No matter how many agreements it takes, the US and the EU will ensure that data transfer between the continents is possible. There's too much trade at risk otherwise.
This agreement puts products like Google Analytics back on firm legal footing. Bad luck for Meta that they were the one company singled out for a fine for doing what everyone else was doing in the period between agreements.
I agree with the general idea of what you say, but this is not intended to put anything on a firm legal footing.
As I understand it, EU privacy law is fundamentally incompatible with US spying requirements, both sides know it, neither side cares.
The plan is to make one illegal agreement after another, each giving about 2 years of pseudo-protection until the slow EU legal procedures catch up. Then start anew with the next agreement.
American government agencies are acting within US law when they spy on Europeans. They have legal remit, explicitly, to perform signals intelligence on foreign entities/persons. This is clearly abused in various ways (5EYES), but is also not illegal. It's only illegal for these American agencies to spy on Americans and within the boundaries of the US.
I'm not agreeing with it. I vehemently disagree with current US intelligence policy, and I think 5EYES is a travesty and clearly intended to do an end-run around legal protections for citizens of each of the signatories from their own government. It's clear the US government is acting unethically, but that does not mean their behavior is illegal, and I'm trying to clearly point out the distinction.
There's a lot of Europeans in the comments who mistakenly believe that GDPR applies outside of the EU. It does not. The US is a sovereign nation with its own laws, and it does not have any analogous legal restrictions like GDPR, nor does it have any legal restrictions against the government using its intelligence apparatus against non-Americans.
The GDPR does apply outside the EU; it, like many laws, is extra-territorial.
That doesn't mean the non-EU countries will enforce it, it means that EU countries will enforce it even if the violation of the law happened outside of the EU.
> The GDPR does apply outside the EU, it, like many laws, is extra-territorial.
Extra-territoriality of law is a fantasy, not a reality, unless it's backed by significant soft and hard power. Any country can say their law is extra-territorial all they want, but they have no jurisdictional authority to enforce the law in an extra-territorial way. The extra-territoriality of GDPR has never been tested, but it's pretty clear to me that the EU cannot successfully enforce GDPR against a non-EU entity in the US. It may be able to use soft-power against smaller nations, but not against the US.
If the GDPR needs to extend into the US, it has to be via treaty, which has the same force as federal law, or via analogous federal law in the US. Neither of which exist right now. In fact, the exact opposite exists. The US government has made it pretty clear with the Cloud Act and other laws that the GDPR does not and will not apply to US-based companies operating on the Internet.
The EU is welcome to try to enforce it. In some ways, I would hope it would succeed (I support GDPR privacy rights/goals), however the precedent of extra-territoriality and sovereignty is not small.
In the end, it simply means executives/owners of companies in violation will be unable to travel to/through any EU country. They'll ultimately be put on a list of people subject to arrest on arrival.
The GDPR applies to all EU citizens; so the EU may not always be able to enforce it, but if it can it usually does. So if for example a company infringes EU citizens' rights in the US, the EU courts can (and sometimes do) fine the company if it has a presence in the EU (i.e. it is capable of enforcing it).
My understanding is that it applies to data on people in the Union, and data on all citizens of EU countries whether or not they are physically in the union.
If the entity doing the processing is established in the Union then it applies to all of that entity's processing of personal data, regardless of where that processing takes place or the citizenship of the people whose data is being processed.
Same for entities not established in the Union but in a place where Member State law applies. The example they give in the corresponding recital is in a Member State's diplomatic mission or consular post.
For entities not established in the Union, it says it applies to data subjects who are in the Union in regard to activities related to offering them goods and services or monitoring their behavior, as far as their behavior takes place in the Union.
Sounds about right, but the self-inflicted injuries seem to be US, not EU, made. The fix is straightforward: Stop the US snooping, don't disassemble EU civil rights.
The courts will strike this down as well. I don't see it ever happening as long as the U.S. doesn't change its laws regarding privacy of non US citizens and possibly US citizens as well.
Everyone in my surroundings (yes, anecdotal) is switching more and more to EU alternatives, and only uses US cloud-based software if it can be used on-prem or inside EU datacenters.
I really don't know why the commission keeps floating these agreements in which they don't even try to address the issues raised by the court. At this point, they have zero credibility.
It's a great example of how democracies fail yet again to address a threat from within. They know it to be illegal, yet they keep doing it thanks to immunity from prosecution.
> The deal, known as EU-U.S. Data Privacy Framework, revives transatlantic exchanges underpinning billions' worth of digital trade after the EU's top court struck down two previous agreements over fears of U.S. intelligence agencies' snooping.
Can someone explain to me what trade this underpins? AFAICT it's basically a one way street. Large corporations in the USA get to advertise to citizens of the EU. How does anyone in the EU benefit from this? Or even, how does any large EU corporation benefit from this?
I don't know what - but it says something that Max Schrems was still a law student when he brought on the Irish DPC, The EU Commission and an army of Facebook lawyers and got the Safe Harbor agreement invalidated.
> The European Commission adopted a so-called adequacy decision, recognizing the U.S. as a country with sufficient protection for Europeans’ personal data that's sent there, effectively sealing the agreement.
That’s such a joke. What protections? The only protections I see are in a handful of states like California along with federal regulation for healthcare and payment data.
I wish the EU had applied more pressure to US lawmakers to come up with a national data privacy law similar to GDPR and CCPA.
