EU parliament calls for Privacy Shield to be pulled until US complies (techcrunch.com)
130 points by Sami_Lehtinen on July 6, 2018 | 84 comments



Max Schrems is great, and the hero we need. But I’ll believe it when I see it, that the EU parliament dares to vote against such massive business interest. GDPR was one thing, this is a totally different level.


But... they already voted on this.

From the article: (the EU parliament) "takes the view that the current #PrivacyShield arrangement does not provide the adequate level of protection", "calls therefore on the Commission to suspend the Privacy Shield until the US authorities comply" https://twitter.com/bendrath/status/1014832868969910273?ref_...


Yes. I really wouldn't like to be the Commission facing this one at the moment, particularly since the current US administration will presumably see this as related to the larger international trade-war.

My personal opinion is that this isn't trade-war politicking by Europe, it's the result of a genuine interest in citizens' privacy, but I can see why it could be taken as such.


> particularly since the current US administration will presumably see this as related to the larger international trade-war.

It's not just the administration. Every time the EU has levied fines against Google a lot of Americans on HN claim that the EU is doing it because they're jealous of how successful American businesses are.


Yeah, one would assume that when one signs a treaty with another country you try to honor that treaty.

The US generally doesn't give a damn and will usually do what it wants anyway.


And that you structure your country so that you can comply.

In the case of Karl and Walter LaGrand there was a clear violation of the Vienna Convention, a binding verdict by the International Court of Justice, a sympathetic US President, but the Governor of Arizona didn’t care, and America just said “too bad, we signed this convention, but if a state doesn’t want to comply, what can we do?”. And SCOTUS confirmed that stance.


> And that you structure your country so that you can comply

That really ought to be taken into account in the treaty negotiations. If a company signs an agreement the company can't legally comply with, that tends to have the effect of nullifying the agreement more than forcing the company to change. (Tends to. Generally.)


This is not a binding vote; however, it does indicate an avenue for more hardball action (specifically, giving a deadline by which it will consider the Commission non-compliant with GDPR unless it takes action).


Massive US business interests. Why should the EU parliament care about that?

There's an obvious solution for Facebook et al. Host their primary data centers in the EU and move their US user data there, instead of vice versa.


If Privacy Shield gets scrapped, then I might have to switch my European business to use only European third party services. At our company we use a carefully selected number of U.S. services that we believe have the interest of their customers and data at heart, but without Privacy Shield we might not be allowed to use them.

The massive downside for me as EU business:

1. Lost time and money having to migrate.
2. Usually European companies providing the same service are worse, leaving me and my customers worse off.


Privacy shield is just one way to satisfy GDPR requirements for a US business. EU model clauses can be used as well, so it doesn't mean you cannot use US companies any more. The question is if they offer a good enough level of protection if the US government can demand access to data anyway.


> EU model clauses can be used as well, so it doesn't mean you cannot use US companies any more.

So all you would have to do is have every EU business renegotiate contracts with or review new terms with every US business they work with where personal data transfer is involved? No big deal.

> The question is if they offer a good enough level of protection if the US government can demand access to data anyway.

Right. But since essentially the same concerns arise when dealing with businesses based in the EU, let's be honest and acknowledge that this isn't really an ethical question and doesn't really have much to do with either privacy or security either. It's just a matter of the EU and its privacy legislation considering EU prying to be acceptable but not US prying, which is a political decision.


Oh absolutely. In other words, you'll be in exactly the same situation US businesses are in, that rely on Chinese and other suppliers that are now subject to tariffs. Politicians, eh? Hope someone wins this trade war soon so we can get it over with.


This is not a trade-war issue. This is a long planned review of the Privacy Shield regulation. Even if all trade conflicts ended, this would continue because it is not about trade but fundamental rights.


It is possible that the resolution gained more votes because of the trade war.

In general, Members of the European Parliament have less understanding of business and trade than businesspeople and traders, and in my view[0] tend to follow their emotions more in those areas.

Some also have a streak of anti-Americanism, in varying degrees. As the heat increases, this sort of resolution may occur more frequently.

I'm sceptical of the notion that MEPs all voted according to their devotion to fundamental rights.

None of this means that I believe pursuing the resolution into legislation is a bad or a good idea. I'd have to see (and understand the consequences of) the proposed measure.

[0]This is an impression; I have no empirical data


> I'm sceptical of the notion that MEPs all voted according to their devotion to fundamental rights.

This is what it comes down to, your disbelief that MEPs could have a genuine interest in their constituents' privacy.


It's the rational belief to hold.


You can't just claim a position is rational just because it is cynical.


It seems like a sadly reasonable assumption given past behavior and their own spying and loopholed cooperation.


