Posted on

Facebook May Be Ordered to Change Data Practices in Europe

Facebook is facing the prospect of not being able to move data about its European users to the United States, after European regulators raised concerns that such transfers do not adequately protect the information from American government surveillance.

The social network said on Wednesday that the Irish Data Protection Commission had begun an inquiry into its movement of data on European users to the United States. The Irish regulator oversees Facebook’s data practices in Europe and can fine it up to 4 percent of its global revenue for breaking European data protection laws.

The Silicon Valley company may now have to overhaul its operations to keep data on Europeans stored within the European Union, an immensely complicated task given the way that Facebook moves data among data centers around the world.

The inquiry, earlier reported by The Wall Street Journal, is the first major fallout of a European Union high court decision in July that invalidated a key trans-Atlantic agreement called Privacy Shield. That agreement between the United States and European Union had allowed businesses to send data between the two regions, but the court struck it down, saying Europeans did not have sufficient protections from American spy agencies.

The ruling affects thousands of businesses, but Facebook’s data-sharing practices have been under particular scrutiny by European authorities. Facebook had argued that the court allowed certain kinds of legal contracts to continue transferring data, but Irish regulators disagreed and said those arrangements were invalid.

Facebook has until later this month to respond to Ireland’s complaint, then the Irish regulator will make a final decision toward the end of the year. Facebook could challenge that judgment in court.

“A lack of safe, secure and legal international data transfers would damage the economy and hamper the growth of data-driven businesses in the E.U., just as we seek a recovery from Covid-19,” Nick Clegg, Facebook’s vice president of global affairs, said of the moves. “The impact would be felt by businesses large and small, across multiple sectors.”

Ireland’s Data Protection Commission declined to comment.

Facebook’s experience will be closely watched by other major tech companies, like Google, that also depend on transferring data between the United States and Europe.

American and European officials have expressed a desire to work out a new data-sharing agreement. But legal experts have said complying with the European court ruling will require substantive changes to American surveillance laws to give Europeans added privacy protections.

Posted on

Legal clouds gather over US cloud services, after CJEU ruling

In the wake of yesterday’s landmark ruling by Europe’s top court — striking down a flagship transatlantic data transfer framework called Privacy Shield, and cranking up the legal uncertainty around processing EU citizens’ data in the U.S. in the process — Europe’s lead data protection regulator has fired its own warning shot at the region’s data protection authorities (DPAs), essentially telling them to get on and do the job of intervening to stop people’s data flowing to third countries where it’s at risk.

Countries like the U.S.

The original complaint that led to the Court of Justice of the EU (CJEU) ruling focused on Facebook’s use of a data transfer mechanism called Standard Contractual Clauses (SCCs) to authorize moving EU users’ data to the U.S. for processing.

Complainant Max Schrems asked the Irish Data Protection Commission (DPC) to suspend Facebook’s SCC data transfers in light of U.S. government mass surveillance programs. Instead, the regulator went to court to raise wider concerns about the legality of the transfer mechanism.

That in turn led Europe’s top judges to nuke the Commission’s adequacy decision, which underpinned the EU-U.S. Privacy Shield — meaning the U.S. no longer has a special arrangement greasing the flow of personal data from the EU. Yet, at the time of writing, Facebook is still using SCCs to process EU users’ data in the U.S. Much has changed, but the data hasn’t stopped flowing — yet.

Yesterday the tech giant said it would “carefully consider” the findings and implications of the CJEU decision on Privacy Shield, adding that it looked forward to “regulatory guidance.” It certainly didn’t offer to proactively flip a kill switch and stop the processing itself.

Ireland’s DPA, meanwhile, which is Facebook’s lead data regulator in the region, sidestepped questions over what action it would be taking in the wake of yesterday’s ruling — saying it (also) needed (more) time to study the legal nuances.

The DPC’s statement also only went so far as to say the use of SCCs for taking data to the U.S. for processing is “questionable” — adding that case by case analysis would be key.

The regulator remains the focus of sustained criticism in Europe over its enforcement record for major cross-border data protection complaints — with still zero decisions issued more than two years after the EU’s General Data Protection Regulation (GDPR) came into force, and an ever-growing backlog of open investigations into the data processing activities of platform giants.

