Bonum Certa Men Certa

EPO and Microsoft Collude to Break the Law -- Part VII: Lipstick on a Pig…

Previous parts:



Safe Harbour pig
The Privacy Shield was derided by its critics as "lipstick on a pig"



Summary: The Schrems II judgment has significant implications for "cloud computing" services

As we saw in the last part, following the invalidation of the Safe Harbour by the CJEU in its "Schrems I" judgment a revised framework for regulating transatlantic exchanges of personal data was pulled out of the hat in the form of the Privacy Shield.



From its very inception the robustness of this arrangement was questioned and it was derided by its critics as "lipstick on a pig".

The hurried manner in which the Privacy Shield was cobbled together meant that it always smacked of being a flaky and legally unsound last minute political compromise between the EU and the Obama Administration.

In the eyes of its critics it was nothing more than a comfort blanket to calm post-NSA revelations nerves among non-US cloud services buyers, rather than a legally sound framework to protect data from intrusive examination by American intelligence services.

"The hurried manner in which the Privacy Shield was cobbled together meant that it always smacked of being a flaky and legally unsound last minute political compromise between the EU and the Obama Administration."The first signs that the revised arrangement might not last very long came in January 2017 during the early days of the Trump Administration when the incoming POTUS signed off on a new Executive Order on "Enhancing Public Safety in the Interior of the U.S."

Among other elements, this Executive Order directed US government agencies to “ensure that their privacy policies exclude persons who are not United States citizens or lawful permanent residents from the protections of the Privacy Act regarding personally identifiable information".

This prompted certain commentators, such as MEP Jan-Philipp Albrecht, to express concerns about the tenability of the Privacy Shield and to call for its suspension pending clarification of the legal implications of Trump's Executive Order.

The European Commission was quick to dismiss these concerns.

Others who remained sceptical about the tenability of the Privacy Shield arrangement confidently - and accurately - predicted that its days were numbered.

"The Schrems II judgment has significant implications for "cloud computing" services."The final nail in the coffin came in 16 July 2020 when the CJEU delivered its judgment in the case of Facebook Ireland Ltd. v. Maximillian Schrems – known as "Schrems II" – which not only invalidated the Privacy Shield agreement but also put other data transfer mechanisms into significant doubt.

The CJEU found that due to the possibility of access to personal data of EU citizens by US authorities, the Privacy Shield infringed EU data protection regulations because it did not provide adequate GDPR‑compliant protection of personal data.

Privacy Shield
The Schrems II judgment has significant implications for "cloud computing" services



The Schrems II judgment has significant implications for "cloud computing" services.

Private companies and public sector bodies have increasingly started to make use of cloud services in recent years and this trend is likely to continue in future. The majority of cloud services are provided by vendors located in the US. The servers for the purchased services are partly located in the US, partly in Europe.

And this is where it gets interesting.

Even if a server is located in the EU, US authorities may access the stored data. This access is possible because of the FISA (Foreign Intelligence Surveillance Act) 702 and the EO (Executive Order) 12.333 which apply to all Electronic Communication Service Providers headquartered in the US.

"The majority of cloud services are provided by vendors located in the US. The servers for the purchased services are partly located in the US, partly in Europe."Merely relocating the data to an EU-based region in these clouds is not sufficient, because the problem is not geographical in nature.

The decisive issue here is that US-owned cloud vendors are subject to US jurisdiction and US legislation can be used to them to hand out customer data to the US government, even if the servers storing that data happen to be located on foreign soil.

USA spying on EU
Even if a server is located in the EU, US authorities may access the stored data via FISA (Foreign Intelligence Surveillance Act) 702 and the EO (Executive Order) 12.333 which apply to all Electronic Communication Service Providers headquartered in the US.



In essence, the Schrems II judgment means that US-based cloud providers such as Google, Amazon Web Services (AWS), and Microsoft Azure cannot be used to store data about European citizens in a GDPR-compliant manner.

