
The Safe Harbor ruling stems from an earlier decision by an Irish court - ghosh
https://www.washingtonpost.com/blogs/monkey-cage/wp/2015/10/06/this-privacy-activist-has-just-won-an-enormous-victory-against-u-s-surveillance-heres-how/
======
mtgx
> _Commission negotiators are going to find that their hands are tied by the
> court ruling. They will be simply unable to make concessions that they might
> otherwise be prepared to make, because they cannot ignore a constitutional
> ruling from the European Court of Justice without breaking the law. Any
> further negotiations will take place in the shadow of a potential veto from
> a European court which has staked out a very strong position on the
> fundamental privacy rights of E.U. citizens._

This is what I love most about this. Now the EU Commission needs to start from
a _strict standard_ of privacy imposed by the highest EU Court. The US
government or companies can't lobby their way out of this one anymore. The EC,
at least the previous one, was rather notorious for being easily manipulated
by the US influences (remember ACTA?)

Whether the new EC likes it or not, it will have to start the negotiations for
the new Safe Harbor and Data Protection Directive from the _baseline_ imposed
by the Court. Or risk having the new agreements invalidated as well a year or
two later. I bet they had already made huge concessions on the new Safe Harbor
and Data Protection Directive to the US, but now all of those will have to be
canceled.

Also, the US Congress will now be forced to take action against the FISA
Amendments Act and the Executive Order 12333, as well. That's another way in
which this Safe Harbor "problem" could be fixed from the US side.

~~~
rodgerd
> The US government or companies can't lobby their way out of this one
> anymore.

Sure they can. They can make sure multinational trade agreements treat privacy
laws as unfair trade barriers and allow companies to sue governments for
fictional damages in kangaroo courts.

------
gasull
Bad for startups and the interconnected Internet, but still damage
minimization compared to allowing the NSA dragnet.

The bad consequences are explained very well here:

[http://lucumr.pocoo.org/2015/10/6/end-of-safe-
harbor/](http://lucumr.pocoo.org/2015/10/6/end-of-safe-harbor/)

~~~
a_bonobo
I have a few questions about this:

>In a nutshell: this was the only reason any modern internet service could
keep their primary user data in the United States on services like Amazon EC2
or Heroku.

But shouldn't you be fine if you use EC2 with a European location? (Then you
can approximate by using the instance with the lowest ping to the user)

>The harder part is to figure out which user belongs to which jurisdiction.

Does the climbing website have to do store personal information in the first
place? Does a random user-name like "a_bonobo" count as private data? An
e-mail address? An e-mail address from a throwaway host? Pictures of climbing
walls? What constitutes "personal data" here?

~~~
esseti
For the first question is YES But, to be picky you have to be sure that data
are ALWAYS STORED in the EU boundaries. which Amazon cannot guarantee.

Personal data (and other data) are defined by the EU and probably US. The EU
is EU Directive 95/46/EC (citing from wikipedia) "any information relating to
an identified or identifiable natural person ("data subject"); an identifiable
person is one who can be identified, directly or indirectly, in particular by
reference to an identification number or to one or more factors specific to
his physical, physiological, mental, economic, cultural or social identity;"
(art. 2 a).

~~~
a_bonobo
Thank you for that -

> ALWAYS STORED in the EU boundaries. which Amazon cannot guarantee.

That makes sense, and I fear of what we'd do to enforce this - full data
inspection just to make sure that Amazon doesn't transfer private data to the
US?

>n identifiable person is one who can be identified, directly or indirectly,
in particular by reference to an identification number or to one or more
factors specific to his physical, physiological, mental, economic, cultural or
social identity

