New EU Legal Privacy Framework: We're Not Kidding
An anonymous reader writes "Viviane Reding, Vice-President of the European Commission, announced today a new regulation for data privacy in Europe (PDF) to replace a 1995 Directive. Recently, privacy laws have been under a lot of criticism for their practical inability to ensure a high level of protection for EU citizens. The new data privacy framework will bring a lot of changes: 24-hour security breach notifications, mandatory security assessments, an end to notifications to local data privacy agencies, mandatory data protection officers and huge administrative fines: up to 2% of annual worldwide turnover (that would have meant $1.2 billion for Microsoft in 2008). Indeed that's 'the necessary "teeth" so the rules can be enforced.'"
So... (Score:5, Insightful)
Where do I sign up to vote "yes please"?
Re:So... (Score:4, Interesting)
Totally agree...this idea that businesses shouldn't be held responsible for their actions (or inactions) goes back to the business "revolution" of the 70s...the professional manager who operates without ethics, and whose only allegiance is to the shareholder (or their own salaries/bonuses)...it's about time governments started standing up for their citizens again....sign me up too!
Re:So... (Score:5, Insightful)
Note that it's 2% of turnover, not profit; a 10% fine would ruin a lot of businesses, which is not the intent of the law.
Re: (Score:3)
I would say those governments would spend/invest that money far, far, far better than a company that allows repeated data breaches.
Re: (Score:2, Interesting)
That would be interesting... Any company that has 3 data breaches in a 5 year period gets a year ban from the internet.
Re: (Score:2)
What's the point?
Companies can easily be shot and resurrected. Found a new company, transfer all assets, let the old one crumble. You don't even lose the brand name since that's an asset which, you guessed it, was transferred to the new company.
Meet the new crook, same as the old one.
Re:So... (Score:4, Informative)
What you describe is possible, yet prohibitively difficult. Transferring assets with this intent, particularly if the old company becomes insolvent, is a criminal offence (at least in the UK). There is a whole raft of laws that make this process more complicated than slipping on a fresh pair of underpants. Granted though, fly-by-night operations could try such a thing, yet by your logic, pretty much all laws can be rendered useless.
Re: (Score:3)
Why not put corporations in 'jail'. They are persons after all. If they are convicted, all of their assets are frozen for X years, just like if a physical person was.
Then stockholders can sue the management for causing the situation and losing them money.
Re: (Score:3)
Where do I sign up to vote "yes please"?
How does someone of distantly European ancestry upgrade by moving back? Figure an average /.er, in other words highly skilled/educated but no Nobel prize, plenty of money but not a billionaire, etc. I liked visiting Ireland, although that was before the economic collapse...
Re:So... (Score:5, Interesting)
No it can't just be ignored. If these laws pass, every EU country will be forced to implement them. The European Commission has very sharp teeth indeed on stuff like this, and does not take kindly to companies trying to ignore its rules.
Yep yep.
As a US citizen now thoroughly ashamed of my society's behavior (esp. regulatory capture, as well as the all-classes corruption of the housing bubble), this news is the first time in my entire life that European society has seemed superior.
It is quite a moment for me, coming as it is at the tail end of twenty years of staunch libertarian patriotism.
Re: (Score:2)
Interesting. So you suddenly favor big government and regulation? How did that happen? (Just curious - I am not a libertarian).
Re: (Score:3)
His privacy HAS zero value to a company. And the cost to protect his data must not exceed the price tag they can slap onto it when selling it.
Welcome to the data market.
Re: (Score:3)
Or rephrased, can't have a free market when the two big players, the govt and megacorps have all of the money, power, and force of law, and everyone else is tiny and has none.
You're much more likely to have a truly libertarian free market in the .eu than .us
Also there is no such thing as a "free market" without contract law and WRT privacy we are not allowed legally to have that in .us, as chattel property of the megacorps.
Re:So... (Score:5, Interesting)
As a US citizen now thoroughly ashamed of my society's behavior (esp. regulatory capture, as well as the all-classes corruption of the housing bubble), this news is the first time in my entire life that European society has seemed superior.
The first time ever? That's incredible.
Europe and the US have different views (to varying degrees) on many topics. Money, commerce, society, art, sex, the poor, the rich, military, environment, privacy, citizen rights and restrictions, punishment, education, transport, sport, patriotism, police, tax ...
