Yes, U.S. authorities can spy on EU cloud data. Here's how (zdnet.com)
51 points by nettizen on Feb 2, 2013 | hide | past | favorite | 17 comments



The assertion breaks down at this point: "So, Slicklizzard U.S. Corp. instructs its subsidiary—which it wholly owns, and therefore can order its London-based subsidiary to carry out actions, without reason or prior warning, to send all of Doe's data from its Dublin data center to its U.S.-based data center."

This involves ordering UK employees to move personal data out of the UK, and assumes that they're willing to be complicit. Most of the teams I've worked with would rather obey the law than a potentially illegal request from their US colleagues.


Per the article, it is not against the law, under the Safe Harbor act.

A lawyer could argue that the FISA potential creates a situation where the USA is /never/ a safe harbor, but would a third-tier IS/Abuse/CST goon question a request for a legitimate type of report from above?


Ok, let's suppose it's not illegal to send the data to the US because of the safe harbor act.

What is the legal ground that prevents me, let's say, a UK employee of a UK subsidiary of a US company, from telling the press that my UK company has been ordered by its US owner to hand over private data to the US?

I mean, I cannot possibly be forced to abide by the FISA warrant, right? But can my company be in trouble (and hence fire/sue me? *) for this kind of action by an employee? I mean, how can US law hold a US company responsible for a non-illegal action performed by a non-US employee of a non-US branch of that company?


There are certainly cases where it is not permissible notwithstanding Safe Harbor. For some clients, data can't leave our country. We drill data protection into our people and encourage everyone to ensure everything they do with personal data is ethically and lawfully sound. That means asking questions.


> Former Microsoft privacy chief Caspar Bowden, speaking at a panel discussion in Brussels this week, warned that U.S. law allows the government to spy on non-U.S. citizens' files and documents, and that new Europe-wide data protection law proposals specifically allow such surveillance.

The ancient ECHELON programme tells us that the US (and others) have no problem spying on citizens, using loopholes to spy on their own citizens.

The horrible state of encryption means that most people can't justify encrypted cloud storage because the cost : risk : reward and threat modelling stuff is unfavourable.

It's pretty scary that all this stuff is ending up on random servers across the world.


What do you mean by the horrible state of encryption? Why is it high cost to make a TrueCrypt container and use that as your interface? The only thing I can think of is that it's inconvenient to be unable to simultaneously mount content from multiple places at once. That doesn't seem like an enormous cost; did you mean something else?


> why is it high cost to make a truecrypt container

Because normal people can barely use MS Word; how do you think they're going to be able to use TrueCrypt?



What if Slicklizzard US is the subsidiary, could the US still request the information from Slicklizzard UK? Is any kind of presence in the US enough to enforce the FISA warrant?


I would assume that, if the US subsidiary decided to comply, but the UK parent did not want them to, then the UK parent could say "no thanks" and there's nothing the US subsidiary could do.

To punish the parent, the US government could presumably prosecute the US subsidiary for noncompliance and, if successful, shut down all the company's US parts (including US-based domain names like .com) and seize US bank accounts etc.

And maybe even brand them as a terrorist organization since, clearly, if the US government says it's a matter of terrorism, if you don't help them then you're a terrorist (never mind that doing so would involve breaking the law of the UK jurisdiction where you're based).


> And maybe even brand them as a terrorist organization

They are saving that for ideological enemies, such as people who hold traditional American political values (e.g. freedom of speech, freedom from excessive taxation).


All data that is not under your direct control must be assumed to be immediately accessible by the authorities.

Thinking at the extremes is a really useful thought model because it makes stuff like the above relatively unsurprising. It also modifies one's behavior to protect oneself from the most likely worst case scenario.


Yep, I've always assumed that if it's not encrypted by a key you yourself hold privately (and not feudal-security cloud encryption), then wherever that data is kept, it is subject to some sort of shady backdoor process by either copyright lawyers, US feds, or, even worse, some dangerous government posing as the US and spoofing some faxes that look legit to steal all your emails and data.


That doesn't mean citizens shouldn't fight for better privacy rights, or at least enforce the ones they have, though. Comments like that always sound defeatist to me.


It's not defeatist, because it doesn't imply you just can't do anything about it; it implies you should be responsible for your own key management and encrypt sensitive data appropriately. Government agencies silently seizing an appropriately set up TrueCrypt container are not a threat.


Another possible way of looking at things:

Everyone has access to all of your data if it would be problematic for you.


Binding corporate rules for data processors was inserted into the European Commission’s data protection regulation proposal with loopholes built-in which allow for FISAAA surveillance.



