Silicon Valley now 'illegal' in Europe: Why Schrems vs Facebook is such a biggie Today's victory by Austrian privacy advocate Max Schrems in the European Court has massive repercussions for how the superpowers make law, and how Silicon Valley conducts business. And it may only get worse for America's data processing giants, very soon. Microsoft is challenging the notion that the world's data is by default …
" Seems like once again the EU is protecting people from their gover[n]ments."
And yet there are a lot of people who want to take the UK out of the EU. I suppose that then the protections granted by the data regulations of the EU will be withdrawn leaving us to the mercy of anyone who has our personal data.
Unlikely? One of the countries who expressed satisfaction with "safe harbour" happens to be the UK, the other is the Republic of Ireland, which would, I suppose, show why their Data Protection Commissioner declined to take any action over Schrem's complaint.
I think we need someone on our side on this and the only one willing to come forward seem to be the ECJ.
"....and that the problem is the USA not the EU." LOL! Ignoring that the Europeans are not innocent of spying on all they can get, your presumption is that the US (in this case US government agencies such as the NSA and FBI) having access to European data is The Problem. The real problem is that view - that giving the US access is something that is wrong and needs to stop. That this is a view actually not shared by the governments of the individual EU countries is easily shown by the fact they all co-operated with the NSA in return to access to data from PRISM. Why else come up with the fudge of Safe Harbour in the first place? And, since the EU is nothing more than the sum of those individual governments with an extra layer of bureaucracy, it would seem obvious that the real view of the EU is that allowing the US access to European data is actually good but needs to be hidden from the paranoid lest they spook the voters.
So, having already shown that the EU itself doesn't actually think the US having access to European data is The Problem, let's look at why voters in Europe might think it is. Is it bad if the NSA intercepts terrorist communications? Surely not, especially if they provide information on threats to Europeans as well. Or the activities of international criminal gangs? Nope, sounds a good thing to me. So I suppose the only "bad thing" would be if the NSA actually were spying on everyone indiscriminately, not just the "bad guys". And here we can just ignore the fact that even the NSA doesn't have the resources to spy on everyone, that there would seem little other than paranoia to even suggest they would want to, and get back to the usual question the tinfoil-attired refuse to answer - if you are so sure it is a "bad thing", show me the harm done. Because despite Snowjoke's grandiose posturing he has actually provided SFA to build a case that the US agencies do anything but look for "bad guys".
Dear tinfoil-attired, your downvoting will not change the facts outlined above but will give me cause to laugh. But, for added humour value, please at least try and post a counter to the idea the members of the EU are just as eager to keep the NSA in business.
"... please at least try and post a counter to the idea the members of the EU are just as eager to keep the NSA in business."
Well it depends on which "members of the EU" you are talking about.
If you mean the member states then yes, they probably are all trying to spy on anyone they want.
However this decision has not been taken by the member states but by the ECJ. This is the independent judicial arm of the EU. Its decisions are binding on the member states and gives EU citizens a way of holding said states to account, so that if Schrems was to make a similar complaint now he would have a much stronger footing.
Of course politicians in the member states will all say that they accept the court's decision, they have no choice, but will then go about subverting and sidestepping the new regulations as fast as they can. Being believers in the saying "One rule for us, another rule for them" they will try and carry on as usual but with the threat that if they are caught out they will get hammered.
So it's a step in the right direction. We the citizens now have a powerful stick with which to beat the spies when they get caught, but everyone must keep watching. The powers that be won't give up their lazy ways and stick to the new rules and it's up to us to try and make sure that they do.
"So I suppose the only "bad thing" would be if the NSA actually were spying on everyone indiscriminately, not just the "bad guys". And here we can just ignore the fact that even the NSA doesn't have the resources to spy on everyone,"
Once data is stored .. the data crunching power will come along sooner or later to trawl through it. You are saying no one will want to?.. maybe.
In case you have not been paying attention - starting years BEFORE 9/11, the NSA was already pouring money in to huge data centres and putting intercepts into every fibre link they had access to (inside and outside of the USA). The forerunner of the massive data sifting engine that the NSA now has, existed BEFORE 9/11, and was simply expanded on.
