[governance] NYT: Data Transfer Pact Between U.S. and Europe Is Ruled Invalid

Seth Johnson seth.p.johnson at gmail.com
Wed Oct 7 10:59:43 EDT 2015


A few more comments posted elsewhere by email and on facebook:

(One more helpful sentence on this paragraph)

Note that this is fundamentally different from an international treaty
on rights, which is not so rooted. You don't have fundamental rights
in the international arena. Really. That requires an act of the
people(s) setting limits on their government(s), not an act among
governments. A treaty among governments is essentially "statutory" at
best, meaning the same "legislators" who wrote a human rights treaty
can go ahead and qualify those rights through other treaties. A judge
looking at a human rights treaty and a "war on terror" treaty can't do
strict scrutiny no matter how much the human rights treaty declares
the rights are "fundamental" -- she has to apply a balancing standard
at best, weighing the treaty to fight terror against the treaty on
rights and considering that the treaty-makers intended to qualify the
rights.


(and then:)

[. . .]

It finds that the US has provided its government means for public
authorities to get to the data addressed in the Safe Harbour scheme,
because it doesn't apply to the government and public authorities have
national security and other requirements that prevail over it. It says
for that reason it clearly doesn't provide fundamental rights
protection. It's a rather nice pointing out that the US is using
private parties and the international arena to "launder" surveillance
that the US government would be barred from doing itself under the US
Constitution. They get to make that point rather nicely without
actually examining the Safe Harbour Agreement more "technically," just
by pointing out that the agreement doesn't apply to the US government.

The ruling says EU national authorities can continue to examine the
adequacy of protections despite a Commission ruling that a third party
country's protections are adequate, and it bases that argument on the
need to have recourse to the courts, concluding that the national
authorities must be able to take it to the courts if they question the
Commission's ruling. It then proceeds to examine the Commission's
ruling, saying that the Commission did not actually address whether
the Safe Harbour Agreement protects fundamental rights as they are
provided for under the EU Charter, but rather only examined the Safe
Harbour scheme.

It also says anther very nice thing:

It says that generalized collection of personal data is not limiting
to what is strictly necessary -- which is somewhat similar to finding
that the generalized collection and storage of personal data is not
"narrowly tailored" to a compelling national interest purpose, which
is the kind of formula that would be applied in relation to a
fundamental right (such as that barring unreasonable searches and
seizures) under strict scrutiny in the US. So if we want to say that
mass collection of data violates fundamental rights even though the US
government says it will only do narrow searches on the whole mass of
data, the EU is helpfully almost-saying that that don't cut it. There
are still qualifications in how it's said, but the EU is helping a
bit. smile emoticon

[. . .]

It isn't that Safe Harbour fails to do what it says should happen.
It's actually saying more that the Safe Harbour agreement doesn't do
fundamental rights protections because it carves out a role for the US
government. Which is exactly the kind of legal examination you get
from a court that is rooted in acts of the people(s) limiting their
own governments. (It's also not what you get under international
treaties; we're seeing it here solely because the EU Court bases
fundamental rights in the several EU countries' foundations, not on
more flimsy international treaty bases)

It's really just pointing out exactly how the US is doing its
circumvention of fundamental rights regarding surveillance. Pretty
sweet.


