Hacker News new | comments | show | ask | jobs | submit login
Complaint filed against Irish subsidiaries of Apple, Facebook (irishtimes.com)
181 points by dnlbyl 1487 days ago | hide | past | web | 44 comments | favorite

Article also mentioned Microsoft, Skype, and Yahoo will be targeted in other countries but there was nothing about Google or Youtube. However, found this on techcrunch:

"Google and YouTube have not been included in this first round of evf complaints being as they have a different corporate structure that does not include European subsidiaries. However it notes they do have datacenters in European countries, which will give evf a route to filing Prism-related data protection complaints against both at a later date."

Forcing these companies to give data has weakened their competitiveness globally.

I am curious to see if the business case against the NSA's power will have an effect. Right now I think things favor the bureaucracy. But if Apple, Google, Facebook, etc. make a broad push against it, we could see legislative changes which protect them.

A likely scenario is something which indemnifies them against any losses incurred as a result of foreign suits related to privacy breaches, so long as they're in accordance with US law.

A likely scenario is something which indemnifies them against any losses incurred as a result of foreign suits related to privacy breaches, so long as they're in accordance with US law.

But that would only work in USA. What if a court in Germany fines Google Germany Ltd €1,000,000, and €100,000 per day until they stop sharing data with the US Gov? Will the US government give Google €1,000,000 to pay off the fine? What if the court in Germany confiscates the Google Germany Ltd's property? Will the US Gov reimbuse Google? What if a court in Germany forces all German ISPs to block Google? Will the US Gov reimburse Google?

Remember this companies (Google/Apple/Microsoft/Facebook/etc.) have local companies, local offices, local property and local employees. They can ignore local law only if they leave the country.

Barring unusual claims of extraterritorial jurisdiction by either the United States or the European Union (or any of its member states), Google and other American tech companies may be able to comply with both US and EU law by handling data on EU users only within the EU, through EU subsidiaries.

Under that arrangement, the EU subsidiaries of US tech companies would not ordinarily be subject to US laws requiring them to hand over data to the NSA, so those subsidiaries could comply with EU privacy laws with no problem; at the same time, EU law would not reach the US parent companies, so they could give all the data to the NSA that they must in compliance with US law.

But because the Obama administration recently expanded the United States' already broad (by international standards) claims of extraterritorial jurisdiction in another matter,† it now looks like the United States might indeed claim the legal power to compel foreign subsidiaries of U.S. tech companies to hand over data they control to the NSA. In that case, those foreign subsidiaries would find themselves in an impossible situation, one in which they would be operating illegally under either EU or US law no matter what they do.

† — See my comment above, at the same level as this one's parent.

This doesn't seem easy for facebook, at least. I live in the USA and regularly read my European friends facebook pages, and they comment on mine. European facebook users can travel to the USA and access their facebook page while here. How could you implement this kind of separation?

I'm not sure claims of extraterritorial jurisdiction by the US really count as unusual in this day and age.

It will become a problem when European countries / organisations start requiring that data cannot be stored or managed at a US datacenter or by a US organisation.

You already see this happening with with datacenter locations...

> It will become a problem when European countries / organisations start requiring that data cannot be stored or managed at a US datacenter

There are already restrictions on exporting personal data outside the EU. This is under the various data protection laws.



I guess the exceptions will be tightened up now, especially if EU consumers press for it.

There is some precedent for how things might unfold in the kerfuffles that have resulted from the U.S. government's attempts to enforce its trade sanctions against countries like Cuba, Iran, and North Korea.

Under the Helms-Burton Act [0], the United States expanded its embargo on trade with Cuba to authorize sanctions against foreign firms that trade with Cuba. Mexico and the European Union responded [1] by forbidding their companies from complying with the U.S. law. This left those firms in the impossible situation of violating either U.S. or domestic law no matter what they did. After abortive attempts to negotiate a solution, nothing was done to resolve the situation, so Mexican and E.U. firms that trade with Cuba are still in a tricky situation.

As another example, the Office of Foreign Assets Control, a bureau of the Treasury Department tasked with enforcing U.S. embargoes, for decades operated under the interpretation that foreign subsidiaries of U.S. corporations were not subject to limits on trade under U.S. sanctions laws so long as no U.S. persons were involved in conducting the banned trade.† But this past February, to strengthen U.S. sanctions against Iran, President Obama issued an executive order [2] that for the first time extended the U.S. government's claimed legal jurisdiction to encompass the actions of foreign subsidiaries of U.S. corporations:

  All property and interests in property that are in the
  United States, that hereafter come within the United States,
  or that are or hereafter come within the possession or
  control of any United States person, INCLUDING ANY FOREIGN
  BRANCH, of the following persons are blocked and may not be
  transferred, paid, exported, withdrawn, or otherwise dealt
  in ... [my emphasis]
Prior to that executive order, there was no indication that the U.S. government, even in matters of national security, claimed that foreign subsidiaries of U.S. corporations must comply with U.S. law. Under that longstanding interpretation, I would not have been surprised to see companies like Google make an effort to store foreign users' data in foreign data-centers owned and operated by foreign subsidiaries. That way, the data would not be subject to seizure under FISA (or whatever other authorization the NSA claims), and Google could comply with foreign privacy laws and U.S. law at the same time.

