Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
EU Government Privacy United States Your Rights Online Politics

EU Court of Justice Declares US-EU Data Transfer Pact Invalid 205

Sique writes: Europe's highest court ruled on Tuesday that a widely used international agreement for moving people's digital data between the European Union and the United States was invalid. The decision, by the European Court of Justice, throws into doubt how global technology giants like Facebook and Google can collect, manage and analyze online information from their millions of users in the 28-member bloc. The court decreed that the data-transfer agreement was invalid as of Tuesday's ruling. New submitter nava68 adds links to coverage at the Telegraph; also at TechWeek Europe. From TechWeek Europe's article: The ruling was the court’s final decision in a data-protection case brought by 27-year-old Austrian law student Max Schrems against the Irish data protection commissioner. That case, in turn, was spurred by Schrems’ concerns over the collection of his personal data by Facebook, whose European headquarters is in Ireland, and the possibility that the data was being handed over to US intelligence services.
This discussion has been archived. No new comments can be posted.

EU Court of Justice Declares US-EU Data Transfer Pact Invalid

Comments Filter:
  • Obvious ruling (Score:5, Insightful)

    by Anonymous Coward on Tuesday October 06, 2015 @07:32AM (#50669365)

    The court simply stated what looks obvious to anyone in good faith: if you do business in a country, you have to abide by the local laws. And given Snowden's revelations, it's purely ridiculous to claim that privacy rights can be respected if foreign data are stored in the US.

    So google, facebook, twitter, microsoft, cloud computing services, etc... will have to open their wallets and create data centers inside single EU countries. Otherwise GTFO.

    Technology must respect the law, not the other way around. Sorry billionaire nerds.

    • Re: (Score:3, Interesting)

      by Anonymous Coward
      It is really worse than that. Don't forget those court cases (Microsoft is involved in one now) where the US Justice Department believes (and the courts seem to agree so far) that data from email stored in Ireland can be handed over to the US government simply because Microsoft owns the servers and the US can then compel Microsoft to expatriate the data to the US. This seems ridiculous on the face of it - but it shows that there is more to your statement about saying that Google, Facebook, Twitter, Microsof
      • by mysidia ( 191772 )

        host data for them and for the US based companies to have absolutely no control over the servers.

        Not the servers; the physical servers are irrelevent. For the US based companies to have absolutely no access to the decryption keys that are used to protect user files.... they can use that by performing decryptions in a HSM which is physically tied to a location

        At that point, the only thing the US government could order them to do would be to modify DNS entries to route users' traffic through the US

      • by tnk1 ( 899206 )

        From what I have seen, there is no need to form European subsidiaries. American businesses just need to adopt the EU model clauses for European data. It's a pain in the ass, but not much will probably change.

      • The solution to that particular problem is obvious: Megacorp does not, in fact, do business in the EU but rather has licensed everything EU-related to a company named MiniMus. The fact that MiniMus is a wholly-owned (or practically-so) subsidiary is beside the point, as it'd still be legally another company...and the Megacorp can rightfully say that they'd love to comply but that data is MiniMus's property. The overall result would be that there'd be a very annoyed judge wondering why the US DoJ even both

    • Re:Obvious ruling (Score:5, Insightful)

      by rmdingler ( 1955220 ) on Tuesday October 06, 2015 @08:04AM (#50669591) Journal

      And given Snowden's revelations, it's purely ridiculous to claim that privacy rights can be respected if foreign data are stored in the US.

      It's pretty ridiculous to claim privacy rights can be respected with regard to personal information stored anywhere.

      Do you reasonably suspect the surveillance powers will have any problem crossing imaginary lines in the dirt?

      • by AmiMoJo ( 196126 )

        It's about choice. We want to choose who fucks us, not be raped by whoever happens by.

    • by pnutjam ( 523990 )
      Just wait, the TPP will strip.. er... I mean standardize all privacy rights.
      • by MikeKD ( 549924 )

        Just wait, the TPP will strip.. er... I mean standardize all privacy rights.

        Harmonize. The euphemism is "harmonize".

    • Re:Obvious ruling (Score:4, Interesting)

      by Zocalo ( 252965 ) on Tuesday October 06, 2015 @08:32AM (#50669805) Homepage
      Google, Facebook, Twitter, Microsoft, and most of the other cloud computing services, already *have* data centres in the EU, so they can get into full compliance "simply" by ensuring that no applicable EU citizen data leaves those data centres. In Microsoft's case this is probably excellent news since they now have another argument they can use to avoid the US DoJ's attempts [theguardian.com] to compel them to hand over emails they have in their Dublin DC. It's the smaller US companies that are probably going to take the brunt of this - the one that don't currently have any servers in the EU.

