European Court of Justice invalidates US-EU privacy agreement [pdf] (europa.eu)
15 points by mrleiter 28 days ago | 3 comments

I think this statement is saying that the US surveillance laws grant the US authorities unlimited access to the personal data of non-US citizens being processed in the US, and those surveillance programs do not respect the privacy rights of EU citizens. Which seems fairly obvious...

> In the view of the Court, the limitations on the protection of personal data arising from the domestic law of the United States on the access and use by US public authorities of such data transferred from the European Union to that third country, which the Commission assessed in Decision 2016/1250, are not circumscribed in a way that satisfies requirements that are essentially equivalent to those required under EU law, by the principle of proportionality, in so far as the surveillance programmes based on those provisions are not limited to what is strictly necessary.

> On the basis of the findings made in that decision, the Court pointed out that, in respect of certain surveillance programmes, those provisions do not indicate any limitations on the power they confer to implement those programmes, or the existence of guarantees for potentially targeted non-US persons. The Court adds that, although those provisions lay down requirements with which the US authorities must comply when implementing the surveillance programmes in question, the provisions do not grant data subjects actionable rights before the courts against the US authorities.

This is going to be interesting, as this renders a number of high-profile service providers (Microsoft, Amazon, etc) unsuitable for anything related to personal data in the EU. I suspect there will be multiple attempts at getting a new treaty in place before there are any actual consequences, though.

That interpretation depends heavily on how much trust you place in the regional concept of data processing. AWS claims compliance with e.g. CISPE [1] which explicitly certifies specific cloud services such as EC2 or EBS to "Enable(s) data storage and processing exclusively within the EU". AFAIK this agreement applies to the transfer of data out of the EU for processing in the US.

Note that not all AWS services are covered by CISPE. It's intentionally only scoped to low-level IaaS services like EC2/EBS.

[1] https://aws.amazon.com/compliance/cispe/