But now, it seems, that may be out the window. It may well be that the U.S. government claims jurisdiction over data held by foreign subsidiaries of U.S. tech companies, in which case those companies will truly be between a rock and a hard place. Unlike the situation with Helms-Burton, however, things will surely come to a head; these major corporations have extensive operations both in the United States and in the E.U., where domestic privacy laws would outlaw compliance with U.S. laws requiring that they turn over data to the NSA.

So this should be fun. ...

† — In this matter and others, the U.S. government claims jurisdiction over U.S. persons—citizens, greencard-holders, and companies incorporated in the United States—no matter where they are in the world.

0. http://en.wikipedia.org/wiki/Helms%E2%80%93Burton_Act

1. http://europa.eu/rapid/press-release_IP-96-732_en.htm

2. http://www.treasury.gov/resource-center/sanctions/Programs/D... [PDF]

companies like Google make an effort to store foreign users' data in foreign data-centers owned and operated by foreign subsidiaries.

Can confirm that while working on the EU rollout for Office 365 a few years ago, this was certainly the case. EU customer data had to stay in Ireland, and there were even rules/debates about how much of the 'metadata' (i.e. to answer "does this user exist?") that could come back to the US.

At the time the reasoning was for EU Privacy Directive and not explicitly based on US law or precedents, but I bet a few realized the alignment and ensured the engineers stayed on this path.

If they were paying taxes in the US then maybe they could feel a little annoyed that the US might cause them business troubles elsewhere.

Instead, they're in that awful predicament where the senators they pay are screwing them, but the government as a representation of the people doesn't care.

Google certainly appears to have at least one European subsidiary (Google UK Limited, Company #03977902) and I'd be pretty surprised if they didn't have subsidiaries in most European countries.

I hope we can finally see big businesses use all their political clout for the public good for once (well, at least indirectly).

The lawsuit targets the Irish subsidiary because that's where the money is. If they move they will probably pay higher taxes. Quite clever!

> The group’s complaint draws on the precedent set in 2006, which found that a mass transfer of data to the US authorities was illegal under EU law... The Swift case was closed when the company moved its data centre from Belgium to Switzerland.

(a) It's not a lawsuit, but a complaint to the Irish Data Protection Commissioner, which is like a type of court. The DPC can force companies to reveal what they hold on people, and can require them to do (or not do) a thing if it breaks Irish data protection law.

(b) Facebook Ireland Ltd (an Irish company) was targetted, not because it's "where the money is", but because if you sign up to Facebook and you're not in the USA or Canada, then you have a legal relationship with Facebook Ireland Ltd, and fall under Irish data protection law.

(cf. section 19 of https://www.facebook.com/legal/terms )

>The DPC can force [Irish] companies to reveal what they hold on people, and can require them to do (or not do) a thing if it breaks Irish data protection law.

>if you sign up to Facebook and you're not in the USA or Canada, then you have a legal relationship with Facebook Ireland Ltd, and fall under Irish data protection law.

Facebook can choose to change this, but they won't because they benefit from the double Irish; because that's "where the money is."

This brings up an interesting issue with multinationals... How do you react when you receive compulsory orders in one country of operation that violates laws of another?

There's a solution to that. Do not store data from a customer from one country, in another region. Actually, the biggest european hosting company, OVH, is doing just that in order to launch in North America, and protect its European, Canadian, and USA customers: http://translate.google.com/translate?sl=auto&tl=en&js=n&pre...

Well this is going to be interesting. And don't forget guys this is the EU we're talking about not US. It is a lot more difficult for companies to make changes in their favor since every country has its on system and it's own ways. Just the amount of paper pushers in Europe is exponentially higher. Makes "convincing" any one of them less effective due to their limited power.

Not really. The thing is, people in Europe want privacy, and will go to great lengths to retain it.

It's going to come down to what kind of business the Irish company carries out on behalf of the parent company or whether the Irish company is the parent. There are so many ways the relationship could be set up and figuring it all out could take a loooong time. First they have to work that out before they can determine whether they are responsible for following EU law and what laws they are obliged to follow. The Irish company may not have anything to do with data which would pretty much let them off the hook I'm guessing.

Well anyone who signs up to Facebook who's not in USA or Canada is technically signing an agreement with Facebook Ireland Ltd. So, the Irish company is responsible for the data of hundreds of millions of Facebook users.

(cf. section 19 of https://www.facebook.com/legal/terms )

Let me see if I understand this correctly. It's OK for the state to have 120 cameras on each street corner watching your every move (see London), but it's not OK to share your Facebook posts?

Disclaimer: I'm very much against any invasion of privacy, and am only being facetious to point out the obvious, which is that people should stand up for their rights when it becomes obvious, not just when it becomes sensational news

The vast majority of CCTV cameras in the UK are privately owned and have no connection to the state.