So you don’t think passing GDPR and the previous data protection legislation going back decades, and enforcing them counts as evidence? I’m sorry, that is a bit snarky, but the EU has been pushing strongly in this direction for a long time and it’s been perfectly apparent it was going to come up hard against the US on this.


> So you don’t think passing GDPR and the previous data protection legislation going back decades, and enforcing them counts as evidence?

Sure it does, but so do all the loopholes they wrote into those laws so EU member states could continue their own surveillance programmes and data seizure powers, and for that matter all the then-illegal spying programmes that were retrospectively legalised when Snowden et al brought them to light. Let's not pretend the EU and its members are whiter than white in this area, nor that the EU is above attacking the US tech sector through non-technical means.


> It is possible that the resolution gained more votes because of the trade war.

Or probably just general dissatisfaction with the U.S.


The MEPs are simply doing their job, which is a different one than that of businesspeople and traders.


> This is not a trade-war issue

There’s certainly plausible deniability that it isn’t, I’ll give you that. Is it extra leverage that will almost certainly come into play? Yes, it’s also that.


I think it's clear there is a relationship between the two. Perhaps incidental, but they're still bound together.

According to the article, the only implementation on the US side was by presidential policy directive. So our faith in the US implementation of the 'privacy shield' is only as good as our faith in the integrity of said Directive.

Even starting from a low point where it's quite clear Trump is interested in tearing up anything Obama put his name to; his increasingly reckless approach to international relations lowers our faith in any presidential directive by the day. At this point 'privacy shield' either needs to make it into law proper, or we should just assume its days are numbered.


In a trade war we all lose.


So because someone else has it bad, we have to have it bad as well?


> Why should the EU parliament care about that?

Plenty of EU business interests use AWS and Gmail.


Fun fact: because of German paranoia, MS offers Office 365 Deutschland, which is mostly identical with Office 365 but operated by T-Systems (a German company not directly affiliated with Microsoft) and hosted in Germany.

It's obvious why Google wouldn't be interested in a similar model for their products.


> MS offers Office 365 Deutschland, which is mostly identical with Office 365 but operated by T-Systems

AWS recently wrote me an email, that because my billing address is in the EU, my contract has been transferred to a newly founded company AWS EU, which in turn has subsidiaries in most EU countries.

I have no significant business with AWS and have not investigated what this all means.

But I wouldn't be surprised if Amazon sees the risk that with the current US administration they don't want to rely on international business anymore. Having only national (or intra-EU) contracts with their EU customers seems just the safer option. Dealing with investments and profits inside a group of fully owned subsidiaries is probably much easier than dealing with two fundamentally different systems in every single customer contract. The EU striving for data-protection and the US insisting that foreigners have no rights and international treaties are bad unless they unilaterally favor the US.


An important distinction is that T-Systems (a subsidiary of Deutsche Telekom) is not a subsidiary of Microsoft. AWS EU on the other hand is presumably still a subsidiary of the American Amazon Web Services Inc the same way Amazon EU S.à.r.l. is a subsidiary of Amazon proper.

Since AWS EU presumably shares the same infrastructure as AWS US it's probably more of an accounting trick (but keep in mind any GDPR fines would apply to the entire group, not just the individual corporation, so it's not really a financial protection).


Your use of “paranoia” implies that the choice is a bad one. Quite the opposite, IMHO.


You could just call it "privacy sensitivity" but by international standards Germans tend to be more "paranoid" when it comes to protecting their data. The reason I'm using the phrase is mostly that it's not always entirely rational (e.g. the outrage about Google Street View was at times a bit absurd).

The development is certainly positive and the GDPR is also very similar to pre-existing German privacy laws in many aspects, so I'm not complaining.


With the CLOUD act, this decision makes sense to me. Could you elaborate where the paranoia lies?


> Why should the EU parliament care about that?

Because many thousands if not millions of smaller businesses across the EU depend on US businesses as well, and sharing some sort of personal data with them is often necessary for the provision of the relevant service.

Given the hassle and costs we've all just had with GDPR, the EU going all-in on undermining Privacy Shield would not be a welcome development for businesses.


With the precedent of Safe Harbor and the Snowden revelations, I'm surprised any European company preparing for GDPR wouldn't at least have flagged US services as high risk even when they're Privacy Shield certified.

Privacy Shield is a fig leaf more than anything. Using any US company (or non-EU company from a country without adequacy) is a major risk for compliance.

This is a bit like when people complained their companies were going bankrupt because Facebook/Apple/Twitter/Google shut down an API without warning. If you build your business on such a wobbly foundation, it's a calculated risk and you need to be aware of it.


