
New European, U.S. data transfer pact agreed - Sami_Lehtinen
http://www.reuters.com/article/us-eu-dataprotection-usa-accord-idUSKCN0VB1RN
======
solidangle
Not really, it still needs to be ratified by the member states of the EU (and
even after that citizens in some of the states can start a referendum about
it) and after that it can still be shot down by the European Court. The pact
is so vague about the protection of European citizens that there's a good
chance that the European Court of Justice won't accept it, as they haven't
fixed all of the problems that were in the previous "safe haven" pact.

~~~
M2Ys4U
>Not really, it still needs to be ratified by the member states of the EU (and
even after that citizens in some of the states can start a referendum about
it)

That's not true.

Under the Data Protection Directive the Commission, acting alone, can do this.

Article 25(6):

"The Commission may find, in accordance with the procedure referred to in
Article 31 (2), that a third country ensures an adequate level of protection
within the meaning of paragraph 2 of this Article, by reason of its domestic
law or of the international commitments it has entered into, particularly upon
conclusion of the negotiations referred to in paragraph 5, for the protection
of the private lives and basic freedoms and rights of individuals.

Member States shall take the measures necessary to comply with the
Commission's decision."

>The pact is so vague about the protection of European citizens that there's a
good chance that the European Court of Justice won't accept it

I'd go as far as saying it's almost certain.

~~~
reirob
AFAIU the commission can indeed do it and sadly until now it can be considered
the most powerful institution in EU. At the same time the commission is not a
very democratic institution, because the members and the director of the
commission are not elected by the European population and the acts of the
commission are not subject to much control from other institutions.

If I understood it, the situation got a bit better last years as the
parliament has a bit more power now - but I don't know the mechanics.

Disclaimer: This is only my uninformed understanding as an EU citizen.

~~~
germanier
The Commission needs to be voted in by the European Parliament. They can't
propose a Commission on their own (only the Council can do so, which consists
of the heads of state or government). However, the parliament can vote
against the proposal and has forced candidates out in the past.

It's actually not too different from how governments are elected in many
countries.

------
k-mcgrady
Maybe I'm not understanding this right but it seems like the EU has decided to
trust US government agencies to provide adequate oversight/policing of
Europeans' data usage in the US with only very minimal EU involvement.
Impossible for us to know exactly but that's how it comes across to me in the
article. Seems like it would make more sense for the EU to police this
exclusively or to have their own ombudsman rather than relying on the US one
to be impartial.

~~~
x5n1
American companies don't do that for US citizens, or pretend to comply but
don't do so really. Seriously, Americans don't trust their own government or
any corporation with any data. And they have very good reasons to do so,
because those corporations and the US government will use that data for
anything whatsoever that they feel is protecting whatever laws they have come
up with and instituted. Whether that's for actual criminal activities,
protecting intellectual property, or even protecting American corporate or
economic interests. American corporations will use that data to sell people
more stuff and build as detailed of a profile on them as possible. How a third
party does so is beyond insanity to me. It's not reasonable at all. Period.

~~~
serge2k
> Americans don't trust their own government or any corporation with any
> data

wat?

Americans give so much data to companies.

~~~
progressive_dad
I believe the implication is, "Americans don't trust their own government or
any corporation to abide by their publicly stated policies on how and when
data is collected and used."

------
mtgx
> Strong obligations on companies handling Europeans' personal data and robust
> enforcement: U.S. companies wishing to import personal data from Europe will
> need to commit to robust obligations on how personal data is processed and
> individual rights are guaranteed. The Department of Commerce will monitor
> that companies publish their commitments, which makes them enforceable under
> U.S. law by the U.S. Federal Trade Commission.

[http://europa.eu/rapid/press-release_IP-16-216_en.htm](http://europa.eu/rapid/press-release_IP-16-216_en.htm)

This one reads like a big fat _nothing_. So it's the FTC who will be
monitoring if the US companies treat EU citizens' privacy well? Yeah, what
could possibly go wrong? It's not like the FTC hasn't already been virtually
impotent in punishing privacy violations from US with small fines and "20 year
privacy monitoring", which is about the same as credit rating agencies giving
big banks AAA ratings in 2008.

EDIT: Oh wait, it's actually the Department of Commerce - only the most
corporate-friendly agency in the U.S - the one that will be doing the
monitoring. Lovely.

------
spacefight
So it looks like this needs (from EU perspective) another round of lawsuits to
get this overthrown again - since the oversight by the US DoC is laughable.

~~~
zmanian
Basically the problem with Safe Harbor is Section 702 of the Foreign
Intelligence Surveillance Act and Executive Order 12333. The cumulative effect
is that all non-US persons are legitimate targets of mass surveillance
under US law.

The fix for Safe Harbor was negotiated with Department of Commerce who has no
authority to talk about reforming this policy.

Options were

1. Immediately end the ability of US based digital companies to do business
in Europe

2. Cave completely and have a few months of normalcy before European Commission
kills the deal.

~~~
carboncopy
You have a significant misunderstanding of the mechanics of this treaty, FISA,
and EO12333.

This treaty: it must be ratified by Congress in order for it to be considered
accepted by the EC. Under the U.S. Constitution, this means it would carry the
full force of the law. The Commerce Department wouldn't bear the weight of
enforcement.

FISA §702: limits collection to targeted non-U.S. persons of foreign
intelligence interest at borders (Upstream) and submission of NSLs to U.S.
organizations for data on non-U.S. persons. The Privacy Shield agreement only
prohibits mass surveillance.

EO12333 does not apply since that collection occurs outside of the United
States, and would not be in the jurisdiction of this agreement.

> Department of Commerce who has no authority to talk about reforming this
> policy.

No, this agreement was made at the behest of the Senate Committee on Commerce,
Science, and Transportation [1]. Since this will be ratified by the Senate, it
will carry the full weight of the law.

[1]
[http://www.commerce.senate.gov/public/index.cfm/pressrelease...](http://www.commerce.senate.gov/public/index.cfm/pressreleases?ID=91D1C61B-F5C7-44C4-A8A4-801D2973072E)

------
simfoo
So the U.S. Department of Commerce is to oversee and control compliance to a
directive that would hurt commerce in the U.S.?

Nothing to see here, walk on...

~~~
serge2k
A directive that if not followed would result in damage to US business
interests.

------
icebraining
_" prevent European Union regulators from restricting data transfers by
companies such as Google and Amazon across the Atlantic."_

The regulators wouldn't restrict data transfer - the existing Directive does.
The question is not whether the Data Protection agencies can or not restrict
data transfers, but whether the courts consider that this new agreement allows
companies to comply with the Directive.

------
kefka
Really?

" The word 'password' on a computer screen is magnified with a magnifying
glass in this picture illustration taken in Berlin May 21, 2013. "

Because that somehow represents a data transfer pact between the EC and the
US? I thought that was meant to be a scare-picture of 'hackers'...?

------
DyslexicAtheist
see
[https://news.ycombinator.com/item?id=11020324](https://news.ycombinator.com/item?id=11020324)

and the "European Commission may be issuing a round-trip to Luxembourg":
[http://europe-v-facebook.org/PS_update.pdf](http://europe-v-facebook.org/PS_update.pdf) by @maxschrems

------
heydenberk
Morbidly curious about how Schrems is going to Schrems this one up.

~~~
M2Ys4U
He's already intimated that he could take this back to court

~~~
ionised
I hope he does.

------
wcummings
If this isn't ratified, I think a lot of programmers are about to learn why
free trade agreements are a good thing.

~~~
icebraining
As a programmer, but also a user, I'm very glad that "free" trade agreements
don't override our privacy protection laws.

