European Court of Justice Strikes Down Safe Harbor Agreement

I’m not going to take this thread into another pointless ping pong match. I know whatever I say you just bat it back like there. If you are really interested in why I have this perspective, either research yourself, or PM me for a genuine sharing of ideas by asking why I think that - not for point scoring. I’m not interested in that, or trying to convince you, just adding a different perspective which you can ignore if you want.

The discussions on these threads don’t go anywhere when they become about defending a point of view, and are often detrimental to the forum.

2 Likes

I agree that the reasoning here is based on protection of individual rights, and I further agree that the U.S. mass surveillance programs are immoral on a grand scale (though I would seriously dispute whether mass surveillance programs are actually created by law as the current provisions cited for these programs are likely unconstitutional under U.S. law for half a dozen reasons).

However, just because this is a human rights ruling does not mean this is not a decision with protectionist implications. Assuming for the sake of argument that the ECJ had NO protectionist motives at all, the real-world implication of the decision is to force the global companies either
A. to upgrade the core infrastructure, in particular the routing infrastructure and data storage capacity of Europe OR
B. to stop offering services to the EU.

That has obvious protectionist and barrier to entry implications.

Also I am a little skeptical about whether data physically stored on EU servers is actually any less likely to be scooped up today under the joint efforts of the NSA and the GCHQ.

2 Likes

Oh noes…how low could we possibly drop if political collectives were able to take real decisions and corporations would have to obey… ironyoff

Of course it has protectionist implications - even more: protectionist intentions. Apparently you don’t like protectionism - I do, same as many other citizens of the EU. “Free market” is a label, marketed mostly by the USA and it’s mostly about corporate freedom, not about individual freedom. Hopefully things will get complicated after the ruling of the ECJ.

2 Likes

The Safe Harbor Agreement doesn’t apply to encrypted data:

2000/520/EC: Commission Decision of 26 July 2000 pursuant to Directive 95/46/EC of the European Parliament

The Safe Harbor Principles are relevant only when individually
identified records are transferred or accessed. Statistical reporting
relying on aggregate employment data and/or the use of anonymized or
pseudonymized data does not raise privacy concerns.

2 Likes

Okay, Mr. Lawyer, glad to hear that (although I’ve no clue what’s that supposed to mean in the context of SAFE network).

Can you also kindly confirm that this should be of no concern to SAFE app vendors?

Q: When data is transferred from the EU to the United States only for processing purposes, will a contract be required, regardless of participation by the processor in the safe harbor?
A: Yes. Data controllers in the European Union are always required to enter into a contract when a transfer for mere processing is made, whether the processing operation is carried out inside or outside the EU. The purpose of the contract is to protect the interests of the data controller, i.e. the person or body who determines the purposes and means of processing, who retains full responsibility for the data vis-à-vis the individual(s) concerned. The contract thus specifies the processing to be carried out and any measures necessary to ensure that the data are kept secure

That’s what I’m talking about!!! States will never descend into anarchy without the help of social justice warriors!

Directive 95/46/EC

(26) Whereas the principles of protection must apply to any information
concerning an identified or identifiable person; whereas, to determine
whether a person is identifiable, account should be taken of all the
means likely reasonably to be used either by the controller or by any
other person to identify the said person; whereas the principles of
protection shall not apply to data rendered anonymous in such a way
that the data subject is no longer identifiable;

1 Like

I am not sure what this quote is supposed to mean, but I guess you’re trying to say that because SAFE data are chunked, SAFE data is not covered by this decision.

But that is not what that means. That provision is for companies to be able to transfer anonymized aggregate data for marketing and similar purposes.

@janitor is assuming the Safe Harbour provision is the only means US companies have for repatriation of EU citizen data. It’s not.

Also, he’s assuming that the issue is independent of other factors, and the basis of the ruling itself.

The reason for the ruling is that SH was not protecting privacy, because Ed Snowden revealed that it was giving the NSA and GCHQ unfettered access to EU citizen, and company, data. Since SAFENetwork would prevent that, it is daft to assume it will be caught by this, and even if it is, well, there are other provisions available, which have not been touched at this point.

So long as US companies can show they are protecting users from this, I think we can expect the EU’s existing provisions to continue. It may try to insist that the USA do more than ensure companies self certify this, as is currently the case. I can’t see the U.S. conceding on this, hence very little impact for any company which can claim that data is not blatantly vulnerable to mass indiscriminate access by the NSA.

I really think @janitor needs to demonstrate how this decision somehow undermines all the provisions, especially when the basis for it would seem unlikely to apply to data protected by encryption, because this makes it inaccessible to indiscriminate surveillance.

I can see there being an impact, tighter rules, improvements in due process etc, but I really don’t see how this is going to prevent US companies from operating a service using SAFE Network. Whether they will choose to is a different question.

There are two topics on this (one related to Fortune 1000 companies’ (future) use of SAFE) and in that other topic I said something along those lines: until proven otherwise - either by way of official clarifications/warnings or in practice by smaller companies’ unchallenged use of SAFE - large companies will likely choose to wait and see.