      It's probably a good day to be a CoLo provider with spare capacity in the EU...
      • by ranton ( 36917 ) on Tuesday October 06, 2015 @09:07AM (#50670115)

        I assume this ruling helps US cloud providers since even more small companies will be compelled to not host their own servers. I can easily spin up servers on AWS in Ireland and Frankfurt, but not so easily set up my own data center.

        Its rare for any increase in regulation to not help large companies, since they have the scale to deal with the lawyer fees necessary to comply.

        • I assume this ruling helps US cloud providers since even more small companies will be compelled to not host their own servers.

          If I have no business presence in the EU, my payments are processed in the US, and my servers are in the US, why would it make any difference to me what the EU wants or what the US rules are?

          • If you provide a digital service to a European citizen, you are required to submit VAT payments; as you are completing a sale in the EU. (Much like how the US treats the customer's location as the point of sale, in determining tax-rates, applicable laws, etc.)

            Thus, in this case, you will be breaking the law in Europe.
            Which is perfectly fine if you don't have any intention of ever stepping foot in Europe.
            Or are not evading taxes to such an extent that the EU decides to extradite you.

            • Maybe. If a Euro citizen comes to the US and buys a car, the Euro governments get no taxes. If your servers are in the USA and your terms of service claim all transactions are done in the USA then you can claim the same, they came into US jurisdiction.
      • Re:Obvious ruling (Score:5, Interesting)

        by Xest ( 935314 ) on Tuesday October 06, 2015 @09:30AM (#50670281)

        "It's the smaller US companies that are probably going to take the brunt of this - the one that don't currently have any servers in the EU."

        Actually I'm not sure that that's the case. If a company operates only in the US (e.g. is headquartered there, only makes money there, only has staff there), but an EU citizen gives them their data, then the EU citizen is effectively accepting that their data will be held under the US' weaker data protection regime.

        The problem here is that Google, Facebook et. al have set up European subsidiaries for tax dodging purposes and so EU citizens are interacting with EU subsidiaries who are held to EU data protection standards. Those subsidiaries cannot make the decision for users to send their data to weaker data protection regimes - only the users themselves can opt to do that.

        • by tnk1 ( 899206 )

          It is a problem if the US business has EU customers. Not that the US business can be sued, but the EU customer may be a business itself, who then is sued by their employees if the personal data is removed from the EU.

          That means that the EU businesses might be forced to drop US businesses if they can't comply or open a European subsidiary.

    • And given Snowden's revelations, it's purely ridiculous to claim that privacy rights can be respected if foreign data are stored in the US.

      If a European stores his data on a US computer, yes, the NSA may snoop on it. If you store it on a European computer, European governments will snoop on it, guaranteed. Who do you think is more likely to cause problems for you, the NSA or your own government? Which government actually has jurisdiction over you?

      So google, facebook, twitter, microsoft, cloud computing serv

      • by Luckyo ( 1726890 )

        I'm interested in how you will spin this particular tirade of yours when you actually read the OP and notice that this wasn't initiated by EU, but by a concerned citizen.

    • by tnk1 ( 899206 )

      google, facebook, twitter, microsoft, cloud computing services etc... will have to open their wallets and create data centers inside single EU countries.

      These businesses already have data centers inside the EU. This doesn't affect them except for some new language and maybe some documentation adjustments.

    • And this is in response to the US insisting it can subpoena Microsoft's data in Ireland because MS is a US company.

      I'm not sure why the US government is getting so arrogant over some things lately; we have never had that sort of power over the pond. In the aftermath of WWII, while our dollars are pouring in for rebuilding, while they were scared to death of the Soviets; they still often told us to go pound sand on many occasions.

      I mean good for them; they need to maintain some semblance of sovereignty or ap

    • by KGIII ( 973947 )

      Meh... They'll just put their servers on US soil. Then the onus is on the EU to prevent access if they want. Reality is that this will probably mean nothing in the end.

      • Companies found in breach of data protection regulations can be fined up to 5% of annual revenue, and the local management can get jailed for 20 days. 20 days doesn't seem much, but it is enough to hurt their job prospects for the next five years in regulated markets. That means basically that they can't work for payment institutions, insurance companies, banks, companies storing personal data, companies sub-contracting for the preceding, ..., in most of Europe until the conviction gets "time barred" after

        • by KGIII ( 973947 )

          That's what I expect them to do. "So long, suckers." With the ability to host anything anywhere they don't really have to comply with this. The more difficult it is, the more likely they'll simply move servers to a new location and drop the office and encourage staff to relocate.