Pick any one of those and I'll be able to describe things I like about Europe (and dislike about America), and vice-versa.
Re:Here's mine (Score:5, Insightful)
art: US? Seriously? Have you ever BEEN to Europe?
transport: US? Seriously? Where do you live that has better transit systems than most of (modern) Europe?
punishment: US? Is that YOU getting punished or your desire for strict punishment on OTHERS? The latter -- US, the former, Europe.
Re:Here's mine (Score:5, Interesting)
Every time I see that measured, it consistently shows the US having the least social mobility of all developed nations. For example, here: http://ftp.iza.org/dp1993.pdf [iza.org] and http://wrap.warwick.ac.uk/81/ [warwick.ac.uk]
I do often see the claim that the US has an advantage here, but I have never, ever seen it backed up, while I have seen the counterclaim backed up.
Re: (Score:3)
We are talking about today, not past history, something which happened BEFORE even US existed.
You probably haven't heard that many EU countries also have their own form of "The Declaration of Independence".
Also, the root laws protecting citizen rights are not as easily broken here in EU than in US.
Get out from under the rock, and look around. Think PATRIOT ACT, TSA, Homeland security. All the breaches in citizen rights happening there.
They are broken so casually that even though I'd like to visit the US, I simply do
Re: (Score:3)
Money: USD has heavy fluctuation. EUR is quite stable in comparison. US has wider margin between poor and the rich, making rich richer and poor poorer. It's harder to strike "little bit rich" in US in that sense.
Commerce: EU companies generally concentrate more on the quality of things, and the EU has countries with the easiest entrepreneurship anywhere in the world, i.e. Finland is one of the easiest countries in the world to run a company, and many other EU countries are the same. Companies in the EU also enjoy big
Re: (Score:3)
and USD has been on verge of what exactly for past several years?
Exactly.
Re:So... (Score:4, Informative)
In the Netherlands, there is a "knowledge worker" rule that says that if you can find a job that requires a degree and pays X% better than minimum (or modal?) wage, it's easy to get a working permit, plus you get a huge tax break (although I think they are cutting down on the latter). Any decent sized company will have someone in the HRM department who knows these rules and can help with the paperwork.
If you are here 5 years and pass a test you can apply for citizenship but that might require renouncing your US citizenship.
Re: (Score:2)
The same rule is in effect in most countries, and that bar gets lower every year. IIRC the German "wage bar" is down to about 50k a year. Guess it gets harder and harder to find good floor sanitation technicians.
Re: (Score:2)
Marry an EU resident :)
How many EU states are cool with polygamy? That would be a complication...
Re:So... (Score:5, Insightful)
My only disappointment is the constant bandying about of the fines thing. They point out that 2% is massive in monetary value, well yes, it can be, but it's not enough of a deterrent.
In the UK, for companies like Phorm, and ACS:Law, this would be zero deterrent to what they did, the fines shouldn't be capped percentage wise, as only a fine of perhaps 80% of annual revenue would've been enough to make Phorm and ACS:Law start behaving. The $1.2bn figure for MS sounds a lot less scary when you consider for someone like Andrew Crossley at ACS:Law who really has been in gross breach of the UK's data protection act, were he bringing in £250,000 a year with his personal one man business, would only see a fine of £5000, still leaving him £245,000 to take home. Where the fuck is the deterrent in that? You could write it off as the cost of doing business and just carry on doing it.
Jail terms for owners/execs, or completely uncapped fines left to the decision of the judge as to what size fine to levy would be the only real deterrents. That's the biggest problem I see with this proposed law - there's no worthwhile deterrent for companies with no positive image to protect (e.g. Phorm) in the fines, they're toothless as proposed right now.
Re: (Score:2)
Oh, but although the company is fined 2%, ordering your employees to do something illegal is criminal... So I don't think this would end as "the cost of doing business".
Re: (Score:2)
Unless there's some sanction for repeat offenders, they can just feign incompetence, so unless the authorities can find a whistleblower willing to act as a witness proving malice, there's little they can do to demonstrate it wasn't incompetence.
Re: (Score:2)
In general, fines are associated with a delay to remedy the situation. Then it becomes a repeat offence and the fines go up.