I think the irony that government action supposedly intended to protect citizens will almost certainly delay the corporate use of SAFE (and hence benefits of its built-in encryption) as well as make existing services more expensive, shouldn’t escape us.

To answer your question (based on what I know about the legal cause): whether it could be considered illegal or not depends on the data that is stored. If it’s personal data, then an app vendor may subscribe to the Binding Corporate Rules. That’s not ultimately going to solve the problem but it’s most likely the way people will deal with it. Anyway, the ruling does not affect any service that has no access to personal data (e.g. when the data is user-end encrypted). Could you be more precise on your concerns, maybe I addressed them incorrectly.

I think they back down instantly when their profit is challenged. They also don’t want to draw more attention to them being told flat out no! This is the EU standing up to the US bullying. The whole BS house of cards could come down. No one got turned to charcoal for defying the US on extractive profit. They don’t want that getting around. I love this, it’s equivalent to a group of people standing up to the corporatocracy and saying: you aren’t going to do drone strikes on our citizens for profit or otherwise. Is the US going to try to run to one of its corrupt trade courts? Watch the EU ignore that and then the whole line of BS trade agreements is undermined globally.

Oh no the EU wasn’t willing to allow its people to be pimped out for profit the whole religion is in jeopardy. It’s wonderful: you aren’t going to exploit our citizens for profit, pack sand! Globalism is dying and we can finally get back to trying to take care of our people instead of exploiting other people in far away lands through terror. Hmmm you aren’t going to spy on our people, what a novel idea. At this point if they try another 911 it’ll backfire on them, it already is. If we can get enough of a breather on crap with privacy tech we can cut the cord on neocon power permanently. The terror industry will fail. We have to do it before they can start another cold war. But we won’t be safe until we replace corporations globally with something more cooperative. Whenever they were trying to spread democracy it was just corporatocracy, it’s time for real democracy.

I would read the opinion a little more broadly than that.

From paragraph 73 of the opinion

"the term ‘adequate level of protection’ must be understood as requiring the third country in fact to ensure, by reason of its domestic law or its international commitments, a level of protection of fundamental rights and freedoms that is essentially equivalent to that guaranteed within the European Union by virtue of Directive 95/46 read in the light of the Charter."

Then Paragraph 74:

It is clear from the express wording of Article 25(6) of Directive 95/46 that it is the legal order of the third country covered by the Commission decision that must ensure an adequate level of protection.

Then in Paragraph 94

In particular, legislation permitting the public authorities to have access on a generalised basis to the content of electronic communications must be regarded as compromising the essence of the fundamental right to respect for private life, as guaranteed by Article 7 of the Charter

While the specific court case involved the Safe Harbor agreement, I don’t see how this reasoning would avoid being applicable to all transfers of EU data out of the EU, including those done under Model Contracts and Binding Corporate Rules. As I’ve said, I don’t think that this necessarily will apply to the Safe Network, the obfuscation features might very well be regarded as making it anonymous. But this is a big decision, and I don’t think that it will be business as usual.

1 Like

Well, emails, calendars, messages… What data could not be personal?

Yes, I think in this case the services would need to subscribe to the Binding Corporate Rules and even then there might be problems. However, I don’t see why an app vendor should create a product where personal data is NOT user-end encrypted. Google can read your Gmail, but a “SAFEmail” app doesn’t need to do that. Why would it?

However, I don’t see why an app vendor should create a product where personal data is NOT user-end encrypted. Google can read your Gmail, but a “SAFEmail” app doesn’t need to do that. Why would it?

I don’t disagree, but I think it depends how the data is stored and who (in government’s opinion) is considered the service provider - is it the farmer, the app vendor, MaidSafe Inc., etc.

Regarding how the data is stored: what I mean by this is if you download an app and fully control it, then all farmers may be considered your storage providers. Or that may be you (the user), or even MaidSafe Inc. since they control the network (yeah we know it’s “decentralized”, but the seeding nodes are operated by MaidSafe).
There may be other ways to store user data. For example, a traditional Web app could store user data on SAFE. That account would be controlled by the Web app owner and I would think it is likely they would be considered responsible for storing data abroad (outside of the EU).

Anyone who claims that SAFE is not at all negatively impacted by this ruling is daydreaming.
HB asked me to substantiate my claims. Even if I did, it wouldn’t matter. My point is after this ruling any EU company must consider how it impacts their SAFE plans. You can’t do that without a lawyer and before you didn’t need one. How can the new way be faster or cheaper?
In some cases it might turn out to be just fine, but instead of using a Web based app the vendor would have to create a downloadable app (to avoid acting as data storage provider). That can be enough to screw up the business plan (eg the alternative model can’t make money, costs more to implement, requires a mobile dev, etc).

Let’s try to name one reason why the likes of British Telecom would help decentralized storage vendors get accepted in the enterprise? You can bet they will do everything in their power to make the SAFE adoption slower (preferably completely stop it).

