17 comments

[ 3.5 ms ] story [ 39.6 ms ] thread
"leaving some U.S. companies concerned that they will be frozen out of the market or replaced by EU competitors."

Let's hope so. Europe needs this.

The world needs this - there has to be something that stems the excesses of the US and the world needs that changes happen in that direction.
As long as European intelligence agencies continue to cooperate with the NSA expect all change to be decorative.
Is anyone even slightly surprised that the actions of the US government would directly hurt US businesses?
Small business yes. Large business owns the government, so nope.
> called for a quick fix

Can we not do that? I would like a comprehensive reform, not a "quick fix". If that means US companies can't offer their services in the EU in the meantime, so be it. Take it up to the U.S. government and the NSA.

The ECJ didn't leave all that much room for a quick fix. Any new agreement will have to consider state access to data, which safe harbour left as a huge gap, and yet guarantee the privacy rights of EU citizens.

Those rights are incompatible with what US intelligence seems to be doing. The ECJ judgment even said it explicitly, "In particular, legislation permitting the public authorities to have access on a generalised basis to the content of electronic communications must be regarded as compromising the essence of the fundamental right to respect for private life".

Any form of self-certifying to the FTC is going to be inadequate from now on, as I read it. But it isn't just about safe harbour being poorly enforced, and completely unreviewed, the point is we now know what US intelligence does to EU consumer data. So, the ECJ gave a set up for the Irish High Court to find that data transfer between Facebook Europe and Facebook Inc is illegal. It will be interesting to see what happens when that shoe drops.

They not only set it up for the Irish High Court, but also set it up for two separate avenues of appeals on human rights grounds if the Irish High Court still decides it's ok:

The Charter of Fundamental Rights of the European Union covers privacy in article 7 and data protection in article 8 [1]. The European Convention on Human Rights [2] covers privacy (in article 8).

It's noteworthy that the ECJ made the statement it did, because the ECHR has national security exceptions that would make it easy for them find differently, whereas the Charter does not say a single word about whether or not there are legitimate exceptions and it'd be easy enough for the ECJ to infer exceptions without any uproar (on the contrary, in Europe both the ECJ and ECHR tends to cause more uproar when they expand peoples rights than when the curtail them).

But instead they explicitly referred to "access on a generalised basis" (my emphasis) which makes it fairly clear that they accept the exceptions of the ECHR but believe the exceptions can not be stretched this far, and at the same time they it might be seen as drawing a line with respect to the Charter as well.

So they've basically put everyone on notice that it's not only the EU Data Protection directive and associated national laws that are in play, and that surveillance must be considered, but that there may be legitimate claims under both the Charter of Fundamental Rights and under the European Convention on Human Rights as well.

This is going to make it extra fascinating to watch, as while the ECJ is the final arbiter of EU law, including the Charter, the final arbiter of the ECHR is the European Court of Human Rights.

If this goes to the ECHR, and ECHR agrees with the above statement from the ECJ, then that has effects far outside the borders of the EU, as the ECHR is binding on members of the Council of Europe, and the CoE includes most European states outside the EU as well. Including Russia.

[1] http://www.europarl.europa.eu/charter/pdf/text_en.pdf [2] http://www.echr.coe.int/Documents/Convention_ENG.pdf

It seems the ECJ has plenty of room to invalidate the invalidation [1], but I find this case fascinating in that the courts may be put into an impossible situation of reconciling civilian privacy law against foreign intelligence activities that will likely never formally be acknowledge.

My take away was that the main point against safe harbor is that EU citizens have no legal standing or other access to recourse against US companies accused of breaches, so it does not provide an equivalent level of protection as the charter is supposed to provide.

This knee-jerk reaction would directly harm competitive corporations that have already expressed their disdain for unregulated surveillance by American intelligence agencies. Instead of taking this up directly with the American government, of course they would simply go ahead and enforce regulations against private corporations instead.

How much manpower and money would be necessary for small companies to make sure EU user data stays in EU servers in an age where big data analytics and storage are crucial to remain relevant.

Who is "they" that should be taking this up with the American government? You seem to think this is a new policy, but it isn't.

Twenty years ago, the EU wrote the Data Protection Directive, which said that companies handling personal data of EU citizens much abide by certain rules. The US Department of Commerce developed a process that would supposedly allow US companies to comply with these rules even if they copy data to the US. Recently, the European Court of Justice said that the mentioned process, considering what is now known, is not enough to ensure those rules are followed.