Re: (Score:2)
2% is massive in monetary value, well yes, it can be, but it's not enough of a deterrent.
I don't think it's meant to be a 'deterrent'. Companies don't have data breaches on purpose, even the best security can be subverted.
This is more to get them to have some security in place and to avoid coverups after it happens, eg. a decent security system doesn't let people take the data home for the weekend so no more 'lost laptops' (hopefully).
Re:So... (Score:4, Interesting)
I'm in risk management. The fine is pretty much already a deterrent, or rather, it's a good incentive to invest a few bucks in security.
Security, or rather, anything related to heeding a law in a company, is a game of chances. What's my gain to break the law (or ignore it), what's the cost of the fine and how likely is it to happen. These are, in a nutshell, the things I deal with on a daily basis. Yes, laws and following them is not a matter of "being good" or "doing no evil". It is simply and bluntly a matter of cost and benefit.
2% annual revenue as budget is a wet dream for security and risk management. And while we won't get it (not by a longshot), we can now easily argue with the increased monetary risk when it comes to the question whether and how much investment is necessary for security.
Re: (Score:2)
The problem is, if the fines get too high, companies start to evade them. It's easy for corporations (and yes, giving corporations "person" status was the first blunder and should be removed, but that's beyond the scope here).
You fine me 90% of my annual revenue? The same nanosecond a new company is created, which just happens to have the same board, who scoops up everything from the yard sale the company you fined has after going bankrupt, including all brands and patents. How do you plan to avoid that? Short answer, you can't. The company just went bankrupt due to the fine, in the bankruptcy process all liabilities get cut to a certain percentage and the new company can scoop up everything for a penny on the dollar. Yes, it's still some money lost, but we're a far cry from the 90% you wanted. If you're lucky, you get 1-2%. Which is pretty much where we are right now.
Re:So... (Score:5, Insightful)
You fine me 90% of my annual revenue? The same nanosecond a new company is created, which just happens to have the same board, who scoops up everything from the yard sale the company you fined has after going bankrupt, including all brands and patents. How do you plan to avoid that? Short answer, you can't. The company just went bankrupt due to the fine, in the bankruptcy process all liabilities get cut to a certain percentage and the new company can scoop up everything for a penny on the dollar. Yes, it's still some money lost, but we're a far cry from the 90% you wanted. If you're lucky, you get 1-2%. Which is pretty much where we are right now.
Not that easy. If a company goes bankrupt and has sold on all kinds of stuff before the bankruptcy, all these sales can be invalidated, with more additional consequences.
And think what would happen to a company like Google, or Facebook, or Apple, or Microsoft. Going bankrupt is not an option. If Google sold patents to Google v.2 for a dollar each, and then declares bankruptcy, surely Apple and others would go to the courts and offer twice the money.
Re: (Score:2)
Where do I sign up to vote "yes please"?
Sadly, not in the US of A. The EU may be screwed up in some ways, but on this item they have a firm grip of reality. Well done.
Re:You Can't Vote (Score:4, Informative)
Apart from - you know - the fact that two of the more important EU institutions are the Council of Ministers and the Parliament - both of which contain people you voted for.
Re:You Can't Vote (Score:5, Informative)
The Council of Ministers doesn't contain anyone I voted for. It contains people selected by the leader of the political party that won the national election. Neither the candidate MP I voted for nor the one who was elected to represent me is a member of this party, so my MP does not have any say in their selection. MPs are not supposed to respond to comments or questions from people in other constituencies, so the people who 'represent' me in the CoM are not actually supposed to communicate with me at all, and I have no influence on their reelection.
I am much better represented in the Parliament. I have 5 MEPs, one of whom does a very good job (although when the Welsh Nationalist is the sane one, you start to worry about the system), but at least there is one MEP who represents my views and is accountable to me there.
Unfortunately, every time we try to push more power to the Parliament, the Eurosceptics manage to get it overturned...
Re: (Score:2)
No, just stop it. This bullshit of, "Well I didn't vote for the people who won, therefore I don't have representation" is patently false.
Re:You Can't Vote (Score:4, Informative)
Did you read my post? It's not that I didn't vote for the person who won - the person in my constituency who does represent me (even though I didn't vote for him, he is accountable to me and the other people in my constituency) has no say in selecting the people who go to the Council of Ministers. They are selected by the government (a coalition at this point, more commonly a single party with a majority) from the pool of their MPs.