1 Like

Empty again.

@janitor I’m seeing you as a constant creator of unsubstantiated negative propaganda against SAFENetwork. I’ve asked you before why you are here, and whether you support this project or are out to damage it.

I’m asking you again, because I don’t see your posts as constructive critique or supportive, because they just tail off when you’ve been challenged to stand them up. You don’t establish the case for a change, nor get involved in developing positive ideas to counter the flaws you portray. Your posts give me the impression that you are just here to create damage.

I’d love to hear you on SAFE crossroads. How about it @fergish :wink:

If you happen to object to the project, it would be fine for you to explain why and even convince others here, but attempting to undermine or sabotage it with incessant fear mongering is not ok IMO. Is that what you are doing? If not, then what do you think you are doing here?

1 Like

@kirkion we are very much in agreement. I don’t disagree that this has wider implications, my expectation though, is that political considerations will lead to a fudge, and I don’t expect that to include significant changes to the data protection regime inside the USA. I think it’s much more likely to consist of assurances - look at the kind of response Obama produced to address the evident lawbreaking of the NSA and others. So far, nothing has changed there, and the U.S. government will no doubt try the same in this instance.

Obviously the EU will seek more than that, but I’m doubtful that they have the guts to stand up to the USA when it comes to it. If they did, Americans would benefit too, so I hope, but don’t expect.

Ironically for @janitor’s position, the less the USA gives in this struggle, the better the case for companies to use SAFE. Again, I don’t say they will, I just maintain that this ruling is not going to prevent, or significantly discourage them.

@happybeing we don’t like the example because it’s the opposite of freedom in many ways but China already stood up to the US when it booted Google. They already had their great firewall. But there is recent precedent of booting US firms from a major market and having it stand. Whether the US stock market crashed or not was recently attributed in the US’s own media to actions of China. This has to embolden the EU.

1 Like

I don’t know about whether the EU as a whole will do something but I think that there are certain elements within it that would strongly benefit from pursuing this path.

First, the European Court of Justice has staked its credibility on this decision. The U.S. Supreme Court grew enormously more powerful (some say to become the most powerful branch of government), during the Warren Court years, because of its de facto control of the educational system, which is an enormously significant institution in society as a whole. Control over the rules and behavior of companies related to personal data, with the ECJ positioned as the (monarchical) guardian of the common man as against the (aristocratic/oligarchic), could promote the ECJ to the same position within its own system, a system which has seen its moral authority decline ferociously as the EU infrastructure has become seen to be the instrument of the favorite bugaboo of the month, whether that is distant bureaucrats in Brussels, menacing German politicians and financiers, or rapacious U.S. companies.
By contrast if the Court backs down, or is seen to back down from this decision catering to those same bugaboos, its power and influence will be enormously reduced, if only because people will take their complaints to the European Court of Human Rights.

The economic consequences of seeing this policy shift through will result as I’ve said above, in millions or billions of dollars poured into the communications infrastructure of Europe to allow for compliance without relying on U.S. or Chinese server capacity. This means that there will be local economic interests who would be powerfully motivated to support such a shift.

In the larger political climate, the major fact of this decade so far is the decline of U.S. power (please let’s not argue about the reasons for that). Russia and China are unlikely to do anything to stop the EU from hampering the reach of the U.S. surveillance structures. Barring some major terrorist attack which creates a massive change in the political climate of the EU, this is going to be an enormously powerful decision.

I think that it’s not an overstatement to say that the ECJ might have committed the remaining legitimacy of the EU itself to this issue. While it’s hard to know for sure, I see powerful forces in Europe which will back this move, and I don’t think that it will be the business as usual which the big tech companies are hoping for in their press releases.

One of the interesting features of the BCRs and Model Contracts is that they put the burden of proof on the tech company. That means that simply by accusing Google or Facebook of participating in PRISM, ordinary people in the street can get paid unless the companies can prove that their specific data was never accessed. Once this sinks in there will be hundreds or thousands of cases, as people start wanting their share of the payout.

So while of course Big Tech is making confident statements now (to avoid conceding the issue), they must be running scared.

3 Likes

When put that way it is a sovereignty issue for the EU, how could the EU not pursue it to the limit? And putting the burden on the foreign tech company shows how serious they are. It’s a security issue for the EU, they can’t have their servers in the US, this is decentralization. Japan just got its sovereignty back, the EU is pushing for its.

The US seems to be destabilizing, how could the EU rely on US data centers? Look at the people it’s running for office on one side. Look at its military expenditures over a long period. It’s either preparing for a major war in a nuclear era (?) or is it unsustainable corporate welfare to the max and lingering wars? What are they getting for those defense dollars? Is it mainly an attempt to starve the actual welfare state? It’s spending on defense at tin pot dictator levels. It’s been chomping at the bit over Iran. Look at its puffed up GNP. How much of its economy is truly viable?