I'm not sure what you expected the court to do. It's those corporations that should take this up with their government, not the EU court, which has no business with the US government.

I never said that it was a new policy.

Let's not pretend that current generation of companies have suddenly become incredibly incompetent in maintaining privacy. This entire development was the result of Snowden's work and the general public sentiment that all their data is at the hands of the NSA. It was born out of one Austrian man's visit to SF where he was convinced going against Facebook will somehow fix everything.

Penalising corporations by imposing regulations which are implicitly directed at intelligence agencies serves no real purpose. Facebook will continue to use private data to sell ads. NSA will continue to spy on EU citizens and the rest of the world. My concern was that this namesake rebuke will only lead to more mundane work for a couple engineers in large corporations and small startups being forced to use their puny funds and grappling to deal with this new development.

You don't even need to make "EU user data" as a whole stay in the EU.

Assuming the hypothetical company question is actually affected (e.g. a company with no EU presence for the most part don't need to care):

You need to make sure privacy is respected. If you want to be able to tie your data back to the identity of an individual user, then yes, you potentially have more work. If you don't need to do that, often simply stripping personally identifiable details will be sufficient.

This means stripping names and addresses, phone numbers, e-mail addresses, and possibly - depending on context - IP addresses, but not much more.

Some filtering of your logs prior to aggregation, or adjusting database queries accordingly will get you far.

But the thing US companies with a EU presence should be more concerned about is that the ruling opens the door for people to raise claims with national data protection authorities to try to get a ruling that storing the data in Europe is insufficient.

E.g. if a US company stores data in Europe, but the hosting is in the name of the US company, then what is stopping US authorities from compelling the transfer of the data to the US?

It is at least possible to envision the possibility that US companies with sufficient exposure to the EU may end up needing a subsidiary in Europe to be responsible for the hosting and put in place processes to ensure that the EU based subsidiary maintains control of access to the data, to ensure that the US parent can't just come in and grab personally identifiable information.

It would seem to me that regardless of how this plays out, it is a good argument for thinking about privacy as part of technical architecture:

Consider what is personally identifiable information (in a legal sense; e.g. in Europe your e-mail address will generally be considered to identify you, and so be covered), what is private but possibly not personally identifiable in a legal sense (e.g. your photos) vs. what is not affected by privacy (e.g. fully anonymous data, such as performance metrics for requests made to non-private urls), and design your systems to segregate them from the outset where possible.

E.g. don't tie data back to users if you don't have to; when you have to, consider if you can anonymize it (e.g. do you need to know that record X refers to user Y that is john.smith@example.com, or is it sufficient to be able to tell that record X refers to a user Y where "Y" is a unique id that does not link back to your user data but is consistent within the given report, for example), or hash it in ways that makes the data defacto anyonymous to anyone without access to the personally identifiable data; normalize your data sets, and store links from personally identifiable data to public data separate from the public data.

In most systems I've worked on, if you start looking at this, the end result would generally be a system that is easier to secure in a meaningful way too: You end up with clearly delineated datasets with very different security requirements, and the datasets that needs to be most thoroughly secured end up being vastly smaller than if it's all smudged together in a single database and littered all over your log files etc.

I used to work on an e-mail platform where we did this around 2000. In effect it was out of naivety: We thought people actually cared about data security and that keeping such data separately was just what sensible people would do.

As a result, when users registered, most of the registration information we regularly moved to an offline system (as in: no network), where it was encrypted, burned to CDs, which were moved into a bank security box together with our backups once a day.

It just seemed to make sense, and it was not such a huge imposition or cost. It took an old PC sitting in the corner, and one guy making a short trip once a day.

It wasn't a perfect split: Since we were running an e-mail service, of course we had the e-mail addresses and peoples e...

"The larger U.S. companies may face a problem of perception that they have abetted U.S. government surveillance. They say, however, that they have broken no laws."

They probably mean to not having broken US laws. However, if they complied to US government requests they have certainly broken laws of several EU countries (at least German ones) and as well broken the Safe Harbor agreement.

That's basically the core of it. If you want to do business in the EU, you have to obey EU laws. That they are incompatible with US laws is unfortunate, but from an EU perspective mostly an American problem.
It is weird to have the article call Adobe and Autodesk mid-size companies. In Europe they would be considered giants.
Well, they're no Googles, Facebooks, Apples and Microsofts. Those are the real giants, and I don't think Europe has a lot of those.