After 9/11 all bets were off. The US spook agencies used court orders and federal "secrets act" gag orders to forcibly get all the data they wanted, while keeping the people at the telecoms and big web providers & phone manufacturers silent (or else). Either you cooperated with their breaking the law or you were "defaco" a terrorist.
And what data was being acquired?
Snowdon made it very plain that a common pastime of contractors with the NSA, is looking at the sex photos & sex videos taken from peoples cell phones. These are images taken off of phones without any warrants at all. They are from RANDOM people's cell phones. I do not mean those photos grabbed as they passed through the cell network (with a FISA warrant) although they definitely have all of those too. If it is on your phone, or was on your phone, they have it stored somewhere. The size of the server farms they are running is ungodly huge.
So there is no secure data. The NSA put their own 'spook' contractors into every I.T. company (and government agency that dealt with "security"). They compromised the standards, and broke the code. We also know all of that from Snowdon.
The truth is that SSL has been broken for years now. The spooks have no intention of cooperating with the courts, or the people. They want your data and they will have it. None of this is new anyway. The US was taking data from the sat network with PRISM ages ago (including aiding in corporate espionage). Germany is one of the worlds biggest pipes of data to the NSA. They want "easy in" back doors for the few larger system that do not already have them. However a "back door" for ANYONE rapidly becomes a back door to EVERYONE.
Here is a big part of the problem. Aside from the terrible infringements on privacy, businesses MUST have privacy to do business. Intellectual property is very valuable. Right now there is no security that is meaningful, on any system on any network. Not any more. We need unbreakable hard encryption just so that business can (again) have the ability to do business properly.
Meanwhile the spook agencies continue to grab all the data they can find, no mater what it is.
One of the points made over the recent Paris attacks and those in Turkey is that indiscriminate mass surveillance creates a MASSIVE body of information that is impossible to meaningfully search. Sure there is face recognition done on every photo taken at every stop light and bank camera, and security camera (guess what FACEBOOK, Instagram, etc al are used for). SO they have a lot of data - a lot of it was illegally seized even by the "overly broad"quazi-legal powers of the NSA. However there is so damned much of it that NOBODY (not even the best A.I. in the world) can sift through it in a meaningful manner.
So we have lost all privacy. The NSA has a search system similar to GOOGLE for their own in house use (and they have been giving limited access to it to large police agencies) and we are all in it that system.
In return all we have gotten out of the process is a bunch of unethical NSA contractors fapping over peoples private images.
And the we have the patriot act (and others) which give the US draconian and near unlimited powers, in the USA and OUTSIDE of it. Businesses just *cannot* refuse an order to provide them unlimited data access. Saying no is officially "treason", at which point they can do anything they want to those who say no.
Google, Facebook, Apple, Viacom, Comcast...and every other large business out there has been FORCED to let the NSA wander through their data, and store anything they want for later. Apple has been on the "shit list" of the NSA ever since they started modifying their phone OS so it is less possible SPY on at will.
The only game in town is a VPN paired with an ONION server connection, and every copy of ONION software that is downloaded, results in a "watch order' on the person who grabbed the software.
It's worth adding that most of the objectionable provisions of the Patriot Act were already in place for use in the "War On Drugs", and had been in use for years. How do you think they nabbed that Panamanian dictator (and former CIA contractor), and all those Columbian drug lords?
In today's climate (no pun intended), the only real limitation is the cooling capacity of computing facilities. NSA's Signals Division spends more on computing than NASA's entire budget. Of course, that is matched by the National Reconnaissance Office and USAF satellite surveillance, which is also more than NASA's entire budget.
I would like some form of legislation that says that being in possession of any piece of 'private and personal' information is illegal unless it has a clear, auditable link to specific, named permission from the subject. Wont happen of course. Big Brother is watching us all and taking copious notes.
IIRC at one time Sweden had a very strong privacy law, and an enforcement arm that could go into any business to assure that they weren't storing personal information unnecessarily, nor passing it to anyone else without permission. But that was a long while ago, IDK what the present situation is.