These ministers are not allowed to communicate directly with the constituents of other MPs. This means that the people who are supposedly representing me at the CoM are not allowed to communicate with me. I am not supposed to write letters to them, and they are not supposed to reply. In contrast, I have 5 MEPs who represent me and even though I only voted for two of them (I think - one definitely, I can't remember about the others) they are all supposed to be available for direct communication with me.
Re:You Can't Vote (Score:5, Insightful)
And yet somehow, bureaucratic oppressive Europe got awesome privacy legislation. What did the democratic land of the free get? SOPA.
Life is good here in the socialist hellhole. ;-)
Re:So... (Score:4, Informative)
Vote yes for more expansive government authority to protect you from something that would be no danger if you could just keep your mouth shut. Governments shouldn't be about protecting you from yourself.
How would "keeping their mouth shut" prevent consumer data disclosures? Companies that aren't doing business "online" still hold a treasure trove of data about you, much of which I'd imagine you'd prefer was kept private. ...if they were under any obligation to disclose to you that they were holding information about you, that is.
Re:So... (Score:5, Insightful)
Shut the fuck up, seriously. This idea that companies should not be held responsible for their actions is completely asinine.
If you don't want companies to be held responsible, go find somewhere without "government intervention". I hear Somalia is lovely this time of year.
This is only proposed set of rules (Score:4, Informative)
Re: (Score:2)
As someone who is involved in putting in place processes to cope with legislation like this I can only say it sounds like yet another ludicrous set of disincentives for small businesses. So every business needs a data protection officer, the ability to respond to a query within 24 hours, gold plated toilets, forms to fill out in triplicate. I'm all for ensuring consensual use of personal data but I am completely against legislation which mandates a bureaucratic process to implement it which means that I end
Re:This is only proposed set of rules (Score:4, Informative)
A quick scan does not seem to forbid the outsourcing of this function, meaning specialist companies will be available to manage and oversee your privacy compliance.
Importantly, the rule is that this Privacy Officer needs to be totally independent of management.
The easiest and for me obvious way for any company to lower the amount of effort controlling this privacy sensitive data is to only keep the absolute minimum of it.
This looks like a failure waiting to happen (Score:2)
Re:This looks like a failure waiting to happen (Score:5, Insightful)
Well the obvious answer is that they can't if it really has no EU ties, just like they can't do anything about sites outside the EU hosting child porn currently.
But that's just the way the world works, it's designed with that knowledge, but it won't protect companies like Facebook, Google, Apple etc. as they do have a presence, and even if they withdrew that presence they could potentially still harm those companies by preventing EU firms advertising with them, for example.
I'm sure firms will argue it'll cause some competitive disadvantage, but I'm not convinced that's true- I'd argue the opposite if anything, users across the globe should feel far more comfortable using companies that adhere to these rules, than those that don't.
So I don't really see how it'll be a failure, it'll force all major online firms to adhere to it because they do have an EU presence, and from there anyone else that doesn't comply will have the disadvantage of being much less attractive to customers. Who wants their data held by some fly-by-night company that has no restrictions on what it can do with that data when they can instead use a company with more ethical rules surrounding what it can and will do with your data?
Re: (Score:2)
The intent I fully and wholeheartedly agree with... However, 2% of _world_wide_revenues_ is what concerns me. I'd rather see it phrased as 2% of world-wide revenue apportioned to user base / affected users (affected or not by breach).
Hence, the larger the breach, the larger the fine. I could easily see Company A arguing to US regulators : "We shouldn't have to pay for US users as the EU already fined us for everyone.".
Re: (Score:2)
No it won't, complying with this legislation isn't exactly hard and frankly a lot of responsible companies of all sizes do this sort of thing already.
I dealt with a number of recruitment agencies earlier this year, some very small, some larger, but none of them went bust when they complied with my request to remove my personal details from their systems after I'd finished looking for a new role.
Re:This looks like a failure waiting to happen (Score:4, Insightful)
Good fucking riddance. If they can't actually secure my private data, they shouldn't be in business in the first fucking place.
