
EU data protection law after the Safe Harbour judgment - robin_reala
http://eulawanalysis.blogspot.com/2015/10/the-partys-over-eu-data-protection-law.html
======
PeterStuer
Interesting tidbit: If you try to refer to this article with a link on
Facebook, they will block you from posting it.

~~~
domas
Very interesting. This is what I've got when trying to post it on Facebook:

You can't post this because it has a blocked link The content you're trying to
share includes a link that our security systems detected to be unsafe:

[http://eulawanalysis.blogspot.com/2015/10/the-partys-over-eu...](http://eulawanalysis.blogspot.com/2015/10/the-partys-over-eu-data-protection-law.html)

Please remove this link to continue. If you think you're seeing this by
mistake, please let us know.

~~~
kruczek
And other entries from the same guy can be posted without any problems. FB is
saying that their "security systems" detected the link "to be unsafe", but
comparing source of that particular post with other posts, I don't see any
significant difference (except for the text, of course). Sounds like the text
itself contains information which is unsafe (for FB).

~~~
tomp
> And other entries from the same guy can be posted without any problems.

Well, other entries don't bad-mouth Facebook.

------
jamesblonde
In general, this is a very good thing. The main outcome will be that more
engineers will be needed to do more work to ensure that data is handled more
carefully. The cost will be slightly reduced profits at companies that handle
large volumes of data globally. What's bad about that?

~~~
JoshTriplett
> The main outcome will be that more engineers will be needed to do more work

[https://en.wikipedia.org/wiki/Parable_of_the_broken_window](https://en.wikipedia.org/wiki/Parable_of_the_broken_window)

Artificially creating additional work by imposing additional requirements does
not necessarily improve the situation just because it employs people to do
that work, whether you personally like those requirements or not.

~~~
jeremysmyth
The parable of the broken window weighs what is seen (the payment to the
glazier) with what is not seen (the missed payments to other things that
could've been purchased had the window not been broken).

In the case of safe harbour, _the window was already broken_. Data being
passed from Europe to the US was not being handled correctly, despite the
promises inherent in Safe Harbor.

If protections had already been in place (i.e. if data service providers were
actually adhering to the promises of safe harbour) then service providers
_have already fixed the window_. Those that were safeguarding data correctly
have no further engineering work to do (although there might be further
regulatory/compliance effort to prove it depending on how individual nations
implement the stopgap safeguard laws to replace Safe Harbor).

The only engineering work required to "fix the window" is work that should
already have been done according to the safe harbour agreements, and threads
like this prove how broken Safe Harbor was to begin with.

------
fauigerzigerk
There is one key issue that is routinely ignored. The US and other countries
have two sets of data protection rules that govern police and security
services. One set of rules for residents of that country (e.g. US persons) or
domestic data and another much less stringent set of rules for everyone else.

So even if data protection rules were perfectly adequate in every single
country on this planet, there would still be justified concern about
transferring data across borders.

That's a situation that must change, and it can change without taking away the
bowl of sweets from security agencies altogether (which will never happen).

~~~
the_hangman
> The US and other countries have two sets of data protection rules that
> govern police and security services. One set of rules for residents of that
> country (e.g. US persons) or domestic data and another much less stringent
> set of rules for everyone else.

This is going to be generally true of most countries. If it weren't the case,
most forms of espionage would be subject to prosecution in the spy's home
state.

------
pjc50
I think there's a bit of a rush to panic about data balkanisation here;
remember, this is not a ruling that applies directly to Facebook, but to the
information commissioner of Ireland.

There's no new policy and no court orders to do particular things. What's
likely to happen is an extensive legal limbo. We may even end up with a
special Snowden version of the cookie warning: "Data stored on this system is
subject to mass surveillance and may be accessed by the security services
without a warrant or due process".

~~~
rmc
> We may even end up with a special Snowden version of the cookie warning

Depends. The courts might rule that that sort of "click-through" agreement is
invalid and doesn't count as consent.

_Update_: Already happening. DPA of Schleswig Holstein: Transfer on the
basis of Model Clauses unlawful. From
[https://twitter.com/CarloPiltz/status/654214641975984128](https://twitter.com/CarloPiltz/status/654214641975984128)

~~~
Silhouette
I don't believe such a ruling will be allowed to stand for long, if it really
is effectively a blanket ban that can't be overridden by reasonable consent.
Enforcing something like that really would have the potential to block
international trade on an economy-damaging scale.

~~~
rmc
The party who broke the deal was the USA, with its unrelenting mass spying of
as many people as possible. If you want change, start there.

~~~
yuhong
That doesn't change the issue of data transfers to third countries that are
not approved though.

------
mtgx
> Since the Court refers frequently to the primary law rules in the Charter,
> there’s no real chance to escape what it says by signing new treaties (even
> the planned TTIP or TiSA)

Oh good, I was worried a little about that one.

> Undoubtedly (as the CJEU accepted) national security interests are
> legitimate, but in the context of defining adequacy, they do not justify
> mass surveillance or insufficient safeguards.

Another good thing. I wasn't sure if this ruling affects spy agencies, too, or
just companies.

------
tajen
Question: If Facebook manages data within Europe, what are the safeguards in
place to ensure that there won't be mass surveillance, e.g. face recognition,
shadow profiles, friend graph browsing?

~~~
pjc50
That's use of the data to which you've "consented" by their EULA. "Mass
surveillance" specifically refers to warrantless bulk access to that data by
security agencies.

(Shadow profiles are plainly a violation of data protection law; do they exist
for EU users?)

~~~
JupiterMoon
Yes they do.

~~~
pjc50
Hmm. It seems that a process is ongoing about this, since 2011:
[http://europe-v-facebook.org/EN/Complaints/complaints.html](http://europe-v-facebook.org/EN/Complaints/complaints.html)

(Irish Data Protection Commissioner is clearly running this at the slowest
speed they can get away with)