... this is all about making sure the data is easily available to EU gov'ts and that there are jobs for Europeans at large foreign firms.
AVG proved what a joke EU 'privacy' regulations are - all you need is to store your data in the EU, then you can do whatever you want with it, including handing it over to any gov't without due process.
Max Schrems is a fool if he thinks this makes any difference, your data is safer from EU gov'ts if it is in the US (although not safe from the US gov't) - and vice versa (nach).
I'm sure all the EU spy agencies are opening champagne today as Schrems has done something they have not yet managed to do, e.g insure they can always access citizen data. If Schrems thinks that this will stop access to data, well I've got a bridge for sale.
Up next, mandatory data retention..... You know it's right and good for you.
The concern isn't the spy agencies. The spy agencies will get all your data whether it is in the UK, Eu or USa, whether it is legal or not.
The issue is the commercial use.
A US company wants access to all your medical records before giving you a mortgage?
Illegal in the Eu, but without safe harbor all they have to do is copy your data to the US (or some island with no Data Protection) check your "lifestyle choices" for insurance risks and then their Eu subsidiary can use the conclusion without you having any knowledge
Max Schrems is a fool if he thinks this makes any difference, your data is safer from EU gov'ts if it is in the US (although not safe from the US gov't) - and vice versa (nach).
Nope, for a whole raft of reasons, the simplest one is that data in the US is simply not protected as well, even if that data is of a US citizen. At present we're very focused on EU vs US, but we're overlooking the fact that US people actually have the same problem and would indeed be better off hosting in the EU. That would not protect them from legal requests for data (nor should it, that is a law enforcement tool), but it would keep their data safe from the US mass surveillance.
We have to be careful with generic terms here - "US" also includes US citizens, which are people just like you and me (although possibly better armed) who are just as entitled to privacy, and who (as far as I can tell) don't exactly get it either. When we start looking for solutions we have to take a step back and keep a bigger picture in mind because I do not think this can be solved in isolation. We can START in isolation, sure, but the answer lies in working towards a solution that works on both sides.
@AC: Who the data is about, is not really relevant, except in that it establishes who has standing to sue. An American citizen who lives in France and provides his data to a company in Belgium? - their data is "protected", for whatever that's worth, by the European directive, and the person's citizenship is irrelevant. And anyone who lives in the US is subject to - and protected by - US law, regardless of citizenship. (The 14th amendment makes it unconstitutional to make special protections only apply to "citizens".)
The issue is that if you give consent for anyone in the US to access your data legally - then that person can be compelled under US law to access that data without your consent, e.g. to pass it on to the NSA, regardless of any local law elsewhere that says they can't. That's the case Microsoft is fighting right now.
As for who is "entitled to privacy" - that's easy, no-one. Or everyone. It depends on what you mean by "entitled". And "privacy", come to think of it. To me, "privacy" means that my personal shit is shared only with my knowledge and consent. When I do stuff online, I know spooks can track it, and by the act of doing it online I could be said to "consent" to that, and therefore my privacy is not really being violated. QED.
And what I'm "entitled" to is what the law, as interpreted by the courts, says it is, no more and no less. My entitlement, and yours and everyone else in the worlds' - changed with this ruling. That's why it's a big deal.
And what I'm "entitled" to is what the law, as interpreted by the courts, says it is, no more and no less. My entitlement, and yours and everyone else in the worlds' - changed with this ruling. That's why it's a big deal.
I don't think that your rights have not changed one iota by this ruling. They have been clarified and so freed from the nebulous clouds of BS that US vendors have been using to shield user from the truth (and thus protect their income), but the rights in play already existed for quite some time.
It is very important to keep this in mind because it will help you understand why the noise coming from the US is drama rather than substance - they have known this for ages, but have been milking your ignorance of the law for all it's worth. Don't be blinded by just more BS.