So a username like "a_bonobo" wouldn't fall under personal data as it's not
really identifiable (but what if I research bonobos? My username gives a clue
to my job, if that would be my job!). So under gasull's link I think that a
lot of what the climbing community would save isn't directly personal data, as
you don't need much information from your users to run such a site (except if
you want to have Facebook's business model). Or am I wrong? I mean, you can
even identify someone based on their writing patterns.

~~~
esseti
(sorry for the late reply)

You can't guarantee that AWS is doing. You have to belive it. That's why
hospitals & co keep the data in their own servers. And, if in the cloud, they
try to avoid US companies as much as they can.

the username if not directly linked to someone (e.g., not an email) usually
does not fall into personal data. But, since many usernames are reused by
people they may identify the person. This is a a case which, honestly, i would
not know how to deal with. I'll try to get an answer.

------
Intermernet
Something that's confusing me: How will companies like Facebook store inter-
country friendship / chat data? If I'm in the EU and I'm friends with someone
in the US, and we communicate using FB, where does that data live under this
ruling? Do my transmissions to them get stored in an EU data center and their
transmissions to me get stored in a US data center? Or will it be decided on
something else (Who started the conversation, who initiated the friend request
etc.)?

Apart from the political implications of this decision, technically, how will
global "social" companies decide where each piece of data is stored?

Email providers like Gmail will probably just store a copy in each location
(and they can claim fairly accurately that that's a side effect of the
protocols being used) but real-time, centralized communications (FB chat ,
Google Hangouts etc.) seem to already break the logical definitions of a
geographic boundary so I have no idea how the data would be logically
segregated across these boundaries.

Has this been discussed elsewhere? I couldn't find anything with a quick
search, but I'm not sure what terms I should be searching for.

------
DanielBMarkham
I am missing the part where this is a victory against U.S. surveillance. Why
would U.S. surveillance care where the data sits? In fact it'd be much easier
to have the allies pick up the data in their home country -- plus there are
less complications. Hell, I'd call it a win.

Yep, it's a hit on operations for large companies. But it's not the end of the
world. Lots of cash and severe growth mode means they'll just use lawyers to
stall while they do some major re-architecture work over the next few years.
Not a disaster.

The loss is for small/medium U.S. companies -- the kind of companies that go
on to be Facebooks. The kind we need to make the economy grow. They're in a
hell of a mess. They don't have the cash or momentum to weather the storm, and
competitors overseas are now sitting pretty on a more locked-up local market.

As far as I can tell, this article has exactly nothing to do with U.S.
surveillance. In fact, the results of the ruling, if anything, could be said
to have exactly opposite effects of those promised in the headline. (Geesh,
WP)

~~~
mtgx
It's a statement that mass surveillance is illegal and violates European law.
It also hurts American companies, which is _good_ , if it ends up making the
US government change its stance on mass surveillance due to such economic
losses. This also comes right before the TTIP needs to be concluded, and Obama
at least cares dearly about passing that agreement with the EU.

The NSA did all of this mass surveillance because it thought it's "easy" and
there are "no consequences" \- so why not? Now it's learning that there are
consequences to such spying.

------
LoSboccacc
tu quoque washington post?

"Smart judge put Safe Harbor under the right light to be axed by the European
Court"

but then if the whole title contains most the content, what's left on page
views, mright?

And interestingly what that right light was is in another page altogether,
here [http://www.washingtonpost.com/blogs/monkey-
cage/wp/2014/06/2...](http://www.washingtonpost.com/blogs/monkey-
cage/wp/2014/06/20/the-case-that-might-cripple-facebook/)

------
cromwellian
I'm preparing for a big vote down on this one.

I don't understand why this is a blow against U.S. surveillance, isn't it in
fact, the opposite? U.S. law supposedly doesn't allow the NSA to conduct
domestic intercept on US citizens except through "legal" means. There is no
such protection for the NSA monitoring overseas communications. Didn't the NSA
and GCHQ have to get each other to spy on each other's domestic data?

But in a European datacenter, wouldn't the "gloves be off" with respect to NSA
intercept? There wouldn't even be a need for a kangaroo FISA court or NSL.

To me, this all seems like a total break with the spirit of the internet. I
grew up on the internet in the 80s, where we actually imagined it transcending
national concerns and local politics. Remember John Perry Barlow's Cyberspace
Declaration of Independence? ([https://projects.eff.org/~barlow/Declaration-
Final.html](https://projects.eff.org/~barlow/Declaration-Final.html))

The whole point around federated decentralized networking, was common carriage
of data, non-discrimination, and the fact that you could host a server and
serve anyone from all around the world without having to worry about hundreds
of different legal regimes stepping on your toes.

Now it seems we've got the exact opposite of the internet imagined in the 80s
and 90s, free of political interference. Instead, if you set up a server on
the internet these days, you'll have to worry about European "rights to be
forgotten" and privacy laws, Chinese or Russia censorship, Thai insults to the
King, and on and on.

