will allow them to place themselves under the protection of copyright. By this statement, I tell INTERNET that it is strictly forbidden to disclose, copy, distribute, broadcast, or take any other action against me on the basis of this profile and or its content. The actions mentioned above also apply to employees, students, agents and or other personnel under the direction of INTERNET.

The content of my profile contains private information. The violation of my privacy is punishable by law (UCC 1-308 1-308 1-103 and the Rome Statute).
posted by mwhybark at 9:29 AM on October 6, 2015 [8 favorites]

Unfortunately mwhybark all your "private"* data has been replicated into multiple governments/corporate big data repositories multiple times prior to this legal notice, more unfortunately the new TPP will subsume all your data after this notice.

* ("private" being an idealized yet imaginary concept of the pre-big-data era)
posted by sammyo at 9:57 AM on October 6, 2015

mvwhybark, every time I read that disclaimer I die a little. That people who know I once interned at the ICC send it to me makes it that much worse.
posted by 1adam12 at 10:49 AM on October 6, 2015 [1 favorite]

What are they defining as "private" data?
posted by klangklangston at 10:56 AM on October 6, 2015

Yey! This rocks. :)

It's pretty trivial to satisfy this requirement : process your European customer's data in the E.U. It's not like they're asking you to redevelop all the analysis software, just deploy it here.

We eventually want rules that companies should not ever posses unencrypted plaintext of their customers private communications, but that's a ways off.

Also, private obviously mean the user interface indicates a measure of privacy, ala instant messages, email, etc. Yes, they should outlaw providing unencrypted instant messages and email.

And private should ideally include all metadata of conversation history too, but that requires technical advances.

posted by jeffburdges at 11:40 AM on October 6, 2015 [2 favorites]

NSA Screws Up Another Thing: EU Court Of Justice Throws The Internet For A Loop(back) In Ending Safe Harbor

they missed a golden opportunity to geek way the fuck out with that title.
posted by Annika Cicada at 12:58 PM on October 6, 2015

Oh, this is fun. Myself and another hack who specialises in EU tech law have enjoyed today far, far too much.

Basically, if you don't have Safe Harbor - which as of now, we do not - then you need to satisfy each data protection agency in each EU country that your out-of-EU data service provision is secure against privacy breaches - which derive from EU human rights law.

Typically, this is done by things called Binding Corporate Rules (BCR), if the data transfer is within a multinational, or the use of Model Clauses (contractual provisions preapproved by your DPA) when doing business with third parties. Having to create all of those for the US is not going to be trivial, and the DPAs across Europe are simultaneously delighted that data protection is being taken seriously and horrified that they're being landed with a huge smelly turd of a problem with no particular resources to tackle it with dispatch.

Emergency meetings are even now taking place.

There are also a number of DPAs in Europe who really do not like the US, for lots and lots of reasons, some of which may even be valid. The current DPA in charge of the association of European DPAs is the French lot. They really, REALLY do not like the US.

That would be bad enough. But also, the reasons given by the CoJ for nullifying the SH are not reasons that can be easily sorted out through contractual work - in effect, Europe has decided that the US system cannot currently provide the legally mandated privacy rights of EU citizens. There's nothing that individual companies can do about this, because the US has an out-of-control data acquisition spree run by the NSA with oodles of spooky secret sauce.

Until that's regulated to the point that EU citizens can be sure that they will know where their data is going, and have redress, this isn't going to change. (This doesn't mean properly court-mandated and regulated data revelation to properly constituted legal entities: that's not the problem.)

But wait, I hear you say. Surely the Snowden revelations showed that this sort of thing goes on within the EU as well, especially with GCHQ connected at the hip with the NSA? Yes indeed - and what's more, it's illegal, as ruled earlier this year by the UK's Investigatory Powers Tribunal, the only thing that gets close to a complaints bureau for citizens concerned with GCHQ. (The first ruling that found against a UK intelligence agency since the IPT was set up in 2000, btw. Snowden strikes again.)

What does this mean if an EU citizen decides to take an EU company to a DPA on the grounds that if the system cannot guarantee privacy law, neither can the company?

That's a good question.

And what happens in the interregnum before Safe Harbor is replaced, should any EU citizen decide to take a US company (or an EU company using US services) to a DPA? There was a press conference by the EUropean Commission this afternoon that said "In the meantime, transatlantic data flows between companies can continue using other mechanisms for international transfers of personal data available under EU data protection law.", but as far as I know, that's a judicial call, not a condition that the EC can mandate through fiat. As noted, BCRs and model clauses do not yet exist for US companies, thanks to Safe Harbor, and they haven't magically appeared to fill the gap.

In other words, a determined and only reasonably well-funded EU activist group could create one hell of a stink in short order, through the courts and DPA mechanisms.

I think the NSA has done more to endanger free trade (to the tune of around $200bn) than any terrorist group could dream of approaching. Because it (and its friends) ignored human rights.

I could be wrong on a lot of this, IANAL and this is my interpretation, and a lot is only going to become apparent over the next weeks and months - unprecedented territory.

It isn't going away, though, and it will not become a tickbox on a cookie warning.
posted by Devonian at 1:21 PM on October 6, 2015 [21 favorites]

(whups - I should say that BCRs and MCs _do_ exist for US-EU data transfers, but not ones that have been designed for or tested under the conditions that now exist post Safe Harbor cancellation. It's a new world...)
posted by Devonian at 1:29 PM on October 6, 2015

The NSA has destroyed trust in even connecting with US systems. This is overdue, honestly.
posted by odinsdream at 3:12 PM on October 6, 2015

Devonian, you might not be a lawyer but you're doing a fairly credible impression of one! I was a speaker at a cloud computing law conference in London today, and a couple of the presentations got pretty much junked and rewritten on the fly as we digested the CJEU press release and then (when it finally emerged) the judgment. Your summary is pretty much the consensus I heard from some senior IT lawyers as to the likely fallout from this.

And yes, words like 'transatlantic data war' were being bandied about by fairly sober senior counsel.
posted by Major Clanger at 4:13 PM on October 6, 2015

HR departments are shitting bricks. This isn't restricted to customer data, it includes employee data. The NSA just made international expansion financially untenable for startups.
posted by jenkinsEar at 5:36 PM on October 6, 2015

Devonian, you might not be a lawyer but you're doing a fairly credible impression of one!

Seconded. And I am a lawyer working this in area. Nicely done.
posted by His thoughts were red thoughts at 7:22 PM on October 6, 2015

« Older The Columbine effect   |   Cake is one of the major food groups Newer »

This thread has been archived and is closed to new comments