Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
×
Privacy EU The Courts United States Technology

Tech Firms Like Facebook Must Restrict Data Sent From EU To US, Court Rules (theguardian.com) 74

The European Court of Justice has ruled that the "Privacy Shield" data transfer agreement, which had allowed tech companies to transfer EU user data to the US, failed to adequately protect Europeans' data from US surveillance and security laws and was therefore invalid. What this means is companies like Facebook "could be prevented from sending data back to the US," reports The Guardian. From the report: The ruling of the court of justice of the European Union (CJEU) does not immediately end such transfers, but requires data protection authorities (DPAs) in individual member states to vet the sending of any new data to make sure people's personal information remains protected according to the EU's data protection laws (GDPR). The complaint, which goes back to October 2014, was lodged by Austrian privacy activist Max Schrems. He argued, following the Snowden revelations, that the privacy of European citizens could not be guaranteed if their data was sent to the US, given the evidence of widespread eavesdropping by the country's National Security Agency (NSA), and the fact that the US legal system only protected the rights of US citizens. Schrems' initial complaint led to the overturning of the EU/US "safe harbor," which had governed data transfer between the two countries, and the creation of a new treaty, the EU/US "privacy shield." This latest ruling has overturned that policy too. [...]

The ruling is not a total halt on data transfers between the EU and US, said Lisa Peets, a partner at Covington, which represented the UK's software industry in the case. The court upheld the use of "standard contractual clauses" (SCCs) to transfer personal data between Europe and US, allowing companies to seek specific consent from users for data to be exported. "Data flows between Europe and the United States are an integral part of the European economy and of the day-to-day lives of millions of European consumers, and the SCCs are the backbone for many of those data transfers," Peets said. "As for the privacy shield, the European commission will be highly focused on finding a resolution and will be actively working work with the US government to identify a path forward."

This discussion has been archived. No new comments can be posted.

Tech Firms Like Facebook Must Restrict Data Sent From EU To US, Court Rules

Comments Filter:
  • ... with zero comments as I write this one.

    What is going on, Slashdot?

    • by sxpert ( 139117 )

      anonymous posting is disabled...

    • I'm guessing they updated the code (got my notifications back yesterday!) and have reset some variables, so it could take a few days before the site is back to normal.
      • by sabri ( 584428 )

        I'm guessing they FUBARed the code

        Fixed that for you.

        In other news: Austrian privacy activist found in same cell as Epstein, cameras were again malfunctioning

    • 99 bug reports on the wall... 99 bug reports... take one down, pass it around, 127 bug reports on the wall...
      • Also history: I wonder if it was an exact repeat of the comment ID problems from almost 14 years ago... neglected to update related table indices despite having updated the database structure years prior... https://slashdot.org/story/06/... [slashdot.org]
    • They misspelled "Most Disgust".

    • by Kiuas ( 1084567 )

      I don't know what's going on, but something is broken about the comment-system right now. I wrote a fairly lenghty comment yesterday on another story (the story about Trump requiring Covid-numbers be sent to the White House before the CDC, still on the front page) which appeared correctly back then, but right now it's entirely gone, and I think other comments have disappeared as well.

      Previously for a few hours at least commenting was not possible at all, so I'm guessing someone broke the database during an

    • What is going on is that Slashdot had to be rolled back over a day in order to fix some deployment error, throwing away comments and indeed whole stories in the process. It's a huge black mark on the eye of BIZX, especially if the same people work on Slashdot and SourceForge. I didn't particularly trust SourceForge before (they are well known for recycling projects early, and often, presumably to get back disk space) but I trust them even less now.

      Testing, it's not just for "serious" web sites. Anything mor

  • How did this reach the Most Discussed section of the site when it hasn't been up for 10 minutes and there aren't any comments? Maybe it's always done this and I never noticed.
    • After attempting a fix to get around 24-bit story IDs (many years ago, the same thing happened with comment IDs), they completely mangled the comment system (you'd post, but under many circumstances, it'd show someone else's comment from a few days ago). They appear to have reset a bunch of stuff to get it back online for now.
    • Re: (Score:2, Informative)

      by Anonymous Coward

      How did this reach the Most Discussed section of the site when it hasn't been up for 10 minutes and there aren't any comments? Maybe it's always done this and I never noticed.

