
Trump order strips privacy rights from non-U.S. citizens - iamflimflam1
https://techcrunch.com/2017/01/26/trump-order-strips-privacy-rights-from-non-u-s-citizens-could-nix-eu-us-data-flows/
======
jinushaun
The EC has already gone on record saying that this EO does not apply to the
Privacy Shield.

[https://www.theregister.co.uk/2017/01/26/trump_blows_up_tran...](https://www.theregister.co.uk/2017/01/26/trump_blows_up_transatlantic_privacy_shield/)

One of the provisions for the EU to agree to the Shield was that the Privacy
Act would be extended to citizens of the EU plus certain non-EU European
countries. The Shield and the Privacy Act extension goes into effect Feb 1.

That said, I don't think this executive order will alleviate the concerns of
ordinary European consumers giving American internet companies

------
FullMtlAlcoholc
>Except in many ways the EU was conceived by US planners to eliminate popular
control and provide a negotiating partner for the US that could be dealt with
as a whole.

Not exactly true. The EU was logical evolution of the common European trading
bloc. One of the conditions of the Marshall Plan was that European nations had
to xome together to receive aid and xould not deal with the US on a nation by
nation basis... in order to foster cooperation and not repeat the horror of
constant warfare that plagued the European continent for 1000+ years

------
aaossa
What will happen with non-EU citizens? I'm from south america. How does this
affect me?

Thanks!

------
PythonicAlpha
The so called "Privacy Shield" was from the start just a renaming of the
previous existing contract between the US and the EU. Thus it did not protect
anything more than it was protected before.

Until the EU stops to make such "show politics" for the masses, nothing will
change and we will get such contracts that essentially have no effect at all.

------
kderbe
The article has been updated:

 _The spokeswoman has now sent us a statement in which the EC asserts that
Privacy Shield “does not rely on the protections under the U.S. Privacy Act”._

Since the impetus for this article was an executive order[0] regarding the
Privacy Act, it seems that there's no immediate need for concern.

[0] _Privacy Act. Agencies shall, to the extent consistent with applicable
law, ensure that their privacy policies exclude persons who are not United
States citizens or lawful permanent residents from the protections of the
Privacy Act regarding personally identifiable information._

------
punnerud
Is there any good alternatives to Gmail? Self hosted or hosted is EU, both
works

------
mtgx
The original TechCrunch article was wrong, and they updated it with the
statement from the EU Commission that tells them it was wrong.

There's a law now called the Judicial Redress Act, and it passed as a
compromise made to the EU before enabling the Privacy Shield data-sharing deal
between the EU and the US.

I still don't think it goes far enough, because I don't think the US Privacy
Act gives "essentially the same protections" as the EU privacy laws do (per
CJEU requirement), but at least it gives non-U.S. citizens the same
protections Americans have.

So this executive order means nothing. The administration may act as if it
does, but if sued, it can be ruled unconstitutional/invalid.

I guess this could be a problem if Trump continues to sign multiple
unconstitutional executive orders every day for the rest of his term. There
are only so many lawsuits people can start against his administration, so many
of the unconstitutional executive orders may get ignored.

~~~
coldcode
The problem lies in tossing new demands out every day, how is any agency even
supposed to understand how they apply to their policies? Mass confusion might
be great in campaigns but it isn't very useful for governing a country. When
it may or may not affect interactions with foreign countries, lots of mistakes
will happen, and often those lead to wars, both economic and otherwise.

------
tzs
Based on the European Commission's guide to Privacy Shield document, it does
not appear that Trump's order affects it.

Privacy Shield sets requirements for how US _companies_ must deal with
personal data that they transfer from the EU to the US. These requirements
are:

1\. The company must inform you about:

\- the types of personal data it processes,

\- the reasons is processes personal data,

\- if it intends to transfer your data to another company and why,

\- your right to ask for access to your personal data,

\- your opt-out right to having the data used in a way "materially different"
or disclosed to another company,

\- how to contact the company if you have a complaint about the use of your
data,

\- the dispute resolution body in the EU or US where you can bring a
complaint,

\- the US government agency that is responsible for investigating and
enforcing these obligations,

\- the possibility that the company may have to respond to lawful requests
from US public authorities to disclose information about you.

2\. If the company wants to use your personal data for a different purpose
than the one for which it was originally collected or has been subsequently
authorized by you:

\- this is not allowed if the new purpose is incompatible with the original
purpose,

\- if the new purpose is different but related to the original, they may only
do so if you do not object (but in the case of "sensitive data" you have to
actually consent).

\- if the new different purpose is close enough to not be considered
"materially different" the use is permitted.

3\. They should only receive and process personal data to the extend that is
relevant for the purpose of processing, and only keep it as long as necessary
for this, with some exceptions allowing longer keeping for the public
interest, journalism, literature and art, scientific or historical research,
or statistical analysis.

4\. The company must secure the data.

5\. Protect the data if transferred to another company.

6\. Provide you with access to your data and a way to request corrections.

Trump's order says that _agencies_ , which means Federal government agencies,
have to exclude from their privacy policies people who are not US citizens and
not lawful permanent residents.

These agency privacy policies were not covered under Privacy Shield, and so
this change to them appears to be irrelevant to Privacy Shield. It doesn't
change the obligations of _companies_ under Privacy Shield.

Note that I'm basing this analysis on a document written by the EU to explain
Privacy Shield to ordinary citizens. It is possible that there are subtleties
or complexities that they left out of that document that may be relevant.

