The Collapse of the US-EU Safe Harbor (microsoft.com)
142 points by twsted on Oct 21, 2015 | 83 comments



The proposals do not address the elephant in the room and the very reason Safe Harbor collapsed: The NSA and the ability of the US government to override any treaty to access any data using secret warrants.

It is that which killed Safe Harbor, and none of the proposals at the end of the article would be immune to that weakness again.

It would remain the case that the proposals made would not be in line with the clear ruling that the European court gave if the US government can continue to override international treaties and their own courts.


The European intelligence agencies were trading info with the NSA, so European companies can be under the same sorts of threats. It's a red herring.

Personally I think this is really about protectionism and the NSA provides a convenient excuse given European intelligence agency involvement.


> The European intelligence agencies were trading info with the NSA, so European companies can be under the same sorts of threats. It's a red herring.

But the court wasn't asked to decide about the actions of the intelligence agencies, it was asked to decide on a complaint against Facebook.

> Personally I think this is really about protectionism and the NSA provides a convenient excuse given European intelligence agency involvement.

On the contrary; if anything, it was the Safe Harbour process that was supported on a convenient excuse, which the Commission allowed despite being clear from the start that the US didn't offer the necessary privacy protections to comply with the Directive. The court has just stated the obvious.


>But the court wasn't asked to decide about the actions of the intelligence agencies, it was asked to decide on a lawsuit against Facebook.

You're right, and as the basis of its ruling it decided that intelligence agency action caused a violation of the law. Given that intelligence agencies in the EU were willing partners in NSA spying in clear violation of US and EU law it stands to reason that much of the EU is similarly incompatible with these laws. Why can we store data in Germany when the BND is shipping your data to the NSA, but not America, where the NSA is doing it first hand (and might be doing it on its own in Germany anyways)?


Because a German citizen has several ways to make the BND accountable through the legal system, including voting to change such legal system; but he has no recourse against the NSA (short of starting a war).

You are mixing political responsibility and legal responsibility.


I'm not entirely clear on the EU's legal structure. Does an Italian citizen have ways to hold the BND accountable for accessing their personal data held in Germany?

I assume an Italian citizen can't vote to change Germany's legal system.


An Italian citizen can hold Germany accountable for implementing and enforcing EU privacy laws and directives (through the EU courts). If that doesn't give him sufficient legal standing he can vote for representatives to pass stricter EU legislation.


If the BND is allowed to do things that place Germany in violation of EU law, then that is an issue, yes, but it is an issue that was out of scope of what the court was asked to consider.


> Why can we store data in Germany when the BND is shipping your data to the NSA, but not America, where the NSA is doing it first hand (and might be doing it on its own in Germany anyways)?

For the same reason we could store data in the US right until this decision.


The legal action has only just got going: https://www.amnesty.org/en/press-releases/2015/04/amnesty-in...


EU intelligence agencies are under EU law (more or less). The US Gov/NSA is not under EU law. So you can't say that data in the US is compatible with EU law.


Both the NSA and various EU intelligence agencies were violating their various laws. Or, if you're a lawyer for one of these agencies, they had found convenient loopholes that violated the spirit of the laws and rendered them meaningless.

So if we apply the standard that intelligence agencies violating the laws means a country is unfit for storing EU data, then many EU nations are now unfit to store this data.


> So if we apply the standard that intelligence agencies violating the laws means a country is unfit for storing EU data, then many EU nations are now unfit to store this data

The difference is that EU citizens can hold "unfit" actors responsible, if they are from their own country (or even continent, via the ECJ); but they cannot do anything against the NSA.


Not all of Europe is part of the Five Eyes, or even its outer orbits. And if they are, the relationship is not symmetric. They don't have first-party access to US government communications, never mind, say, POTUS's cell phone.

"They all do it" is meaningless if one nation has an NSA and Greece has a sketchy looking guy with black shoes and no socks and a tape recorder.


> Not all of Europe is part of the Five Eyes, or even its outer orbits.

Five Eyes is only one such intelligence alliance. Germany, for instance, cooperated with the NSA despite not being part of FVEY: http://www.spiegel.de/international/germany/german-intellige...

The Dutch, again not part of Five Eyes, tapped phone calls to pass to the US. We don't know the full extent of which nations played a role. I'm willing to bet it's more than have so far been revealed.

>They don't have first-party access to US government communications, never mind, say, POTUS's cell phone.

Germany wasn't exactly giving the US access to their government's communications either, "just" private citizens. They did assist the US in getting access to the French leadership, though.

>"They all do it" is meaningless if one nation has an NSA and Greece has a sketchy looking guy with black shoes and no socks and a tape recorder.

When the large European nations are aggressively spying on their own citizens and then passing that info around to foreign governments in exchange for special software or information, it sort of renders their complaints about the NSA kind of moot. Yeah, the NSA spied on your citizens, but you helped them.

For those nations that didn't engage in this, I have a feeling not having your data in America isn't going to prevent the NSA from getting it if they desire it. Especially since much of that data will end up in the sorts of European nations that are spying on their citizens and trading data with the NSA anyways.


> Yeah, the NSA spied on your citizens, but you helped them.

I did not help them.

Either the German government did or the BND and VS did without orders from the German government. This needs to be investigated and punished accordingly. That is very unlikely, but at least we have a parliamentary commission (NSA Untersuchungsausschuss, NSAUA) to investigate these wrongdoings. Some interesting things were already uncovered by the NSAUA.


Well, I (a person) didn't directly help the NSA, either. I didn't vote for the people who did it, either. But "I" (a citizen of the United States) did help them in that I am part of the US, and I generally support the form of government that we have.

I doubt that the BND acted without orders from the Chancellor's office, just as the NSA didn't and hasn't acted without orders from the President.


You're right, they don't spy on POTUS's phone, just USSecState's phone.

http://www.theguardian.com/world/2014/aug/16/germany-spied-j...

Snark aside, I agree that there isn't full reciprocity when it comes to espionage capabilities, but BND is a capable spy agency with the resources to perform its mission.


Absolutely agree. The EU data regulators consistently ignore their own governments' intelligence gathering activities and powers.


Which, to be fair, they are absolutely allowed to do. That "everyone does it" doesn't make it acceptable that the NSA does do it. And if that also makes for a convenient excuse to pry some of the data currently stored on US-based servers out of the US and into the EU where it can drive local economies, so much the better from their perspective.

The EU regulators are being selfish jerks and forcing Facebook and Google to spend their hard earned cash on a datacenter in Antwerp or whatever. That's... hardly the worst evil afoot.


It's embarrassing that the tin foil hat suggestion that the European Court has a political agenda isn't downvoted into oblivion.

Not to mention the simple fact that through this ruling the court actually struck down a treaty supported by the EU politicians.


Eh, I could see the Commission doing it for protectionist purposes, but why would the highest Court care about that? If it's "protectionist" it's for EU citizens' data, not for economic purposes. I've seen no evidence to the contrary so far.

If anything, it's the Commission that has been much more willing to give the US government and companies "some slack" about collecting all this data. Luckily, the Commission's hands are now tied, and the ruling sets a rather clear roadmap for the minimum requirements of privacy in any sort of new EU law or agreement with the US.


Even if the US passed identical data protection laws as the EU, the NSA would still have the ability to do what they did legally since EU data protection laws have exceptions for national defense and national security.

It appears that the EU wants the US to pass laws that are stronger than their own.


There are exemptions for national security, but they have to be proportionate (and if you read the judgment of the court, they're pointing at a high bar there) and non-discriminatory with regards to citizenship.

Part of the problem with SH was the fact that there was no legal recourse at all for EU citizens.

Also, let's not forget that the CJEU struck down the Data Retention Directive recently - so they are enforcing this human right against EU member states. They just have to wait for the right referral to their court.


I think it would be very interesting if the civil courts of the US and EU each forced the other entity into passing stronger privacy protections than they have currently. Specifically, I'm thinking of a scenario where the collapse of Safe Harbor helps force Congress into passing meaningful privacy legislation and drastically curtailing the NSA's overbroad powers and mandates, and the US then turns around to the EU and says "ok, now it's your turn. If we can't spy on everybody, then neither can you."


The only effective solution to the problem of "NSA and the ability of the US government to override any treaty to access any data" is the furtherance of study, and application of Homomorphic encryption.

Homomorphic encryption is a type of encryption where the data is encrypted, sent to a remote server (cloud), and processed in its encrypted form. It is never unencrypted during any part of processing. And when it is transmitted back to the originator, they can decrypt when they choose.

Unfortunately, right now the speed is very slow, but work in this area can allow all sorts of data to be processed in the cloud securely.
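The comment above describes the property only at a high level; here is an added worked example (my own, not from the commenter or the Microsoft article) using textbook Paillier encryption, whose additive homomorphism lets an untrusted server total encrypted values it cannot read. The primes, the sample readings and the function names are constructed for the demo.

```python
# Added illustration: textbook Paillier encryption, which is additively
# homomorphic. The "cloud" only ever sees the public key and ciphertexts, yet
# can compute an encrypted total; only the key holder can read the result.
# Toy primes are used so the demo is fast; they are far too small for real use.
# Requires Python 3.8+ for pow(x, -1, n).
import secrets
from math import gcd


def lcm(a: int, b: int) -> int:
    return a * b // gcd(a, b)


def keygen(p: int, q: int):
    """Return ((n, g), (lam, mu)) for primes p, q with gcd(lcm(p-1, q-1), n) = 1."""
    n = p * q
    lam = lcm(p - 1, q - 1)
    g = n + 1                      # standard simplification: g = n + 1
    mu = pow(lam, -1, n)           # with g = n + 1, L(g^lam mod n^2) = lam
    return (n, g), (lam, mu)


def encrypt(pub, m: int) -> int:
    """c = g^m * r^n mod n^2 with a fresh random r, so equal plaintexts differ."""
    n, g = pub
    n2 = n * n
    if not 0 <= m < n:
        raise ValueError("plaintext must satisfy 0 <= m < n")
    while True:
        r = secrets.randbelow(n)
        if r > 0 and gcd(r, n) == 1:
            break
    return (pow(g, m, n2) * pow(r, n, n2)) % n2


def decrypt(pub, priv, c: int) -> int:
    """m = L(c^lam mod n^2) * mu mod n, where L(u) = (u - 1) / n."""
    n, _ = pub
    lam, mu = priv
    n2 = n * n
    u = pow(c, lam, n2)            # u is 1 mod n, so the division is exact
    return ((u - 1) // n * mu) % n


def cloud_sum(pub, ciphertexts) -> int:
    """What the untrusted server does: multiply ciphertexts mod n^2 (adds plaintexts)."""
    n, _ = pub
    n2 = n * n
    acc = 1
    for c in ciphertexts:
        acc = (acc * c) % n2
    return acc


def cloud_scale(pub, c: int, k: int) -> int:
    """Also possible without the key: c^k mod n^2 encrypts k * m."""
    n, _ = pub
    return pow(c, k, n * n)


def demo() -> int:
    """Client encrypts three constructed readings, server totals them blind, client decrypts."""
    pub, priv = keygen(10007, 10009)         # constructed toy primes
    readings = [12, 30, 5]                   # constructed sample data
    encrypted = [encrypt(pub, m) for m in readings]
    total_ct = cloud_sum(pub, encrypted)     # server never decrypts anything
    return decrypt(pub, priv, total_ct)      # 47


if __name__ == "__main__":
    print("decrypted total:", demo())
```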


TBH as soon as you're using a cloud that you don't control anywhere you've lost control of your data.



Microsoft are at the centre of another case which will really decide how badly EU-US trade is affected:

> Microsoft stands in contempt of court right now for refusing to hand over to US authorities, emails held in its Irish data centre. This case will surely go to the Supreme Court and will be an extremely important determination for the cloud business, and any company or individual using data centre storage. If Microsoft loses, US multinationals will be left scrambling to somehow, legally firewall off their EU-based data centres from US government reach.

— from http://www.irishtimes.com/business/ecj-ruling-on-irish-priva...

At the moment, data can be held within the EU by US companies and it's all ok. If Microsoft is forced to hand over emails stored within the EU to the US government, then all bets are off.

In that future, it may not even be enough to have an EU-based subsidiary of a US company hold data within the EU, since it'll have been shown that the U.S. government can coerce them.

And we like to talk about large companies like Microsoft, Apple, Facebook, Google etc. But they can throw money, lawyers and engineers at this problem. The thousands of US-based SaaS apps do not have that luxury. Likewise, there are thousands of EU-based small SaaS apps that will have everything from their hosting stack, to their bug tracker, to their communications tools taken off them.


In this case, the U.S. isn't trying to get Microsoft to coerce their European subsidiary into handing over the data; it's trying to get Microsoft U.S. itself to hand over the data. The problem for Microsoft is that the parent company in the U.S. has direct access to the data, without having to involve any employees of the European subsidiary, even though the data is stored on European servers. Therefore the U.S. government's position is that a search warrant is valid and not extraterritorial: it's being served on a U.S. company, asking U.S.-based employees to turn over data they have direct access to.

Microsoft would be in a stronger position if the data on its EU servers were only accessible by employees of its European subsidiary. Then Microsoft's U.S. branch could respond to a search warrant by truthfully saying that they don't have that data, and the request must be redirected to its European subsidiary. But that would complicate its technical infrastructure, so it would rather not do that. However, if the case turns out adversely, that's one possible response. They could segregate access, so that credentials for access to EU-based data are only given to EU-based Microsoft employees.


Thanks for making that clearer.

I'm not yet convinced that a multinational could have strong enough controls that one person on a team has the password but another person doesn't. In reality, this stuff gets mixed around a lot, even if there are official policies in place.


> In that future, it may not even be enough to have an EU-based subsidiary of a US company hold data within the EU, since it'll have been shown that the U.S. government can coerce them.

Wouldn't the other way round be more sensible, then? Make Microsoft be technically headquartered in the EU and have its main operations handled by a US subsidiary. Wouldn't that work?

(Not familiar with legal/financial/etc. reasons this would be a problem.)


In that future, even an EU company may not be enough if that company does business in the US (or, in the most extreme case, accepts and/or makes a significant amount of USD payments). The US government can coerce them too (and in some cases already does today e.g. sanctions and FATCA).


I think we'll look back at this and say "That is when the whole house of cards collapsed." The notions of the Internet being "somewhere else" and the rules being coded by the body legislating the person who is accessing it, is untenable. I expect a lot of churn on the privacy, tax, and access (censorship) policies which have grown up over the years.

Consider:

* France (and China) trying to impose content restrictions on Google results. [1]

* The EU invalidating the safe harbor privacy rules. [2]

* The recent invalidation of tax strategies in the Netherlands and Luxembourg. [3]

These are all sovereign issues. And anyone who has ever looked at the Internet as a "place" intuitively understands how impractical it is to have the rules be based on the origin of the connection in meat space.

The depth and complexity of this particular confluence of concepts is really staggering. I can not even imagine how you would establish an institution to "rule" the Internet. I might even go so far as to assert it isn't possible. What I fear is that what is possible is the Chinese model where every country has its own "Internet" and your ability to access it from outside, or to leave it from inside, will be governed by some electronic equivalent of a passport. And that idea brings the whole "identity" question really out to the forefront of the discussion.

Very interesting challenges ahead.

[1] http://www.teleread.com/chris-meadows/france-demands-google-...

[2] http://www.natlawreview.com/article/european-court-justice-i...

[3] http://www.thisismoney.co.uk/money/news/article-3062128/Appl...

http://www.wsj.com/articles/googles-tax-setup-faces-french-c...

http://www.reuters.com/article/2015/10/21/us-eu-taxavoidance...


On the other hand, it could lead to a more fractured web, that is highly segregated based on where the host is that is serving up the data. Like US Corporate law, it could lead to a mass of companies deciding to place most or all of their servers in what would otherwise be very silly locations.


I completely agree, it could actually make "Data Havens" practical simply because the laws regarding them would be easier to parse. I've done a cursory scan of the whitepapers of various think tanks but I haven't found any that really dig into this question. If anyone sees one please link it here.


The ECJ was simply responding to a fairly obvious and fundamental problem: your private data IS NOT SAFE in the US. The US government doesn't care and has no intention of changing this, so expect the ECJ's ruling to stand for a long time.


Color me impressed with the no-nonsense and respectful way in which Microsoft tackles this. Looking forward to other tech giants following suit.

The 'privacy is dead' crowd should really take notice of this article.


You know I really wanted to believe in the new Microsoft ... then I started to notice the new telemetry patches in Windows update.

They can say whatever they want about privacy, as long as they sneakily collect data about my computer usage I won't believe a word of what they say.


I try very hard to never use Microsoft products, that's for sure; let there be no misunderstandings about that. So I can't comment on what the most recent incarnation of Windows does, but I'm well aware that Skype did not change for the better after MS took over.

Even so, saying this as not exactly a Microsoft fan (to put it very mildly) their words (not necessarily their deeds) are spot on, this is really what is needed and privacy really is a fundamental human right.

Now if they will actually act on these words it will count for something.


> I'm well aware that Skype did not change for the better after MS took over

While I'm acutely aware of the negative impact various changes had on privacy (cf. the leaked documents referencing it), I'm not sure that statement is blanketly true.

I can now have Skype running on my phone where previously it used to drain the battery in a few hours flat. That is, personally, a huge improvement.

Another thing I've noticed is I get both better video quality (when I use video, I prefer audio only) and fewer disconnects due to "network" reasons.


I meant that - in case the context did not make it abundantly clear - from a privacy perspective, not from a usability perspective.


Privacy of European computer users requires NSA vassal companies, e.g. Microsoft, to fuck off because they aren't reliable. Microsoft isn't going to magically become reliable only because it says it cares about privacy, nor because it actually defends the privacy of USA customers (which is remotely possible after all).


Microsoft is currently in contempt of court because they're refusing to hand over data the US government wants. They're appealing. If Microsoft isn't reliable, then nobody is. And if that's the case, then it's not a problem with Microsoft, it's a problem with everybody, everywhere, that is within the reach of the US government. Which is everyone.


> I try very hard to never use Microsoft products

I also went ahead and decided not to help anyone install, fix, or do any type of support for such systems; instead I always have with me a USB drive ready to live-test Linux, and to replace that ugly thing.

Divulge, Replace, and Extinguish.


I hope you realize a huge multi-billion dollar company such as Microsoft isn't one unified entity. Chances are the PR/politics guys never even talked to the team responsible for that telemetry update and have very different agendas.

Furthermore, this kind of article is the last place where they would want to bullshit you, seeing how it is a prime target for their critics.


> I hope you realize a huge multi-billion dollar company such as Microsoft isn't one unified entity. Chances are the PR/politics guys never even talked to the team responsible for that telemetry update and have very different agendas.

The article was not written by "some PR guy", the author is stated as "Brad Smith, the President and Chief Legal Officer". I don't think someone with that position would be blissfully unaware of the telemetry/spying issue. Actions speak louder than words.


I can believe it.

Microsoft fired their chief privacy advisor (Caspar Bowden) in 2011 for saying "If you sell Microsoft cloud computing to your own governments then this law (FISA) means that NSA can conduct unlimited mass surveillance on that data" to an internal meeting of regional managers.[0]

He later tweeted that Brad Smith's "posturing as conscientious is nauseating cynicism"[1] about this very case.

I miss Caspar, he was ahead of his time in recognising the dangers of cloud computing (especially in the US wrt FISA etc.). RIP :(

[0] http://www.cloudwards.net/news/ex-microsoft-chief-privacy-of...

[1] https://twitter.com/casparbowden/status/542588420611379201


If there is one challenge that Nadella is facing then it is that one: to get a single unified set of goals that Microsoft will strive to achieve. As long as 'the team responsible for the telemetry update' can screw up their long term prospects they're not looking good. Note how the GP writes "I really wanted to believe in the new Microsoft".

And then some out-of-control arm of the company comes along and wrecks that (assuming it really is out-of-control rather than that it is a case of saying one thing and doing another).


This is why having technical management (or at least technical-understanding) is key once you grow past a certain size, I think.

There was a link here a few months back about some MS tiger team that upper management convened to solve a cross-department issue (something about a webpage in updates?). Additional department heads kept getting added to the call every time someone said "It's not my issue, it's X's!" (ah, here's the link -- http://blog.seattlepi.com/microsoft/files/library/2003Jangat...)

I think that's what it takes nowadays: "I have the authority to make you and anyone else necessary resolve this" + "I recognize this is a problem"

Too often it's one without the other.

PS: Side tip. I think one great thing large organizations can do is have a more outside-the-org-chart independent problem solver. Problems get reported, they summarize the issue and get priority/sign-off from only above themselves, then they're empowered to pull who they need to fix it. Otherwise "that's an issue that only affects our users (aka not dev)" seems all too common.


Which reminds me, I assume now Microsoft can't collect most if not all of that data through Windows 10 from EU citizens?

I just hope it won't use that "third-party trick", where it routes the data through another EU company first, because that would definitely be illegal under the recent ruling, too, but Microsoft may wrongfully believe it's "grey area", so it might just do that. If it does try to use that trick, and then later it's once again confirmed that what it's been doing is illegal, I hope it's sued for all its worth.


It's not only Windows 10: the telemetry patches were backported for Windows 7 and Windows 8 too.

Not long ago they were saying that Internet Explorer and DirectX could not be backported to previous Windows versions. I guess with the right incentives nothing is impossible ...


I was also overall impressed with the tone of the article. However, there were a few phrases which somewhat worried me. Specifically, "there is a broad recognition on both sides of the Atlantic that we live in dangerous times" and "if governments are going to prevent and investigate threats to public safety in the real world, they need timely and appropriate access to data that is stored online".

The first is somewhat debatable (there obviously is danger, but more or less than there used to be?), and even if completely true, "dangerous times" have been used to justify a lot of very bad things, so nebulous references worry me.

The second is also a sentence that by itself is fairly straightforward and uncontroversial, but is highly dependent on "timely" and "appropriate". After all, if "timely" means "as soon as we need/want it", and "appropriate" means "we swear we won't look at it unless we need to, honest", then many NSA programs could be loosely described as a way to get "timely and appropriate access to data that is stored online".

It is possible that neither of these sentences is meant to weasel in these sorts of meanings, and that I'm simply reacting to anti-privacy advocates having used otherwise innocuous phrases to justify bad behavior.


Site seems down. Copy/paste from Google cache here (too big to submit as a comment): http://pastebin.com/0jLCA65D


"Legal rules that were written at the dawn of the personal computer are no longer adequate for an era with ubiquitous mobile devices connected to my butt." Are you sure it's from google cache?


Ah, ok. Apparently I still have the cloud-to-butt extension installed o_0


This may be remembered as cloud-to-butt's finest hour. A potentially historically significant statement made readable to the Buzzfeed crowd.


Inadvertently hilarious!


To be fair, at this very moment a large number of people have their mobile device in their back pocket, separated from their butt by only a thin layer of clothing, and in fact can feel it there.


On reading that, I had to check if I had the "cloud to butt" extension installed. ;)

I don't, so it must be the paster, BuildTheRobots.


I completely forgot I had the plugin installed for months until I started gliding - all of a sudden I was trying to read about butts in a non-computer context and everything got extremely confusing.

In other news, I feel someone really should write a "butt to cl0ud" plugin, aimed specifically at proctologists ;)


Google cache: http://webcache.googleusercontent.com/search?q=cache:0BKIRj9...

I'm getting an Internal Server Error on the original page.


To me the key idea from Brad Smith's post, which I don't necessarily agree with, was this:

> Third, there should be an exception to this approach for citizens who move physically across the Atlantic. For example, the U.S. government should be permitted to turn solely to its own courts under U.S. law to obtain data about EU citizens that move to the United States...

What he's really arguing is that the EU should not invalidate the Safe Harbor, in that it breaks the Internet, and Microsoft will provide its customers' data access for U.S. and EU governments under "in the most limited circumstances". In that sense, it's not something out of the ordinary compared to what Microsoft's typical position is on this issue. They can certainly do better than that, i.e. throwing away the server-side encryption key like Apple does for iOS devices so that they don't have the technical capability to give out user data even if summoned to.


To me the quote you use from the original post talks about people who move (physically) from the EU to the US. These people remain EU citizens, but can hardly be distinguished from US people, as they have a US address. As EU citizens they have more rights to privacy than their US neighbors.


He makes the issue more complex than necessary for the benefit of his employer. There is no reason why private information needs to move across borders without the express consent of the individual involved. At that point the individual agrees to be bound by the rules of the country where the data is going or no transaction is done.

Let each country have its own set of rules and have all countries respect those rules for data located in the hosting country.

The idea that each country must be exactly the same and data is by default available for transmission across borders is only to the benefit of multinational companies.


In many jurisdictions, some rights cannot be legally signed away. Often the requirements on a non-negotiated contract are even higher. Lastly the US government is currently trying to coerce Microsoft into revealing data stored overseas, so even storing data in the country of origin may be insufficient protection.


I'm not saying that no changes are needed. What I am saying is that the proposals put forth by Smith are more complex than necessary and that the purpose of the added complexity is to benefit his employer and not individuals.

> In many jurisdictions, some rights cannot be legally signed away

In those jurisdictions there would have to be changes to allow individuals to provide permission to move their information across borders.

> Lastly the US government is currently trying to coerce Microsoft into revealing data stored overseas, so even storing data in the country of origin may be insufficient protection.

Which is why I said "Let each country have its own set of rules and have all countries respect those rules for data located in the hosting country."


> At that point the individual agrees to be bound by the rules of the country where the data is going or no transaction is done

What does this look like? Another section in a EULA? A popup/banner thing like for cookies? An extra tickbox on the registration page?

To me this feels like moving the problem of choosing a sensible data protection jurisdiction onto the customer, rather than making a sensible choice yourself.

Personally I prefer to keep all personal data within the EU and avoid bothering my end users with this stuff, and that rules out any services that aren't available here... reducing choice & competition, which sucks. In that respect I was a fan of the Safe Harbour.


I think you're overestimating the amount of times that data needs to move across borders to complete a transaction.

As an example, you're buying an airline ticket to a foreign destination. There is a check box next to the purchase button. The check box says that to complete the transaction you agree that information will be transferred to the destination country.


> I think you're overestimating the amount of times that data needs to move across borders to complete a transaction.

The word need in this context is an oversimplification.

For example, if I want to build an app where data doesn't leave the UK I have very little choice in providers, so have to compromise other things, like convenience, cost, security, etc.

If I accept that data will move across some borders (and the EU is really really really valuable in this regard) then I can locate the data in eu-west-1 in Dublin and many more options open up.

That said... if I want to use any SaaS services that don't offer an EU hosting option then I still can't unless I want to accept much more variation in data protection law. That rules out plenty of analytics packages, centralised logging services, PaaS providers, etc.

Every compromise choice subtracts value and reduces competitiveness, which affects the end-user.

Do we need to move data across borders? No. Does it make sense to? Yes, frequently.


For purposes of this discussion I would say the EU is one entity. If all citizens of the EU are sharing the same rights and those rights are defined in a single legal framework then I would say (for data privacy anyway) the EU is a single entity without borders.

As far as the difference between need and sense I think what you're talking about is actually cost. If citizens want data privacy there will be a cost. If they think the cost is too high then they will decide that it doesn't make sense. They should have the opportunity to decide.


> They should have the opportunity to decide.

"Opportunity to decide" implies that end users are prepared and waiting to make that decision, which I'd suggest is broadly untrue.

When you say "have the opportunity to decide"... I hear "be forced to learn about then make a decision on a complicated thing in the middle of a buying decision".

EU companies already have to inform users if personal data leaves the EU. Nobody reads it. People don't read T&Cs.

You could force companies to summarise their privacy/data policies during the buying decision, but you'd have to compress so much you'd mislead as much as inform.

Besides, I think if people cared enough about this stuff then P3P would still be a thing. The ones that DO care enough can read the privacy policy that already explains it.


As I said before: There is a check box next to the purchase button. The check box says that to complete the transaction you agree that information will be transferred to the destination country.

Not all that hard or complicated.


> Not all that hard or complicated.

A checkbox isn't complicated in itself, but there are a few things about it that are complicated.

(1) All the thinking the customer needs to do once they see the checkbox in order to understand exactly what information is shared with which legal entities in which territories. A checkbox that says "personal data shared with companies in the US" might mean recording your email address with a centralised logging system in a comparatively secure datacentre... or it might mean sharing your photo, location data & bank balance with a mob front. If you don't include that detail you're not giving the customer a basis to make a sound decision... but if you do communicate it you're dumping a ton of cognitive load onto them while they're trying to transact, and hence shitting on your own conversion rate.

(2) All the thinking in the creation & maintenance of that checkbox... involving web ops, legal, product management, most likely marketing & biz dev too as they're also likely candidates for using personal data in SaaS tools. Then add in work done by regulators & auditors to verify that the checkbox is actually represented truthfully... because I don't see how a sane P/L owner would agree to reduce their conversion rate voluntarily with no promise of a boost to LTV or CAC.

(3) Change management, when you have a database full of people who've consented to their data being stored in Ireland and your marketing team is screaming to use some shit-hot new CRM from Israel or wherever and you need to get in touch with every single one before being able to use it. In reality you'd just have to be allowed to just make 'reasonable effort' to contact them, which in reality would just be an email or a letter notifying them of intent... but still, rather than just being allowed to run your IT you now have to inform your customers how you're running your IT and expect them all to understand, risking misunderstandings and reduced LTV.

Don't misunderstand, I like privacy, I'm a fan of Snowden, I want customers to own their own data. I just don't buy this checkbox idea.


Does routing work like that? I mean once data is stable on a machine, it won't move, but getting that data there, man that seems hard. I mean, copying a file between 2 London datacenters might go through New York, if conditions are right.

I always thought moving between two machines took the fastest route, not the shortest route. I guess you could set up some fancy geolocation rules to ensure IPs of a certain range are only routable to other specific IPs. Still, there's no guarantee about the physical location of a given address.


You make a good point. Changes to routing tables would be an added cost.


> At that point the individual agrees to be bound by the rules of the country where the data is going or no transaction is done.

I'm not sure there's any opening in EU law for the individual signing away their rights like that.


It is to the benefit of anyone running an interactive website that wants to accept visitors from outside the hosting country. Multinationals, which have a physical presence in many countries that could handle local hosting if necessary, and the legal resources to work through the privacy laws of N different countries, are in many ways the least affected.


As a small company, stuff like this scares the shit out of me. It would be expensive, but companies like Microsoft can survive things like this. But how can a small company do anything but ignore it?


I work for a missions organization with ministries all over the world. We are trying to centralize for cost and due to lack of resources but everything we collect is pretty sensitive since it gets tied back to religious stuff. I think we'll need to hire lawyers in every EU country to get an idea of what we need to do - and then we'll probably need to duplicate a lot of effort to comply and we may just not use certain tools because it will become impossible.


> Government officials in Washington and Brussels will need to act quickly, and we should all hope that Congress will enact promptly the Judicial Redress Act, so European citizens have appropriate access to American courts.

Well, Microsoft is wrong here to believe that the Judicial Redress Act [1] will be sufficient. The CJEU has required "essentially equivalent" privacy protections for EU citizens as they get in the EU.

The US Privacy Act does not give them that, so this Judicial Redress Act is a hit and a miss.

The US needs to pass a much stronger privacy law that is "at least" as good as the one in the EU, if it wants its companies to continue to get EU citizen data (and I assume it does). It can start by finally reforming the ECPA for the 21st century.

[1] http://judiciary.house.gov/index.cfm/press-releases?id=9455F...


From the rest of the article, I don't think he's suggesting that only the Judicial Redress Act is sufficient as a replacement for Safe Harbour? Just that it's a useful first step that congress can take soon.


The excuse that the legal rules are obsolete is a red herring.

It depends on the rules.

For example: privacy of communications has no intrinsic dependence on technology. Security of personal data requires the verification of said security (or the commitment to it), etc...

I do not know about this specific law. But just because a law is old does not mean that it is bad. And this is what Microsoft is saying.

After hundreds of years of slavery, it was abolished in the US in a single day. So what? Is this bad?