In May, the DPC finally submitted to other DPAs for review its first draft decision on a cross-border case (an investigation into a Twitter security breach), saying it hoped the decision would be finalized in July. At the time of writing we’re still waiting for the bloc’s regulators to reach consensus on that.

The painstaking pace of enforcement around Europe’s flagship data protection framework remains a problem for EU lawmakers — whose two-year review last month called for uniformly “vigorous” enforcement by regulators.

The European Data Protection Supervisor (EDPS) made a similar call today, in the wake of the Schrems II ruling — which only looks set to further complicate the process of regulating data flows by piling yet more work on the desks of underfunded DPAs.

“European supervisory authorities have the duty to diligently enforce the applicable data protection legislation and, where appropriate, to suspend or prohibit transfers of data to a third country,” writes EDPS Wojciech Wiewiórowski, in a statement, which warns against further dithering or can-kicking on the intervention front.

“The EDPS will continue to strive, as a member of the European Data Protection Board (EDPB), to achieve the necessary coherent approach among the European supervisory authorities in the implementation of the EU framework for international transfers of personal data,” he goes on, calling for more joint working by the bloc’s DPAs.

Wiewiórowski’s statement also highlights what he dubs “welcome clarifications” regarding the responsibilities of data controllers and European DPAs — to “take into account the risks linked to the access to personal data by the public authorities of third countries.”

“As the supervisory authority of the EU institutions, bodies, offices and agencies, the EDPS is carefully analysing the consequences of the judgment on the contracts concluded by EU institutions, bodies, offices and agencies. The example of the recent EDPS’ own-initiative investigation into European institutions’ use of Microsoft products and services confirms the importance of this challenge,” he adds.

Part of the complexity of enforcement of Europe’s data protection rules is the lack of a single authority; a varied patchwork of supervisory authorities responsible for investigating complaints and issuing decisions.

Now, with a CJEU ruling that calls for regulators to assess third countries themselves — to determine whether the use of SCCs is valid in a particular use-case and country — there’s a risk of further fragmentation should different DPAs jump to different conclusions.

Yesterday, in its response to the CJEU decision, Hamburg’s DPA criticized the judges for not also striking down SCCs, saying it was “inconsistent” for them to invalidate Privacy Shield yet allow this other mechanism for international transfers. Supervisory authorities in Germany and Europe must now quickly agree how to deal with companies that continue to rely illegally on the Privacy Shield, the DPA warned.

In the statement, Hamburg’s data commissioner, Johannes Caspar, added: “Difficult times are looming for international data traffic.”

He also shot off a blunt warning that: “Data transmission to countries without an adequate level of data protection will… no longer be permitted in the future.”

Compare and contrast that with the Irish DPC talking about use of SCCs being “questionable,” case by case. (Or the U.K.’s ICO offering this bare minimum.)

Caspar also emphasized the challenge facing the bloc’s patchwork of DPAs to develop and implement a “common strategy” toward dealing with SCCs in the wake of the CJEU ruling.

In a press note today, Berlin’s DPA also took a tough line, warning that data transfers to third countries would only be permitted if they have a level of data protection essentially equivalent to that offered within the EU.

In the case of the U.S. — home to the largest and most used cloud services — Europe’s top judges yesterday reiterated very clearly that that is not in fact the case.

“The CJEU has made it clear that the export of data is not just about the economy but people’s fundamental rights must be paramount,” Berlin data commissioner Maja Smoltczyk said in a statement [which we’ve translated using Google Translate].

“The times when personal data could be transferred to the U.S. for convenience or cost savings are over after this judgment,” she added.

Both DPAs warned the ruling has implications for the use of cloud services where data is processed in other third countries where the protection of EU citizens’ data also cannot be guaranteed too, i.e. not just the U.S.

On this front, Smoltczyk name-checked China, Russia and India as countries EU DPAs will have to assess for similar problems.

“Now is the time for Europe’s digital independence,” she added.

Some commentators (including Schrems himself) have also suggested the ruling could see companies switching to local processing of EU users’ data. Though it’s also interesting to note the judges chose not to invalidate SCCs — thereby offering a path to legal international data transfers, but only provided the necessary protections are in place in that given third country.