> If you build your business on such a wobbly foundation, it's a calculated risk and you need to be aware of it.

It is entirely unconstructive to call US-based foundations wobbly when the EU-based equivalents (a) sometimes don't exist at all, and (b) where they do exist, suffer from analogous privacy concerns around government snooping.

The allegation here isn't that, to pick one relevant example, Stripe is abusing the personal data they process when they collect payments from our customers. The objections to Privacy Shield, like Safe Harbor before it, are mostly about the US government itself having rights under US law to gain access to that data, regardless of the actions or intentions of US-based businesses.

Now, I don't like the current heavy-handed approach to data hoarding by governments under the guise of national security any more than the next HN reader. But let's be clear: the EU and its member states do essentially the same thing, routinely writing special cases into privacy laws that exclude governments when they want to pry for supposedly security-related reasons. It is the height of hypocrisy for the EU authorities to allege that processing data in the US is unsafe because of the risk of US government interference, while at the same time turning a blind eye to what's going on in their own back yard.

In any case, since sadly there is little prospect of any of the governments involved on either side of the Atlantic giving up these powers any time soon, undermining otherwise reasonable privacy laws because of them serves no useful purpose. It just hurts businesses who are trying to do reasonable things, even if they are careful and considerate in how they handle personal data, and by extension it also hurts both their customers and the economies they operate within.


> The objections to Privacy Shield, like Safe Harbor before it, are mostly about the US government itself having rights under US law to gain access to that data

No, and I rarely hear that as the main concern.

The main concern with Safe Harbor et al. (where US businesses are dealing with EU businesses and – more importantly – EU people) is commercial abuse of data (Facebook!) and data breaches.

Government access isn't seen as particularly problematic in criminal and anti-terror cases, but in mass surveillance of Internet and telephone connections, as well as in the context of industrial espionage.


> No, and I rarely hear that as the main concern.

For the record, we have heard very different concerns then. One big concern I have seen expressed, particularly in the more recent context of the GDPR, is that the government surveillance powers constitute a legal obligation on businesses, but only EU versions of such powers are recognised as legal obligations on EU businesses. Thus EU businesses cannot avail themselves of that lawful basis for processing if they export data they control to a US business (even one covered by Safe Harbor before or Privacy Shield now) for processing and the US government then grabs the data.

The logical conclusion if all such schemes are struck down is that exporting any personal data to the US for any reason will become illegal, with obvious catastrophic consequences if the law is then enforced to the letter.

> The main concern with Safe Harbor et al. (where US businesses are dealing with EU businesses and – more importantly – EU people) is commercial abuse of data (Facebook!) and data breaches.

The entire point of Privacy Shield, like Safe Harbor before it, is to give EU businesses reassurance that they are not breaking data protection law by transferring personal data to a compliant US business. Businesses that are doing things with the data that would not be permitted under the stronger EU regulatory regime aren't supposed to qualify for Safe Harbor/Privacy Shield status in the first place.


Just to be clear, Privacy Shield is a self-certification. The certification process consists of filling out a few fields with generic company data to generate a policy and then paying money.

It doesn't prove a business implements privacy by design or takes any steps to ensure data protection. It just proves the business was willing to pay the registration fee and sign a bunch of legal documents that may or may not result in fines if proven to be violated.


> The entire point of Privacy Shield, like Safe Harbor before it

Exactly, I didn't mean that Privacy Shield is the problem, but that it is trying to address that problem, but I can see that I expressed myself ambiguously.

> The logical conclusion if all such schemes are struck down is that exporting any personal data to the US for any reason will become illegal

But that's good! Not in the sense that we should wish for that outcome, but in the sense that the US should offer real assurances to us that allow us to enter such an agreement.


> But that's good! Not in the sense that we should wish for that outcome, but in the sense that the US should offer real assurances to us that allow us to enter such an agreement.

I understand the principle you're aiming for. However, as a practical matter, it is constitutionally impossible for the US to enter into the sort of binding agreements that would give you the assurances you seek, and there is no realistic prospect of literally amending the Constitution of the United States to make it more subservient to international interests so that it could give those assurances. Pursuing the strategy you advocate could only end in crippling large numbers of EU businesses, setting back the already lagging development of our tech and creative sectors by years more, and catastrophic effects on our economies.

A good general tries to fight only battles he knows he will win, but it's a crazy general who tries to fight battles he knows he can't win.


On the other hand, EU based businesses replacing those US based ones, wouldn't be all that bad for the EU.


If and when that happens, perhaps we'll consider switching, but as with other issues like Brexit, you can't just replace a huge amount of established infrastructure overnight.


