Tech Firms Like Facebook Must Restrict Data Sent From EU To US, Court Rules (theguardian.com)
The European Court of Justice has ruled that the "Privacy Shield" data transfer agreement, which had allowed tech companies to transfer EU user data to the US, failed to adequately protect Europeans' data from US surveillance and security laws and was therefore invalid. What this means is companies like Facebook "could be prevented from sending data back to the US," reports The Guardian. From the report: The ruling of the court of justice of the European Union (CJEU) does not immediately end such transfers, but requires data protection authorities (DPAs) in individual member states to vet the sending of any new data to make sure people's personal information remains protected according to the EU's data protection laws (GDPR). The complaint, which goes back to October 2014, was lodged by Austrian privacy activist Max Schrems. He argued, following the Snowden revelations, that the privacy of European citizens could not be guaranteed if their data was sent to the US, given the evidence of widespread eavesdropping by the country's National Security Agency (NSA), and the fact that the US legal system only protected the rights of US citizens. Schrems' initial complaint led to the overturning of the EU/US "safe harbor," which had governed data transfer between the two countries, and the creation of a new treaty, the EU/US "privacy shield." This latest ruling has overturned that policy too. [...]
The ruling is not a total halt on data transfers between the EU and US, said Lisa Peets, a partner at Covington, which represented the UK's software industry in the case. The court upheld the use of "standard contractual clauses" (SCCs) to transfer personal data between Europe and US, allowing companies to seek specific consent from users for data to be exported. "Data flows between Europe and the United States are an integral part of the European economy and of the day-to-day lives of millions of European consumers, and the SCCs are the backbone for many of those data transfers," Peets said. "As for the privacy shield, the European commission will be highly focused on finding a resolution and will be actively working with the US government to identify a path forward."
"Most Dicussed" (Score:2)
... with zero comments as I write this one.
What is going on, Slashdot?
Re: (Score:2)
anonymous posting is disabled...
Re: (Score:2)
Re: (Score:2)
I'm guessing they FUBARed the code
Fixed that for you.
In other news: Austrian privacy activist found in same cell as Epstein, cameras were again malfunctioning
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
When it comes to computer opcode, it is sane to place limitations. System resource management exists.
It's sane to place limitations where the limitations themselves are sane.
Most of the time they are a waste of time, because if you use an intelligent system, it will do intelligent things behind the scene.
The majority of stupid problems are caused by doing stupid things, when someone else has already done the work for you, and all you have to do is make use of it. AKA NIH
Re: (Score:2)
They misspelled "Most Disgust".
Re: (Score:2)
I don't know what's going on, but something is broken about the comment-system right now. I wrote a fairly lengthy comment yesterday on another story (the story about Trump requiring Covid-numbers be sent to the White House before the CDC, still on the front page) which appeared correctly back then, but right now it's entirely gone, and I think other comments have disappeared as well.
Previously for a few hours at least commenting was not possible at all, so I'm guessing someone broke the database during an
Re: (Score:3)
What is going on is that Slashdot had to be rolled back over a day in order to fix some deployment error, throwing away comments and indeed whole stories in the process. It's a huge black mark on the eye of BIZX, especially if the same people work on Slashdot and SourceForge. I didn't particularly trust SourceForge before (they are well known for recycling projects early, and often, presumably to get back disk space) but I trust them even less now.
Testing, it's not just for "serious" web sites. Anything mor
Re: (Score:2)
Most discussed? (Score:1)
Re: (Score:2)
Re: (Score:2, Informative)
How did this reach the Most Discussed section of the site when it hasn't been up for 10 minutes and there aren't any comments? Maybe it's always done this and I never noticed.
It's the deep state dude, the deep state.
-- Q
SCCs (Score:3)
The ruling states that SCCs are only valid if the country of destination has laws at least as protective of user data as the GDPR.
Hence, those SCCs are invalid for countries which don't.
The US is not one of them.
The UK is now out of the EU, and collaborating with the US in their spying, so, they don't qualify either.
Re: (Score:2)
Re: (Score:2)
The main reason for the court ruling was that U.S. law gives U.S. agencies unlimited rights to the data of non-citizens without any habeas corpus rights for the non-citizens. No single state of the U.S. can change that.
Re: (Score:2)
The EU does not recognise individual states of the USA; they negotiate at the federal level.
Re: (Score:2)
Likely true, but the Internet has scaled this up enormously. Anyway, if this can be the impetus to put a cork in that spying, let's take it. Better late than never.