Also issuing a response to the CJEU ruling today was the European Data Protection Board (EDPB). AKA the body made up of representatives from DPAs across the bloc. Chair Andrea Jelinek put out an emollient statement, writing that: “The EDPB intends to continue playing a constructive part in securing a transatlantic transfer of personal data that benefits EEA citizens and organisations and stands ready to provide the European Commission with assistance and guidance to help it build, together with the U.S., a new framework that fully complies with EU data protection law.”

Short of radical changes to U.S. surveillance law, it’s tough to see how any new framework could be made to legally stick, though. Privacy Shield’s predecessor arrangement, Safe Harbour, stood for around 15 years. Its shiny “new and improved” replacement didn’t even last five.

In the wake of the CJEU ruling, data exporters and importers are required to carry out an assessment of a country’s data regime to assess adequacy with EU legal standards before using SCCs to transfer data there.

“When performing such prior assessment, the exporter (if necessary, with the assistance of the importer) shall take into consideration the content of the SCCs, the specific circumstances of the transfer, as well as the legal regime applicable in the importer’s country. The examination of the latter shall be done in light of the non-exhaustive factors set out under Art 45(2) GDPR,” Jelinek writes.

“If the result of this assessment is that the country of the importer does not provide an essentially equivalent level of protection, the exporter may have to consider putting in place additional measures to those included in the SCCs. The EDPB is looking further into what these additional measures could consist of.”

Again, it’s not clear what “additional measures” a platform could plausibly deploy to “fix” the gaping lack of redress afforded to foreigners by U.S. surveillance law. Major legal surgery does seem to be required to square this circle.

Jelinek said the EDPB would be studying the judgement with the aim of putting out more granular guidance in the future. But her statement warns data exporters they have an obligation to suspend data transfers or terminate SCCs if contractual obligations are not or cannot be complied with, or else to notify a relevant supervisory authority if it intends to continue transferring data.

In her roundabout way, she also warns that DPAs now have a clear obligation to terminate SCCs where the safety of data cannot be guaranteed in a third country.

“The EDPB takes note of the duties for the competent supervisory authorities (SAs) to suspend or prohibit a transfer of data to a third country pursuant to SCCs, if, in the view of the competent SA and in the light of all the circumstances of that transfer, those clauses are not or cannot be complied with in that third country, and the protection of the data transferred cannot be ensured by other means, in particular where the controller or a processor has not already itself suspended or put an end to the transfer,” Jelinek writes.

One thing is crystal clear: Any sense of legal certainty U.S. cloud services were deriving from the existence of the EU-U.S. Privacy Shield — with its flawed claim of data protection adequacy — has vanished like summer rain.

In its place, a sense of déjà vu and a lot more work for lawyers.

Read More

Posted on

European Workers Draw Paychecks. American Workers Scrounge for Food.

LONDON — In the southeast corner of Ireland, Brian Byrne’s event-planning business was confronting a calamity. It was the middle of March, and the coronavirus pandemic was nearing peak lethality. As the government barred gatherings like music festivals, his revenue disappeared, forcing him to consider laying off his four full-time workers.

But a swiftly arranged government program spared their jobs. It provided 70 to 85 percent of their wages, enabling Mr. Byrne to keep them employed.

“It oddly hasn’t been a stressful time,” he said. “I can keep the team together, keep them motivated. We’re basically doing everything we can to be ready for when the restrictions are eased.”

Across the Atlantic in New York, the pandemic cost Salvador Dominguez his job selling Manhattan real estate. He eventually qualified for an emergency expansion of federal unemployment benefits, but not before 72 agonizing days of waiting. He borrowed from friends and family members to pay his rent, and he harvested food from the trash at a high-end grocery store.

“How can I describe it?” said Mr. Dominguez, 39, taking a breath. “It was very tough.” He added, “I didn’t feel alone, because I knew a lot of people like me were doing it.”

