The Collapse of the US-EU Safe Harbor
The proposals do not address the elephant in the room and the very reason Safe Harbor collapsed: The NSA and the ability of the US government to override any treaty to access any data using secret warrants.
It is that which killed Safe Harbor, and none of the proposals at the end of the article would be immune to that weakness again.
It would remain the case that the proposals made would not be in line with the clear ruling that the European court gave if the US government can continue to override international treaties and their own courts.
Microsoft are at the centre of another case which will really decide how badly EU-US trade is affected:
> Microsoft stands in contempt of court right now for refusing to hand over to US authorities, emails held in its Irish data centre. This case will surely go to the Supreme Court and will be an extremely important determination for the cloud business, and any company or individual using data centre storage. If Microsoft loses, US multinationals will be left scrambling to somehow, legally firewall off their EU-based data centres from US government reach.
— from http://www.irishtimes.com/business/ecj-ruling-on-irish-priva...
At the moment, data can be held within the EU by US companies and it's all ok. If Microsoft is forced to hand over emails stored within the EU to the US government, then all bets are off.
In that future, it may not even be enough to have an EU-based subsidiary of a US company hold data within the EU, since it'll have been shown that the U.S. government can coerce them.
And we like to talk about large companies like Microsoft, Apple, Facebook, Google etc. But they can throw money, lawyers and engineers at this problem. But the thousands of US-based SaaS apps do not have that luxury. Likewise, there are thousands of EU-based small SaaS app that will have everything from their hosting stack, to their bug tracker, to their communications tools taken off them.
I think we'll look back at this and say "That is when the whole house of cards collapsed." The notions of the Internet being "somewhere else" and the rules being coded by the body legislating the person who is accessing it, is untenable. I expect a lot of churn on the privacy, tax, and access (censorship) policies which have grown up over the years.
Consider:
These are all soverign issues. And for anyone who has ever looked at the Internet as a "place" intuitively understands how impractical it is to have the rules be based on that origin of the connection in meat space.* France (and China) trying to impose content restrictions on Google results. [1] * The EU invalidating the safe harbor privacy rules.[2] * The recent invalidation of tax strategies in the Netherlands and Luxembourg. [3]The depth and complexity of this particular confluence of concepts is really staggering. I can not even imagine how you would establish an institution to "rule" the Internet. I might even go so far as to assert it isn't possible. What I fear is that what is possible is the Chinese model where every country has its own "Internet" and your ability to access it from outside, or to leave it from inside, will be governed by some electronic equivalent of a passport. And that idea brings the whole "identity" question really out to the forefront of the discussion.
Very interesting challenges ahead.
[1] http://www.teleread.com/chris-meadows/france-demands-google-...
[2] http://www.natlawreview.com/article/european-court-justice-i...
[3] http://www.thisismoney.co.uk/money/news/article-3062128/Appl...
http://www.wsj.com/articles/googles-tax-setup-faces-french-c...
http://www.reuters.com/article/2015/10/21/us-eu-taxavoidance...
The ECJ was simply responding to a fairly obvious and fundamental problem: your private data IS NOT SAFE in the US. The US government doesn't care and has no intention of changing this, so expect the ECJ's ruling to stand for a long time.
Color me impressed with the no-nonsense and respectful way in which Microsoft tackles this. Looking forward to other tech giants following suit.
The 'privacy is dead' crowd should really take notice of this article.
Site seems down. Copy/paste from google-cache here (too big to submit as a comment): http://pastebin.com/0jLCA65D
Google cache: http://webcache.googleusercontent.com/search?q=cache:0BKIRj9...
I'm getting an Internal Server Error on the original page.
To me the key idea from Brad Smith's post, which I don't neccessarily agree with, was this:
What he really arguing is that EU should not invalidate the Safe Harbor in that it breaks the Internet and Microsoft will provide its customers data access for U.S. and EU governments under "in the most limited circumstances". In that sense, it's not something out of ordinary than what typical Microsoft's position is in this issue. They can certainly do better than that, I.E. throwing away the server side encryption key like Apple does for iOS devices so that they don't have the technical capability to give out user data even if summoned to.Third, there should be an exception to this approach for citizens who move physically across the Atlantic. For example, the U.S. government should be permitted to turn solely to its own courts under U.S. law to obtain data about EU citizens that move to the United States...He makes the issue more complex than necessary for the benefit of his employer. There is no reason why private information needs to move across borders without the express consent of the individual involved. At that point the individual agrees to be bound by the rules of the country where the data is going or no transaction is done.
Let each country have it's own set of rules and have all countries respect those rules for data located in the hosting country.
The idea that each country must be exactly the same and data is by default available for transmission across borders is only to the benefit of multinational companies.
As a small company, stuff like this scares the shit out of me. It would be expensive, but companies like Microsoft can survive things like this. But how can a small company do anything but ignore it?
> Government officials in Washington and Brussels will need to act quickly, and we should all hope that Congress will enact promptly the Judicial Redress Act, so European citizens have appropriate access to American courts.
Well, Microsoft is wrong here to believe that the Judicial Redress Act [1] will be sufficient. The CJEU has required "essentially equivalent" privacy protections for EU citizens as they get in the EU.
The US Privacy Act does not give them that, so this Judicial Redress Act is a hit and a miss.
The US needs to pass a much stronger privacy law that is "at least" as good as the one in the EU, if it wants its companies to continue to get EU citizen data (and I assume it does). It can start by finally reforming the ECPA for the 21st century.
[1] http://judiciary.house.gov/index.cfm/press-releases?id=9455F...
The excuse that the legal rules are obsolete is a red herring.
It depends on the rules.
For example: privacy of communications has no intrinsic dependence on technology. Security of personal data requires the verification of said security (or the commitment to it), etc...
I do not know about this specific law. But just because a law is old does not mean that it is bad. And this is what Microsoft is saying.
After hundreds of years of slavery, it was abolished in the US in a single day. So what? Is this bad?