Seth

On Tue, Oct 6, 2015 at 11:17 PM, Seth Johnson <seth.p.johnson at gmail.com> wrote:
> (small clarification below)
>
> On Tue, Oct 6, 2015 at 11:13 PM, Seth Johnson <seth.p.johnson at gmail.com> wrote:
>> Data Transfer Pact Between U.S. and Europe Is Ruled Invalid:
>> http://www.nytimes.com/2015/10/07/technology/european-union-us-data-collection.html
>>
>> Court of Justice Declares Irish Data Protection Commissioner's US Safe
>> Harbour Decision Invalid:
>> http://curia.europa.eu/jcms/upload/docs/application/pdf/2015-10/cp150117en.pdf
>>
>>
>> This is great, because it illustrates how a fundamental rights
>> framework of a sorta-federalized type (in the EU) gives you a real
>> basis for actual recourse -- courts are rooted properly, so, as in
>> this case, they are a check assuring the priority of the people(s)'
>> fundamental rights in relation to the government(s) (the Irish Data
>> Protection Commissioner in this case).  (The EU's Charter of
>> Fundamental Rights, crafted to acknowledge the fundamental rights the
>> people[s] of the EU have claimed for themselves.)
>>
>> Note that this is fundamentally different from an international treaty
>> on rights, which is not so rooted.  You don't have fundamental rights
>> in the international arena.  Really.  That requires an act of the
>> people setting limits on their governments, not among governments.
>
> Correction:
> That requires an act of the people (setting limits on their
> government[s]), not an act among governments.
>
> (That's what gets you a fundamental right "trump card," which is what
> I explain in the next sentence)
>
> (eoi)
>
>>  A
>> treaty among governments is essentially "statutory" at best, meaning
>> the same "legislators" who wrote a human rights treaty can go ahead and
>> qualify those rights through other treaties.
>>
>> Opinion:
>> http://curia.europa.eu/juris/document/document.jsf?text=&docid=168421&doclang=EN
>>
>>
>> Seth
>>
>> On Tue, Oct 6, 2015 at 1:46 PM, Joly MacFie <joly at punkcast.com> wrote:
>>> http://www.nytimes.com/2015/10/07/technology/european-union-us-data-collection.html
>>> Europe’s highest court on Tuesday struck down an international agreement
>>> that allowed companies to move people’s digital data between the European
>>> Union and the United States, leaving the international operations of
>>> companies like Google and Facebook in a sort of legal limbo.
>>>
>>> The ruling, by the European Court of Justice, said the so-called safe harbor
>>> agreement was flawed because it allowed American government authorities to
>>> gain routine access to Europeans’ online information. The court said leaks
>>> from Edward J. Snowden, the former contractor for the National Security
>>> Agency, made it clear that American intelligence agencies had almost
>>> unfettered access to the data, infringing on Europeans’ rights to privacy.
>>>
>>> The court said data protection regulators in each of the European Union’s 28
>>> countries should have oversight over how companies collect and use online
>>> information of their countries’ citizens. Many European countries have
>>> widely varying stances towards privacy.
>>>
>>> Data protection advocates hailed the ruling. Industry executives and trade
>>> groups, though, said the decision left a huge amount of uncertainty for big
>>> companies. They called on the European Commission to complete a new safe
>>> agreement with the United States, a deal that has been negotiated for more
>>> than two years.
>>>
>>> Some European officials and many of the big technology companies, including
>>> Facebook and Microsoft, tried to play down the impact of the ruling, saying
>>> side agreements with the European Union should allow the companies to
>>> continue moving data across borders.
>>>
>>> But some of Europe’s national privacy watchdogs are expected to make it hard
>>> for large companies like Facebook to transfer Europeans’ information
>>> overseas under the current data arrangements. And the ruling appeared to
>>> leave smaller companies with fewer legal resources vulnerable to potential
>>> privacy violations.
>>>
>>> “We can’t assume that anything is now safe,” Brian Hengesbaugh, a privacy
>>> lawyer with Baker & McKenzie in Chicago who helped to negotiate the original
>>> safe harbor agreement. “The ruling is so sweepingly broad that any mechanism
>>> used to transfer data from Europe could be under threat.”
>>>
>>> At issue is the sort of personal data that people create when they post
>>> something on Facebook or other social media; when they do web searches on
>>> Google; or when they order products or buy movies from Amazon or Apple. Such
>>> data is hugely valuable to companies, which use it in a broad range of ways,
>>> including tailoring advertisements to individuals and promoting products or
>>> services based on users’ online activities.
>>>
>>> The data-transfer ruling does not apply solely to tech companies. It also
>>> affects any organization with international operations, such as when a
>>> company has employees in more than one region and needs to transfer payroll
>>> information or allow workers to manage their employee benefits online.
>>>
>>> Frans Timmermans, the first vice president for the European Commission,
>>> which will be charged with carrying out the ruling, tried to ease the
>>> concerns of companies on Tuesday. He said businesses could still move
>>> European data to the United States through other existing treaties.
>>>
>>> He added that the European Commission would work with national privacy
>>> regulators to ensure that the court’s decision was carried out in a uniform
>>> fashion across the entire region.
>>>
>>> “Citizens need robust safeguards,” said Mr. Timmermans. “And companies need
>>> certainty.”
>>>
>>> But it was unclear how bulletproof those treaties would be under the new
>>> ruling, which cannot be appealed and went into effect immediately. Europe’s
>>> privacy watchdogs, for example, remain divided over how to police American
>>> tech companies.
>>>
>>> France and Germany, where companies like Facebook and Google have huge