"....Seems like once again the EU is protecting people from their goverments." Sorry, but that comes across as an incredibly naive take on the EU. Apart from the fact the various EU governments and their spook agencies have all been party to the NSA activities, most (if not all) of them already spend plenty of time on their own efforts intercepting both traffic from their own citizens and those abroad (look up Frenchelon for a start). The only difference is the NSA did it bigger and better, which is why the EU spooks wanted in on the deal. Those same governments then form the EU system and make the political decisions that guide the lumbering EU monstrosity. To put it quite simply in terms the tinfoil-attired might comprehend, the EU data crooks are driving the data bus and simply trying to make it look like they aren't co-operating in the data heist with the US data crooks.
This whole repeal of Safe Harbour is simply EU political windowdressing - no-one is going to stop Faecesbook's or Google's Internet traffic going out of Europe today, tomorrow or next week. There may be some polite queries as to what safeguards those companies are going to put in place, to which I predict the companies will respond with some sweet nothings, and eventually they will thrash out a new compromise (all data going to the US is encrypted whilst in transit and at rest, ignoring that as the key-holders the US comapnies can still be ordered to decrypt and hand over the data in the US) and business will proceed as usual.
Schrems argued with the Irish DC that he hadn't agreed that Faeces,... could send on his data.The ECJ said ok, maybe, it depends on the smaller print, BUT, the general shopping bag that the EC agreed with the USA has no right to be assumed as the carte blanche, that is the crux. It would not be so bad if we hadn't learned from Snowden and the post 9/11 stuff in the patriot act, etc., what the US could/would do with the data.
I would never agree that the EU/EC has any interest in protecting any of us, they are driven by pols. We on the other hand have an interest, or some do, and Schrems has provided a better mousetrap.
On the other hand, could we in the EU grow some companies to rival the big US Tech firm's services?
That is the exact problem. Someone who has a bright idea in the US can easily find someone to sponsor them (as witnessed by the ease by which Peeple got both investment and publicity) and then has a large market to sell into. In the EU, the first problem is that investment is a lot harder to get, the second problem is marketing across all the different countries who still all have their own laws and language. The result is that anything large can only grow if it has political friends or Really Big Money behind it.
The short version is that we can't, and thus need at least US technology. Services less so.
For the public sector this effectively rules out the use of most cloud services as we are required to protect personal data and not transfer it to other jurisdictions without protection. Goodbye office 365, google apps etc, hello, on premise data centre, exchange, etc.
"Goodbye office 365"
Office 365 is one of the few such services that you can set to retain your data only within the EU - which can be enforced by DRM (secured by Thales hardware HSM systems) that is specifically designed not accessible from the US if that's what you want...
Please pardon my ignorance, but I thought that one of the design principles of the internet was fault tolerance, and so if your data can;t get from A to B diretly, it'll automatically try anotehr route. Which could in theory mean someone in the Uk trying to aess data held in teh UK but it travelling a circuitous route via one or more foreign countries. And if one of those countries happened to be teh US, we're back to square one, surely? Or am I missing something? (I expect I probably am, I'm no expert in this...)
I'm not sure, but if an encrypted copy were sent to another jurisdiction (e.g. USA), but the keys were never sent out, that might provide backup with reasonably secure privacy. It would have to be sent back to EU before decryption, slowing things down a bit, but small price. The USA copy could be safely 'disclosed' in its encrypted form without violating privacy. Of course it would be necessary to use multiple keys, at least one for each small unit of data like a file.
It would also be useful to store the encrypted data on drives with Full Disk Encryption, with the disk key(s) also stored in a special system outside the jurisdiction. The US Fifth Amendment actually protects against forcing a person from disclosing a password to an FDE drive, _if_ the person has never written it down or disclosed it to anyone (verbally, email, whatever). The court case regarding a corporate person's privacy and what constitutes disclosure if the data is on a special server would be interesting.
O365, was, and is a solution to a problem that only Redmond ever had.
Amen to that. The problem was "how to squeeze revenue out of something that everyone already has when we can't get away with changing the document format anymore". That's also why they're trying to move to a subscription model but they couldn't just be satisfied with a license ping every so often, no, in typical MS style they tried to go the whole hog and grab personal data. I can see that becoming a bit of a problem now :).
Not that this a problem I have, mind - I've been using LibreOffice for years on Windows, Linux and OSX as it's the only solution where the UI has been left usable and fidelity remains consistent regardless of platform. It doesn't just save us money, it saves time.