    • no, if a eq user accesses facebook, they are doing business whereever the server is located.
      • US Courts have generally decided that the point of sale is where the customer is located, not the server. Hence sales tax is taxed at the customer's location, and not the server location (otherwise the original idea of putting servers / warehouses in states with no sales-tax would have continued to work).

  • by Richard_at_work ( 517087 ) on Tuesday October 06, 2015 @07:34AM (#50669375)

    Simply keeping the data in the EU won't fix anything so long as that data is still being held by US controlled entities, as those entities will still be forced to hand over the data regardless of where it is (lets face it, Microsofts battle against that particular issue is destined to fail).

    The only real way this is going to be solved is to force all EU data to be stored by entities that are not owned or controlled by a non-EU entity. Which means Amazon SaRL will be unconnected to Amazon.com and effectively competing against each other.

    • by Intrepid imaginaut ( 1970940 ) on Tuesday October 06, 2015 @07:39AM (#50669419)

      If they're forced to hand over the data they won't be in business in the EU for long, which considering the enormous size and wealth of the EU is going to hurt any company badly, so I guess they'll have to open seperate competing European branches. Either that or the US government is going to have to play nice with the rest of the world.

      • by currently_awake ( 1248758 ) on Tuesday October 06, 2015 @07:50AM (#50669481)
        You don't understand how this works. The NSA will ask their Euro allies to get the data for them, therefore ensuring continued access.
        • Except we still have vestiges of due process here in the EU.
          • "Due process" applies to legal proceedings, not to espionage or national security. When it comes to espionage and national security, European citizens have fewer protections from their governments than Americans have from the US government. Countries like Germany scan every E-mail, phone call, and text message they can get their hands on for keywords, limited only by technology, and have done so for decades; it's not even a secret, it's just not talked about much in the press.

            • by fyngyrz ( 762201 )

              When it comes to espionage and national security, European citizens have fewer protections from their governments than Americans have from the US government.

              That'd be great, if the US government actually complied with those protections in a more significant manner than lip service.

            • Ever heard of Prism?
          • by Luckyo ( 1726890 )

            Swedes tried this. They really did.

            In about two decades, they went from Palme to Bildt. US has extreme amount of ability to unseat politicians they do not like and replace them with those they do when they need it. Results were very visible in everything ranging from Sweden's eroded political neutrality to things like incarceration of people US didn't like (i.e. Pirate Bay case, "inappropriate sexual conduct" charges against Assange). From most vocally neutral to most Finlandized country in Europe in just a

            • Assange hasn't been charged for "inappropriate sexual conduct" but for rape. He even admitted to the facts. Aside from that, honestly, I really admire the Swedes' tranquil and laid-back democracy, their ability for dialog, the relative humility of their politicians. But I'm French. It's not a good idea to try to hijack France. It may result in uncanny alliances of angry people.
        • by PolygamousRanchKid ( 1290638 ) on Tuesday October 06, 2015 @08:15AM (#50669681)

          I don't have any problems with the US spooks asking an EU spook for the data from a specific suspected Muslim terrorist. The EU spook would probably comply, due to sharing agreements that are already in place.

          However, what the NSA does, is to simply harvest anything they want from anyone. I am not comfortable with that. And I don't believe an EU spook would set up a system enabling such universal access. If the EU spook can say the data was harvested outside the EU by the NSA, the EU spook has no problems. If the EU spook enables harvesting . . . we will see the EU spook in court.

          Note that Snowden's revelations did not result in any legal action in the US, despite that the NSA is clearly violating the law. This decision by the EU court is the only legal action that I know of.

          • However, what the NSA does, is to simply harvest anything they want from anyone. I am not comfortable with that.

            Nor am I. But the BND, DGSI, or MI5/GCHQ do the same thing. You can't avoid your data being harvested by someone. The question you should ask yourself which spy agency can cause you more problems when they make a mistake, and that is probably your own domestic spy agency. That's why storing data outside the country is a good idea: it becomes more accessible to foreign spy agencies but less access

          • but what was going on was the EU spook was HARVESTING data for the US, in exchange for access to the NSA data pie. clean your own house.
        • You don't understand how this works. The NSA will ask their Euro allies to get the data for them, therefore ensuring continued access.

          Full Disclosure: Optimistic USian here, still behind prodding my government back to a place worthy of repect in the World...

          but, if we don't improve out international reputation, we won't long have as many European allies.

