Already Under Attack In Top EU Court, Privacy Shield Framework For Transatlantic Data Flows Further Undermined By Trump

from the you're-not-really-helping-things,-Donald dept

A year ago, Techdirt wrote about the melodramatically-named "Privacy Shield." Under EU data protection laws, the transfer of EU citizens' personal data is only legal if the destination country meets certain basic conditions for data protection. Signing up to Privacy Shield is designed to allow US companies to meet that requirement. The earlier framework, called "Safe Harbor," was thrown out by the EU's highest court, the Court of Justice of the European Union (CJEU), largely because of NSA spying on data flows. Privacy Shield was hurriedly cobbled together because, without it, the vast flows of data across the Atlantic that occur all the time would be much harder to square with EU laws.

However, since the NSA has not stopped spying on data flows, some in the EU feel that Privacy Shield offers as little protection for personal data as Safe Harbor. This led the Irish civil liberties group Digital Rights Ireland (DRI) last October to ask the EU's General Court -- one of the more obscure courts of the CJEU -- to annul the Privacy Shield framework, arguing that it too lacks adequate privacy protections. Although there are still some procedural matters to be settled first, largely to do with whether DRI has standing to bring this legal action, the case is considered a serious enough challenge to the Privacy Shield framework that the US government is getting involved directly:

The US government has applied to be an intervening party in a challenge by Irish privacy campaign group Digital Rights Ireland against the Privacy Shield transatlantic data transfer pact.

As the article from the Irish Times explains, the US is not alone: also keen to see the framework upheld are the British, Dutch, and French governments, as well as Microsoft and the Business Software Alliance, all of whom have applied separately to join the action. DRI's basic argument is the following:

In questioning Privacy Shield's adequacy, it says its provisions are not actually fixed in US law. The privacy group will also argue that the agreement neither adequately addresses the court's specific objections to Safe Harbour, nor protects citizens' rights provided for under the EU Charter of Fundamental Rights and by the general principles of EU law.

The DRI's case may have just received a boost from an unusual quarter. As Techdirt reported, the President of the United States has signed an executive order that strips those who are not US citizens of certain rights under the Privacy Act. A spokeswoman for the European Commission told TechCrunch that Privacy Shield "does not rely on the protections under the US Privacy Act." But Jan Philipp Albrecht, a Member of the European Parliament, and the leading expert on data protection regulation there, is not so sure that the framework will escape unscathed. He wrote in a tweet that:

If this is true [about the stripping of privacy protections] @EU_Commission has to immediately suspend #PrivacyShield & sanction the US for breaking EU-US umbrella agreement.

The "EU-US umbrella agreement" refers to another recently-agreed deal that puts in place a comprehensive high-level data protection framework for EU-US law enforcement cooperation. The long thread that follows Albrecht's tweet explores to what extent the Privacy Shield framework is likely to be impacted by the new executive order. There's no clear consensus yet on that. But one thing is for sure: the general thrust of Trump's order probably indicates a broader shift in policy that makes it more likely that the CJEU will strike down Privacy Shield just as it struck down Safe Harbor.

Follow me @glynmoody on Twitter or identi.ca, and +glynmoody on Google+


Reader Comments

  • That One Guy, 30 Jan 2017 @ 2:06am

    "But it's different, we're the Good Guys!"

    The earlier framework, called "Safe Harbor," was thrown out by the EU's highest court, the Court of Justice of the European Union (CJEU), largely because of NSA spying on data flows.

    ...

    However, since the NSA has not stopped spying on data flows, some in the EU feel that Privacy Shield offers as little protection for personal data as Safe Harbor.

    Any 'framework' should assume that the NSA can and will grab everything it possibly can, showing absolutely no restraint whatsoever in its obsession and 'Collect it all' mindset, and move on from there, because at this point I'd say it's probably safe to assume that the NSA will never voluntarily stop scooping up everything it can get.

    Unless the NSA is forced to stop (and at this point I don't think anything less than dissolving the agency entirely would accomplish that) they will completely and utterly ignore any 'privacy' and 'personal data' rules, because why wouldn't they?

  • a swiss guy, 30 Jan 2017 @ 4:20am

    ... one of the more obscure courts of the CJEU ...