The pandemic has ravaged Europeans and Americans alike, but the economic pain has played out in starkly different fashion. The United States has relied on a significant expansion of unemployment insurance, cushioning the blow for tens of millions of people who have lost their jobs, with the assumption that they will be swiftly rehired once normality returns. European countries — among them Denmark, Ireland, Britain, France, the Netherlands, Spain and Austria — have prevented joblessness by effectively nationalizing payrolls, heavily subsidizing wages and enabling paychecks to continue uninterrupted.

Image
Credit…Hiroko Masuike/The New York Times

As cases increase at an alarming rate in much of the United States, the reliance on an overwhelmed unemployment system — the next infusion of money perpetually subject to the whims of Washington — leaves Americans uniquely exposed to a deepening crisis of joblessness. Europe appears poised to spring back from the catastrophe faster, whenever commerce resumes, because its companies need not rehire workers.

“You just send an email, and that’s it — you’re ready to go,” said Jonathan Rothwell, principal economist at Gallup, the American polling firm, and a nonresident senior fellow at the Brookings Institution. “There’s no recruitment or negotiation.”

Some have argued that the differing approaches are functionally equivalent. European taxpayers are writing checks to employers who wind up paying workers. American taxpayers are furnishing relief through unemployment payments.

“I think it’s a real open question,” said Jason Furman, an economic adviser to President Barack Obama, “which of those will be better in the long term. They might be more similar than everyone thinks.” He was speaking during a recent discussion with Stephanie Flanders of Bloomberg.

But conversations with recipients of government relief in Europe and the United States reveal one substantial difference: In many European countries, wage subsidies have enabled paychecks to continue without a hitch, sparing people the anxiety of managing bills while awaiting relief. For Americans, hellish tangles with bureaucracy have become legion as tens of millions of people have deluged the unemployment system, crashing websites, tying up phone systems and standing in parking lots for hours outside benefits offices.

Image

Credit…Audra Melton for The New York Times

Far from an accident, this reflects the values animating American capitalism, in which social safety nets are minimal, leaving people to struggle with scant relief. The pandemic “exposes the fact that we have a system problem,” said Joseph Stiglitz, the Nobel laureate economist. “A system where 50 percent of the people are on the edge is not a resilient system.”

The American Paycheck Protection Program has similarities to Europe’s wage subsidy programs. It has directed $520 billion in loans through private banks to small businesses. If American employers limit layoffs, they do not have to repay the money. Five million businesses have received funding, but bewildering rules and technical glitches have limited broader participation.

Washington also increased standard unemployment benefits by $600 a week, often giving recipients more than they earned in their jobs. But in requiring that workers transition from payrolls to the unemployment system, the government effectively consigned people to torturous delays.

Image

Credit…Bryan Denton for The New York Times

Jobless data reveals how the pandemic has assailed American workers with exceptional force. The unemployment rate in the United States has soared nearly eight percentage points since February — it registered 11.1 percent in June — while France, Germany, Ireland and the Netherlands have all limited increases in the jobless rate to less than one percentage point.

“By and large, the European social model has proved quite adept and robust for this kind of crisis,” said Jacob F. Kirkegaard, a senior fellow at the Peterson Institute for International Economics in Washington.

None of this offers guarantees about the future. In many countries, the United States included, pandemic aid programs are set to expire in coming months. Given persistent fears about the virus, an abrupt elimination of relief would be damaging.

In Britain, nine million workers have officially been furloughed while continuing to draw paychecks under a government program. But as many as a fourth are at risk of being fired when the government reduces the subsidy in September, according to Bloomberg. In the United States, extra jobless benefits expire at the end of July, prompting worries that the removal of this aid will spell a loss of spending, further damaging businesses and producing another spike in unemployment.

For Americans, the risks are heightened by the fact that the nation lacks a national medical system — a feature taken as a given in Europe — leaving most people reliant on their jobs for access to health care.

For now, European programs are insulating workers from the consequences.

In Spain, the terrifying spread of the virus prompted the government to order a halt to nonessential services in mid-March. That threatened the livelihood of Ana Ascaso, a mother of three who works as a waitress at a popular bar in the center of Zaragoza, a city of 700,000 people in the northeast of the country. Her husband had been out of work for more than a year.