You people always bitch and moan about "regulations being a burden!", but for some reason, you think it's completely fucking ok for companies to just not give two shits about someone's data.
Re: (Score:3)
In the same way that U.S. authorities enforced the warrant against MegaUpload (HK-based company, owned by a German-Finnish citizen currently residing in NZ ...): Uni-, bi-, multiliteral contracts, I guess.
But I fear for our good-but-still-not-enough German laws. I'll bet they'll be watered down to a great degree.
Re: (Score:2)
Erhm ... that's lateral, of course ...
Re: (Score:2)
In the same way that U.S. authorities enforced the warrant against MegaUpload (HK-based company, owned by a German-Finnish citizen currently residing in NZ ...): Uni-, bi-, multiliteral contracts, I guess.
But I fear for our good-but-still-not-enough German laws. I'll bet they'll be watered down to a great degree.
It would be fun to see the UK extradite from the US for a change...
Re: (Score:2)
If they target the region, that's having a business there under their jurisdiction. I assume there's a google.fr and a facebook.de ... that pretty much makes you covered under their laws.
And, let's face it ... the USA is extraditing people who committed no crime in their own country and SOPA would have allowed t
Re: (Score:2)
If they're receiving and storing personal information, then they need to obey the law. Why should being a small company exempt you?
Google et al are directly gathering more personal information, and, as we've seen [slashdot.org], they're getting more aggressive about it.
Gander/goose? (Score:3)
Re: (Score:2)
The existing data protection regulations apply to government agencies as much as anyone else and as far as I can tell, so would these new ones.
Re: (Score:2)
Yes, yes, we all hate America over here and it's all just a big conspiracy to steal money from your corporations because we're so jealous of them.
Hopefully (Score:2)
I really hope this passes. It'll be interesting to see all the stuff that I thought I'd deleted off Facebook suddenly reappear* so that I can actually remove it permanently.
*Apparently FB doesn't actually delete anything and it's just hidden from the user.
Re: (Score:2)
You gotta figure Facebook is between a rock and a hard place on this one. They have to retain material 'deleted' for a while, in case someone shows up with a warrant demanding they produce this information (otherwise wouldn't you just delete anything from Facebook that might be inconvenient in a divorce or the like). But they can't retain it too long because then you're into a privacy violation, nor can you necessarily manually assess anything before deleting it because of the sheer scale and lack of conte
Big Fines can be OK... (Score:3, Insightful)
Also - who is responsible for the fine if the breach is due to "off the shelf" software?
Re: (Score:2)
Big Fines should go to the users harmed, not the State. A corporate screw-up should be punished, but the money shouldn't be flushed down some bureaucratic hole.
Why do you think these sort of laws are put in place? Laws can be written such that a civil lawsuit can be brought for damages, or they can be written to bring heavy fines. Which do you think a government is more likely to pass?
Consent and EULAs (Score:5, Interesting)
One of the important rules is "If the data subject's consent is to be given in the context of a written declaration which also concerns another matter, the requirement to give consent must be presented distinguishable in its appearance from this other matter." In other words, merely consenting to a long EULA that involves transference of data isn't enough. There has to be a separate checkbox to allow redistributing data. EULAs that allow one party to change the terms at any time won't qualify, either.
Red tape and garbage (Score:2, Interesting)
This law simply looks like an empowering of the EU, and giving it the ability to assault companies and organisations. None of which really deals with the issue at all.
This law needs individual assertion. A citizen needs to have the right to have access to their data, and have rights to control it with limited caveats. Only laid out circumstances should exist where someone can hold your data (your employer for example) or government departments (your passport or health records) - and the citizen should have
Re: (Score:2)
I don't know about the EU, but in the US, a criminal penalty does not prevent a civil lawsuit for defamation and/or breach of contract. So, if Facebook broke the rules, Viviane Reding would give Facebook a multi-billion euro fine, and all that criminal evidence would make the class-action lawsuit a relatively simple affair (because the evidence is already introduced in the criminal proceeding, so proving Facebook broke the rules is quite easy).
Re: (Score:2)
No it can't just be ignored. If these laws pass, every EU country will be forced to implement them. The European Commission has very sharp teeth indeed on stuff like this, and does not take kindly to companies trying to ignore its rules.
How serious are they about data protection, if even the EU governments themselves are ignoring the most basic principles of secure database deployment?
