Already Under Attack In Top EU Court, Privacy Shield Framework For Transatlantic Data Flows Further Undermined By Trump

from the you're-not-really-helping-things,-Donald dept

A year ago, Techdirt wrote about the melodramatically-named “Privacy Shield.” Under EU data protection laws, the transfer of EU citizens’ personal data is only legal if the destination country meets certain basic conditions for data protection. Signing up to Privacy Shield is designed to allow US companies to meet that requirement. The earlier framework, called “Safe Harbor,” was thrown out by the EU’s highest court, the Court of Justice of the European Union (CJEU), largely because of NSA spying on data flows. Privacy Shield was hurriedly cobbled together because, without it, the vast flows of data across the Atlantic that occur all the time would be much harder to square with EU laws.

However, since the NSA has not stopped spying on data flows, some in the EU feel that Privacy Shield offers as little protection for personal data as Safe Harbor. This led the Irish civil liberties group Digital Rights Ireland (DRI) last October to ask the EU’s General Court — one of the more obscure courts of the CJEU — to annul the Privacy Shield framework, arguing that it too lacks adequate privacy protections. Although there are still some procedural matters to be settled first, largely to do with whether DRI has standing to bring this legal action, the case is considered a serious enough challenge to the Privacy Shield framework that the US government is getting involved directly:

The US government has applied to be an intervening party in a challenge by Irish privacy campaign group Digital Rights Ireland against the Privacy Shield transatlantic data transfer pact.

As the article from the Irish Times explains, the US is not alone: also keen to see the framework upheld are the British, Dutch, and French governments, as well as Microsoft and the Business Software Alliance, all of whom have applied separately to join the action. DRI’s basic argument is the following:

In questioning Privacy Shield’s adequacy, it says its provisions are not actually fixed in US law. The privacy group will also argue that the agreement neither adequately addresses the court’s specific objections to Safe Harbour, nor protects citizens’ rights provided for under the EU Charter of Fundamental Rights and by the general principles of EU law.

The DRI’s case may have just received a boost from an unusual quarter. As Techdirt reported, the President of the United States has signed an executive order that strips those who are not US citizens of certain rights under the Privacy Act. A spokeswoman for the European Commission told TechCrunch that Privacy Shield “does not rely on the protections under the US Privacy Act.” But Jan Philipp Albrecht, a Member of the European Parliament, and the leading expert on data protection regulation there, is not so sure that the framework will escape unscathed. He wrote in a tweet that:

If this is true [about the stripping of privacy protections] @EU_Commission has to immediately suspend #PrivacyShield & sanction the US for breaking EU-US umbrella agreement.

The “EU-US umbrella agreement” refers to another recently-agreed deal that puts in place a comprehensive high-level data protection framework for EU-US law enforcement cooperation. The long thread that follows Albrecht’s tweet explores to what extent the Privacy Shield framework is likely to be impacted by the new executive order. There’s no clear consensus yet on that. But one thing is for sure: the general thrust of Trump’s order probably indicates a broader shift in policy that makes it more likely that the CJEU will strike down Privacy Shield just as it struck down Safe Harbor.

Follow me @glynmoody on Twitter or identi.ca, and +glynmoody on Google+

Filed Under: , , , , , ,

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “Already Under Attack In Top EU Court, Privacy Shield Framework For Transatlantic Data Flows Further Undermined By Trump”

Subscribe: RSS Leave a comment
21 Comments
That One Guy (profile) says:

"But it's different, we're the Good Guys!"

The earlier framework, called "Safe Harbor," was thrown out by the EU’s highest court, the Court of Justice of the European Union (CJEU), largely because of NSA spying on data flows.

However, since the NSA has not stopped spying on data flows, some in the EU feel that Privacy Shield offers as little protection for personal data as Safe Harbor.

Any ‘framework’ should assume that the NSA can and will grab everything it possible can, showing absolutely no restraint whatsoever in it’s obsession and ‘Collect it all’ mindset, and move on from there, because at this point I’d say it’s probably safe to assume that the NSA will never voluntarily stop scooping up everything it can get.

Unless the NSA is forced to stop(and at this point I don’t think anything less than dissolving the agency entirely would accomplish that) they will completely and utterly ignore and ‘privacy’ and ‘personal data’ rules, because why wouldn’t they?

Cowardly Lion says:

And another thing

I love how there’s a question over whether the DRI has legal standing: "whether DRI has standing to bring this legal action". You know like, how dare an Irish organization challenge a European Union arrangement.

And I love how the USA feels totally free to blunder just right on in, like everyone else should just give a crap: "The US government has applied to be an intervening party in a challenge by Irish privacy campaign group Digital Rights Ireland". Because Screaming Eagles.

Team America World Police. It’s a thing.

Anonymous Coward says:

Re: And another thing

“And I love how the USA feels totally free to blunder just right on in, like everyone else should just give a crap: “

“Other countries that have applied to join the case include France, the UK and the Netherlands.

Microsoft and the Business Software Alliance, which represents the global software industry, have separately applied to join the action.”