>>> numbers of users and have already been subject to other privacy rulings, are
>>> among the countries that have sought more aggressive protections for their
>>> citizens’ personal data. Britain and Ireland, among others, have been
>>> supportive of Safe Harbor, and many large American tech companies have set
>>> up overseas headquarters in Ireland.
>>>
>>> “For those who are willing to take on big companies, this ruling will have
>>> empowered them to act,” said Ot van Daalen, a Dutch privacy lawyer at
>>> Project Moore, who has been a vocal advocate for stricter data protection
>>> rules.
>>>
>>> The safe harbor agreement has been in place since 2000, enabling American
>>> tech companies to compile data generated by their European clients in web
>>> searches, social media posts and other online activities.
>>>
>>> Under the deal, more than 4,000 European and American companies had been
>>> expected to treat the information moved outside the European Union with the
>>> same privacy protections the data had inside the region. The United States
>>> government had lobbied aggressively in Brussels in recent months to keep the
>>> agreement in place.
>>>
>>> The United States and the European Union have worked for roughly two years
>>> on a new safe harbor agreement. The court’s ruling now puts pressure on
>>> negotiators to complete an agreement, but it may also complicate matters.
>>>
>>> Any new deal had already been expected to give Europeans greater say over
>>> how their online information is collected, transferred and managed by tech
>>> companies. But the talks have stalled over what type of access to European
>>> data American intelligence agencies should be given, according to several
>>> people with direct knowledge of the matter, who spoke on the condition of
>>> anonymity.
>>>
>>> In addition, legal experts said that even if a new deal is reached, the
>>> court’s decision would would still give the national privacy regulators some
>>> say over the transfer of data.
>>>
>>> Penny Pritzker, the American secretary of commerce, said she was
>>> disappointed about the European court’s decision, adding she would work with
>>> the European Commission to finalize the new safe harbor agreement.In its
>>> ruling, the European court noted that the region’s 500 million citizens did
>>> not have the right to bring legal cases in United States courts if they
>>> believed their privacy had been infringed by American companies or by the
>>> United States government. A bill to provide this legal recourse is being
>>> debated in Congress, though analysts said it was unlikely to become law
>>> before the American elections next year.
>>>
>>> The legal ruling “puts at risk the thriving transatlantic digital economy,”
>>> she said in a statement on Tuesday.
>>>
>>> The lengthy negotiations have highlighted the different approaches to online
>>> data protection. In the United States, privacy is viewed as a consumer
>>> protection issue; in Europe, privacy is almost on a par with such
>>> fundamental rights as freedom of expression. Last year, Europe’s top court
>>> ruled that anyone with connections to the region could ask search engines
>>> like Google to remove links about themselves from online results. European
>>> campaigners said this so-called right to be forgotten ruling would help
>>> protect people’s online privacy, while many in the United States said the
>>> decision would curtail online freedom of speech.
>>>
>>> Those differences became more pronounced after Mr. Snowden revealed how
>>> American and British intelligence agencies had seemingly unfettered access
>>> to people’s online activities.
>>>
>>> “The United States safe harbor scheme thus enables interference, by United
>>> States public authorities, with the fundamental rights of persons,” the
>>> judges said in a statement on Tuesday, referring to access to European data
>>> by American intelligence agencies.
>>>
>>> The case reviewed by the European Court of Justice related to a complaint
>>> brought by Max Schrems, a 27-year-old Austrian graduate student, who argued
>>> that Europeans’ online data was misused when Facebook was said to have
>>> cooperated with the N.S.A.’s Prism program.
>>>
>>> That program is reported to have given the American agency significant
>>> access to data collected by several American tech companies. Facebook denies
>>> that the United States government had unlimited access to its users’ data.
>>>
>>> Mr. Snowden on Tuesday, after the court ruling, posted a message on Twitter
>>> praising Mr. Schrems: ‘‘Congratulations, @maxschrems. You’ve changed the
>>> world for the better.’’
>>>
>>> In a statement on Tuesday, Mr. Schrems, who is pursuing a separate civil
>>> class-action lawsuit against Facebook in an Austrian court, praised the
>>> decision.
>>>
>>> “Governments and businesses cannot simply ignore our fundamental right to
>>> privacy,” he said, “but must abide by the law and enforce it.”
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>> --
>>> ---------------------------------------------------------------
>>> Joly MacFie  218 565 9365 Skype:punkcast
>>> --------------------------------------------------------------
>>> -
>>>
>>>
>>> _______________________________________________
>>> To manage your ISOC subscriptions or unsubscribe,
>>> please log into the ISOC Member Portal:
>>> https://portal.isoc.org/
>>> Then choose Interests & Subscriptions from the My Account menu.

-------------- next part --------------
____________________________________________________________
You received this message as a subscriber on the list:
     governance at lists.igcaucus.org
To be removed from the list, visit:
     http://www.igcaucus.org/unsubscribing

For all other list information and functions, see:
     http://lists.igcaucus.org/info/governance
To edit your profile and to find the IGC's charter, see:
     http://www.igcaucus.org/

Translate this email: http://translate.google.com/translate_t


More information about the Governance mailing list