  • Cowardly Lion, 30 Jan 2017 @ 4:22am

    And another thing

    I love how there's a question over whether the DRI has legal standing: "whether DRI has standing to bring this legal action". You know like, how dare an Irish organization challenge a European Union arrangement.

    And I love how the USA feels totally free to blunder just right on in, like everyone else should just give a crap: "The US government has applied to be an intervening party in a challenge by Irish privacy campaign group Digital Rights Ireland". Because Screaming Eagles.

    Team America World Police. It's a thing.

    • Anonymous Coward, 30 Jan 2017 @ 4:35am

      Re: And another thing

      "And I love how the USA feels totally free to blunder just right on in, like everyone else should just give a crap: "

      "Other countries that have applied to join the case include France, the UK and the Netherlands.

      Microsoft and the Business Software Alliance, which represents the global software industry, have separately applied to join the action."

      Looks like Team France, UK, and Netherlands are joining the fray. Let's toss in Team Microsoft and the GLOBAL Business Software Alliance for good measure.

      Should anyone give a crap about these?

    • That One Guy, 30 Jan 2017 @ 4:56am

      Re: And another thing

      And I love how the USA feels totally free to blunder just right on in, like everyone else should just give a crap: "The US government has applied to be an intervening party in a challenge by Irish privacy campaign group Digital Rights Ireland". Because Screaming Eagles.

      Team America World Police. It's a thing.

      It gets even better when you consider that it was a USG agency that was responsible for 'Safe Harbor' being thrown out, and now 'Privacy Shield' being challenged.

      The NSA's 'Collect it all' fetish undermined the first to the point that it was tossed, and now it's doing the exact same thing again with the replacement, and yet the US is filing in defense of the thing, in which I have no doubt that they'll completely ignore the NSA's role and go on and on about how the DRI is making mountains out of molehills, because if there's one thing the USG and its agencies value and hold sacred above all other things it's the privacy of non-US citizens.

      • Anonymous Coward, 30 Jan 2017 @ 4:59am

        Re: Re: And another thing

        Should we lump in France, the UK, and the Netherlands as well? Let's give equal players equal under the bus time, no?

        • That One Guy, 30 Jan 2017 @ 5:29am

          Re: Re: Re: And another thing

          The UK's NSA equivalent (GCHQ I think it was?) certainly displays the same level of 'respect' towards privacy (and right, and laws, and anything that might otherwise prohibit them from doing whatever they want...) that the NSA does, but given the Safe Harbor and now Privacy Shield deal with data going between Europe and the US I'm not sure how much impact their actions would have towards Safe Harbor/Privacy Shield, though the cozy relationship between them and the NSA certainly doesn't help.

          Don't know enough about the French and Netherlands equivalents to say either way, but again, both of those are European countries so probably not much impact in this case.

          • Anonymous Coward, 30 Jan 2017 @ 5:33am

            Re: Re: Re: Re: And another thing

            I'm just thinking that it appears people are bashing the U.S. over this, when in reality they are just one of many players. Doesn't seem fair to me.

            • That One Guy, 30 Jan 2017 @ 5:47am

              Re: Re: Re: Re: Re: And another thing

              Given the NSA's actions seem to have been a driving force in both, I don't think any 'USG bashing' is unwarranted here. If the NSA hadn't been caught grabbing everything they could get the original Safe Harbor likely would have been seen as plenty.

              • Anonymous Coward, 30 Jan 2017 @ 5:53am

                Re: Re: Re: Re: Re: Re: And another thing

                "I don't think any 'USG bashing' is unwarranted here."

                Well, my point was let's just remember the USG is not alone. This train was moving before the US got on, and again they are only one of MANY players involved.

                • That One Guy, 30 Jan 2017 @ 5:59am

                  Re: Re: Re: Re: Re: Re: Re: And another thing

                  They're not the only ones openly displaying contempt for those pesky 'rights' and 'laws' and concepts like 'privacy', no, not hardly, but in this case a US agency seems to hold the most blame for what has and continues to happen due to the European-US nature of the issue that makes the NSA's actions of more immediate impact, even if other European agencies are just as bad in general.

