[A_Beer_Clinked]

The full ruling is available here: http://www.politico.eu/wp-content/uploads/2015/10/schrems-ju...

These bit jumped out at me: >Furthermore, national security, public interest and law enforcement requirements of the United States prevail over the safe harbour scheme, so that United States undertakings are bound to disregard, without limitation, the protective rules laid down by that scheme where they conflict with such requirements. The United States safe harbour scheme thus enables interference, by United States public authorities, with the fundamental rights of persons, and the Commission decision does not refer either to the existence, in the United States, of rules intended to limit any such interference or to the existence of effective legal protection against the interference.

>This judgment has the consequence that the Irish supervisory authority is required to examine Mr Schrems’ complaint with all due diligence and, at the conclusion of its investigation, is to decide whether, pursuant to the directive, transfer of the data of Facebook’s European subscribers to the United States should be suspended on the ground that that country does not afford an adequate level of protection of personal data.

My reading (not a legal expert) is that data residency is the important bit here. Which in my view is a small step but not sufficient.

[armada651]

I think it means a lot more than just data residency. Without the safe harbor agreement you can no longer avoid EU privacy regulations by storing the data in the US.

This means that a lot of US companies are now exposed to EU privacy regulations where previously they only had to account for US privacy regulations.

The US privacy regulations are no longer considered compatible with the EU privacy regulations. That has much more impact than just data residency.

[cm2187]

What I am curious about is how do we define "doing business in the EU"? If I am american, create a blog stored in the US, and allow users to register an account to comment on the blog, am I doing business in the EU if a EU person creates an account or are my visitors more akin to foreign tourists visiting a US shop in the US and therefore outside the reach of EU regulation?

In the financial sector, the extra-territoriality of US laws has been a problem for decades. Securities issued in the EU, by EU entities and marketed to EU investors end up having some language referring to which US regulation they fall under out of fear that a US person will end up buying it, and the US applying their laws and regulations.

[pjc50]

> In the financial sector, the extra-territoriality of US laws has been a problem for decades.

This is a problem for the internet that has long been present but is increasing: multiple jurisdictions with global reach. Historically the First Amendment has shielded the internet from a lot of attempts to interfere with it, but there's no particular reason why only the US should claim that its laws apply globally. Why not Franco-German laws against Holocaust denial? English libel law? Saudi blasphemy law? Chinese censorship law?

Sooner or later someone's going to find themselves in a Kafkaesque situation where two global jurisdictions demand incompatible things.

[mcv]

> Sooner or later someone's going to find themselves in a Kafkaesque situation where two global jurisdictions demand incompatible things.

That's exactly what we're already talking about here: companies are unable to obey both EU rules concerning privacy, and US laws concerning law enforcement access to data.

And that's basically why borders between internet jurisdictions are now being drawn up.

[pjc50]

The sad thing is that Europe also has laws enabling law enforcement access to data, including (until recently) mandatory retention of certain data by ISPs. All this is about is mass surveillance without due process. All that would be required to fix it is interpreting the Fourth Amendment in the same way as Article 8, and abolishing the whole secret court infrastructure.

> The Court adds that legislation permitting the public authorities to have access on a generalised basis to the content of electronic communications must be regarded as compromising the essence of the fundamental right to respect for private life.

> Likewise, the Court observes that legislation not providing for any possibility for an individual to pursue legal remedies in order to have access to personal data relating to him, or to obtain the rectification or erasure of such data, compromises the essence of the fundamental right to effective judicial protection, the existence of such a possibility being inherent in the existence of the rule of law.

[kuschku]

Actually, data retention was declared illegal several times. No government can force you to do it.

[jarek]

Sooner or later? It's been happening for a while in mapping. http://www.telegraph.co.uk/technology/google/10922595/Reveal... http://qz.com/224821/see-how-borders-change-on-google-maps-d... “Google Maps makes every effort to depict disputed regions and features objectively. ... Where we have local versions, we follow local regulations for naming and borders.”

[overgryphon]

Microsoft was ordered to hand over an Irish citizen's emails stored outside of the US to US government officials in a drug case. The case is still in appeals.

http://bits.blogs.nytimes.com/2014/07/31/judge-rules-that-mi...

[happyscrappy]

It already happened and Google dumped China.

[vetinari]

And now is quietly going back:

http://arstechnica.com/gadgets/2015/09/report-google-will-co...

[lagadu]

In practical terms your blog would be outside the EU jurisdiction so no direct, effective, sanctions could be levied. However if you do take payments, for anything, from within the EU that is where they can hit you; by simply blocking European banks from making payments to you.

[moonchrome]

I'm not a bitcoin guy but this is a scenario where I can see the technology becoming popular/useful. They can theoretically block your service (like China firewall) but that's harder to pull off and sell to public.

For example it could let games circumvent online gambling laws.