They are not business interests within the EU.


> The parliament is also calling for “evidence and legally binding commitments” to ensure that data collection under FISA Section 702 is not “indiscriminate

Ha...this I doubt will ever be provided. And if it is provided, will it be seen by the citizenry? They're either going to have to cave on the "no indiscriminate collection" requirement, accept an invalid definition of "indiscriminate" or "collection", or flat never re-agree to the agreement. Because, sadly, indiscriminate collection of data isn't stopping.


I don't see how this can possibly end well.

I live in the US; I have many friends in Europe; how exactly is Facebook/Google/etc going to separate our data geographically while still displaying it in our feeds/inboxes/etc?

There really seems to be only one realistic endgame: The end of the multinational corporation. Pick a jurisdiction, keep your servers & employees inside, and tell the rest of the world to get soaked. If Europe really wants to control their citizens' data, they're going to have to start firewalling, China-style.

I'm guessing privacy advocates imagine the world will homogenize on a set of Euro-compatible policies and everyone will live happily ever after? That seems far less likely than a set of mutually-incompatible enforcement regimes, like we already see with China and Russia.

So what does Facebook/Google do? Disallow friending/email/communication across political boundaries?


There is another endgame that I will concede is considerably less likely to happen, but I will maintain remains possible: the end of the modern-day nation-state.

My evidence for this claim? Very few nation-states if any are growing as fast (in terms of net worth) as the largest multinationals, but the multinationals are still relatively agile (read as able to mobilize their strength behind a common agenda). Sure at the moment, the largest multinationals have only as much net worth as some of the poorest countries. However, look at how cities and states try to out compete each other in order to have companies like Amazon and Foxconn set up their headquarters. How soon will it be until countries start competing with each other for something similar (building your next regional data center in EMEA? here are the contenders). If the multinationals really wanted to milk it, then they could totally make a game show out of it à la Eurovision.


Then who would monopolize violence in that scenario? What's stopping us from a might-is-right type world?


1) The multinationals of the future.
2) Time, insufficient money in the present-day, and regulations/political will.


States partition the surface of the world and each person within their borders is subject to their law (even foreign people passing by.) They have exclusive access to people.

Multinationals don't have borders and don't have exclusive access to people and they don't (currently) wish to because they sell different products and it would be pointless for them and for people to be able to buy from only one company.

So that endgame would work only if multinationals take over and rule the world together. That happened in Continuum https://en.wikipedia.org/wiki/Continuum_(TV_series) a Canadian dystopian sci-fi TV series.


Have the client weave them together. Server A says extra data is on server B and the UI sends another request.

This is easily solvable - and certainly far easier than splitting up the corporation. At worst some features don't get made.


Kind of a tangent (secant?), and this is a rather broad discussion topic, but is anybody else also worried that the EU is going to lose some of its teeth with Brexit and such coming up? I'm wondering how all these regulations will play out in the next few years if members decide the EU isn't serving their interests. Will serious enforcement take place, or not? Because if not, it seems likely to me that companies might try to "wait it out" and avoid full compliance with regulation for a while, to see what happens.


No; if anything, they will gain teeth. For many years, the UK has been a strong influence in a variety of directions (pro-swpat, for example, but often anti-regulation), many of which were not well-aligned with their continental cousins.

The EU27 are better aligned without the UK, and will move forwards more quickly in many areas the UK would have held them back. Ongoing integration is very much still the plan.

In the meantime, the UK will have to stay very close to EU rules in order to continue to trade with its largest market. However, it already has little/no say in future rules, and that will stop altogether in March.


Thanks! But note that by teeth I meant the ability to enforce, not the ability to legislate. I expect the more countries leave or lose interest, the easier it is to legislate, but the less leverage they have for actual enforcement, so I'm wondering how that balances out.


There's no sign of anyone else leaving yet. https://www.politico.eu/article/eu-support-increases-in-euro...

If any other country was going to do it, it might have been Greece during the financial crisis, but ultimately the same pressures apply: no country can pull up the drawbridge. Dependency on trade, investment, and migration of skilled staff is the backbone of a modern society. And leaving the EU does not make Europe go away, it just removes that country from the decision-making process.


The only thing, I think, that might change this, would be if the UK against all odds manages to make Brexit successful. I personally don't think there's any chance of that, but if that were to happen, anti-EU sentiments elsewhere in Europe might grow. I think the reverse is more likely: That Brexit will serve to firm up EU support even more once the full effects become clear... I live in the UK, so I hope I'm wrong and that things will work out ok...