          • by fnj ( 64210 )

            Optimistic USian here, still behind prodding my government back to a place worthy of repect in the World

            You don't think Trump or any of the other likely Republican contenders would fundamentally change this stuff, do you? I happen to believe Cruz and possibly Paul would have some effect, but neither one has a snowball's chance in hell of getting anywhere. Certainly Clinton or Biden would wholeheartedly continue the lowering of the dark curtain over the U.S. Sanders I think would try to make meaningful chang

    • Assuming you're correct about Microsoft's challenge to the US Justice Department on that, then it brings things to a rather interesting head. What happens then? If US companies can't move Europeans' data to the US, it seems to me that these companies will be forced to choose between:

      A) Operating in the European Union
      B) Keeping their headquarters in the US/being a US company

      When push comes to shove, I'm inclined to think they'll all bail out for Ireland or whereever, and leave their operations in the
      • by fnj ( 64210 ) on Tuesday October 06, 2015 @09:28AM (#50670269)

        being a US company

        These gigantic corporations are not "U.S. companies" by any stretch of the imagination - if that term even has any meaning at all any more. They are me-first entities whose only allegiance is to themselves, and they operate globally with complete cynicism. If they can't defy regulations in secret (VW?) or win their case in court (Microsoft) or co-opt authorities and get regulations changed openly or behind the curtain, they will accommodate the players who are large enough that their citizens and corporations can't be forgone as customers. And that certainly includes both Europe and the U.S.

    • Simply keeping the data in the EU won't fix anything so long as that data is still being held by US controlled entities, as those entities will still be forced to hand over the data regardless of where it is>

      NO! This isn't the case.

      What each entity will have to do is separately agree contracts with the relevant data protection registrar (default contracts exists) as to how they will protect that data.

      Those contracts will have "get outs" for providing data to law enforcement under warrant. What will be p

    • by gstoddart ( 321705 ) on Tuesday October 06, 2015 @08:52AM (#50669959) Homepage

      Simply keeping the data in the EU won't fix anything so long as that data is still being held by US controlled entities, as those entities will still be forced to hand over the data regardless of where it is (lets face it, Microsofts battle against that particular issue is destined to fail).

      And then those entities will be in violation of EU law, and will end up paying massive fines or other penalties ... which would hopefully be severe. So severe as to cripple the companies.

      See, no matter what the US believes, they can't trump the EU law. So if Microsoft's battle to not hand over this data fails, Microsoft in Europe will fail. It really is that simple.

      And at the end of the day, the corporations are going go realize they can't jeopardize their revenue by pulling out of those markets.

      The US doesn't get to pass laws which trump local laws any more than Iran does. And the US can't exempt those entities from local laws, which means this will come down to corporate self interest versus a government who feels it is entitled to collect this information.

      So the bottom line is: too damned bad for the US, because once Microsoft in Europe starts getting fined billions of dollars and people start getting thrown in jail, they're very quickly going to realize they can't do it.

      It really is about time the world tells the US that our privacy and legally protected rights don't take a back seat to US security interests. We don't give a shit what the US wants.

    • I was hoping this would also put an end to airliners having to share heaps of personal information with the US government about anyone flying to the US, transiting at any US airport (without entering the country) or even just flying through US airspace.

    • Which means Amazon SaRL will be unconnected to Amazon.com and effectively competing against each other.

      Which will never happen because then Amazon.com would have to actually pay taxes.

  • The BBC reports [bbc.co.uk]

    The EU forbids personal data from being transferred to and processed in parts of the world that do not provide "adequate" privacy protections.

    So, to make it easier for US firms - including the tech giants - to function, Safe Harbour was introduced to let them self-certify that they are carrying out the required steps.

    More than 5,000 US companies make use of the arrangement to facilitate data transfers

    self-certify that they're completely above-board and that no privacy is being invaded.. says Google and Facebook.

    I guess all that will happen is that these companies will open EU offices to scour though all our stuff instead of sending it to an American datacentre. Plus ca change!

  • Laughable (Score:2, Interesting)

    by Crashmarik ( 635988 )

    If you take this at face value the best result will be less security for everyone's data, as there will be more vectors to attack to access it.

    If you look at what the real motivation is, namely the EU trying once again to shake down google and facebook, modest bribes will rectify the problem.

    • any western government (not the US) who is trying to 'shake down' google or FB gets my 100% blessing in anything they do to reduce the force, power and evilness of both of those companies.

      anything that causes either of those companies PAIN is a good thing in my, uhm, 'book'.

      corporations are evil and the biggest ones have the most evilness to them. anything that knocks down the evil corps even a little is a Good Thing(tm).

