
U.S. And European Negotiators Near Deadline for Data Transfer Deal - jstoiko
http://www.nytimes.com/2016/02/01/technology/us-european-data-transfer-deal.html
======
sandworm101
The continuation of safe harbour required substantial legal reform, by one
side or the other. The legislative deadlines for that passed long ago.

We have to question whether the US could have done anything. The real issue
seems to be pervasive unlawfulness in the US. What assurance is any new law
when various agencies have demonstrated histories of breaking them so
casually? I think it will take a generation or more before Europeans have any
trust in US privacy laws.

~~~
BogusIKnow
The real problem is the image the EU has of itself.

The EuGH decided that personal data in the US is not safe but it is safe in
the EU.

When in reality at least the UK, French and German secret agencies have spied
and are spying on internet communications and data.

~~~
sandworm101
Yes, but Europeans are free to deal with those issues through local channels.
If the Germans are acting illegally against a French citizen then there is a
place for that to be resolved. An EU citizen cannot go after NSA. That's one
of the big sticking points. It's not about how the countries act so much as it
is about the rights of citizens to challenge that action through legal
process.

~~~
BogusIKnow
Where is the place for a French citizen to 'resolve' the issue when being
spied upon by the GCHQ? Where is the place for a UK citizen to 'resolve' the
issue with the BND?

~~~
sandworm101
My French isn't great, but in the UK you can file with the ICO. You might not
be happy with the outcome, but it is the start of the legal process. The
reason safe harbour is falling apart today is precisely because a determined
EU citizen filed such a complaint against a US corp.

[https://www.gov.uk/data-protection/make-a-complaint](https://www.gov.uk/data-protection/make-a-complaint)

~~~
BogusIKnow
From my understanding the reason safe harbor is falling apart is because a
citizen went to court because the Irish data protection agency didn't want to
investigate the data transfer of Facebook in detail. Not because a determined
citizen files a complaint against a US corp.

------
BogusIKnow
Tonight the deadline set by EU data protection agencies ends.

On Monday it will be illegal to transfer personal data to the US for EU
startups based on safe harbor. Main impact is on email marketing.

Currently not clear if existing BCR and standard clauses are impacted too.

It might be the case that EU startups also no longer can use Google Mail or
Google apps.

~~~
Animats
_"On Monday it will be illegal to transfer personal data to the US for EU
startups based on safe harbor. Main impact is on email marketing."_

Sounds like a feature, not a bug.

The US "Safe Harbor" was always a joke. It was a work-around because the US
refuses to enact data protection laws that give Internet users strong rights
against businesses.

Read the EU Data Protection Directive.[1] EU citizens have the right to
demand some things of the "data controller" who collected data about you. They
can demand a copy of the data. They can demand corrections. They can demand to
know of any other parties possessing copies of the data. They can demand to
know what other parties are doing with it. These rights cannot be waived.
"Data controllers" have to register with their country's data protection
authority, and list what data they are keeping about individuals. Individuals
can complain to the data protection authority if there are violations; they
don't have to sue.

Consent must be explicit. An EULA is not enough. "Every consent must be given
in an unambiguous way. This means that there should be no reasonable doubt
that the data subject wanted to communicate his or her agreement to allow
processing of his or her data. Deducing consent from mere inactivity is not
capable of delivering unambiguous consent, for example. Where data to be
processed are sensitive, explicit consent is mandatory and must be
unambiguous."

An individual's consent to share personal data can be withdrawn at any time.
"Example: A customer agrees to receive promotional mail to an address he or
she provides to a data controller. Should the customer withdraw consent, the
controller must immediately stop sending promotional mail. No punitive
consequences such as fees should be imposed. If the customer was receiving a
5% reduction on the cost of a hotel room in return for agreeing to the use of
his or her data for promotional mail, the withdrawal of consent to receiving
promotional mail at a later stage should not result in having to pay back
those reductions."[2]

Incidentally, this applies only to "natural persons", not corporations or
businesses. Businesses come under the European Directive on Electronic
Commerce, which requires disclosure, not privacy.

Since the entire EU has been under these rules for over twenty years now, this
is not impossible. But it's something US companies now have to get used to.

It's not a problem for companies which collect customer data for internal use
only. It's a big problem for companies which sell that data. That data isn't
theirs to sell under EU law. The individual has ownership of their own data.

[1] [http://eur-lex.europa.eu/legal-content/en/TXT/?uri=CELEX:319...](http://eur-lex.europa.eu/legal-content/en/TXT/?uri=CELEX:31995L0046)

[2] [http://fra.europa.eu/sites/default/files/fra-2014-handbook-d...](http://fra.europa.eu/sites/default/files/fra-2014-handbook-data-protection-law-2nd-ed_en.pdf)

~~~
M2Ys4U
It's worth noting that the Data Protection Directive will be replaced by the
General Data Protection Regulation[0] soon, probably in 2018.[1]

This Regulation (which will apply automatically across the EU, unlike the
previous Directive which had to be manually ported ('transposed') into
national law by the member states) will toughen up the rules on consent, data
portability, liability and enforcement.

One of the biggest headlines is that companies can be fined up to 4% of their
_global_ turnover for breaches of the GDPR.

[0] [https://en.wikipedia.org/wiki/General_Data_Protection_Regula...](https://en.wikipedia.org/wiki/General_Data_Protection_Regulation)

[1] [http://www.scmagazineuk.com/european-parliament-informally-a...](http://www.scmagazineuk.com/european-parliament-informally-agrees-gdpr-to-come-into-power-by-2018/article/463353/)