Ever wondered why the other EU countries didn't make much of a fuss over Brexit? It's because the UK had many privileges from the times when it was needed to establish the EU... and then it didn't even join the Euro. The UK has been an entry point for English speaking businesses into the European market, but it kept all the benefits from that behind an exchange barrier, which is not in the interest of the rest of EU countries. Now, many of those businesses will leave the UK and establish operations in the EU-Eurozone proper, directly contributing to strengthening the Euro instead of the GBP, which will become a further incentive for countries to stay in the EU.

As for the UK, there are other ways for it to survive and even thrive, but whether it will be good or not so much for most of its citizens, remains to be seen.


IOW Ireland is looking increasingly appealing.


But to be honest it is in the interest of the other countries who want the EU to stay to make this really really hard on the UK. And the UK has almost no leverage (or has none to be precise).

So while I absolutely hate to see it happen because I've got lots of friends in the UK, this is either going to hurt badly (hard Brexit), or the UK will simply lose any ability to shape the future of the EU while accepting most of its rules. Don't see any middle ground as the middle ground would massively hurt all other EU countries so it's not going to happen.


> And the UK has almost no leverage (or has none to be precise).

Exactly. The UK's main leverage in negotiations was "do what we want or we leave". Now that they're leaving, there's nothing left.


Scientists discover the world's biggest "if".


More than that, the UK was kind of detached from continental issues, anyway. And it will still go through a potentially painful transition.

For most other members of the EU, leaving it would be extremely painful, due to much higher levels of integration. Issue a new currency, which will probably be rated worse than the Euro, see bond rates spike, have to close borders again, for both people and capital. For most EU members leaving the EU would send their GDP tumbling double digit figures.


> There's no sign of anyone else leaving yet

Italy is helmed by Eurosceptical parties. They're committed to playing nice for now. But if their economic policies hit the rocks, it may be easier to blame the EU than structurally re-organise the Italian south.


But leaving the EU will solve none of Italy's problems. Immigration pressure will continue (without any Frontex help) and likely rise with actually closed borders in the north, funding for poorer regions via EU programmes be removed, working labour markets in the north will be closed off to Italian immigrants, tourism will suffer etc etc.

At least the UK could argue that it may get better trade deals, but what's in it for Italy?


> Immigration pressure will continue

This is not clear, particularly if a sovereign Italy ends up being much more aggressive with detaining, punishing and deporting unwanted entrants.

> At least the UK could argue that it may get better trade deals, but what's in it for Italy?

I don't think there's a rational reason that outweighs the downsides. That doesn't mean it won't be politically advantageous for the party in power.

I'm not arguing for Italy's exit. Just against the assertion that "there's no sign of anyone" other than Britain "leaving" [1].

[1] https://news.ycombinator.com/item?id=17470704


Being rational doesn't have anything to do with it sadly - at least beyond politician logic of "Does it help me gain/keep power?" sense. The big bad EU works well as a domestic scapegoat like Greece claiming being able to print drachma would help when several subcrises were related to lack of foreign exchange currency for inputs like pharmaceuticals.


In terms of enforcement of GDPR, the UK is committed to staying very close to the GDPR post-Brexit, and the ICO will enforce.


> and the ICO will enforce

Brexit aside, will they? They don't have a track record of doing so previously.


They tend to warn before fining, but nonetheless: https://ico.org.uk/action-weve-taken/enforcement/


Oh wow, that's awesome :)


The EU has always been limited more by political will to take action than by its theoretical power.


Well, this was completely predictable. Privacy Shield seemed extremely flaky considering how suddenly Safe Harbor was shot down. I hope most European companies were smart enough to drop hard dependencies on US companies for privacy relevant data during their GDPR audits.


This is, yet again, the EU trying to legislate for the whole world.


Well, considering the US is invading and bombing countries all over the world for various reasons, the EU way is a bit less aggressive, don't you think?

I also never understood why Americans think that is bad. The EU is making their market less attractive, so shouldn't Americans be happy about that?


I'm not happy when the liberty and quality of life of foreigners is damaged.


As a European, I'm quite happy the EU wants to protect my personal data from being arbitrarily raided over without any warrant by your government for the simple crime of not being American, but thank you very much for your concern.


I'm not happy with any government surveillance, regardless of origin or target.


Then I'm glad you agree that this resolution is a good thing.


The EU is working on securing the fundamental rights of me and the people around me, thereby enhancing my liberty and quality of life.


How can cancelling an agreement with one other nation be considered legislating the whole world?


Look at it with the eyes of a whiny American who doesn't understand what a treaty is.


Place your bets: how many years til EU kicks Fb/Google/Amazon out of Europe?


260, give or take some.

The EU has no interest in kicking anyone out, for as long as they pay taxes in the EU.



