The Europeans say a new agreement with the U.S. means it’s OK to transfer personal data westwards again. Two previous adequacy decisions had been struck down by the EU’s top court, the CJEU, over the risk of NSA surveillance under FISA §702. But third time’s a charm.
But, while all eyes are on privacy, how can you guarantee the security of user data, given the lousy state of supply chain security? Trusting antiquated app-sec and data-sec practices isn’t enough. And does the agreement mean EU users can sue you if you fail to protect their data from theft?
This time it’ll stick, right? In this week’s Secure Software Blogwatch, we fear it won’t — not if Max Schrems has his way.
Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Crowspiracy.
EU and US try yet again
What’s the craic? Javier Espinoza reports — “EU-US data-sharing deal comes into force”:
“Provided enough safeguards”
[It’s] a move designed to reassure thousands of companies over the transfer of personal information between Europe and the US, even as the measures face legal challenges. The European Commission … said its decision meant global companies could move data safely according to the new regime, which included requirements on the responsible handling and deletion of personal information.
…
The EU carried out its own assessment and unilaterally decided that the latest US concessions were legally sound and provided enough safeguards. … Biden’s executive order included new privacy guarantees, including the requirement to delete personal data when it was no longer needed, protections when such information was shared with third parties, and the possibility for EU citizens to seek damages if their personal data was mishandled.
Smells fishy? Kim Mackrael jumps into the harbor — “Agreement allows U.S. tech giants to continue data transfers”:
“Data Protection Review Court”
The issue has been a concern for some of the world’s biggest tech companies, including Meta Platforms and Alphabet’s Google, which have faced legal challenges to data transfers that are central to their business in Europe. … Two previous data agreements, known as Safe Harbor and Privacy Shield, were struck down by European courts.
…
The agreement requires the U.S. to create … the Data Protection Review Court, [which] will have the authority to handle EU individuals’ claims and impose remedies if it finds that U.S. laws were violated. … The U.S. has also committed to limiting the collection of signals intelligence.
So what’s the problem? Max Schrems complains it “will be likely back at the Court of Justice (CJEU) in a matter of months”:
“Almost a literal copy”
They say the definition of insanity is doing the same thing over and over … expecting a different result. … Despite the European Commission's public relations efforts, there is little change in US law or the approach taken by the EU. The fundamental problem with … FISA 702 and EO 12.333 … was not addressed by the US … hence a violation of [our] right to privacy is not covered by the 4th Amendment.
…
The EU and the US were able to claim that they agreed on the same word ("proportionate") — even when there is no agreement on the meaning of the word. [The] so-called "Court" … is not a court, but a partly independent executive body. … The "judgment" of this "Court" is … known even before a case is brought. … It seems unthinkable that [CJEU] would accept this.
…
We've now had 'Harbors', 'Umbrellas', 'Shields' and 'Frameworks' — but no substantial change in US surveillance law. The press statements of today are almost a literal copy of the ones from the past 23 years. … All EU-US deals were declared invalid retroactively, making all past data transfers … illegal — we just seem to have added another two years of this ping-pong.
ELI5? How does an EU decision get “declared invalid retroactively”? Kallisti explains:
The GDPR gives the European Commission the right to determine that another country has adequate privacy protections, giving the legal right to transfer data to those countries. Only the Court of Justice of the European Union can invalidate that adequacy decision by the European Commission.
…
Nothing in the deal touches on the key finding by the CJEU. The court concluded that [only] US citizens and residents have … rights to adjudicate privacy complaints. [But] that's a requirement from the EU human rights charter.
…
The main thing is that the particular surveillance has to be authorized in law (not executive decision) and it has to have independent review outside the executive branch. Neither have been resolved in the new deal. This means that the CJEU will have to find the deal as unlawful as the previous deals.
…
What we're seeing is a sort of constitutional crisis, EU style. The commission has essentially dared the court [to] strike down [this] decision.
But EU persons’ data will be safe, right? ReptileMan sounds slightly sarcastic:
The NSA will keep all of it safe. And it won't leak out.
It’s the wrong jurisdiction. So says Doctor Syntax:
I think the central weakness of all these arrangements is that any disputes are to be heard in a US court. … If, for instance some transaction takes place between a customer in Germany … and a multinational trading company [with] a data centre in the US where the data is misused by anyone — US intelligence, some adtech company or a malware-wielding North Korean gang — it is the multinational who answers to the customer in a German court.
And it’s wrong in other ways. HBI is about ready to give up:
[GDPR] created the requirement to keep commercial data in the EU or another state that had commensurate privacy protections. … What was the point of GDPR if not to shield people in the EU from US government surveillance and commercial misuse of their data in the US? With this, we might as well not have bothered.
And u/_eG3LN28ui6dF, too:
Same ****, different year. Data protection for non-citizens is non-existent in the US. Deals, treaties and promises are worthless.
Meanwhile, with this excellent aphoristic mashup, here’s abwizz:
Fool me once, shame on you.
Fool me twice, shame on me.
Fool me thrice, …
???
Profit.
And Finally:
You have been reading Secure Software Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi, @richij or ssbw@richi.uk. Ask your doctor before reading. Your mileage may vary. Past performance is no guarantee of future results. Do not stare into laser with remaining eye. E&OE. 30.
Image sauce: DPP Law (cc:by; leveled and cropped)