[nolok]

> What I am curious about is how do we define "doing business in the EU"? If I am american, create a blog stored in the US, and allow users to register an account to comment on the blog, am I doing business in the EU if a EU person creates an account or are my visitors more akin to foreign tourists visiting a US shop in the US and therefore outside the reach of EU regulation?

De facto, it's when you take money from EU customers and/or have an official office in some EU country.

[cm2187]

so a non profit wouldn't require to follow EU regulations on personal data?

[mattlutze]

To wit, non-profit doesn't mean "doesn't take in money." IIRC, it means that the organization doesn't distribute surplus income (profit) to shareholders.

So, a non-profit that took monies from EU citizens I think would still possibly be affected, unless there's EU laws that make non-profits a different class of business subject do different laws.

[LordKano]

That's a fairly succinct definition.

There are non-profits that make millions of dollars in positive cash flow. All that term means (At least in the US) is that it doesn't ever pay dividends to shareholders.

I'll be intentionally vague because I don't want to stray too far afield but there are some large organization that make a lot of money but are classified as non-profit. They can pay excess revenue as bonuses to directors and executives.

[nolok]

Note that I said "de facto", not "de jure". Nobody would bother suing a non profit that doesn't have EU offices unless you were very large and/or very prominent and/or doing something really nefarious about the data you have. And even then, suing an US company with no EU standing in front of an EU court from an EU citizen complaint is far from easy.

The same reason that if, say, Texas introduce a law that says everyone commenting on a texan website needs to be polite and I post a comment with some name calling, suing me as someone not from Texas nor the US would not be very doable, even though I technically infringe on that law.

[pjc50]

suing me as someone not from Texas nor the US would not be very doable

It's been done: https://blogs.ch.cam.ac.uk/pmr/2010/11/21/english-libels-law...

The libel situation has slightly improved since then.

[rbehrends]

Doing business in the EU should not be relevant (except insofar as it matters for establishing jurisdiction).

The relevant provisions are articles 25 and 26 of the Data Protection Directive [1] and their implementations by the member states.

[1] http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:...

[mtgx]

This is where I think Business Insider is ultimately "wrong", yet it keeps stressing in all related articles how this will create huge bureaucracy.

From what I see in the ruling, it keeps stating "under the directive" (Data Protection Directive).

The current Directive, does indeed give national governments the right to decide how it's implemented. However, the new Directive (or regulation actually, meant to pass this year) will unify the directive for all countries. So I believe this "bureaucracy" issue, at least in regards to having to follow 27 different laws, will not be an issue anymore.

[emn13]

Even the current directive likely doesn't require satisfying all nations separately; since the various schemes are supposed to be compatible (i.e. conceptually safe harbor, though it's not called that, does apply within the EU), if a business hosted its data in one country and served others from there, they'd likely be safe.

There might be some bureaucracy to ensure that you really count as being hosted there (e.g. possibly ensuring that the parent company cannot access said data - which would be problematic for some companies), but AFAIK (IANAL) there's no legal distinction between EU and non-EU companies in this kind of rule.

[mcv]

EU banks also have special rules for US persons. There are special courses on how to properly determine whether someone counts as US person or not. Nobody cares about other countries.

[thfuran]

Isn't the US the only country that taxes the foreign income of its citizens, which would probably require that the banks have some paperwork particular to US citizens with accounts?

[dirkdk]

One of my Dutch banks, a small investment bank, kicked me out because I am on a temp visa in the USA. This means I have to pay taxes here and therefore need to report my Dutch bank accounts with the IRS. They told me the US penalties for not reporting 100 % correctly on my money with them were so outrageous that they preferred to boot me.

[thfuran]

Wait, even as a non-citizen you have to report and pay taxes on income earned outside the US if you earn any income in the US?

[jarek]

Yeah, the special rules for U.S. persons are a result of U.S. forcing banks doing any business in U.S. to apply special rules to U.S. persons. https://en.wikipedia.org/wiki/Foreign_Account_Tax_Compliance...

[jcranmer]

It might not be the only country, but such taxation practice is definitely not the norm.

Unfortunately, there's little chance of normalizing the laws with international custom, since I can already see the attack ads about tax breaks for the wealthy.

[brobinson]

Estonia is the only other country which taxes citizens on foreign-earned income.

[k0htlane]

That's just not true: https://en.wikipedia.org/wiki/International_taxation

A lot of countries tax foreign-earned income, but still US is a outlier along with Eritrea, with taxing foreign income of nonresident citizens.

[ricksplat]

Similar to the Cookie banner, you'll probably have to indicate to your subscribers that their data will be resident outside the EU and will not be subject to the same data protection. Subscriber proceeding will indicate agreement with that.

[nolok]

No, the data protection directives are not something you can opt out of, even if you nicely ask your users with a banner.

Note that the original point of the cookie banner law was not to ban cookies, but to inform users about it and allow users to avoid websites storing information about them. That consequence of that law is terrible and we all know that with the banners everywhere, but at no point was it "cookie are forbidden, but you can bypass it with user approval", it was "cookie are allowed but require approval".