                  • Anonymous Coward, 30 Jan 2017 @ 6:46am

                    Re: Re: Re: Re: Re: Re: Re: Re: And another thing

                    Governments are the tools of your corporate overlords, bought and paid for they are.

                • orbitalinsertion, 30 Jan 2017 @ 2:49pm

                  Re: Re: Re: Re: Re: Re: Re: And another thing

                  The challenged agreement is between the US and EU. The spying of other parties is not even relevant. The USG is making it impossible, and that is the problem for the agreement.

    • Wyrm, 30 Jan 2017 @ 9:08am

      Re: And another thing

      It's a US-EU agreement being challenged, so I'd say they have a good reason getting involved. Particularly since it's being challenged because of its behavior.

      That's one of the rare cases where I find it legitimate for the USA to get involved.

  • I.T. Guy, 30 Jan 2017 @ 6:15am

    I think I now know how Germans felt when a certain crazed lunatic came to power. It's like watching a train come barreling toward you and not being able to move.

  • Anonymous Coward, 30 Jan 2017 @ 6:16am

    Window Dressing

    The agreements have been violated in the past and the data didn't stop flowing. They'll be violated in the future and it won't stop flowing. This is all just window dressing.

  • Anonymous Coward, 30 Jan 2017 @ 6:28am

    No, no entity is entitled to an individual's data however unobtrusive it may be, without the consent of that individual

    That's not how the world works

    That's, HOW, the world should work

    Defeatism leads to subservience, when we should be arguing their right to our data, our information, our lives, so called supporters of human rights are talking about the best way to implement it in a minimised form. It's the INITIAL implementation that's wrong and dangerous, you accept it, it gets normalised in our lives, then they push the envelope further

    The saying "give them an inch, and they take a mile" comes to mind

    I wonder if the future generations we're offloading this on, will be just like us, or evolved enough to rightly wonder why the fuck we just watched while it happened, those that cared enough to notice, those that noticed but didn't care, not to mention the mentality of the crazies actually driving the crazy bus down to crazytown, you know, the too big to jail folks


    One man's leader is another man's tyrant

    There's a reason why the Americans' constitution makes mention of non interference..........to minimize the risk of the tyrant fork on the road our leaders will inevitably come across.......at least in this day and age

    History lesson
    1-We learn something profound through hardship
    2-Humans look forward
    3-Time passes
    4-We forget that something profound
    5-Humans stall, or go backwards
    6-Hardship makes us relearn why number one was profound
    7-Goto number 2

    It's why, in one particular case, some folks decided to make a sticky note of some of it, and then proceeded to call it a constitution or bill of rights, to protect and as I'm realising, remind future generations that didn't go through the hardships that created it, or fail to recognise the signs of an overbearing government, or its next entity slogan change

    I'm dissatisfied......can you tell

  • Mason Wheeler, 30 Jan 2017 @ 6:57am

    As the article from the Irish Times explains, the US is not alone: also keen to see the framework upheld are the British, Dutch, and French governments, as well as Microsoft and the Business Software Alliance, all of whom have applied separately to join the action.

    They say you can judge a man by the company he keeps. I say it's not just men. If Microsoft and the BSA (a notorious Microsoft front group whose main purpose in life is promoting the progress of copyright abuse, particularly by Microsoft) think it's such a good idea, that's at the very least, a good reason to wonder if we might not be better off without it.

    • Anonymous Coward, 30 Jan 2017 @ 8:08am

      Microsoft (and other companies) are in it for convenience

      It is far more economical for them to keep all the data in one country and have Privacy Shield or an equivalent as legal approval to move all the data to that country, than it is for them to operate data centers positioned to abide by the privacy laws that Privacy Shield overrides. If Privacy Shield is struck down and not replaced, then data that Microsoft (and other companies) currently transfer out of the EU as an ordinary part of business would instead be required to stay, if not within EU borders, then at least outside US borders. It's much easier and cheaper for them to intervene and have this challenge struck down than to change their business model to account for more restrictive privacy rules. In particular, some parts of their business may require more than just standing up region-isolated data centers. If their current design assumes that all data centers can always talk to all others (barring transient network errors), and the new laws preclude that, then they not only need to build and staff new data centers, but also change how the software works.