~~~
mtgx
I'm not sure how accurate that is that it doesn't affect agencies at all. The
whole reason the old Safe Harbor deal fell at the CJEU was because of
Snowden's documents and accusations that US is indiscriminately accessing
European's data through companies.

------
phantom_oracle
I'm seeing a lot of talk from Europeans about how they need European
competitors to US companies to protect their data.

The question I have to ask is:

 _What makes you think your European competitor company won 't start doing the
data-harvesting and privacy-invading methods that their US counterparts do ?_

Your answer might be: European laws and regulation

But then, just like in the US with GooFace, your European competitor will
setup their lobby groups and get their preferred candidates into Europe-
governance

~~~
mickronome
They (lobbyist) will obviously try, if they will succeed is up to the people
of the EU countries, nothing is a given. So far the right to privacy is strong
is several countries, others less so. But lobbyists appear to have a somewhat
hard time to influence the entirety of EU, maybe with the exception of
agriculture.

------
robk
At this point I can't take any Trump news seriously. Everything is "could" or
"might". I can't even tell what's real and who's just working their Trump
derangement out.

~~~
Broken_Hippo
I do understand to a point: Sometimes I can't actually tell the difference
between a piece of _actual_ trump news and satire - and this isn't a new
thing. I get the feeling Trump is playing the country like he'd play an
audience for a drama, complete with cliffhangers and reveals and plot twists.

Not to mention it all seems so very _surreal_.

And the truth is that I find this frightening. I don't want government to
mimic entertainment.

Some of the stuff _should_ be verifiable at this point: If he's signing
executive orders, surely there are copies. Not that we'd be able to see all of
them, since I'm sure some are classified. This article seems to be speculation
and worries based on something somewhat verifiable. And it is stuff like this
that somewhat helps me keep some sort of grasp on things, as much as possible.

~~~
patrickk
> Some of the stuff should be verifiable at this point: If he's signing
> executive orders, surely there are copies.

In this instance the second word in the Techcrunch article literally links to
the executive order text, hosted on whitehouse.gov:

[https://www.whitehouse.gov/the-press-
office/2017/01/25/presi...](https://www.whitehouse.gov/the-press-
office/2017/01/25/presidential-executive-order-enhancing-public-safety-
interior-united)

------
tobias3
My fear is that this gives the EU commision a justified target (US tech
companies) when they look for something to bargain with once Trump fires first
shots at EU (German) car companies (which he will).

A EU directive could look something like:

* EU citizen data must not leave the EU to the US since EU citizen privacy is not respected there

* If US tech companies are not able to segregate data (difficult for small tech companies and e.g. Facebook) they will be blocked

And there we have it. The balkanization of the (western world) Internet.

~~~
mike-cardwell
This doesn't seem like a bad thing to me. I think countries in the EU are
being incredibly stupid by allowing a foreign nation to maintain databases of
pretty much all of their citizens movements, conversations, plans, history and
relationships.

~~~
Udo
Yes, each country having its own internet is bad. When I'm as a European are
prohibited by law to talk to an American because I might transmit personally-
identifiable information, and you as an American are prohibited from talking
to me because you can't exchange data with a foreign entity that has not been
totally scrutinized by your government, that's bad.

I believe most big companies already want this, they're just waiting for an
excuse to pull the trigger. The big web companies already segregate people by
origin IP address, serving them different content. In many cases, GeoIP even
has precedence over the language settings in your user account when logged in.
Totally separating each country or region, imposing new pricing schemes and
locally-maximized restrictions on content, and preventing people from
exchanging information across borders sounds like an absolute corporate utopia
to me.

~~~
mike-cardwell
I don't feel like you addressed my concern. Which is a foreign nation having a
database of my nations citizens movements, conversations, plans, history and
relationships.

Apparently you don't see as that leading to any problems?

~~~
Udo
> Apparently you don't see as that leading to any problems?

That's not exactly a charitable assumption, and it's also untrue. First of
all, that database is already in American hands. Don't for a second assume
those "equivalent privacy" rules _actually_ apply behind the scenes. It should
be perfectly obvious how these rules cannot possibly be honored even in
principle. What's prompting the supposed withdrawal from the data exchange
agreement now is not how data is treated in _practice_ , it's merely the loss
of an already-weak public _declaration_ that provided plausible deniability up
to this point.

So yeah, I see problems from in every corner of this thing, but arguing for a
balkanized internet is not the solution either. For starters I don't quite
like the fact that my government feels the need to treat me like a child by
preventing me from sharing information on Facebook under the pretense of
"protecting" me, but then turns around and exchanges all the official data it
has on me with the American intelligence community anyway.

When it seems like every move is about shafting the private citizen, the
problem needs to be addressed on another layer. Plunging the world into a new
information dark age is not a price I'm willing to pay.

------
Beltiras
I am actually the Lead Developer at a medical device company making software
that manages patient data from EU citizens. Our answer to this is really easy:
Do not host anything in the US. We intend to use AWS. Frankfurt will do just
fine, even if it is a bit more expensive.

