Safe Harbor, or why PRISM is largely redundant

[Irbis]

Recently, in multiple threads on PRISM, people repeat this weird and baseless claim that 'EU citizens enjoy rights to privacy'. Yeah right. Want to hear a tale of how this actually looks in practice on the net?

Let's start with one example - Safe Harbor. What it is? When Internet was created and companies started to exploit it in commercial activities, US companies started having problems with this weird entity known as EU. Unlike USA with one federal privacy law, every state in EU tried to enact their own, creating massive headache for US companies, too lazy to deal with these pretentious microstates. To solve this, good ol' Uncle Sam summoned European leaders and in conciliatory manner befitting his allies, simply threw them ready text telling them to sign or get lost from the net.

Thus, Safe Harbor was born - a set of laws supposed to protect online privacy of EU citizens US companies could easily enact so that they could offer their services in EU without excess hassle. On paper, this is a good idea. Increased commerce and good protection - but then again, Constitution of the Soviet Union also offered excellent human laws protection, on paper, at least.

How this works in practice? Why, in 2008 Galexia report (available in full here for interested) researchers came to an interesting conclusion - that among 1597 companies queried, 348 meet the basic test. What was the test? Oh, it wasn't checking if anyone bothers to protect privacy - Galexia had no means to test it. Instead, they tested if the company even bothered to copy-paste EU privacy policy and information page into their website (mandated by law).

Yes, only about 20% of companies did barest minimum, never mind actually protecting the data they have. It's like police brutality check-up finding 4 out of every 5 cops has dried blood traces on their gloves, gun, or mace. But then again, seeing no one actually checks the compliance on site, or even has any rights to, as USA doesn't allow inspection from vassal countries in the first place, why should they bother?

To make the 20% figure even funnier, only 54 companies out of 1597 (about 3%) promised to protect all data they collect, not just part of it, according to Safe Harbor's 7 principles. To extend the police analogy above, only 3 out of 100 cops said straightforward 'yes' asked if they never beaten an innocent before.

The treaty is largely toothless, too - had CEO of Google appeared tomorrow on TV handing Biden printouts of every single mail sent by EU citizens last month, actually proving any part of treaty was broken, never mind reaching sentence, would take years at best, if it even was successful at all. USA doesn't need PRISM, had the companies didn't resist they could just collect it all directly at the source and no one could use Safe Harbor given protection to do anything about it.

And to put final nail in the coffin of the effectiveness of Safe Harbor, even such limited, useless protection was apparently too much, as USA undermined it (despite protests) by forcing laws such as Passenger Name Record, blowing big holes in already weak privacy laws and allowing US agencies to collect more and more data.

Of course, there had been attempts at fixing the law. The talks about it had been going strong last seven years, so far producing no concrete results whatsoever. For one, because every time EU tried to start something, USA, who likes status quo very much, always let out threatening growl to remind vassals of their place in the line. For another, because UK, acting both on order of the USA, and to protect their privileged ECHELON access, always torpedoed reform attempts. Recent NSA scandal might change that, but seeing Germany already is trying to apologize to USA for letting the whole affair see daylight, perhaps not. Experts remain sceptic.

So, really, why people act oh so upset about PRISM? It does nothing ECHELON didn't. And even these two pale next to gaping hole that is Safe Harbor. Somehow, no one minds. EU privacy protection is a sham, something that sometimes catches little fishes but does nothing to big time violations by key players. None of this is secret - you don't need Snowden to realize any of this. European politicians have to be aware of this - yet all they do about it is repeating old, tired phrases about commitment to defence of privacy. This means they are either grossly incompetent, or think the voters are grossly incompetent, unless someone has better explanation.

[K. A. Pital]

Aren't they right that the voters are grossly incompetent? This situation did not arise yesterday.

[Welf]

Interesting that we do have "privacy laws" and how they don't bother to even apply to the minimum standards.

I'm not sure if the European governments back down so easily because they are afraid of the US government. In the end this is something that is of use for our elites and governments. They can lower the standards and blame the evil US for making us do so. Trade agreements and supernational rules are a popular instrument against parliaments and the people.

[Thanas]

Actually, our Constitutional Court did create the freedom to decide about information gathering. Basically the citizen has the right to decide what happens with his data. Which is also why any attempt of Merkel to copy Obama will be pretty much toppled in short order by the same court.

[Welf]

Maybe, but any law or ruling is only as good as it's execution*. And as Irbis said even the rulings we already have are ignored.

*I'm pretty sure for example US officials may not seize people on German territory because Germany is a sovereign state and shit like that. But they still do. And they will be doing that since German security agencies are staunch US allies and will cover them.

[Thanas]

What they did was blatantly unconstitutional in my eyes and I wonder why the guy's lawyer simply did not get an injunction.

[Welf]

My guess: The German officials obscured the whole affair and a friendly judge believed them. They are supposedly trustworthy German officials sworn on the German constitution after all.

[Siege]

It's probably worth pointing out that the EU actually recognizes that the current framework is insufficient. That's why the General Data Protection Regulation is set to supersede Data Protection Directive 95/46/EC (of which Safe Harbor is an extension) in 2016. That number set should tell you something about how ancient the current framework is by the way: the current directive was signed on 24 October 1995. In terms of EU development that's like centuries ago. The new Regulation among other things requires each member state to set up a supervisory authority to monitor data protection and beat down on people and companies that violate the regulation. Probably not perfect, but to turn around and dismiss the idea that EU citizens have a right to privacy is a bit silly when article 8 of the ECHR specifically defines what the right to privacy entails in the EU.

[Irbis]

Actually, our Constitutional Court did create the freedom to decide about information gathering. Basically the citizen has the right to decide what happens with his data.

How many of 500 million metadata lines gathered by BND were sent to USA with consent of the involved? Was this done with Merkel knowledge? If these were, as BND claims, non German data, whose metadata BND exactly acquired in the middle of Germany? Is Merkel lying, or is BND spying on EU partners for US agencies?

So far, German authorities turned out to be complicit in every single shady US activity, from espionage to sending people to torture prisons run by CIA, and yet, you still keep hope much lesser transgression didn't happen?

[Irbis]

So, I guess BND really seeked approval of everyone involved and 500 million figure is just a slander

...

Anyway, I heard interesting interview in radio this week, ones being questioned were Polish minister of digital infrastructure, along with Neelie Kroes, EU Commissioner for Digital Agenda. Among the questions was Safe Harbor one - namely, what EU can do if foreign company starts violating EU law. Answer was immensely simple and optimistic: "wait".

When asked for what, the longer reply was basically "until the problem goes away somehow, or the company grows to the point it starts to have EU dealings or assets, like Microsoft, as only then we can do anything even remotely effective. Entirely foreign company? Forget it, we don't really have any reliable means now".

I'll look if I can't find a transcript, still, it was refreshing to hear at least two politicians are uncomfortable with the SH issue, even if it doesn't change situation one bit

[Thanas]

Actually, our Constitutional Court did create the freedom to decide about information gathering. Basically the citizen has the right to decide what happens with his data.

How many of 500 million metadata lines gathered by BND were sent to USA with consent of the involved? Was this done with Merkel knowledge? If these were, as BND claims, non German data, whose metadata BND exactly acquired in the middle of Germany? Is Merkel lying, or is BND spying on EU partners for US agencies?

I was unable to find a source for it at Spiegel online. In fact, the only Spiegel article which I have found which concerns the 500 million number mentioned only the NSA and the one mentioning the BND cooperating with the NSA explicitly says that it strips out German data before sending it to USA.

So where is that Spiegel report RT claims to source? Is it possible they mistranslated it from German?