      It's the deep state dude, the deep state.

      -- Q

  • by sxpert ( 139117 ) on Friday July 17, 2020 @12:16AM (#60298863)

    The ruling states that SCCs are only valid if the country of destination has laws at least as protective of user data as the GDPR.
    hence, those SCCs are invalid for countries which dont.
    The US is not one of them.
    The UK is now out of the EU, and collaborating with the US in their spying, so, they don't qualify either.

    • What about states? Does California count, or does it need to be the whole country?
      • by Sique ( 173459 )
        As long as federal investigative powers in the U.S. trump the state's protection laws, and as long non-citizens have no way of legal recourse, this doesn't help.

        The main reason for the court ruling was that U.S. law gives U.S. agencies unlimited rights to the data of non-citizens without any habeas corpus rights for the non-citizens. No single state of the U.S. can change that.

      • The EU does not recognise individual states of the USA; they negotiate at the federal level.

    • by truedfx ( 802492 )
      It is too early to say whether the UK will qualify. Right now, we are still in the transition period. While in the transition period, things are mostly as if the UK were still in the EU. After the transition period, unless and until repealed, the Data Protection Act 2018 will remain in effect, with or without a deal. If it ends without a deal, that law still being in effect may allow the EU to conclude that the UK's data protection standards are sufficient. If it ends with a deal, further specific guarantee
      • Re:SCCs (Score:4, Insightful)

        by ludux ( 6308946 ) on Friday July 17, 2020 @02:09AM (#60298969)
        Wishful thinking. The UK has always undercut data protections even while it was an EU member and given past experiences the assumption must be made that the UK won't be able to provide any suitable protections either, limiting opportunities for UK-based companies the same way, just without the negotiating clout of the US.
    • USA is considered to be a valid destination using SCC, at least according to various tech companies...

    • by AmiMoJo ( 196126 )

      The UK is still in compliance until the end of this year, after that... Well it probably depends how bad brexit is, like many things.

      If there is some kind of trade deal then the UK might keep GDPR compliance to facilitate the trade in services with the EU. The government seems hell bent on divergence and destroying the financial services industry though (any trade deal with the US will target London and finance) and the desired outcome of the negotiations seems to be no deal, so we may lose many of the prot

    • Otherwise you end up with a perverse loophole, where a company can store data on U.S. customers in the EU, and data on EU customers in the U.S. Thereby making it impossible for either government to investigate the data the company is collecting, because the data stored there is not for "their" citizens.
  • How are they going to enforce this with general network routing? It is not completely uncommon for traffic to be routed greatly out of the way intentionally or accidentally, or to ensure it goes thru a 'data monitoring' node (not always in the US nor always by the US).
    • by mysidia ( 191772 )

      How are they going to enforce this with general network routing?

      The compliance burden is on the companies, but they can encrypt data using strong cryptography and following necessary security practices to protect the data so that only the source and destination of the data and the security of the cryptography and keys will end up mattering.

    • by Sique ( 173459 )
      Their users have the right to claim damages if the companies don't comply.
      • How are they going to enforce this with general network routing? It is not completely uncommon for traffic to be routed greatly out of the way intentionally or accidentally, or to ensure it goes thru a 'data monitoring' node (not always in the US nor always by the US).

        Their users have the right to claim damages if the companies don't comply.

        In other words, some US-American ideas, like extreme litigiousness, aren't that bad when used in a targeted fashion against corporations by lots of pissed off citizens.