Looks like Team France, UK, and Netherlands are joining the fray. Lets toss in Team Microsoft and the GLOBAL Business Software Alliance” for good measure.

Should anyone give a crap about these?

That One Guy (profile) says:

Re: And another thing

And I love how the USA feels totally free to blunder just right on in, like everyone else should just give a crap: "The US government has applied to be an intervening party in a challenge by Irish privacy campaign group Digital Rights Ireland". Because Screaming Eagles.

Team America World Police. It’s a thing.

It gets even better when you consider that it was a USG agency that was responsible for ‘Safe Harbor’ being thrown out, and now ‘Privacy Shield’ being challenged.

The NSA’s ‘Collect it all’ fetish undermined the first to the point that it was tossed, and now it’s doing the exact same thing again with the replacement, and yet the US is filing in defense of the thing, in which I have no doubt that they’ll completely ignore the NSA’s role and go on and on about how the DRI is making mountains out of molehills, because if there’s one thing the USG and it’s agencies value and hold sacred above all other things it’s the privacy of non-US citizens.

That One Guy (profile) says:

Re: Re: Re: And another thing

The UK’s NSA equivalent(GCHQ I think it was?) certainly displays the same level of ‘respect’ towards privacy(and right, and laws, and anything that might otherwise prohibit them from doing whatever they want…) that the NSA does, but given the Safe Harbor and now Privacy Shield deal with data going between Europe and the US I’m not sure how much impact their actions would have towards Safe Harbor/Privacy Shield, though the cozy relationship between them and the NSA certainly doesn’t help.

Don’t know enough about the French and Netherlands equivalents to say either way, but again, both of those are European countries so probably not much impact in this case.

That One Guy (profile) says:

Re: Re: Re:5 And another thing

They’re not the only ones openly displaying contempt for those pesky ‘rights’ and ‘laws’ and concepts like ‘privacy’, no, not hardly, but in this case a US agency seems to hold the most blame for what has and continues to happen due to the European-US nature of the issue that makes the NSA’s actions of more immediate impact, even if other European agencies are just as bad in general.

Anonymous Coward says:

No, no entity is entitled to an individuals data however unobrusive it may be, without the consent of that individual

Thats not how the world works

Thats, HOW, the world should work

Defeatism leads to subserviance, when we should be argueing their right to our data, our information, our lives, so called supporters of human rights are talking about the best way to implement it in a minimised form. Its the INITIAL implementation thats wrong and dangerous, you accept it, it gets normalised in our lives, then they push the envelope further

The saying “give them an inch, and they take a mile” comes to mind

I wonder if the future generations were offloading this on, will be just like us, or evolved enough to rightly wonder why the fuck we just watched while it happened, those that cared enough to notice, those that noticed but didnt care, not to mention the mentality of the crazies actually driving the crazy bus down to crazytown, you now, the too big to jail folks

One mans leader is another mans tyrant

Theres a reason why the americans constitution makes mention of non interference……….to minimize the risk of the tyrant fork on the road our leaders will inevitably come across…….at least in this day and age

History lesson
1-We learn something profound through hardship
2-Humans look forward
3-Time passes
4-We forget that something profound
5-Humans stall, or go backwards
6-Hardship makes us relearn why number one was profound
7-Goto number 2

Its why, in one particular case, some folks decided to make a sticky note of some of it, and then proceeded to call it a constitution or bill of rights, to protect and as im realising, remind future generations that didnt go through the hardships that created it, or fail to recognise the signs of an overbearing government, or its next entity slogan change

Im disatisfied……can you tell

Mason Wheeler (profile) says:

As the article from the Irish Times explains, the US is not alone: also keen to see the framework upheld are the British, Dutch, and French governments, as well as Microsoft and the Business Software Alliance, all of whom have applied separately to join the action.

They say you can judge a man by the company he keeps. I say it’s not just men. If Microsoft and the BSA (a notorious Microsoft front group whose main purpose in life is promoting the progress of copyright abuse, particularly by Microsoft) think it’s such a good idea, that’s at the very least, a good reason to wonder if we might not be better off without it.

Anonymous Coward says:

Re: Microsoft (and other companies) are in it for convenience

It is far more economical for them to keep all the data in one country and have Privacy Shield or an equivalent as legal approval to move all the data to that country, than it is for them to operate data centers positioned to abide by the privacy laws that Privacy Shield overrides. If Privacy Shield is struck down and not replaced, then data that Microsoft (and other companies) currently transfer out of the EU as an ordinary part of business would instead be required to stay, if not within EU borders, then at least outside US borders. It’s much easier and cheaper for them to intervene and have this challenge struck down than to change their business model to account for more restrictive privacy rules. In particular, some parts of their business may require more than just standing up region-isolated data centers. If their current design assumes that all data centers can always talk to all others (barring transient network errors), and the new laws preclude that, then they not only need to build and staff new data centers, but also change how the software works.

Add Your Comment

Your email address will not be published. Required fields are marked *

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...
Loading...