> Goodbye office 365
Actually, that is probably one thing you can use ! Read up on the Microsoft vs DoJ case. If MS have done things properly then the US company won't be able to hand over the data - one of two things will happen :
1) They win, and the DoJ is told to FOAD
2) They lose, the US officers instruct the Ireland officer to hand over the data. The officers in Irelnd tell them to FOAD as it would be illegal. The US officers return to court, and point out that they cannot obtain the information.
I really hope option 1 happens. Option 2 would open so many more cans of worms than today's ruling - not least would be the farcical situation where US officers of the company would be unwise to set foot in Europe, and European officers of the company would be lunatics to set foot anywhere under US control !
If option 1 does happen, then it'll demonstrate that given the right structure it is possible for a US based company to comply with both US and EU law. The key is that Microsoft Ireland is a separate legal entity to Microsoft US, and Microsoft US have no access to data held by Microsoft Ireland. At least, that's what they are claiming.
given the right structure it is possible for a US based company to comply with both US and EU law. The key is that Microsoft Ireland is a separate legal entity to Microsoft US, and Microsoft US have no access to data held by Microsoft Ireland. At least, that's what they are claiming.
I do this for a living, and sadly, that's not how it works. The problem is leverage. MS Ireland is a subsidiary of MS US, and is thus controlled by MS US in both organisational and monetary/investment terms. The DoJ will thus claim that MS US has the means to get that data and will fine them for non-compliance if they don't cough up. As the main article stated, this is for fairly sensible reasons but rather inconvenient for Microsoft.
There is another vector at work here too: how do you get to legally force data out of a US outfit? In the US, post 9/11 there are so many routes to demand legally supported access to information it is a miracle that this hasn't leaked earlier although part of that can be attributed to VERY, VERY persistent refusal to even discuss the problem in public, which is something that now no longer can be avoided. If you're an EU business outsourcing to the US I'd start looking at what part of that data can be considered private and find a way to separate that out before it becomes ugly. This story is long from over.
And without Eu wide safe-harbor rules, the USA can negotiate a special treaty with Ireland where the USA has access to all data held in Ireland. If Ireland doesn't sign then all those US companies can switch their Eu-HQ to Luxemburg or some other European country that says yes.
Yes, agree.
I posited that US data wranglers would be forced into partnerships with EU companies only the other day. The US company would front up the infrastructure costs to get their EU partner to where they need to be and then garner royalties from licensing their brand name and IP.
The EU company wouldn't be subjected to the Patriot Act and its US partner would no longer need to support such a monstrously fat pipe to the NSA.
It could work, and it could also see many more European IT jobs in the offing.
That will work as long as the US organisations and those offering the service make indeed sure that there is no possible leverage (typically, investment and finance are dangerous routes).
There are a few legal kinks you have to work out, mainly on the contractual front, but yes, it is possible and at the moment it's even essential for a US company if it wants to retain its EU customers.
Actually there is at least one cloud provider that ensures your data stays within the EU. The one I'm thinking of allows you to store it all in the UK. Very good news for them this announcement.
The competition of course need to get the ability to keep cloud data within the EU sorted. I wonder how many companies have been using cloud companies but not mentioning that some of their users personal data is being stored in the US?
I am no MS fan, but MS has datacenters in the EU, the only issue is that they would need to store the data in the EU DataCenters... A simple choice by region when choosing provider? even now it makes sense to store it in the EU to save on transmission time between EU and US..
Although I disagree with the gmail argument in the text...
If I email someone with a gmail.com email address, you assume it is US based right?
If I email someone with a gmail.com email address, you assume it is US based right?
Let's not do assumptions, I just dug up the 5 machines that handle email for gmail.com.
Here is the list:
74.125.200.27
74.125.25.27
173.194.72.27
74.125.136.27
74.125.204.27
Paste that list into <a href='http://www.ipligence.com/iplocation">http://www.ipligence.com/iplocation</a> and see for yourself.
I am no MS fan, but MS has datacenters in the EU, the only issue is that they would need to store the data in the EU DataCenters
No.
