Comments on EU Law Analysis: The party’s over: EU data protection law after the Schrems Safe Harbour judgment
Feed author: Steve Peers; last updated 2024-03-29 04:53 -07:00

Daniel Armak (2015-10-23 04:37 -07:00):
@Anonymous: if the encryption key is never transmitted to the countries where the data is, then there is no practical benefit from transmitting the data aside from backup. (Homomorphic encryption isn't as powerful as we might wish.) Why would a big company want to store data about EU nationals on US servers if those servers could never decrypt the data and were simple storage systems?

On the other hand, if the encryption key is ever transmitted to where the data is, we're back to the original problems since local authorities could access the key (and then the data) in ways that contradict EU privacy rules.

Anonymous (2015-10-22 20:47 -07:00):
Wouldn't transfers of personal data under the model clauses still be legal if the personal data was (effectively) encrypted both "in motion" and "at rest"? That would appear to negate the mass surveillance?

Steve Peers (2015-10-19 04:10 -07:00):
Indeed. I notice that they give no legal reasoning for their opinion. Technically the CJEU has not invalidated model clauses in the Schrems judgment because they were not the subject-matter of the judgment, but the point is that it is hard to distinguish them from Safe Harbour as regards the question of adequate guarantees. So while companies might wish to rely on them because they are currently valid, I think there is a reasonable chance that they would be ruled invalid if the case arose.

Anonymous (2015-10-19 03:55 -07:00):
Thanks. I notice that the Article 29 Working Group has taken a position that is directly counter to yours, in that it explicitly says that transfers using the Model Clauses remain valid. See http://ec.europa.eu/justice/data-protection/article-29/press-material/press-release/art29_press_material/2015/20151016_wp29_statement_on_schrems_judgement.pdf

Steve Peers (2015-10-16 09:14 -07:00):
Thanks for this. This is equally as flawed as the Amazon position, for exactly the same reason.

Anonymous (2015-10-16 08:47 -07:00):
Google have been sending out something similar, also based on the idea that 'everything is fine so long as you use the model clauses' as of yesterday:

"European Safe Harbor ruling update and Google Apps

Hello Apps Administrator,

Please note that the update below is relevant only if you process personal data and European Data Protection laws apply to that processing. This will often be the case if your business is based in the European Union. If you are unsure whether this applies to you, we suggest you seek advice from legal counsel.

On October 6, 2015, Europe’s highest court declared that the decision of the European Commission regarding the US-EU Safe Harbor framework―one of the legal mechanisms that enables the transfer of personal data from the EU to US companies―is invalid, on the basis that Safe Harbor doesn’t provide an adequate level of protection for personal data originating in the EU.

Through 2015, the European Commission and the US have been negotiating a revised Safe Harbor agreement that should address these concerns, but they were not able to finalize the agreement before the court issued its ruling. Both the Commission and the US have committed to finalizing the revised agreement as soon as possible.

In the meantime, we’d like to reassure you that we offer a compliance alternative to the Safe Harbor framework and have done so since 2012. Specifically, we offer a data processing amendment and model contract clauses as an additional means―beyond the Safe Harbor framework―of meeting the adequacy and security requirements of the EU Data Protection Directive. Model contract clauses were created specifically by the European Commission to permit the transfer of personal data from Europe.

Many Google Apps customers have already adopted the data processing amendment and model contract clauses. If you have not already done so, we’d like to remind our Google Apps customers to consider opting-in to the data-processing amendment and model contract clauses. Instructions are available in the Help Center.

We are committed to helping our customers address their regulatory compliance needs in this area, and we thank you for entrusting your data to Google.

If you have additional questions, please contact your Google representative or Google Apps Support.

Sincerely,
The Google Apps Team"

Steve Peers (2015-10-15 15:31 -07:00):
Thanks for your question, Daniel. The Article 29 working party is a group of national data protection regulators which issues non-binding opinions. They haven't responded to the Safe Harbour ruling yet, so Amazon is jumping the gun here. More specifically, Amazon is saying it's OK because it's using model contractual clauses. In the fourth last para above I dismiss the possible use of such clauses as a solution, because they can only be used if there are sufficient safeguards, according to the directive. It's obvious from the Court's rulings that it would regard the safeguards as insufficient, at least as long as the NSA could potentially get hold of that data. A national data protection authority has already endorsed this view, see: https://castlebridge.ie/news/2015/10/14/schleswig-holstein-model-clauses-ist-kaput-update-1

Daniel Armak (2015-10-15 11:19 -07:00):
Amazon released a response to this ruling, which claims they are exempt:

> we’d like to confirm for customers and partners that they can continue to use AWS to transfer their customer content from the EEA to the US, without altering workloads, and in compliance with EU law. This is possible because AWS has already obtained approval from EU data protection authorities (known as the Article 29 Working Party)

What does that mean?

