undefined | Better HN

0 pointsAlanYx1y ago0 comments

I tend to agree with you about what will happen, but it illustrates the depth of legal uncertainty that exists in architecting software systems in Europe that process personal information. Corporations can't necessarily trust the EC's own published interpretations of their own laws, nor the certification processes the EC has created, so the only risk-minimizing route is a maximally pessimistic approach about what is permissible.

0 comments

pyrale1y ago

> but it illustrates the depth of legal uncertainty that exists in architecting software systems in Europe that process personal information.

Oh I agree with that. EC's behaviour in that case is appalling.

> Corporations can't necessarily trust the EC's own interpretations of their own laws

There is a way to be safe with regards to EU law, and it's to engineer systems where European data stays in Europe. Of course, the issue is that corporations would then be liable under US' FISA 702.

That's the big issue: the United States made a law that basically states that no US company should follow EU law, and the US admin manages to beat EC officials into submission every few years with another flawed agreement to keep the ball rolling.

AlanYxOP1y ago

It's not that easy really. Several European countries have FISA s.702 functional equivalents that enable intelligence to get orders for interception of personal information on servers and entities within their legal jurisdiction. (e.g., The French Law on Intelligence and the German BND Act)

It's easy to say that the US should just scrap s.702, but unless it's reciprocal with Europe scrapping their interception powers as well, that's a pretty unrealistic ask.

pyrale1y ago

> that enable intelligence to get orders for interception of personal information on servers and entities within their legal jurisdiction.

That is common indeed. What's peculiar with US law is that it can mandate companies to move data about people outside of US jurisdiction that is stored outside of US jurisdiction and turn it over to US authorities, even when it violates local law.

mananaysiempre1y ago

Hm. I was aware that French law was kind of awful on this, but never investigated the specifics. As, say, a non-EU person, would I be able to bring suit to a French court (and, if that fails, to the CJEU) regarding foreign-intelligence eavesdropping violating my privacy rights? (AFAIU the US answer is that if I’m a foreigner on foreign soil I don’t have any of those).

AlanYxOP1y ago

Yes, you could bring a suit if you knew about the interception. However, like FISA s.702, intelligence collection warrants under the French LI and German BND are generally secret, so most targets have no knowledge they are under surveillance. All three pieces of legislation have an oversight mechanism in terms of oversight bodies who have access to secret warrants and are supposed to ensure that they are being used appropriately.

j / k navigate · click thread line to collapse

0 comments

pyrale1y ago

> but it illustrates the depth of legal uncertainty that exists in architecting software systems in Europe that process personal information.

Oh I agree with that. EC's behaviour in that case is appalling.

> Corporations can't necessarily trust the EC's own interpretations of their own laws

There is a way to be safe with regards to EU law, and it's to engineer systems where European data stays in Europe. Of course, the issue is that corporations would then be liable under US' FISA 702.

AlanYxOP1y ago

It's easy to say that the US should just scrap s.702, but unless it's reciprocal with Europe scrapping their interception powers as well, that's a pretty unrealistic ask.

pyrale1y ago

> that enable intelligence to get orders for interception of personal information on servers and entities within their legal jurisdiction.

mananaysiempre1y ago

AlanYxOP1y ago

j / k navigate · click thread line to collapse