        • by Sique ( 173459 )
          No. Data protection falls at first into civil law. It's primae faci a contractual issue. Thus one of the contractual parties has to claim breach of contract for the courts to become active. The data protection officer additionally is allowed to step in on behalf of the users.
        • by mvdwege ( 243851 ) <mvdwege@mail.com> on Friday July 17, 2020 @05:58AM (#60299237) Homepage Journal

          Nice little sidestep you're doing there, by false equivalencing a right to sue with extreme litigiousness.

          What does making a right to sue too extreme for you?

    • by U0K ( 6195040 )
      That would be a matter of passing judgement in a court though, don't you think?
      One consequence could be the often proposed EU-net or whatever you want to call it. An internet infrastructure independent of the outside.
      We've seen this trend popping up in various other parts of the world like China, Russia, Iran, or India I think. I'm not perfectly sure on the latter two other than having read news that they shut down parts of their internet for some time, meaning that the state has far reaching control over
  • Just block all European IPs from US websites.
    Problem solved
    • Re:Solution (Score:5, Insightful)

      by hcs_$reboot ( 1536101 ) on Friday July 17, 2020 @01:24AM (#60298931)
      You're adamant. So you want to close the US even more? That way of thinking is a clear indicator of where you vote, the current trend in the US.
      Cutting Europe from US websites would be a notable decrease in US revenues, and, in the longer run, force Europe to build their own infrastructure, meaning much less US dependencies.
      You can't see past your nose.
      • by AmiMoJo ( 196126 )

        Occasionally I see a link on Slashdot but when I open it the site tells me that I isn't GDPR compliant and I can't come in. I can never be bothered to walk around the blockade with my VPN.

        A lot more sites are just non-compliant but no-one has got around to making a complaint yet. When I have time I throw one in.

        • by Jahta ( 1141213 )

          Occasionally I see a link on Slashdot but when I open it the site tells me that I isn't GDPR compliant and I can't come in. I can never be bothered to walk around the blockade with my VPN.

          Agreed. The thing that amuses me is that GDPR is concerned with the capture and storage of personal data [europa.eu]. So unless your site requires a login account, or you are deploying some sort of covert tracking mechanism, you don't have a GDPR issue.

          • by AmiMoJo ( 196126 )

            Most sites are deploying some sort of covert tracking mechanism, so they can profile you for ads.

      • Cutting Europe from US websites would be a notable decrease in US revenues, and, in the longer run, force Europe to build their own infrastructure, meaning much less US dependencies.

        so what anyone should be doing anyway, backup infrastructure instead of just a single point of failure.

    • by pjt33 ( 739471 )

      Is e.g. google.co.uk a US website or a UK website?

      • by nzkbuk ( 773506 )

        As it targets people who are currently part of Europe it's considered a European site (from a GDPR point of view)

        From my understanding GDPR generally says "If you're targeting / selling to Europeans, or have obtained a significant percentage of European customers, then you need to follow the GDPR rules"

        After the end of the year who knows

        • by pjt33 ( 739471 )

          It was a rhetorical question. My point is that blocking "European IPs from US websites" is in the realm of category error rather than just non-solution. (FWIW I'm sure it wasn't intended to be taken seriously).

    • Gee, what are Europeans going to do without Facebook, Twitter, Fox News?... That'll be a real Cat Astrophe, I'm telling you...

    • by Sique ( 173459 )
      ... which means for the likes of Google and Facebook to lose at least 30% of their advertising revenue.
    • Just block all European IPs from US websites. Problem solved

      ... sure, so your plan is to go home, you lock yourself in your basement hideout and sulk? Meanwhile your competitors are busy hoovering up your market share and the profits that go with it which you voluntarily abandoned in order to go home and sulk? This is why you haven't become a billionaire yet, people who became billionaires didn't get there by giving up as easily as you do. Good business people find a way to work within the new rules.

    • by Gabest ( 852807 )

      TikTok: Just ban Indian and US IPs!

    • by Tom ( 822 )

      Ah, the usual troll that always shows up when there's anything about the EU on /.

