EU And US Come To 'Agreement' On Safe Harbor, But If It Doesn't Stop Mass Surveillance, It Won't Fly
from the separate-out-the-issues dept
Back in October, we noted that it was a really big deal that the European Court of Justice had said that the EU/US Safe Harbor framework violated data protection rules, because it had become clear that the NSA was scooping up lots of the data. The issue, if you’re not aware of it, is that under the safe harbor framework, US internet companies could have European customers and users, with their information and data stored on US servers. Without the safe harbor framework, there are at least some cases where many companies would be forced to set up separate data centers in Europe, and make sure European information is kept there.
Many privacy activists are actually supportive of keeping the data in Europe altogether, but I still think that would be a disaster for lots of internet companies and services — especially smaller ones. The big guys — Google, Facebook, Microsoft, Yahoo, Twitter, etc. — can afford to have separate European data centers. A small company — like Techdirt — cannot. Requiring separate data centers and careful separation of the data would ensure less competition and fewer startups to take on the big guys. That’s a problem. Beyond that, having those separate data centers could actually lead to even less privacy in the long run, because having many jurisdictions in which data is kept means that, inevitably, some of those jurisdictions will fall into states that have even worse surveillance and fewer data protections — and also leaves open the opportunity for different data center setups, which may lead to more vulnerabilities. Remember, when the NSA broke into Google and Yahoo’s datacenters, they were the ones outside the US, which may have had weaker security. And, despite many Europeans not wishing to believe this, many European countries have many fewer restrictions on the kind of surveillance their intelligence agencies are able to do on local data and citizens.
The real issue here is mass surveillance overall. The only real way to fix this issue is to stop mass surveillance and go back to saying that intelligence agencies and law enforcement need to go back to doing targeted surveillance using warrants and true oversight. But, instead, the EU and the US keep trying to paper over this by coming up with a new agreement. That agreement was supposed to have been concluded by a fake “deadline” set for yesterday, but after missing that and claiming that progress had been made on a new agreement, a new deal was finally announced a few hours ago, with the ridiculous name “The EU-US Privacy Shield.”
Here’s the key part of the announcement:
- Strong obligations on companies handling Europeans’ personal data and robust enforcement: U.S. companies wishing to import personal data from Europe will need to commit to robust obligations on how personal data is processed and individual rights are guaranteed. The Department of Commerce will monitor that companies publish their commitments, which makes them enforceable under U.S. law by the US. Federal Trade Commission. In addition, any company handling human resources data from Europe has to commit to comply with decisions by European DPAs.
- Clear safeguards and transparency obligations on U.S. government access: For the first time, the US has given the EU written assurances that the access of public authorities for law enforcement and national security will be subject to clear limitations, safeguards and oversight mechanisms. These exceptions must be used only to the extent necessary and proportionate. The U.S. has ruled out indiscriminate mass surveillance on the personal data transferred to the US under the new arrangement. To regularly monitor the functioning of the arrangement there will be an annual joint review, which will also include the issue of national security access. The European Commission and the U.S. Department of Commerce will conduct the review and invite national intelligence experts from the U.S. and European Data Protection Authorities to it.
- Effective protection of EU citizens’ rights with several redress possibilities: Any citizen who considers that their data has been misused under the new arrangement will have several redress possibilities. Companies have deadlines to reply to complaints. European DPAs can refer complaints to the Department of Commerce and the Federal Trade Commission. In addition, Alternative Dispute resolution will be free of charge. For complaints on possible access by national intelligence authorities, a new Ombudsperson will be created.
The key thing here? The claim that the US “has ruled out indiscriminate mass surveillance on the personal data transferred to the US.” I’m curious about how much bullshit the NSA will be able to sneak under “indiscriminate.” I’m also curious as to what kind of real oversight there will be. The EU Commission and the Department of Commerce will be able to review, but we all know how good the NSA is at hiding what it’s actually doing from oversight bodies. Finally, the “ombudsperson” only matters if they have actual power, and that seems incredibly unlikely.
And as Max Schrems, who brought the original case that took down the safe harbors, is saying (over and over again), as it stands right now, it looks like this new deal will lose again in the EU courts.
And that brings us back to the underlying point. The effort to kill off the safe harbor agreement wasn’t really about the safe harbor agreement at all, but to force the hand of the US government (and hopefully European governments as well) to recognize that they need to stop doing mass surveillance. The claim above about no indiscriminate mass surveillance pays lip service to that idea, but there needs to be some real and concrete change to make that happen. And that’s going to take more than an “exchange of letters” between the EU and the US, as the basis of this deal. It’s going to need actual surveillance reform, not just the “surveillance reform lite” we saw with the USA FREEDOM Act.