      • any western government (not the US) who is trying to 'shake down' google or FB gets my 100% blessing in anything they do to reduce the force, power and evilness of both of those companies.

        anything that causes either of those companies PAIN is a good thing in my, uhm, 'book'.

        corporations are evil and the biggest ones have the most evilness to them. anything that knocks down the evil corps even a little is a Good Thing(tm).

        Your anger is nothing short of madness. Sure hate Google, I mean those bastards giving away search and indexing services that used to cost hundreds of dollars/hour to use.

        https://books.google.com/books... [google.com]

        Ooh there is a reason to hate them. They made it trivially easy for me to destroy your position.

        • Re:Laughable (Score:4, Insightful)

          by fnj ( 64210 ) on Tuesday October 06, 2015 @09:38AM (#50670319)

          Google is just doing what any corporation does. The bottom line is their own aggrandizement. Anything they can get away with to that end they will do. Why do you have this fantasy that they are special?

          Capitalism is all about strife and self-interest. It's inherent in the system. You can but-but that by bringing up the "invisible hand of the market", but it is a truism.

          • Google is just doing what any corporation does. The bottom line is their own aggrandizement. Anything they can get away with to that end they will do. Why do you have this fantasy that they are special?

            Capitalism is all about strife and self-interest. It's inherent in the system. You can but-but that by bringing up the "invisible hand of the market", but it is a truism.

            No they aren't special. No more so than the petroleum company that provides you insanely cheap energy, the coal and power company that provide you cheap power, the agribusinesses that make food available to you at ridiculously low prices.

            Why do you want to hate them for making your life better ?

            • by fnj ( 64210 )

              Do you have a point, or are you just butthurt that not everyone has the same starry-eyed worship for capitalism?

              You sure as HELL don't seem to be conversant with what it takes to pay the unconscionably through-the-roof costs of feeding yourself and warming yourself in the winter. Food prices and heating oil prices are through the roof. I don't thank selfish bastards for making themselves rich at my unavoidable expense. It's called realism, son.

              • by tnk1 ( 899206 )

                In the olden days, you fed yourself by killing your own food and finding your own firewood. While that was "free", you had to find it, transport it, prepare it, store it, and just about everything else.

                Now, you get that stuff piped to your house, or you might actually have to go to a store and get it. Even poor people have the possibility of comforts that even rich people didn't have in the past.

                I agree that the prices can strain the ability for us to keep up with them, but even this capitalist world is a

              • The only person who seems to be butthurt here is you.

                You seem extremely upset that other people do better in life than you do. You should look in the mirror for the source of your problems

    • Re:Laughable (Score:5, Informative)

      by PolygamousRanchKid ( 1290638 ) on Tuesday October 06, 2015 @07:53AM (#50669497)

      If you look at how this law case started, it was initiated by a private citizen. Not by the EU executive branch. The EU justice branch made a decision that the EU justice branch is visibly not comfortable with, because it places a lot of companies in legal limbo. Read more here:

      http://www.economist.com/news/... [economist.com]

      Because the EU executive branch did nothing about it themselves . . . well, it shows that they were in cahoots with the USA/NSA folks.

      So in this case, it is not a shakedown by the EU. The EU governments and Executive branch were perfectly happy with the way things were. It was a private citizen who appealed to the EU highest court that caused this.

      • It's amazing how if you look at things through a narrow window they look like one thing

        https://www.google.com/search?... [google.com]

        When you take a look at the broader view things look a little different.

      • It was a private citizen who appealed to the EU highest court that caused this.

        Who is unfortunately probably now on the US 'no fly list' for life.

    • Re:Laughable (Score:5, Insightful)

      by Schmorgluck ( 1293264 ) on Tuesday October 06, 2015 @07:54AM (#50669509)
      Nope, the real motivation is compliance to EU laws, like every company has to. Companies who believe they can fully own data about EU citizens and do whatever they want with it are in for a lot of trouble, whatever their nationality. European companies, and even governments, have been condemned too.
  • Basically, doesn't this means that data will be stored in EU data centers, e.g. in Ireland, UK etc..., where it will be (more or less) lawfully intercepted by British GCHQ and handed over to the NSA based on the Five Eyes Agreement? So this ruling won't change anything fundamental for the spying a.k.a. mass surveillance of EU citizens. The NSA, instead of siphoning the data from data centers in the US, will just have to route the traffic through a couple of big VPN pipes via GCHQ from data centers in the EU
  • ... and what about the spyware built-in to Windows 10. Will European companies still be allowed to use Windows 10 if it will regularly transmit all keystrokes (including passwords, and customer data) to the mothership in the US?

Top Ten Things Overheard At The ANSI C Draft Committee Meetings: (10) Sorry, but that's too useful.

Working...