> but it illustrates the depth of legal uncertainty that exists in architecting software systems in Europe that process personal information.
Oh I agree with that. EC's behaviour in that case is appalling.
> Corporations can't necessarily trust the EC's own interpretations of their own laws
There is a way to be safe with regards to EU law, and it's to engineer systems where European data stays in Europe. Of course, the issue is that corporations would then be liable under US' FISA 702.
That's the big issue: the United States made a law that basically states that no US company should follow EU law, and the US admin manages to beat EC officials into submission every few years with another flawed agreement to keep the ball rolling.
It's not that easy really. Several European countries have FISA s.702 functional equivalents that enable intelligence to get orders for interception of personal information on servers and entities within their legal jurisdiction. (e.g., The French Law on Intelligence and the German BND Act)
It's easy to say that the US should just scrap s.702, but unless it's reciprocal with Europe scrapping their interception powers as well, that's a pretty unrealistic ask.
> that enable intelligence to get orders for interception of personal information on servers and entities within their legal jurisdiction.
That is common indeed. What's peculiar with US law is that it can mandate companies to move data about people outside of US jurisdiction that is stored outside of US jurisdiction and turn it over to US authorities, even when it violates local law.
Hm. I was aware that French law was kind of awful on this, but never investigated the specifics. As, say, a non-EU person, would I be able to bring suit to a French court (and, if that fails, to the CJEU) regarding foreign-intelligence eavesdropping violating my privacy rights? (AFAIU the US answer is that if I’m a foreigner on foreign soil I don’t have any of those).
Yes, you could bring a suit if you knew about the interception. However, like FISA s.702, intelligence collection warrants under the French LI and German BND are generally secret, so most targets have no knowledge they are under surveillance. All three pieces of legislation have an oversight mechanism in terms of oversight bodies who have access to secret warrants and are supposed to ensure that they are being used appropriately.
Oh I agree with that. EC's behaviour in that case is appalling.
> Corporations can't necessarily trust the EC's own interpretations of their own laws
There is a way to be safe with regards to EU law, and it's to engineer systems where European data stays in Europe. Of course, the issue is that corporations would then be liable under US' FISA 702.
That's the big issue: the United States made a law that basically states that no US company should follow EU law, and the US admin manages to beat EC officials into submission every few years with another flawed agreement to keep the ball rolling.