Case in point, recently the database of the Luxembourgish service medico-sportif was breached [www.wort.lu]. No, not by an evil-genius uberhacker, but by a sportsman who saw a password on a note stuck to a medico-sportif doctor's screen ...
It turned out that the service ignored the most elementary security precautions:
Re:Doubt it will go anywhere (Score:5, Insightful)
Perhaps you haven't noticed, but being associated with Big Media is pretty much toxic for politicians right now.
Oh, and also in case you hadn't noticed, the EU hasn't actually signed ACTA yet. Technically they have until March next year, IIRC, though I expect someone will try to sneak it through in the very near future before the politicians realise it's too close to SOPA and PIPA (in some respects) and likely to cause similar grief.
Also, while the European Commission (the unelected guys who seem to be behind the secret negotiations) still publicly support ACTA [europa.eu], whether they can get it through the European Parliament (the elected guys who recently got new teeth under the Lisbon Treaty and seem to be enjoying exercising their powers) is a different question.
Re: (Score:2)
Perhaps you haven't noticed, but being associated with Big Media is pretty much toxic for politicians right now.
Not really, considering that they're all associated with Big Media. In order for that to be a problem their political opponents would have to be able to point fingers and say "Look at him! He's in bed with Big Media!!", but none of them can do that without their hypocrisy being on display. The MAFIAA and these other organizations/business groups buy off everyone. Why throw your support behind one candidate that could potentially lose an election if you can afford to hedge your bets by supporting both?
Re: (Score:3)
The MAFIAA and these other organizations/business groups buy off everyone.
Everyone? They can't buy off the pirates, which are now popping up in every European country, and firmly intend to participate in the 2014 European elections...
Ok, so you may say, pirates are not in parliament yet, and 2014 will be too late to stop ACTA. However, even now, pirates are already creating enough of a stir that the current political parties are feeling compelled to adopt some of their stances about the internet. Case in point: the recent commemorations against "Vorratsdatenspeicherung" (preemp
Re: (Score:3)
Perhaps you haven't noticed, but being associated with Big Media is pretty much toxic for politicians right now.
It may be toxic, but they don't seem to care! http://torrentfreak.com/australia-us-copyright-colony-or-just-a-good-friend-120121/ [torrentfreak.com]
Oh, and also in case you hadn't noticed, the EU hasn't actually signed ACTA yet. Technically they have until March next year, IIRC, though I expect someone will try to sneak it through in the very near future before the politicians realise it's too close to SOPA and PIPA (in some respects) and likely to cause similar grief.
Poland is looking to sign it now. That was the reason for all those attacks, and they seem to be pushing them forward against the public wishes. http://politics.slashdot.org/story/12/01/25/0211219/piratbyran-co-founder-says-stop-ddosing-polish-sites [slashdot.org]
Also, while the European Commission (the unelected guys who seem to be behind the secret negotiations) still publicly support ACTA [europa.eu], whether they can get it through the European Parliament (the elected guys who recently got new teeth under the Lisbon Treaty and seem to be enjoying exercising their powers) is a different question.
That would make sense, but the politicians all over the world seem to be doing the opposite of what is sensible. Once again, the
Re:Doubt it will go anywhere (Score:5, Insightful)
That's roughly what a lot of people said before the EU went after Microsoft for anti-competitive behaviour, too. More than $1,000,000,000 in fines for defying sanctions later, those people had changed their tune.
Re: (Score:2)
The EU isn't that weak. The EU is sort of a cross between the UN and the USA (if you consider each state to be a sovereign state instead of an egotistical province). I don't know how close to which end of the spectrum it is, however.
Re:Doubt it will go anywhere (Score:4, Insightful)
EU law has direct force in national law, EU law trumps national law, and questions of interpretation of EU law are handled by the EU court, whose decisions are binding for the national courts. The EU is very far from toothless in areas where it has legal competence.
If they are indeed replacing the '95 directive the "published document" will have the form of an EU directive, which member states are compelled to turn into national law. If they don't do so, the EC (or, I think, any citizen with standing) can sue them in the EU court for failing to comply.
What you are referring to as toothless is probably in issue domains like foreign affairs and defense, where the member states have full competence and the only thing the EU can do is try to forge some sort of consensus.
