
European Court of Justice invalidates US-EU privacy agreement [pdf] - mrleiter
https://curia.europa.eu/jcms/upload/docs/application/pdf/2020-07/cp200091en.pdf
======
terom
I think this statement is saying that the US surveillance laws grant the US
authorities unlimited access to the personal data of non-US citizens being
processed in the US, and those surveillance programs do not respect the
privacy rights of EU citizens. Which seems fairly obvious...

> In the view of the Court, the limitations on the protection of personal data
> arising from the domestic law of the United States on the access and use by
> US public authorities of such data transferred from the European Union to
> that third country, which the Commission assessed in Decision 2016/1250, are
> not circumscribed in a way that satisfies requirements that are essentially
> equivalent to those required under EU law, by the principle of
> proportionality, in so far as the surveillance programmes based on those
> provisions are not limited to what is strictly necessary.

> On the basis of the findings made in that decision, the Court pointed out
> that, in respect of certain surveillance programmes, those provisions do not
> indicate any limitations on the power they confer to implement those
> programmes, or the existence of guarantees for potentially targeted non-US
> persons. The Court adds that, although those provisions lay down
> requirements with which the US authorities must comply when implementing the
> surveillance programmes in question, the provisions do not grant data
> subjects actionable rights before the courts against the US authorities.

------
menybuvico
This is going to be interesting, as this renders a number of high-profile
service providers (Microsoft, Amazon, etc.) unsuitable for anything related to
personal data in the EU. I suspect there will be multiple attempts at getting
a new treaty in place before there are any actual consequences, though.

~~~
terom
That interpretation depends heavily on how much trust you place in the
regional concept of data processing. AWS claims compliance with e.g. CISPE [1]
which explicitly certifies specific cloud services such as to "Enable(s) data
storage and processing exclusively within the EU". AFAIK this agreement
applies to the transfer of data out of the EU for processing in the US.

Note that not all AWS services are covered by CISPE. It's intentionally only
scoped to low-level IaaS services like EC2/EBS.

[1] https://aws.amazon.com/compliance/cispe/

