By now you should know about the CJEU ruling on the Privacy Shield (Schrems II). I am going to keep this one short and sweet - I believe the judgment to be more far-reaching than NOYB is explaining on their website. The reasoning is very simple.

To demonstrate this, let's take a look at the questionnaire that NOYB made available for companies.
The first question is:



We can stop right there. The problem is that for every US-based company that isn't working solely with paper and pigeons (and even then) the answer is always YES. Your potential data processor in the USA is going to use Verizon / AT&T / (you name it) for its connectivity, so there will always be a carrier subject to FISA Section 702 somewhere in the path. As the Snowden leaks have clearly shown, telcos are used as an entry vector for mass surveillance. It is irrelevant whether or not your direct counterpart is itself subject to surveillance laws.

Let's continue regardless:


The answer to 5a) is: you can't (quote me on this - I know what I am talking about). There is no way for a company in the US to escape mass surveillance. You would have to build all of your communication channels on zero-knowledge-type protocols, where no intermediary and no US entity served with an order can read the content. Even where such protocols exist for your use case, they are most likely not supported by the other businesses you have to communicate with, or by your remote workforce. You also need to consider other laws, such as export restrictions and anti-money-laundering rules, which also give the US HQ access to a lot of information, sometimes even via a direct data pipe to the EU (a vector that NOYB is forgetting about).

The companies that can confidently answer yes to the above may exist in some niche segments or niche use cases. I hear you say "But we use TLS". That is a naive view: TLS protects data on the wire between two endpoints, and the endpoint that terminates it (your US processor, its CDN or its load balancer) holds the plaintext and is exactly the party a Section 702 directive is served on. It is no protection against a nation-state adversary with the capabilities and funding for mass surveillance by law.

So unless you can demonstrate that every digital communication is "unbreakable" by a nation-state, you are still subjecting EU data subjects to mass surveillance. Even if you are using SCCs as the legal basis for the transfer, unless you communicate via pigeons your SCCs can be challenged and are likely not valid.

In other words, by the end of NOYB's questionnaire you will have understood that realistically you can't use SCCs as a means to legally transfer EU personal data in 99.9% of cases.

So what does that mean for intra-group transfers to the US (example: Apple Ireland to Apple US)? They are unlikely to come to the conclusion that they can't protect the data, and whoever sits on the button in Europe has been chosen to follow the logic of the US HQ (and not just on this issue). Hint: the performance review of EU employees within US companies is always done in the US at some level.

How can you spot that? The privacy notice will somewhere say "You agree that your personal data is shared within the group of companies". That means you agree to the transfer of your data to the US. Want to object? Ask your DPA to enforce that the company can no longer transfer your personal data to the US, and you will see your account closed and your agreement terminated. Why? I don't know any big US company that would be able to offer its service without exchanging personal data (as defined in the GDPR) with the US at this point in time.

Examples:

Mastercard Data Privacy Notice

Amazon Germany - deep into the reference circle between the Data Privacy Notice and the Terms and Conditions


Sigh, we all know how this will work out - we will just pretend we can protect the data adequately in the US. As they say in Germany, "Wo kein Kläger, da kein Richter" (no plaintiff, no judge) - hence: support NOYB with a donation.

In summary: you are given a questionnaire that you will always end up answering negatively if you answer it truthfully and with the known unknowns in mind. I liked the title too much to let go of it. Sue me.