Re: (Score:2)
Not quite. Yes, the local (read: national) governments make the laws, but they cannot ignore an EU directive. It MUST be implemented. It's up to the national governments to do it, and they have some leeway in how they implement it (in a nutshell, you can almost always be stricter but rarely more lenient), but not implementing it results in a quite serious fine.
Re: (Score:3)
How is any of this going to protect you from the police?
It won't (well, on the basis of what the summary says) but they're surely not the only threat.
Re: (Score:2)
I am less worried about the police than the media industry.
Re:data location? (Score:5, Informative)
Transferring personal data from inside the EEA to places outside like the US, where there are not such strong data protection rules, requires either the subject's consent or certain specific guarantees under a safe harbour agreement. Otherwise taking the data out is already illegal.
Re: (Score:2)
That's what EULAs are for.
Re:data location? (Score:4, Insightful)
Funny thing: some rights, you cannot sign away. So the EULA is irrelevant. For example, no contract of indentured servitude is legal. In the same way, you cannot sign away your right to privacy.
Re: (Score:2)
I agree but agreeing to "Company G storing your data in various locations around the world" isn't giving up your privacy and I'm sure G's lawyers & lobbyists will quite gladly spend time & money making a few judges agree.
Re:data location? (Score:5, Informative)
In most of Europe, we don't vote for judges. They are appointed and are quite immune to lobbyists. Also, most of Europe has a civil law system, and under that system, the laws do not get "interpreted" by the judges...
It is a bug of the American system that judges are affected by lobbyists and get to decide what laws mean. This doesn't mean our system is better. This is just a bug we don't have.
Re: (Score:2, Interesting)
In most of Europe, we don't vote for judges. They are appointed and are quite immune to lobbyists. Also, most of Europe has a civil law system, and under that system, the laws do not get "interpreted" by the judges...
It is a bug of the American system that judges are affected by lobbyists and get to decide what laws mean. This doesn't mean our system is better. This is just a bug we don't have.
As a point of fact, at the federal level and in many states judges are not elected. Instead they are appointed (by someone or some group that was also elected), and are basically set for life.
Depending on the jurisdiction involved (varying states or the federal justice system), they either have lifetime appointments or appointments to a mandatory age of retirement.
Some jurisdictions allow for the removal of judges based on the quality of their work (i.e. a judge who made *many* *very* *boneheaded* decisions
Re: (Score:2)
As a point of fact, at the federal level and in many states judges are not elected. Instead they are appointed (by someone or some group that was also elected), and are basically set for life.
... and so they will stay forever faithful to whichever party appointed them, which is not necessarily a good thing either.
Indeed a president in office during a period where lots of Supremes happen to retire and/or die has suddenly the power to (indirectly) set judicial policy for the next 30 years or so...
Re: (Score:2)
I'd like to see that in court ... an EULA can't violate the law, and if it's against the law for them to share your data with the US, they can't change the EULA to say you waive your legal protections.
I would hope that something like that would basically get pursued as a willful violation of this, and lead to a fairly epic smackdown.
Of course, since with the Patriot Act that the US has given themselves the right to demand data [theregister.co.uk] from US owned companies ... so I can see it being possib
Re: (Score:3)
They're a bit like the disclaimers you see at the bottom of some companies' e-mails, a waste of bandwidth.
Re: (Score:2)
True.
However, the company has to operate entirely outside of the reach of European legislation for that to apply. Some do, but any business with a European presence is subject to those laws, which actually covers a surprisingly large number of the big names: Facebook have an office in Ireland, PayPal (Europe) are registered as a bank in Luxembourg, all the giants like Microsoft and Google have European offices, etc.
The export restrictions are a more significant issue for smaller US companies that provide B2
Re:keeping it regional? (Score:4, Informative)
It is completely within their remit. The part of the company paying is EU-based, but the fine is calculated based on worldwide activities.
Why would it be? (Score:2)
The idea is to create a fine that will actually hurt the companies. If they said X% of the turnover in EU, it would just give companies even more incentive (in addition to tax dodging) to claim their profits are actually from somewhere else.
I'm trying to come up with some sort of logical/ethical/economical/whatever reason for why EU shouldn't be able to fine X% of worldwide turnover but I can't come up with any.