People forget that governments are not some magical entities that can be trusted. Governments are composed of people, and while most people are harmless, some are venal. If you would not willingly share your data with those pe
Re: (Score:1)
Re: (Score:1)
Does not matter anyways. It's all smoke and mirrors and like everything else just another shakedown law. Basically laws that are designed to be escapable for businesses that work with government and punishable for businesses that do not work with the government or the ones that become popular to hate.
It's one of them days I wish I had modpoints but I don't. This is spot on. Govs all over the world are very selective and laws often only serve as stick to be able to hit with.
Someone downmodded you as troll though. Probably some communist or socialist or other authority-loving individual or shill. Hence a comment.
Re: (Score:2)
Re:SCCs (Score:4, Insightful)
Re:SCCs and USA (Score:3)
USA is considered to be a valid destination using SCC, at least according to various tech companies...
Re: (Score:3)
The UK is still in compliance until the end of this year, after that... Well it probably depends how bad brexit is, like many things.
If there is some kind of trade deal then the UK might keep GDPR compliance to facilitate the trade in services with the EU. The government seems hell bent on divergence and destroying the financial services industry though (any trade deal with the US will target London and finance) and the desired outcome of the negotiations seems to be no deal, so we may lose many of the prot
Makes sense (Score:3)
Network Routing? (Score:1)
Re: (Score:3)
How are they going to enforce this with general network routing?
The compliance burden is on the companies, but they can encrypt data using strong cryptography and following necessary security practices to protect the data so that only the source and destination of the data and the security of the cryptography and keys will end up mattering.
Re: (Score:2)
Re: (Score:2)
How are they going to enforce this with general network routing? It is not completely uncommon for traffic to be routed greatly out of the way intentionally or accidentally, or to ensure it goes thru a 'data monitoring' node (not always in the US nor always by the US).
Their users have the right to claim damages if the companies don't comply.
In other words, some US-American ideas, like extreme litigiousness, aren't that bad when used in a targeted fashion against corporations by lots of pissed off citizens.
Re: (Score:2)
Re: (Score:2)
Re:Network Routing? (Score:4, Insightful)
Nice little sidestep you're doing there, by false equivalencing a right to sue with extreme litigiousness.
What makes a right to sue too extreme for you?
Re: (Score:2)
One consequence could be the often proposed EU-net or whatever you want to call it. An internet infrastructure independent of the outside.
We've seen this trend popping up in various other parts of the world like China, Russia, Iran, or India I think. I'm not perfectly sure on the latter two other than having read news that they shut down parts of their internet for some time, meaning that the state has far reaching control over
Solution (Score:2)
Problem solved
Re:Solution (Score:5, Insightful)
Cutting Europe from US websites would be a notable decrease in US revenues, and, in the longer run, force Europe to build their own infrastructure, meaning much less US dependencies.
You can't see past your nose.
Re: (Score:3)
Occasionally I see a link on Slashdot but when I open it the site tells me that it isn't GDPR compliant and I can't come in. I can never be bothered to walk around the blockade with my VPN.
A lot more sites are just non-compliant but no-one has got around to making a complaint yet. When I have time I throw one in.
Re: (Score:2)
Occasionally I see a link on Slashdot but when I open it the site tells me that it isn't GDPR compliant and I can't come in. I can never be bothered to walk around the blockade with my VPN.
Agreed. The thing that amuses me is that GDPR is concerned with the capture and storage of personal data [europa.eu]. So unless your site requires a login account, or you are deploying some sort of covert tracking mechanism, you don't have a GDPR issue.
Re: (Score:3)
Most sites are deploying some sort of covert tracking mechanism, so they can profile you for ads.
Re: (Score:1)
so what anyone should be doing anyway, backup infrastructure instead of just a single point of failure.
Re: (Score:2)
Is e.g. google.co.uk a US website or a UK website?
Re: (Score:2)
As it targets people who are currently part of Europe it's considered a European site (from a GDPR point of view)
From my understanding GDPR generally says "If you're targeting / selling to Europeans, or have obtained a significant percentage of European customers, then you need to follow the GDPR rules"
After the end of the year who knows
Re: (Score:2)
It was a rhetorical question. My point is that blocking "European IPs from US websites" is in the realm of category error rather than just non-solution. (FWIW I'm sure it wasn't intended to be taken seriously).
Re: Solution (Score:3)
Gee, what are Europeans going to do without Facebook, Twitter, Fox News?... That'll be a real Cat Astrophe, I'm telling you...