The 4 million+ cameras in the UK statistic which has been floating around for about 10 years now was extrapolated from two streets in Wandsworth and was only ever really media bait. If you believed all these statistics the number of cameras in the UK would have dropped by more than half (over the past 10 years), since the last large scale estimate was under 2 million.

Sure, but what if I place a camera on each side of your property (outside the property line) of your house, pointing to the edge of your property, then use your tax dollars to pay employees to watch you on the cameras every time you leave your property? Would you enjoy that? If not, why would you put up with it? It's your state, not the government's state. The government are your employees, not your owners, so you have to decide which rights you want, not just which rights can still be defended by existing laws.

I'm not sure if you're serious here. The UK government doesn't own the vast majority of the cameras in the UK which make up this 'huge' number. The vast majority of CCTV cameras in the UK are not connected to a grand network. The majority of cameras are in small shops / stores and are used to provide evidence for shoplifting or other types of theft. It's the owners choice as to whether they are there or not.

The UK government doesn't employ vast numbers of people to watch the live output of the minority of CCTV cameras they do own. The state owned CCTV is almost never used in a proactive sense. You can probably safely commit most crimes in full view of a CCTV camera in the UK. If someone reports you or you leave obvious evidence of the crime the CCTV tapes will be reviewed.

There is a massive difference between the man power requirements of analysing video footage compared to analysis of text.

There is no right to privacy in public spaces and no expectation thereof either. The only thing those cameras do is replace police officers. Another thing you are also forgetting is that people were aware of those cameras the second they were installed. No secret court bullshit. With personal correspondences on the other hand, people expect the contents of their messages to be entirely private. That secrecy should only be invaded upon within the confines of a morally justifiable law, especially when a foreign agency is doing the invading.

I think you mean there is no reasonable legal expectation of privacy on a public street. I certainly expect that you will not follow me around videotaping me.

People can't follow me around and videotape me, even in a public place. That's stalking or harassment.

But somehow if it's online, done by robots (no less creepy), and at the direction of the government, such laws don't apply.

I don't know about the EU, but in the U.S. your statement is simply not true. Somebody absolutely can follow you around taking photos or videos, as long as you are in a public space and they can come up with any non-malicious excuse (i.e. it's an art project!).

Stalking laws vary state-to-state, but you generally have to prove it is specifically "for the purpose of harassing and intimidating".

See also: paparazzi

See also: http://www.victimsofcrime.org/our-programs/stalking-resource...

> I don't know about the EU, but in the U.S. your statement is simply not true.

Ah, I forgot that we are taking US data protection laws into account when an Austrian group files a complaint against an Irish subsidiary.

E.g. in Germany it is forbidden to take photos in public where people who did not agree to it are the main subject – you can still photograph buildings, scenes etc., just not individual people.

Very late response: this comment thread was a general discussion about privacy, it wasn't specifically about the article.

And a maaku on HN could easily be this maaku on github from California: https://github.com/maaku

And the 'online robots' and 'direction of the government' almost certainly refer to the recent NSA case, which is an American issue.

So, yes, the US data protection laws do seem relevant to the conversation.

Your are in a public space, people can videotape you the same way they can look at you instead of everyone closing their eyes the moment put your feet on a side-walk.

Just look at all the photos you have taken, how many strangers are in them?

Sure, my point is that there is a technical legal argument and then there are social mores. We shouldn't let the legal argument start leading our values.

I invite you to actively start photographing or videotaping some strangers if you think such behavior is entirely within people's expectations.

I thought it was linked from HN somewhere but I can't find it. There are several videos from this guy.


Some of them he is clearly in a school or something, which may not be public. In others he is outside.

I believe this is how you expected people to react?

Edit: found it. https://news.ycombinator.com/item?id=4739152

It gets murky.

I can sue you for using my likeness depending on how you utilize your footage.

You certainly don't have carte blanche to use images of me you took in public.

That's why i said "videotape" not "videotape and sell/distribute it".

But even if you publish it (in Facebook for example) you are protected by some "fair game" clauses, just as you have the right to request that particular photo to be taken down. Either way nothing is absolute and as you said, it gets murky pretty fast.

I will point out that this complaint against Facebook was filed in Ireland with the Irish Data Protection Commissioner, whereas you're talking about a different country, the UK.

Obviously the Austrian student group who filed this lawsuit are total hypocrites based on what the UK does.

Guys, that was sarcasm. I wasn't claiming that the Austrian students are responsible for UK CCTV policy.

I'm sorry but there is a very obvious and clear distinction between these two forms of surveillance. The first monitors public space, the second does not.

To me it is not obvious that "my rights" have been affected by the monitoring of public spaces.

I disagree with the "CCTV everywhere" movement, but I agree that it is preferable to the invasions put forth by the NSA/US Government.

UK is not representative of the whole EU.

especially when it comes to EU-wide things or EU law. UK often implements the mininum, or opts out of parts (e.g. euro)

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | DMCA | Apply to YC | Contact