Again, I think having the ability to transfer data from the EU to the US is hugely important — which not everyone agrees with. Fragmenting the internet by requiring that data stays in certain countries seems as silly to me as geoblocking content. But the underlying issue here is not about where the data is stored — it’s about mass surveillance. Focusing the agreement on how to allow data transfers without actually tackling how to stop mass surveillance is inevitably a fake solution.
Filed Under: data protection, data transfers, eu, mass surveillance, privacy, privacy shield, safe harbor, us
Comments on “EU And US Come To 'Agreement' On Safe Harbor, But If It Doesn't Stop Mass Surveillance, It Won't Fly”
ha ha ha
If anyone is dumb enough to believe that nations are going to actually adhere to these they are ripe…
Nations already spy on each other at a level that would likely start wars if the full truth became known on the steps each have taken to gain the upper hand.
Re: ha ha ha
As long as they don’t spy on the rich people. Not necessarily the people in power — but the ones who pay their bribes.
Re: ha ha ha
This is not about nations. This is about jurisdiction and sovereignty.
NSA will still fool the oversight bodies by playing law word-feud with the politicians and judges such as arguing that “surveillance” happens when data is accessed by a person etc.
When that is said, the treaty seems to guarantee that the plausible deniability nonsense US politicians have used since Watergate is finally cracking. These obligations basically cannot be met without politicians taking some further responsibility for NSA actions. Also, US politicians are forced to debate data protection and how to get around this agreement.
No, this treaty is irrelevant for national security, somewhat obligating for politicians and restrictive on companies and agencies. I would call this a good start, but it is not a treaty, but merely a transitional intention-agreement. After implementing these in 2-10 years, they need to make actual commitments and a new treaty.
Only if you are collecting user data. Perhaps startups will focus on data minimization, not collecting this personal data in the first place.
Re: That's funny
Remember the EU policy on cookies. That’s the kind of craziness we’re talking about.
For those who don’t remember. That’s where the first time you visit a site it says it’s going to set a cookie. The idea was for people to be able to say “no thanks”. What instead happened is anyone with browsers set to not remember cookies couldn’t visit those sites anymore. The exact opposite of what the EU was trying to accomplish.
This is the NSA stealing data from foreign data centers because it’s not on US soil. The EU reaction is to make sure that data stays off US soil.
It’s doubly funny because the EU doesn’t like geo-blocking, but the only way to make sure data stays inside the EU is to use geo-blocking and geo-redirecting.
The spies already ONLY engage in Targeted surveillance
It’s just that they target everyone.
And the surveillance is not indiscriminate. They specifically only collect information on persons whose data they are actually technically able to collect. Person’s whose data does not fall within their capability to collect do not have their data collected.
I’m sure true practitioners of Orwellian doublespeak could do a better job with this than I have.
Re: The spies already ONLY engage in Targeted surveillance
Worse, they only collect info on persons whose data could be collected by one of the five partners in the Five Eyes consortium. In practice, that’s indistinguishable from all of it.
Until that thing gets flushed down the toilet, the NSA (or any of them) can happily rely on Britain or Canada or New Zealand or Japan (or is it Australia?) to sidestep any limitations we wave at them. It’s absolutely correct to view this thing with a heavy dose of skepticism.
No one I see has mentioned that more data centers scattered across different countries opens up hacker accessible access. When you start having multiple places, not every one of them are going to go to the same level of protection.
If there is anything that on line presence of data has shown, it is there are those willing and able to go for the data. If it is there, then it will at some point be accessed as long as encryption is ignored as a storage method, once access is gained, it’s all over with but the crying, scapegoating, and recriminations.
next steps
If the Article 29 Working Party doesn’t reject this out of hand, I expect this will lead to:
– another court challenge from Max Schrems
– Data Protection Authorities will do their job and start taking unilateral action
– the legal departments of some American companies will start a flurry of click-through privacy policy rewriting, since most of them have been couched in terms of we’ll do whatever we consider reasonable with your data in order to not be actionable, and now these will be subject to obligations and rights guarantees that are actionable under the Alternative Dispute Resolution mechanism
– the “annual joint review” kangaroo court, since it has no authority or enforcement provisions, being dropped entirely because nobody will want to take on the Sisyphean task of being the NSA police without a big gun
“Requiring separate data centers and careful separation of the data” ...
Does this not sound like a job for a setup like Tahoe LAFS? Your data is distributed across multiple servers which can be placed across multiple jurisdictions—as many as you like. Even if some x number of those servers are compromised (with an upper limit on x that you get to choose), you can still be assured of the privacy and integrity of your data.
The Department of Commerce will monitor that companies publish their commitments
And since they are totally against commerce they will make sure american companies don’t violate the agreement. Makes perfect sense.