Schrems' Facebook case edges closer to ruling over EU-US data flows

the whole thing will presumably have to start up again under GDPR

I don't think so. It was because of this case that the ECJ struck Safe Harbour down. So while some issues may need reevaluation in the light of changes in the law, it's unlikely to need to start the whole thing again.

Re: They forgot an obvious question

"Hey CJEU, who died and made the USA the emperor and supreme generalissimo of the world?"

The USA appointed themselves that title some time ago and nobody thought it worth challenging, so here we are.

Re: They forgot an obvious question

It may be an obvious question but it's not a question at issue in Schrems' case against Facebook. If you want that question to be asked you need to find some body against whom you have a specific claim relating to that and raise that claim with the regulator in whose jurisdiction it falls. Then it will become not only an obvious question but also a relevant one and it's relevance to the case in hand that determines whether it can be raised at the ECJ.

Re: I'm prepared for a whimper

"I frankly doubt that the EU courts will have the balls to force Facebook to balkanize its data into independent units."

I don't think they have the power to do that. It would be a legislative requirement.

What the courts do have is the power to do is to react to specific claims that might arise from that and issue fines against the companies concerned or even take action against senior officers of the companies and I can't see why the courts would have any compunction in doing that. It's ip to the companies to decide whether they can accept those sanctions on a regular basis or whether they need to find a means to avoid them. If they choose the latter course, and it seems likely, then they have option of setting up some arm's length operation which may be what you mean. They also have options of quitting the European market altogether or of ceasing to be US corporations.

Whilst I can't see the courts being reluctant to take such action where cases are put before them the willingness of the regulators to play their part is a different matter.

Re: I'm prepared for a whimper

> The recent US law makes it very clear that as long as Facebook US keeps control over the place where the data is stored, they have to cough it up to Uncle Sam whenever he asks.

That's a completely separate issue though.

In the Microsoft case (where the CLOUD act is relevant) I suspect the EU have already started the paperwork to start punitive action should MS Ireland comply with the US's orders.

The US can pass whatever law they like, but no company is going to enjoy the consequences complying once GDPR comes into force.

I'm not sure what the ultimate outcome is going to be, but privacy is one of the areas where the EU tends not to back down. And Europeans in general aren't going to quietly accept having our privacy levels dragged down to match the level afforded in the US market. On the flip-side, the US aren't going to back down and rescind CLOUD either, so my guess would be that there'll be a stand-off for a while where the US demands something and the EU fines the company for complying.

Somewhere in amongst that mess, of course, will be US politicians crying foul when other countries pass similar laws and start demanding data from companies operating in the US.

> Is this even possible now that the US has passed legislation that allows a simple internal US-issued warrant served on a company in the US to force that company to turn over data stored in foreign jurisdictions?

Yes, sort of.

You'd need to make sure that the US arm/parent/whatever did not have the ability (in any way) to access that data for itself. Access to the data would need to be totally reliant on the EU entities co-operation.

The EU entity would refuse (as it'd break EU law) and the US entity would be unable to comply.

But, it'd mean you'd need to be willing to accept whatever penalty the US entity then gets hit with for non-compliance. From what I've seen though, that's still significantly less than the fine you could get under GDPR, so from a pure financial sense it makes more sense to tell the US to fuck off.

> According to the US government, they no longer need to issue an international warrant under their various treaties and get the co-operation of the government of the nation where the data is located.

Yeah that's what they say. It's unlikely to work well for them in most countries though. It's not that different to the Kremlin passing legislation stating that they are now cleared for unescorted access around the Pentagon and that interfering with their passage within the building is a capital offence.

You can pass whatever law you want in your own country, you can even say you're not going to use diplomatic channels. The other side, though, doesn't have to accept it. Where the other side has the ability to punish your middle-man for compliance, it'd be foolhardy to push it too far.

1a) Even if you are paying you may still be one of the products being sold.