Bye, bye, Miss American Pie

Oops. Well, not unexpected, but Max Schrems’ case was upheld: the EU courts have supported his view that the Privacy Shield, the replacement for Safe Harbour, is not valid and does not provide the required protection of EU citizens’ data when it is transferred to the USA.

Given that the US Government never really took it seriously (they were supposed to have a permanent Ombudsman in place by 2016 to deal with issues relating to Privacy Shield, they were reprimanded in 2016, 2017, 2018, 2019 and 2020 for not complying with this key term for the validity of Privacy Shield) and FISA Courts, NSLs, the Patriot Act etc. make a mockery of any such agreement anyway - especially given that the US TLAs seem to think that they have jurisdiction in Europe anyway, just because a company happens to have an office in the USA, let alone be headquartered in the USA.

Microsoft is about the only company that has tried to stand up to the US Government over this, but they haven’t had any real success.

Interestingly, I signed up to the birthday offer from Strato last week, 1TB of cloud storage, hosted in Europe for 1€ in the first year (75€ or thereabouts thereafter). Looks like it is time to shift my data from OneDrive and I’ll be looking at setting up my own NextCloud + Email solution, instead of MS365 and Outlook.com. ☹

Edit: for clarification, if an EU citizen’s data is held in the US, the data owner cannot pass that data onto a foreign entity (police, CIA, FBI, another company etc.) without the express written permission of the EU citizen. That means, that either the data owner has to break EU law and face fines and imprisonment (up to 4% of global turnover) or has to refuse a US court subpoena, National Security Letter etc. and face fines and imprisonment in the USA.

And, if I am a company in Europe and I store my data in, say Google Cloud, Azure, AWS etc. and Google, Amazon or Microsoft hand over the data, I am liable under EU law for the data breach.

The US IT and Innovation Foundation (ITIF), meanwhile, complained the ruling was “irresponsible” and would treat the US with a “double standard”.

Well, no, the US Government was irresponsible for not taking Privacy Shield seriously. You can’t lay the blame at the EU court’s door, if your own government has done everything it can to ensure that PS is sabotaged.

Chivot made the point that US laws on government access to personal data were not “unique”, seemingly calling on the EU to reject other countries’ data access laws in the same way.

Idiot. All countries are held to the same standards. The whole point of Privacy Shield was to give US companies a free-pass to transfer data to the US, on the understanding that the US Government would ensure that the data was held to standards equivalent to those in the EU (GDPR etc.). Again, it is the US Government’s failure to follow through on its promises in Privacy Shield that are the problem.

The EU court couldn’t have come to any other conclusion, as long as the US refuses to keep its end of the bargain!

And, it looks like Vera Jourová didn’t tell the truth. SCCs are not valid where US gov by US law gets to see the traffic. So not Facebook etc. For bank transactions, fine.

5 Likes

That’s some catch, that catch-22. The best there is.

1 Like

I’ve had a little different view on the whole thing ever since I started using the Internet back in 1995. It’s a global environment. Accept it or leave it. Please, stop trying to draw borders which you won’t be able to control anyway.

I cannot watch how the EU is blaming other countries, companies, etc. for their own failure. The only result of this is restricting their citizens’ access to the technology. It’s like, “we failed to create it, so you don’t get to use it, either.” Or, “we’ve created a similar solution for you, it’s not as good, but it’s your only choice.” Seriously. Wake up.

1 Like

As an EU citizen, I am happy that the EU has put privacy and the right to decide who can have what data about me at the forefront.

If companies and other countries can’t provide me that control, I won’t use their services or let my data be stored in those countries. I’m all for a single, international Internet, but it should respect the rights of the individual above data collection and greed.

The Germans have 2 words that sum up Google and Facebook, Datenwahn and Sammelwut, data insanity and collection fury.

1 Like

I understand your point, and it’s perfectly legitimate.

I, as an EU citizen, however, feel severely restricted in the way I can access and promote the technology. My point was, let me decide if I wanna pay the price and sell my data in one way or the other. It’s like you said, if the company doesn’t meet my needs, I won’t use their services. But let it be my needs.

In my opinion, it’s a common belief that the Internet is some sort of an unexplored territory, whereas it’s nothing else than a faster way to reach each other. Not much different than a street or a highway. If I’m able to take a flight across the pond, purchase a product, and come back home, why should I not be allowed to do the same over the Internet?

The last part is obviously beyond the scope of the discussion, and the whole subject is much more complex than that, but what I’ve been trying to say is, it’s still me who’s in the captain’s seat, so please, let me navigate the way I find right. The government might or should provide me with some navigation aids, like requiring companies to publish detailed terms of their services, but it’s my responsibility to sail.

Surely, it takes time and effort to become a captain, just as it takes time to get your driver’s license. It also takes time to learn how to navigate the Internet. But I must learn all those skills first. And, as I said in my previous post, I may not go whine to the authorities and blame them for what is my failure. I should ask them for help, not to do things for me.

I’m sorry that I’ve drifted away from the subject but the issue is very important to me.

And that is what I see the EU is doing. They are letting you decide to be the captain of your own boat, not a slave sitting at the oars of someone else’s war galleon.

Well, my point was, I’m not required to board that galleon. It’s not easy, and it’s tempting, but I don’t need to. And when I do board it, then definitely not as a slave.

It’s a difficult situation, because people realized it just before it was too late, that those galleons are the most prominent ships out there, and navigating their little boats between them isn’t a piece of cake, but I might rather take the challenge than pass the steering wheel.

But like I said, I perfectly understand and respect your point of view.

Kinda related. But as someone that lives in the states I wish I had the power to ask companies to delete my data like GDPR gives EU citizens the right to do. Don’t get me wrong, I would let companies like Google keep my data because they provide me with useful services with that data. However there are many companies whose products and services I do not use anymore and I don’t want them to profit by selling my data. I get way too much physical spam mail from companies I have never done business with. I feel some countries do too much, and others don’t do enough. I feel there should be some middle ground. And with the US playing musical chairs with the Presidency every eight years, it is hard for the US to have a consistent line on international relations.

1 Like

Do you remember the Columbia House music service? (They used to mail physical records then CDs then DVDs.) They weren’t actually making their money from the media (at least not on your initial signup where you could get like 14 for $10 or so.) They made their biggest bucks from selling your info. I think it would be great if we could come up with a system that would let us easily make pseudonyms that we could create and destroy with ease. That will never work online though, at least not until we can get everyone switched to IPv6 where you can use a different IP address per second (or even nanosecond really) if you wanted.

2 Likes

That is the other part of GDPR, those companies cannot sell your data without your written consent.

1 Like