The simplicity of "here's my site/app, if you don't like it, please don't use
it", has been replaced with "please track the geo-ip of your users, make sure
you host copies of your server in the EU, Russia, China, and elsewhere, and
route traffic appropriately. Be ready to comply with 50 different national
internet regulations, some of them contradictory."

The internet of my teen years has become one giant bifurcated mess, and I fear
what was once a kind of global village, will become a nation-by-nation silo.

Sure, there may be very good reasons to want these regulations. But it's not
clear to me that the ends justifies the means. It's not even clear to me that
the state snooping has been as damaging as cyberattacks by criminal gangs
stealing people's data. Every week passwords, credit cards, and other
information is being compromised by hackers and sold on the black market.
Millions of smartphones and PCs are infected with viruses, keyloggers,
backdoors. And yet, all of the focus is on the government snoops.

What's the right to privacy and data protection if your data is forced to be
hosted locally in your nation, but compromised by hackers, and then sold to
governments?

Is the original idea of the internet and web worth preserving, a kind of
autonomous zone, a wild wild west, or do we need to lock it down, and turn it
into national highways with freeway cops and political speed limits?

~~~
empressplay
The NSA doesn't need any sort of court order to access domestic data on non-US
citizens / residents. While it's true that offshoring the data of US citizens
could make it easier for the NSA to access that data, the court case concerns
the ability of the NSA to access data of non-citizens, and while there may be
agreements in place with European countries to facilitate this, at the very
least this forces the NSA to go through those outside channels, rather than
just getting the data directly from say, Facebook.

~~~
cromwellian
But to get data from say, Facebook in the US, the NSA must get a secret court
order. This requires Facebook's cooperation.

To get data from European data centers, the NSA can intercept data from direct
network taps in the ground, under the sea, at peering points. They can
intercept router or server hardware during data center construction and plant
backdoors. In short, they can take all sorts of action that might be illegal
domestically, but which they can't be prosecuted for in the US if done
overseas.

At best, European police/counter-intelligence could catch them in the act and
arrest them as spies. So basically, European data held on domestic US soil has
a greater level of bureaucracy get, compared to say, European data held on
foreign soil, where all bets are off.

Remember the Echelon scares of the 90s? That was the NSA using SIGINT
interception of European cellular traffic with zero oversight or regulation.

My point is, this seems to be solving a non-problem. It makes creating new
companies harder and more expensive, won't actually decrease net
snooping/surveillance, and threatens to silo the internet.

~~~
yardie
You are thinking of the FBI. The FBI gets a court order to look for a specific
subject and it outlines who they are interested (even if it is a John Doe) and
what they are allowed to take. No judge is going to sign off on big data
search. It's going to get punted in court or leaves any case made from it open
to appeal.

There are hundreds of datacentera throughout Europe. The equipment necessary
to do all that would be very visible. And you would need the cooperation of
all the employees to not say anything. You can tap a router or a switch it a
server but a datacentet has thousands of these. You can't tap them all. If you
did your customers would ask questions and the smart ones would be gone in an
hour. We have a disaster recovery plan you know.

American exceptionalism strikes again. How about you read their laws rather
than assume ours are better.

Anyone can listen into the airwaves. It's public property. Now they encrypt
phone calls. They can do all these extra legal things knowing it's not
admissible in court.

You want to do business you follow the law. It's how it's always worked.

~~~
cromwellian
I'm an entrepreneur, I want sensible laws, not laws that open up a hornets net
of regulatory burden.

Almost every new breakthrough startup in recent years did so by breaking
existing conventions and laws. Should Uber or AirBnB not exist because
existing regulatory capture by protected industries?

Besides worrying about being sued by any jackass with a shitty patent and a
lawyer, now you'll have additional regional specific worry. To me that means,
if I was launching a startup today, I'd simply launch it US only.

Don't you love how when music or media services launch in the US, you don't
get to watch them in every country? How Netflix or say, Spotify, are blocked
for certain regions?

Get ready for a lot more of that, a balkanized internet, where a URL or IP
address is no longer a uniform, universal access.

------
dang
We changed the linkbait title to a representative sentence from the article.
If anyone can suggest a better (i.e. accurate and netural) title we can change
it again.