In December 2020 it was reported that the Swedish data protection authority had imposed the first GDPR-based fine for lack of adequate protection of sensitive data stored in a US‑based cloud platform after the Schrems II decision.

"In December 2020 it was reported that the Swedish data protection authority had imposed the first GDPR-based fine for lack of adequate protection of sensitive data stored in a US‑based cloud platform after the Schrems II decision."In that case the UmeÃ¥ University in Sweden was fined SEK 550,000 (approx. € 54,000) because it was found to have processed special categories of personal data concerning sexual life and health using storage in a cloud service of a US-based provider, without sufficiently protecting the relevant data.

The Swedish data protection authority referred to the Schrems II judgment and took the stance that per se a data transfer to the US triggers a high risk for personal data because data subjects are limited in protecting and enforcing their privacy rights.

In the next part we take a further look at the fallout from Schrems II in Europe and how the judgment has given new impetus to the discussion about European "data sovereignty".

Recent Techrights' Posts

Imposters Inheriting Institutions
Dealing with the "imposter syndrome"
[Meme] The Ponzi Scheme That Eats Rivals (by Paying Them to Stop Competing)
Why compete when you can bribe and defang antitrust authorities?
In 2006 We Had a Novell Problem and Now We Have Several Novells
Microsoft thorns inside the community
Richard M. Stallman (RMS) Debunks Misconceptions About What Free Software Means and Explains How It Works
Free software means people (including users and developers) exercise control over the program, not the programmers
 