Re: (Score:2)
Re: (Score:2)
Just block all European IPs from US websites. Problem solved
... sure, so your plan is to go home, you lock yourself in your basement hideout and sulk? Meanwhile your competitors are busy hoovering up your market share and the profits that go with it which you voluntarily abandoned in order to go home and sulk? This is why you haven't become a billionaire yet, people who became billionaires didn't get there by giving up as easily as you do. Good business people find a way to work within the new rules.
Re: (Score:2)
TikTok: Just ban Indian and US IPs!
Re: (Score:3)
Ah, the usual troll that always shows up when there's anything about the EU on /.
Facebook made 4.25 Billion in Europe in Q1 2020, compared to 8.56 Billion in North America (USA+Canada). - https://businessquant.com/face... [businessquant.com]
Go ahead, throw away a quarter of your revenue.
Google makes almost a third of its revenue in the EMEA region - https://www.statista.com/stati... [statista.com]
Most other US online companies have similar figures. Some make more money in the EU than in the USA.
This is a pipe dream that hasn't yet realized
Re: (Score:2)
The bigger threat (Score:2)
failed to adequately protect Europeans' data from US surveillance and security laws
Does the EU have laws to protect data against Chinese surveillance, too?
Re:The bigger threat (Score:5, Informative)
failed to adequately protect Europeans' data from US surveillance and security laws
Does the EU have laws to protect data against Chinese surveillance, too?
Yes. The same laws apply. The difference is that there was never any “safe harbor” or “privacy shield” agreement in place with China to provide the illusion of privacy.
Re: (Score:2)
failed to adequately protect Europeans' data from US surveillance and security laws
Does the EU have laws to protect data against Chinese surveillance, too?
Does the EU have laws to protect data against US surveillance, too? Yes, but in the case of US surveillance it has (a) been proven to exist and (b) be far more pervasive than anything the Chinese are doing and (c) the part of this surveillance that is being perpetrated by corporate entities can at least be dealt with through legislation and law suits, lots and lots of law suits.
Re: (Score:3)
Does the EU have laws to protect data against Chinese surveillance, too?
Yes, it does. In fact, the EU-US relations are the ones that are special in that the EU has repeatedly attempted to create laws that basically say "don't apply protection laws to US companies, they're almost as good as EU ones when it comes to data privacy" - and as any idiot could've told, they've been repeatedly struck down because, well, they aren't.
There are no such deals when it comes to any other countries.
Re: (Score:2)
Considering that many EU members are Belt and Road countries now, China doesn't have to ask permission. If they mention a Chinese company name while talking about permission, they have to send a C-level as a human sacrifice to Pooh Bear.
Feels (Score:2)
and the creation of a new treaty, the EU/US "privacy shield." This latest ruling has overturned that policy too.
Treaties are not "policy". They are higher on the totem pole than general laws. If it conflicts with general laws, the laws lose. Only basic rights in a constitution itself are higher, not mere statutorily-created rights.
Now if one wants to say there isn't such a structure in the EU, I'm sure it's news to politicians over there to be schooled in how treaties actually work, severed from millennia of practice.
Re: (Score:3)
In this respect they are. Both the EU and the US government know that privacy will never be respected, so they use treaties to circumvent the law. Both the "safe harbor" and the "privacy shield" were meant to allow US companies to mine EU citizens' privacy. Expect a third such treaty with the same content and a different name. It has worked twice already, and everyone knows beforehand that
That must be (Score:2)
the most unsurprising court verdict since a court ruled against the paternity suit against the viking Olaf No-Nuts.
"could be prevented from sending data back.... (Score:2)
"could be prevented from sending data back to the US,"
Sounds like a golden opportunity to freelancers to me. Start hiring people in the EU to make lots and LOTS of friends on Facebook. Copy all of "their" data on "their" personal media, because they can -- after all, you can't access it elsewhere. Then take an all-expense-paid trip someplace Magical Kingdom-ish with their own personal media. Once they return "empty-handed", they pick up right where they left off, even describing the wonderful times and great places they had with pictures and phone numbers
Technically incorrect (Score:2)
and the fact that the US legal system only protected the rights of US citizens.
Technically that's not true. For example, Visa holders and greencard holders are regularly afforded the full protection of US law. It's debatable rather than being a "fact".
Rights apply to non-citizens in both civil and criminal courts. Technically anyone, even those outside of the US or those who are in the US without permission, have equal rights. In practice it's a bit of a mess because US agencies trample on the rights of those who have no recourse. But if you do make it into a courtroom, generally a ju