All of that said, this agreement was inevitable. If data can’t be transferred between the EU and US, I don’t think it’s hyperbole to call that situation an economic disaster. The US and EU have too much commercial intermingling to have the EU actually cut off data movement to US data centers.
> I don’t think it’s hyperbole to call that situation an economic disaster. The US and EU have too much commercial intermingling to have the EU actually cut off data movement to US data centers.
It hasn't been an economic disaster so far, why would it be now?
And it is not that they will seal off datacenters. It just makes US companies liable for handling EU-user data in EU-jurisdiction. If they are caught red-handed exporting data to US, fines will be on the way.
The only beneficiaries from this are FANG (lower costs) and 3-letter US agencies (the info they need at the reach of their hand).
Read between the lines: it means EU got the access gateways to this data, probably for free (until they discover they actually don't have access to all of it).
For instance the DNA database of the EU ppl stored in the US (you know the "where is your ancestry from" DNA stuff from the US, which was actually used by the "services", caught red-handed).
Urban legends say they can "find" somebody who had one of his/her relatives do such DNA sampling.
I guess this is the end of Data Protection now that data can freely flow to the country of the Patriot Act and government agencies that aren't the most trustworthy.
The EU should just drop all Data Protection laws to make it fair, otherwise all they are doing is increasing the advantage of those agencies that play fast and loose with people's data.
The article says "The U.S. government on July 3 said it had fulfilled its requirements under the agreement." But the article detailing that "fulfillment" is behind a paywall. Does anyone know what changes the US made?
It would be encouraging if pressure from the EU actually resulted in improved privacy protections in the US.
The decision from the Commission lists what the US did (linked from the article).[0] Although, I'll admit, I am not great at reading language that verbose.
So, reading section 3.2.1, which details the legal basis for collection under national security purposes, all of it seems to hang on EO 14086, which "replaces Presidential Policy Directive (PPD-28) to a large extent, strengthens the conditions, limitations and safeguards that apply to all signals intelligence activities (i.e. on the basis of FISA and EO 12333), regardless of where they take place, and establishes a new redress mechanism through which these safeguards can be invoked and enforced by individuals (see in more detail recitals 176-194). In doing so, it implements in U.S. law the outcome of the talks that took place between the EU and U.S. following the invalidation of the Commission's adequacy decision on the Privacy Shield by the Court of Justice (see recital 6). It is, therefore, a particularly important element of the legal framework assessed in this Decision."
A short check tells me that any current or future president can revoke an executive order at any time. So, the Commission's decision in regards to FISA (which this is mainly about) hangs on Biden's word that neither he nor one of his successors will change it? Yeah ... I don't see how that's gonna fly with the EUCJ.
(The article also stated it, but I wanted to check in the original documents if that's really all they base their "all is good with FISA now" decision on)
One key issue was that European citizens should have a way to make complaints (it wasn't clear which US agency was responsible and if they'd act), another that intelligence agencies don't get a blank check looking at all data.
If the EU wants to be able to not have to rely on US data they need to have a substantially more business friendly environment for nascent EU startups and heavily subsidize them. Right now the European software market is tiny and almost entirely legacy software.
I'm aware of the Marshall plan. Parent's comment could have been read as "continues to fund the EU" which I don't think is a thing other than the usual, trade, etc.
Thanks for sharing the link to the ECSC, it's been a while since I read about that. I wouldn't say though that the US founded the EU (https://en.wikipedia.org/wiki/European_Union), at least not in the literal sense of the word.
The EU-US data transfer deal is yet another instance of the EU bending over for the US. The US oversteps, the EU retaliates, they negotiate, rinse and repeat. It's frustrating to see the EU continually put trade over privacy and trusting the US not to enforce the Cloud Act.
It's not just about the big names like Google or Meta. What about EU startups? They're left in limbo, unsure of what this means for them or the cost involved with complying with an additional set of rules. The final decision is with the court on a case by case basis, just as before!
Honestly, I doubt this will make any company at ease about EU to US data transfers - there's too much risk & cost for EU companies.
The US is a sovereign nation. US law explicitly allows them to snoop on foreign entities/persons/data.
GDPR doesn't have jurisdiction outside the EU.
I wish it were otherwise, but it is not. The EU isn't a world government, it's a regional government/alliance, somewhat analogous to the US. The US often manipulates other nations into agreeing to pass laws that align to their policy goals globally, but ultimately it's a decision of sovereign nations to pass laws. I don't think the EU wants to call into question the entire concept of sovereignty in a policy conflict with the US, since the US is a hegemony and one of only two global superpowers (and arguably the only one).
The GDPR applies to EU citizens regardless of where they are, and if the EU courts can apply fines (for example the company has a presence in the EU) then the court will probably fine the company.
By EU law there has to be “essentially equivalent protection” in the destination country, so this might as well be clickbait by the EU Commission as FISA 702 is absolutely incompatible with GDPR. One of those two needs to go before CJEU will allow this. This is likely Big Business and Three Letter Agency lobbyism at work, to try to draw out the final break-up of the very one-sided data transfers. It won't stick unless US gives non-US citizens constitutional rights (as if).
cool so in cloudland, Azure can finally face some strong competition as orgs who were only using its crappy stuff solely bc it seemed to be a "safer" bet from an EU regulatory perspective get to do more AWS and GCP now...