Storing EU citizen data without respecting the data privacy directive is forbidden, period.

[ricksplat]

Actually, the fundamental rule of data protection legislation is that an organisation can store data on its subscribers and can not except in limited legally prescribed instances (e.g. lawful intercept, insurance fraud) share it with another organisation.

The issue at the core of the Schrems case is that Facebook for example is not bound to respect this, or any other fundaments of EU data protection law.

However, if you register with a website that is clearly and overtly outside your data protection jurisdiction then it is "you" who is freely providing that data. Just as you might give personal information over a transatlantic phone call.

The EU has no jurisdiction where the company is not in the EU, and cannot prevent an individual from sending their private information outside the jurisdiction if they want to.

But various of these multinationals such as Facebook are in the EU for various operational reasons and as such the EU does have jurisdiction over them.

[e12e]

Perhaps more relevant to the data retention laws, would be a site sharing passport numbers, names and addresses of EU citizens, perhaps collected at stays at motels/hotels across the US? The site might host them for free - but keeping/sharing that data without consent wouldn't be allowed under EU law. The particular example would probably also be illegal according one or more US laws (state or federal) -- but I think it is still more interesting than the rather silly things people get hung up on?

[gsnedders]

If it's a US organisation (and not a multinational like FB), with data collected in the US, the Data Protection Directive does not apply. The fact it's merely EU citizens is irrelevant.

[richmarr]

> Without the safe harbor agreement you can no longer avoid EU privacy regulations by storing the data in the US.

Maybe I'm missing something here.

My understanding is that the Safe Harbour agreement wasn't a mechanism for US companies to avoid EU data protection regulations... it was a certification that they did comply with EU data protection (particularly in situations where that data was transmitted outside the EU).

Now it's gone, EU customer data held by US companies will be governed by national data protection laws instead, so may end up having to be stored within the EU.

> The US privacy regulations are no longer considered compatible with the EU privacy regulations

I don't think they ever were, which is why the Safe Harbour needed to exist in the first place.

[flexie]

No, you are more or less right. The general rule is that personal data may only be transferred to organizations in third countries such as the US if they comply with the EU rules on data protection. See chapter IV of the data protection directive: http://eur-lex.europa.eu/legal-content/en/ALL/?uri=CELEX:319...

In order to avoid that each EU member state would have to approve Google, Microsoft etc. one by one, the safe harbour framework was set up to let US companies self certify that they complied with the rules:

"In order to bridge these differences and provide a streamlined and cost-effective means for U.S. organizations to satisfy the Directive’s “adequacy” requirement, the U.S. Department of Commerce in consultation with the European Commission developed a "safe harbor" framework. The U.S.-EU Safe Harbor Framework, which was approved by the EU in 2000, is an important way for U.S. organizations to avoid experiencing interruptions in their business dealings with the EU or facing prosecution by EU member state authorities under EU member state privacy laws. Self-certifying to the U.S.-EU Safe Harbor Framework will ensure that EU organizations know that your organization provides "adequate" privacy protection, as defined by the Directive."

http://www.export.gov/safeharbor/eu/eg_main_018476.asp

That was obviously a broken system, partially because the certified companies didn't live up to the EU standards, partially because the US government violated the rules systematically through CIA, NSA etc.

The fault here is really European as much as American. By relying on the wolf to guard the sheep we very much had it coming.

[WhoBeI]

US privacy regulations where not considered compatible with EU ones before the ruling either.

The agreement was that US companies sign a list with the US Dept. of Commerce that they considered themselves in compliance with EU regulations when handling EU citizen data and that would give legal immunity to them and their subsidiaries in the EU.

This ruling means that EU countries are now allowed to check if they are lying or not.

[throwaway7767]

The end of the article makes it sound like just adding a clause to the terms & conditions saying the user agrees to his data being stored in the US would be enough to bypass this. They just can't assume they have that right under safe harbour.

Hopefully they'll restrict that and require a higher threshold for consent than someone clicking "I agree" to 100 pages of dense legalese.

[7952]

>> require a higher threshold for consent than someone clicking "I agree" to 100 pages of dense legalese.

You could just add it to the cookie permission widget!

[kuschku]

This is going to be funny. Time to sue every website that includes Google Analytics today.

As, obviously, this ruling means no one – not even your website – may give out my data to US entities, including Google. So any type of tracking like that is now illegal.

IANAL.

[lwyr]

That's the press release, which is a good summary, but not the actual judgment. The judgment is available at: http://curia.europa.eu/juris/documents.jsf?num=C-362/14

[junto]

Did anyone else notice the following as a distinct bias?

  Max Schrems, an Austrian lawyer and privacy activist, has 
  done everything he can over the last several years to be a 
  thorn in Facebook’s side. 

My alternative perspective:

  Max Schrems, an Austrian lawyer and privacy activist, has 
  done everything he can over the last several years to protect the
  rights of European citizens whose privacy has been abused and
  invaded by US firms.