They are already in court fighting exactly that case; if they win, then what you have said above is (almost) true.
But at present, they are legally oblliged to hand over any data they "control" - i.e. any data in any data centre in the world over which they have any power.
Vic.
It's not necessarily goodbye to those tools. Google might have a bit more of a problem technically (educated guess, not fact), but MS could very easily spin up a distinct European Azure and I'm certain that Amazon wouldn't find it any harder. Indeed, both already have the infrastructure in place and putting the necessary data segregation in place would be fairly straight-forward (at least for the architects of such epic projects as AWS and Azure it would be).
And if the question is a legal one, well MS could certainly licence the Azure technologies to some European countries. They essentially already do this as MS Server and many of their own commercially available tools are the same as in Azure. In business terms, licencing "AWS" might be a little harder but again, hardly insurmountable. In both cases, find a large European company as a front, and away you go.
The argument here is complete bollocks. If data were held in, say, Ireland the USA would need to request an Irish court to release the data. If the Irish court was satisfied that there is good reason then it would probably order a release of the necessary documents, much as it would agree an extradition of a person.
Requesting a court in the USA for access to data held in the USA is also what the FBI should do, but it is just much simpler for them to go & grab it.
What this will stop is fishing expeditions and the use of data for purposes other than nailing criminals. There has long been a suspicion about the USA helping themselves to trade secrets.
> If data were held in, say, Ireland the USA would need to request an Irish court to release the data
I guess the DoJ are arguing that as Microsoft (US) doesn't need to ask an Irish court for permission to get data from Microsoft (Ire), therefore they can compel the data transfer internally so that they can get it from MSUS.
Doesn't make it right, of course, but that's the Land of the Free(TM) for you.
The argument here is complete bollocks. If data were held in, say, Ireland the USA would need to request an Irish court to release the data. If the Irish court was satisfied that there is good reason then it would probably order a release of the necessary documents, much as it would agree an extradition of a person.
In the Microsoft case, the US government could indeed have asked the Irish courts for the data. The fact that they haven't, and are pushing this issue through the US courts, suggests to me that this is not about getting this particular data from Microsoft, but about setting a precedent.
If the US government can get a legal precedent set, that US corporations must hand over data wherever it lies, then they wouldn't have to get cooperation from, or even inform, other nations that information was being requested.
If the US government can get a legal precedent set, that US corporations must hand over data wherever it lies, then they wouldn't have to get cooperation from, or even inform, other nations that information was being requested
But getting a legal precedent will be in a court in the USA, not Europe.
Data held on a server in Dublin owned by an Irish subsidiary managed by Irish employees is still going to be subject to Irish/EU law. When the USA parent company is ordered to order an Irish employee of its Irish subsidiary to do something against Irish law we are going to see an interesting conflict. If the parent company tries to order sacking will the subsidiary be allowed to comply - or find itself having to pay compensation ?
Time to order the popcorn by the mega bucket load.
Do you really believe someone in Seattle has not RDP/SSH access to systems in Ireland? They really don't need to ask someone in Ireland to perform that - they can do from the US. MS could have easily complied, but they did know when the news had spread, nobody would trust their EU systems any longer.
FBI wanter an US precedent because it's there where it can find a judge allowing them access to data stored abroad - without the nuisance of asking the locals, data are just a remote session away, aren't they?
The issue is not a future Enron, where probably a foreign court will send data to FBI following the bilateral agreements - the issue is when FBI & friends want to access data a foreign court will probably deny them access. They are trying now with a drug dealer case because they hope to make people think "hey, it was a fucking drug dealer, FBI is right!" - but once working for drug dealer, it will work for any case you can find a US judge issueing you a warrant to access a foreigner email... and FBI does a lot more than going after drug dealers...
"There has long been a suspicion about the USA helping themselves to trade secrets."
US companies like Autodesk are pushing Cloud only (no local data storage) applications. Which is very concerning, as their applications are used for product design in many leading edge fields (eg bio-medical, robotics, automation systems, etc).
Hopefully this new ruling makes that practise illegal.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