      Facebook made 4.25 Billion in Europe in Q1 2020, compared to 8.56 Billion in North America (USA+Canada). - https://businessquant.com/face... [businessquant.com]

      Go ahead, throw away a quarter of your revenue.

      Google makes almost a third of it's revenue in the EMEA region - https://www.statista.com/stati... [statista.com]

      Most other US online companies have similar figures. Some make more money in the EU than in the USA.

      This is a pipe dream that hasn't yet realized

  • failed to adequately protect Europeans' data from US surveillance and security laws

    Does the EU have laws to protect data against Chinese surveillance, too?

    • Re:The bigger threat (Score:5, Informative)

      by Corbets ( 169101 ) on Friday July 17, 2020 @02:54AM (#60299029) Homepage

      failed to adequately protect Europeans' data from US surveillance and security laws

      Does the EU have laws to protect data against Chinese surveillance, too?

      Yes. The same laws apply. The difference is that there was never any “safe harbor” or “privacy shield” agreement in place with China to provide the illusion of privacy.

    • failed to adequately protect Europeans' data from US surveillance and security laws

      Does the EU have laws to protect data against Chinese surveillance, too?

      Does the EU have laws to protect data against US surveillance, too? Yes, but in the case of US surveillance it has (a) been proven to exist and (b) be far more pervasive than anything the Chinese are doing and (c) the part of this surveillance that is being perpetrated by corporate entities can at least be dealt with through legislation and law suits, lots and lots of law suits.

    • by Tom ( 822 )

      Does the EU have laws to protect data against Chinese surveillance, too?

      Yes, it does. In fact, the EU-US relations are the ones that are special in that the EU has repeatedly attempted to create laws that basically say "don't apply protection laws to US companies, they're almost as good as EU ones when it comes to data privacy" - and as any idiot could've told, they've been repeatedly struck down because, well, they aren't.

      There are no such deals when it comes to any other countries.

    • Considering that many EU members are Belt and Road countries now, China doesn't have to ask permission. If they mention a Chinese company name while talking about permission, they have to send a C-level as a human sacrifice to Pooh Bear.

  • and the creation of a new treaty, the EU/US "privacy shield." This latest ruling has overturned that policy too.

    Treaties are not "policy". They are higher on the totem pole than general laws. If it conflicts with general laws, the laws lose. Only basic rights in a constitution itself are higher, not mere statutorily-created rights.

    Now if one wants to say there isn't such a structure in the EU, I'm sure it's news to politicians over there to be schooled in how treaties actually work, severed from millenia of practice.

    • In this respect they are. Both the EU and the US government know that privacy will never be respected, so they use treaties to circumvent the law. Both the "safe harbor" and the "privacy shield" were meant to allow US companies to mine EU citizen's privacy. Expect a third such treaty with the same content and a different name. It has worked twice already, and everyone knows beforehand that

      • The new treaty is as bad as the old one, because it is basically the same.
      • The new treaty can be used for a few years un
  • the most unsurprising court verdict since a court ruled against the paternity suit against the viking Olaf No-Nuts.

  • "could be prevented from sending data back to the US,"

    Sounds like a golden opportunity to freelancers to me. Start hiring people in the EU to make lots and LOTS of friends on Facebook. Copy all of "their" data on "their" personal media, because they can -- after all, you can't access it elsewhere. Then take an all-expense-paid trip someplace Magical Kingdom-ish with their own personal media. Once they return "empty-handed", they pick up right where they left off, even describing the wonderful times and great places they had with pictures and phone numbers

  • and the fact that the US legal system only protected the rights of US citizens.

    Technically that's not true. For example, Visa holders and greencard holders are regularly afforded the full protection of US law. It's debatable rather than being a "fact".

    Rights apply to non-citizens in both civil and criminal courts. Technically anyone, even those outside of the US or those who are in the US without permission, have equal rights. In practice it's a bit of a mess because US agencies trample on the rights of those who have no recourse. But if you do make it into a courtroom, generally a ju

If you aren't rich you should always look useful. -- Louis-Ferdinand Celine

Working...