~~~
onli
Medical data and AWS? Urks. If you host with an US-company, your data is no
more secure then if they were physically in the US. Not if preventions of
overreach like Privacy Shield (which was mostly a joke anyway) are dismantled.

Get a EU data-provider!

~~~
Beltiras
AWS is 27001 and 27018 compliant:
[https://aws.amazon.com/compliance/iso-27001-faqs/](https://aws.amazon.com/compliance/iso-27001-faqs/)

~~~
grabeh
Onli is talking about the potential for US authorities to order US companies
to disclose information hosted by them regardless of the location of their
services, not the actual security of the data. The issue of US companies being
compelled to disclose is the subject of ongoing litigation between Microsoft
and the US. I believe the Supreme Court will hear arguments this year.

Of course if you are encrypting hosted data and AWS has no access to the keys,
then that gives comfort over the disclosure. The relevant authorities/local
authorities would have to come to you for disclosure of the keys and you would
have any protections applicable under local laws...

~~~
Beltiras
That would exclude AWS from an awfully large segment of data hungry
industries. Operating in the EU AWS has to comply with GDPR for at least the
operations they have located in the EU. Frankfurt is safe.

~~~
onli
It is not. See [https://www.extremetech.com/extreme/186302-us-government-
ass...](https://www.extremetech.com/extreme/186302-us-government-asserts-
unilateral-right-to-access-private-data-even-if-its-stored-outside-the-us) for
a popular explanation why.

AWS being excluded from business is exactly what those companies are arguing.

~~~
Beltiras
Still being litigated [1]. Last ruling was for Microsoft's position.

    
    
      [1] https://en.wikipedia.org/wiki/Microsoft_Corporation_v._United_States_of_America

~~~
onli
That's a good caveat. Still: Being litigated means the US is trying to achieve
a state which is explicitly unsafe. Which for me means already that AWS-
Frankfurt is not safe. Especially for something like medical data. The
potential danger is way too big, especially since we know that the US-agencies
will siphon the data anyway, regardless of what the court rules.

Think business: Do you really want to face the media backlash when your
competitor lances the story that the medical data you collect goes directly
into the tiny little hands of Trump, and to the NSA?

~~~
Beltiras
If they are using extra-judicial means to get at the data I have no recourse
anyways. I will have to store it somewhere and a dedicated attacker will
always (eventually) find a vulnerability. The standards I have to implement do
not state that I must keep the data out of the hands of attackers. They state
principles and methods that make it less likely. When the regulators come
knocking after an 'incident' their levying of fines will depend on standards
and regulation compliance, not the leaked documents. You have an unreasonable
expectation of what can be done.

~~~
onli
Not hosting private medical data on a server controlled by a country with no
regard for privacy of those patients is not an unreasonable expectation. It is
a basic requirement for this kind of business. There will come a crackdown on
that kind of malpractice. I hope you reconsidered till then.

------
patrickk
We need to wake the fuck up in the EU and start aggressively building
European-based competitors to US tech companies that actually respect user
privacy. A good area to start would be in the data storage industry, and
perhaps social media too. Obviously, non Silicon Valley based startups face
certain challenges[1], but we should at least _try_. It would arguably benefit
US consumers also, if they could choose products that are designed to compete
on privacy, a good example being Switzerland-based ProtonMail[2] (ok, non-EU
but still).

I wasn't aware of Privacy Shield before now, but after reading a little bit
about it[3], it reads like something that only gives a fig leaf of protection
to EU citizens.

[1] [http://paulgraham.com/america.html](http://paulgraham.com/america.html)

[2] [https://protonmail.com/](https://protonmail.com/)

[3] [http://ec.europa.eu/justice/data-
protection/document/citizen...](http://ec.europa.eu/justice/data-
protection/document/citizens-guide_en.pdf)

~~~
Svip
My hope - perhaps naïvely so - is that President Trump will be the kick in our
complacency that we so desperately need. Even if for all the wrong reasons.
Both in the US and the EU.

~~~
agumonkey
I .. feel the same. Which conflicts me a lot because he's despicable in many
dimensions. But he'll act as the wall(sic) we'll hit to react. He's driven and
polarizing, even in the worst sense of the term.. that's still "coherent
energy".

ps: that said, I can't wait for the U.S to kick him out.. he seems unfit to do
anything.

~~~
raverbashing
Just a note, that's not how you use (sic)

It's usually used when quoting an original statement that's doubtful or
knowingly incorrect

I don't know which term would be more appropriate to use, probably "pun
intended"

~~~
agumonkey
True, but even Wikipedia lists irony as a usage
[https://en.wikipedia.org/wiki/Sic#The_.22ironic_use.22_of_si...](https://en.wikipedia.org/wiki/Sic#The_.22ironic_use.22_of_sic)

~~~
raverbashing
Good, I assume that was the writer's intention then

