Today, the European Commission adopted its adequacy decision for the EU-U.S. Data Privacy Framework. The decision concludes that the United States ensures an adequate level of protection – comparable to that of the European Union – for personal data transferred from the EU to US companies under the new framework. On the basis of the new adequacy decision, personal data can flow safely from the EU to US companies participating in the Framework, without having to put in place additional data protection safeguards.
In 2020, European Union courts struck down the previous agreement between the EU and the US, the Privacy Shield, as the court stated it did not sufficiently protect EU user data from US government surveillance. This was obviously a big problem for companies like Facebook and Google, and ever since, the two blocks have been trying to come up with a replacement that would allow these companies to continue to operate relatively unscathed. In the meantime, though, several European countries handed out large fines to Amazon and Facebook for not taking proper care of EU user data.
So, what makes this new agreement stricter than the previous one?
The EU-U.S. Data Privacy Framework introduces new binding safeguards to address all the concerns raised by the European Court of Justice, including limiting access to EU data by US intelligence services to what is necessary and proportionate, and establishing a Data Protection Review Court (DPRC), to which EU individuals will have access. The new framework introduces significant improvements compared to the mechanism that existed under the Privacy Shield. For example, if the DPRC finds that data was collected in violation of the new safeguards, it will be able to order the deletion of the data. The new safeguards in the area of government access to data will complement the obligations that US companies importing data from EU will have to subscribe to.
I’m obviously no legal expert so take this with a grain of salt, but this kind of feels like yes, there are additional protections and safeguards, but if (let’s be real here: when) companies like Facebook violate these, don’t worry, EU citizen! You can undertake costly, complex, and long legal proceedings in misty business courts so Facebook or whatever can get fined for an amount that Zuckerberg spends on his interior decorator every week.
The courts struck down the Safe Harbor agreement in 2015, and the aforementioned Privacy Shield in 2020, so we’ll see if this new agreement stands the test of the courts.
I have no issue with this at face value, but…
US government agencies that operate in secret have a bad track record for respecting the constitution. In very rare instances of legal challenges nobody has ever lost their job or gone to prison over violations and lying about the scope of government spy operations. Even federal judges and congressional inquiries keep finding red flags, but nothing changes.
https://apnews.com/article/7d8d9b7e3f4940388e95f8b31e6212e7
The government created a secret court outside of the normal court system to avoid public records and accountability. When US government agencies operate offshore, they don’t even bother getting warrants from their secret court because they view foreign targets as fair game. So while the US might put on a privacy respecting front for the EU, going by the history I am extremely skeptical that a privacy agreement is worth the paper it’s written on. Violations will likely continue as usual and spy agencies will simply continue doing as they always have while denying that they’re doing it and prosecuting whistleblowers as traitors, just like Edward Snowden. It’s terrifying that democratic governments see it fit to give themselves such authoritarian powers over the people.
The good news is that, following the Snowden leaks, private companies have stepped up encryption. The bad news is that many of the companies we trust were complicit and given immunity deals so they wouldn’t be sued or investigated for sharing private data with the government and then lying about it. Ultimately users are free to trust whoever they want with their data, but that trust can be broken. IMHO crypto is a good solution for this, but it’s hard to know which services are using crypto correctly. For example facetime uses “end to end crypto”, which is good, but they also control the keys used for encryption, which means you have to trust them not to use encryption keys they can wiretap.
Alfman,
I agree. Unfortunately some US institutions don’t actually worry about the law too much, and only see it as “mere guidelines”.
A decade ago, Microsoft had a famous case against the Federal Government wrt. to a European user whose data was stored in Ireland. The government argued, since Microsoft was a US company it did not matter neither the subject was not a US citizen, nor the servers were outside of US jurisdiction.
https://cdt.org/insights/microsoft-ireland-case-can-a-us-warrant-compel-a-us-provider-to-disclose-data-stored-abroad/
The solution was Microsoft spinning off datacenter operations in Europe to an external entity, and not owning the physical infrastructure anymore. From operations standpoint this did not change much, except for some accounting / leasing magic.
However it shows how far these things can go.
I would have preferred US Federal Government to adhere to the laws and international cooperation (at least in spirit), and formally ask for this information from Ireland instead of trying to sidestep proper procedure.
I submitted this as a news article, but it hasn’t been posted. Given that it’s related to corporations sharing private data, it might as well be linked here.
https://www.cnn.com/2023/07/12/tech/tax-prep-companies-taxpayer-data-google-meta/index.html
Yes, but they seem to blow this thing out of promotion to get clicks:
The gist of the matter seems to be these tax companies used tracking and/or advertisement cookies on their customer facing web pages, at the same time, encoded personal information in the URLs, which can leak through referrer data.
That is a misuse on their part, not on Google or Meta, which provide advertisement platforms to any website (within certain rules). This would be akin to blaming Westinghouse and LG when some people microwaved metals and burned their home down.
Though, those tax companies should have really avoided third party cookies on sensitive pages. At best, they could have done all their tracking in house within their backends.
sukru,
IMHO the way that advertisers inject javascripts into client pages is fundamentally broken for security and privacy. This model should never be used for advertising, but for better or worse it’s become the norm for users not running a blocker. While we could blame websites for having the ads, I still think ad companies need to shoulder some of the blame for promoting and using insecure scripting models and not doing more to fix it.
Whether facebook or google are actually using using their privileged webpage access to record private data is hard to determine because their scripts are proprietary….I’ve tried looking at what they do, but they are highly obfuscated. Are you aware of any independent audits? I’d be interested in seeing that.
I agree, sensitive services should never use 3rd party trackers. Even when there are no ads, many use google analytics and users are mostly oblivious.