1. 46

  2. 6

    Emphasis mine.

    The complaint, which goes back to October 2014, was lodged by Austrian privacy activist Max Schrems. He argued, following the Snowden revelations, that the privacy of European citizens could not be guaranteed if their data was sent to the US, given the evidence of widespread eavesdropping by the country’s National Security Agency (NSA), and the fact that the US legal system only protected the rights of US citizens.

    I mean, following the Snowden revelations, the privacy of US citizens can not be guaranteed. So everyone else is pretty much SOL.

    1. 2

      the privacy of US citizens can not be guaranteed

      This is a US problem though, so EU courts can’t help here. They are trying what they can to protect their own…

      At any rate, as you (maybe?) implied, most intelligence agencies have very little concern for foreign laws and do not seek court(s) approval in such matters. This is more of a civil rights victory for European privacy activists.

    2. 1

      How would that be enforced exactly?

      1. 4

        As I understand it the ruling is “Storing customer data in the US is not compatible with GDPR compliance”, so it would be enforced using the existing GDPR enforcement regime.

        1. 6

          Sure, but where can you store a chat conversation between European and USA citizens?

          1. 4

            In Europe

            1. 3

              On their own devices. Use end-to-end encryption while you still can (but that’s a good question in general)

            2. 2

              The CLOUD Act seems to be removing the distinction between data stored in the USA versus data stored abroad when it comes to US companies. As far as I understand it, the act in a way extends American jurisdiction to every country where the server of an American company is located, so perhaps a more important thing EU states can do in this regard is not entering CLOUD Act agreements with the US at all? I’m only partially trolling.

            3. 0

              Why, by giving EU States complete access to their data feeds, of course.

              I wonder if I’m being paranoid by seeing this as a subtle play for warrantless surveillance?

              1. 11

                I think it’s far more likely that it will be enforced with the possibility of outlandish fines or loss of market access if found to be in violation of the law. That would (roughly) align with how other data privacy regulations are established in the EU.

                A gross expansion of warrantless surveillance seems quite unlikely in the EU, as there is a cultural belief that data about one’s self belongs to one’s self which is in contrast to the American culture where data about one’s self is typically viewed as belonging to whoever collected the data.

                1. 20

                  In case anyone’s wondering what the deal is here: lots of European countries, especially in Eastern and Central Europe, but also some Western European countries (e.g. Germany) have a bit of a… history with indiscriminate data collection and surveillance. Even those of us who are young enough not to have been under some form of special surveillance are nonetheless familiar with the concept, and had our parents or grandparents subjected to it. (And note that the bar for “young enough” is pretty low; I have a friend who was regularly tailed when he was 12). And whereas you had to do something more or less suspicious to be placed under special surveillance (which included things like having bugs planted in your house and phones being tapped), “general” surveillance was pretty much for everyone. You could generally expect that conversations in your workplace, for example, would be listened to and reported. With the added bonus of the fact that recording and surveillance equipment wasn’t as ubiquitous and cheap as it is today, so it was usually reported by informers.

                  Granted, totalitarian authorities beyond the Iron Curtain largely employed state agencies, not private companies for their surveillance operations – at least on their own territory – but that doesn’t mean the very few private enterprises, limited in scope as they were, couldn’t be coopted into any operation. And, of course, the Fascist regimes that flourished in Western Europe for a brief period of time totally partnered with private enterprises if they could. IBM is the notorious example but there were plenty of others.

                  Consequently, lots of people here are extremely suspicious about these things. Those who haven’t already experienced the consequences of indiscriminate surveillance have the cautionary tales of those who did, at least for another 20-30 years. If someone doesn’t express any real concern, it’s often either because a) they don’t realize the scope of data collection, or b) they’ve long come to terms with the idea of surveillance and are content with the fact that any amount of data collection won’t reveal anything suspicious. My parents fall in the latter category – my dad was in the air force so it’s pretty safe to assume that we were under some form of surveillance pretty much all the time. Probably even after the Iron Curtain fell, too, who knows. But most of us, who were very quickly hushed if they said the wrong thing at a family dinner or whatever because “you can’t say things like that when others are listening”, aren’t fans of this stuff at all.

                  Edit: Basically, it’s not just a question of who this data belongs to – it’s a pretty deeply-ingrained belief that collecting large swaths of data is a bad idea. The commercial purpose sort of limits the public response but the only reason why that worked well so far is that, politically, this is a hot potato, so there’s still an overall impression that the primary driving force behind data collection is private enterprise. As soon as there’s some indication that the state might get near that sort of data, tempers start running hot.

                  1. 5

                    For more details on this, Wikipedia’s entry on Stasi, the security service of East Germany, is a great read. Stasi maintained detailed files (on paper!) on millions of East Germans. Files were kept on shelves, and shelves were >100 kilometers(!) long when East Germany fell.

                    It is easy to imagine why Facebook’s data collection reminds people of Stasi files.

                    1. 1

                      There were some amazing stories floating around in 1989 – like, the Stasi were sneaking across the border into the West to buy shredders, because they couldn’t shred the documents fast enough; and the army of older ladies who have been painstakingly reassembling the bags and bags and bags of shredded documents.

                    2. 3

                      To be fair, with powers shifting, companies consolidating, individuals having the same money and thereby power of whole governments, and individual companies or partnering ones not only working in individual sectors anymore and governments outsourcing more and more of their stuff (infrastructure (IT & non IT), security, etc.) and corporations creating pretty much whole towns for their employees and oftentimes families, they overall become more similar to governments, but usually with fewer guarantees by things like constitutions.

                      1. 2

                        Absolutely. There’s been talk of a “minimal state” for decades now, but no talk of a “minimal company”. Between their lack of accountability, the complete lack of transparency, and the steady increase of available funds, I think the leniency we’re granting private enterprises is short-sighted. But that’s a whole other story :).

                  2. 5

                    The US actually claims the right to warrantless surveillance of non-US citizens, through FISA. Additionally, through the CLOUD Act, they claim the right to request personal information from US companies, even if this information is not stored on US soil.

                    Looking at the political side of things, many EU lawmakers are perfectly fine with engaging in a little protectionism for European IT companies, and if EU privacy law makes life difficult for FAANG, that’s perfect. On the other hand, the US is trying to use the world dominance of its IT companies as a way to extend the reach of its justice and surveillance system.

                    Then there are FAANG-paid lobbyists, who keep pushing for treaties that claim the US extends protections to EU citizens’ data, even though it clearly doesn’t. They don’t last long once they get taken to court. This is why some US tech companies, like Salesforce, are now lobbying for a data protection regime in the US - this would be one way to reconcile this difference.

                    This is a trade war, and the victims are smaller US companies that shy away from doing business in the EU.