Anniversaries Coming Up
Probably the funnest year of our lives, and definitely the most productive
In Europe, Vista 11 Grew Only 3% (Relative to Other Windows Versions) This Year
That's a huge problem for Microsoft
Google's YouTube Censorship Has Gotten a Lot Worse and Anti-scientific (for Commercial Reasons)
By today's standards, YouTube is not something RMS can (or would) use
Google Appears to Have Broken Every Single Instance of Invidious. It's a Wake-up Call, Please Stop Uploading Videos to YouTube.
Including videos of Free software events
[Meme] Video Uploads Improved
The tools are all in our self-hosted Git repository and the licence is, as usual, AGPLv3
Apple Event as Fine Example of the "IT" Circus
It's not clear if the enemy of Free software is a company like Apple is simply public ignorance that Apple keeps fostering
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Wednesday, September 11, 2024
IRC logs for Wednesday, September 11, 2024
Gemini Links 12/09/2024: Clean Island and VCFMW19
Links for the day
Links 11/09/2024: EPO Patents Tossed Out by Courts, Software Patent Reveals Ford "Tech That Listens to Driver Conversations to Serve Ads"
Links for the day
More "Linux" SEO SPAM, Wrapped Up as Clown Computing, Composed by a "Bullshit Generator" (LLM)
linuxsecurity.com at it again this week
"Linux" and Linux.com Diploma Mill
The front page of Linux.com right now is the usual nonsense
Links 11/09/2024: ROOPHLOCH Report, Small Web Experiences, and Cohost Effectively Dead
Links for the day
Links 11/09/2024: Russia Enters Latvia With Drone, Truth Social Stock Crashes
Links for the day
Certificate Authority Let's Encrypt Has Fallen From 12% in Geminispace to Just 1.2% in Two Years (Capsules Usually Self-Sign Their Certificates)
Don't ask the imposters about security
The "IT Industry" is Full of Imposters (It's a Growing Crisis)
They often manage the companies
Richard Stallman Explains Stochastic Parrots (LLMs)
From his latest talk
The Toys of Today's Kids and Coordination Woes, Not to Mention a Lack of Social Skills
Too much time indoors, too much screen time
Dispelling the Notion That Microsoft is Political Left
Microsoft not only got bailed out (several times) by Donald Trump but also approached him to take over TikTok without paying for it
Linus Torvalds, the Son of a Politician, Tries to Stay Out of Politics (or Political Topics)
"I'm just a geek" has its limits in practice
Richard Stallman Still Deals With Politics
Stallman's gonna Stallman
GAFAM Not Invincible
The US has an election very soon and Microsoft is already bribing candidates for deregulation and favours, based on press reports
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Tuesday, September 10, 2024
IRC logs for Tuesday, September 10, 2024
The Greatest Show on Earth (Buzzwords Circus)
What next? Being denied medical service because you don't have a Facebook account?
Gemini Links 11/09/2024: Happiness, Improvised Nebuliser, and olden Age of Palm OS
Links for the day
Julian Assange's Father Turns 80 and They Show Themselves in Melbourne
Will he be active in Wikileaks soon?
Slow But Ongoing Mass Layoffs at EPO, Estimates That Nearly Half of the FOs Will be Made Redundant Soon
When you cease to care about validity and quality of patents you're granting why bother with humans at all?
[Teaser] EPO Tightening Its Belt
who didn't see this coming?
Are Lawsuits Over EPO Corruption Next?
Why does the mainstream media not cover it?
Europe's Second Largest Institution, the EPO, Exploits Lack of Oversight to Commit Crimes Every Day
Immunity begets impunity, which in turn begets crime
[Video] Richard Stallman's New Talk in Germany Covers What Free Software Means, Why LLMs are "Bullshit", and Lots More (Web3 Summit 2024 Berlin)
Closing Keynote Day 3 - Dr. Richard Stallman - Web3 Summit 2024 Berlin
Transcript of Latest Public Talk by Dr. Richard M. Stallman (RMS), Delivered Last Month at Web3 Summit 2024 Berlin
quick-and-dirty transcription
Links 10/09/2024: Big Brother Awards Germany 2024 and Telling the Unemployed to 'Drive Uber'
Links for the day
Gemini Links 10/09/2024: DUIs and Useless Analytics
Links for the day
The Peril of the Electronic Frontier Foundation (EFF) Illuminates the Dangers of Founders Leaving or Being Forced Out
Whatever you may think they stand for, you risk being fixated on what they originally were and perhaps what their Web sites still say
Difficult Times at Soylent News
We hope that Soylent News will recover from this
New Article in redhat.com: How to Install Microsoft Windows
That's just about as bad as that sounds...
Crimes of the EPO Are Costing Everybody in Europe
Since virtually everyone in Europe is a user of software (almost nobody is a forest dweller like in countries near the equator), this impacts everybody
OSI's Blog is Still 100% Microsoft-Sponsored Attacks on Free/Open Source Software
OSI is a compromised, defunct body. It exists to serve the enemies of its original mission.
A Decade Ago Things Became So Bad at the European Patent Office (EPO) That Staff Jumped Out the Window During Working Hours
Colleagues saw the suicide; the EPO's response wasn't to tackle the causes but to bolt down the windows (like factories in China installing controversial 'suicide nets')
Red Hat is Suing to Protect From Patent Trolls
Why doesn't Red Hat (IBM) also lobby to eliminate all software patents once and for all?
COVID-19 Ushered in Attacks on Human Rights and Things They Said They Had Introduced Temporarily Are Still in Effect/Operation Today
COVID-19 changed a lot of things
Quitting Academia When Its IT Systems Are Dominated by Clowns Who Outsource
It seems like a common trajectory
Why the Free Software Foundation (FSF) Owning or Renting Office Space Mattered
"In the long term, the FSF needs to own its future office space, but then the deadly risk is that the property ownership becomes the end goal rather than software freedom."
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Monday, September 09, 2024
IRC logs for Monday, September 09, 2024
Free Software Foundation (FSF) Probably Has No Choice But to Shut Down Its Office
Net Income -$686,366
Nearly Two Years After Quitting My Job
My colleagues and I were bullied by managers (grievance complaint got filed) who didn't even know what "Linux" was
Terms of Service (TOS) Under Scrutiny - Part XVIII - In Conclusion
Many activities can be done offline without having to sign anything