Link: https://blogs.aws.amazon.com/security/post/Tx3QAALRNBIK9K1/Customer-Update-AWS-and-EU-Safe-Harbor

Steve Peers (2015-10-14 05:14 -07:00):
Thanks for informing me, I have heard this from several other sources too. (Have you tried linking with another domain link, ie .be or .fr?). FB have also twice removed the link to this blog post from the blog FB page. As far as I can see, this only relates to this particular post, not any others. You might very well think this is suspicious; I couldn't possibly comment..

Anonymous (2015-10-14 04:54 -07:00):
Facebook does not allow me to post this page.

"You can't post this because it has a blocked link

The content you're trying to share includes a link that our security systems detected to be unsafe:

http://eulawanalysis.blogspot.com/2015/10/the-partys-over-eu-data-protection-law.html

Please remove this link to continue.
If you think you're seeing this by mistake, please let us know."

Steve Peers (2015-10-14 00:52 -07:00):
Thanks for your comments, Joseph. Yes, there will always be the problem of detecting breaches, though it applies in many different contexts. I don't know an easy way to solve it. Secondly, people will have to keep complaining and litigating about care data and other alleged breaches of data protection law. It's now clear enough from CJEU case law that the law is much stricter than was previously thought, and the ICO and courts in the UK (and elsewhere) ought to be taking this into account.

Joseph (2015-10-13 15:04 -07:00):
Thanks for providing an interesting and well-thought out piece Steve. Two quick observations: (i) Taking Pieter's point, does the ruling which in effect externalises the costs onto individuals not leave us with the perennial problem of detecting breaches in the first instance? (ii) it seems odd that while we celebrate the striking down of the Commission's Decision, we seem almost powerless when it comes to Care.data and not dissimilar marginalisation of our fundamental rights.

Steve Peers (2015-10-08 08:06 -07:00):
Thanks, Paul. A 'Spookie' notice could perhaps work, but only if the full extent of the programme is clear - and the US is saying that the Advocate-General's conclusions were unfounded: http://www.euractiv.com/sections/infosociety/us-slams-ecj-advisors-safe-harbour-opinion-318042

Steve Peers (2015-10-08 08:02 -07:00):
Thanks for your comments, Pieter. The Directive requires 'unambiguous' consent for the derogation re transfers of data despite inadequate protection in third countries to apply. I think this means that the risks must be specified to some extent. Also I have trouble seeing how separate data centres could work for those with Facebook friends etc in the USA - there would have to be some data processing there in that case. Would the PRISM programme extend even to payroll data and all companies' marketing data? Hard to know when the US says that the allegations are inaccurate anyway.

Pieter Cleppe (2015-10-08 06:09 -07:00):
In terms of consent, one could argue that signing up to Facebook means one is prepared to take certain risks.

Just for those who think this ruling is a bad thing for Facebook, Ben Wright makes clear it may actually be a good thing, as the "big boys", like Facebook, can afford the extra requirements:
"Certainly consumers may end up paying a price for the ECJ ruling. The largest digital companies will be able to afford to set up data centres and, potentially, separate operations in Europe. However, without “safe harbour”, it will take longer for smaller companies and start-ups to spread across the pond. It could also hit companies doing things as mundane as transferring payroll data or information for marketing campaigns. The political ramifications could spread even wider; the already fraught negotiations on the US-EU trade pact will now be fraughter still."

http://www.telegraph.co.uk/finance/newsbysector/mediatechnologyandtelecoms/digital-media/11915673/Do-you-want-free-Facebook-or-a-say-in-where-your-personal-data-is-stored-its-unlikely-you-will-have-both.html

Paul Magrath (2015-10-08 01:21 -07:00):
Thanks for useful analysis. I suspect we are looking down the barrel of a Spookie notice on every website that permits data surveillance, like a cookie notice, requiring user waiver of privacy rights as condition of active use (eg to post a comment).