Image

Credit…Edu Bayer for The New York Times
Image

Credit…Edu Bayer for The New York Times

Within hours of announcing the state of alarm, the Spanish government also approved an “act of God” wage subsidy program. Ms. Ascaso and the other eight employees at the bar would technically be furloughed — their jobs awaiting their return — while the government paid 70 percent of their wages.

“It was very sad seeing the rising death rate, but I felt lucky that the only thing I had to worry about was my health and the health of my loved ones,” she said.

The bar where Ms. Ascaso works reopened late last month. The tables are set farther apart than before. She wears a mask as she serves drinks and tapas.

“For me, the wage subsidy was a gift,” she said.

Isabel Santander, who has long worked in a Zaragoza factory that makes automobile dashboards, endured a two-month delay for her government-furnished wage subsidy. But her bank advanced the money while she waited.

Image

Credit…Edu Bayer for The New York Times

“I was able to feel relaxed at home,” she said. She spent time with her two daughters. Her company plans to resume production in early July, bringing back all 200 employees.

  • Frequently Asked Questions and Advice

    Updated June 30, 2020

    • What are the symptoms of coronavirus?

      Common symptoms include fever, a dry cough, fatigue and difficulty breathing or shortness of breath. Some of these symptoms overlap with those of the flu, making detection difficult, but runny noses and stuffy sinuses are less common. The C.D.C. has also added chills, muscle pain, sore throat, headache and a new loss of the sense of taste or smell as symptoms to look out for. Most people fall ill five to seven days after exposure, but symptoms may appear in as few as two days or as many as 14 days.

    • Is it harder to exercise while wearing a mask?

      A commentary published this month on the website of the British Journal of Sports Medicine points out that covering your face during exercise “comes with issues of potential breathing restriction and discomfort” and requires “balancing benefits versus possible adverse events.” Masks do alter exercise, says Cedric X. Bryant, the president and chief science officer of the American Council on Exercise, a nonprofit organization that funds exercise research and certifies fitness professionals. “In my personal experience,” he says, “heart rates are higher at the same relative intensity when you wear a mask.” Some people also could experience lightheadedness during familiar workouts while masked, says Len Kravitz, a professor of exercise science at the University of New Mexico.

    • I’ve heard about a treatment called dexamethasone. Does it work?

      The steroid, dexamethasone, is the first treatment shown to reduce mortality in severely ill patients, according to scientists in Britain. The drug appears to reduce inflammation caused by the immune system, protecting the tissues. In the study, dexamethasone reduced deaths of patients on ventilators by one-third, and deaths of patients on oxygen by one-fifth.

    • What is pandemic paid leave?

      The coronavirus emergency relief package gives many American workers paid leave if they need to take time off because of the virus. It gives qualified workers two weeks of paid sick leave if they are ill, quarantined or seeking diagnosis or preventive care for coronavirus, or if they are caring for sick family members. It gives 12 weeks of paid leave to people caring for children whose schools are closed or whose child care provider is unavailable because of the coronavirus. It is the first time the United States has had widespread federally mandated paid leave, and includes people who don’t typically get such benefits, like part-time and gig economy workers. But the measure excludes at least half of private-sector workers, including those at the country’s largest employers, and gives small employers significant leeway to deny leave.

    • Does asymptomatic transmission of Covid-19 happen?

      So far, the evidence seems to show it does. A widely cited paper published in April suggests that people are most infectious about two days before the onset of coronavirus symptoms and estimated that 44 percent of new infections were a result of transmission from people who were not yet showing symptoms. Recently, a top expert at the World Health Organization stated that transmission of the coronavirus by people who did not have symptoms was “very rare,” but she later walked back that statement.

    • What’s the risk of catching coronavirus from a surface?

      Touching contaminated objects and then infecting ourselves with the germs is not typically how the virus spreads. But it can happen. A number of studies of flu, rhinovirus, coronavirus and other microbes have shown that respiratory illnesses, including the new coronavirus, can spread by touching contaminated surfaces, particularly in places like day care centers, offices and hospitals. But a long chain of events has to happen for the disease to spread that way. The best way to protect yourself from coronavirus — whether it’s surface transmission or close human contact — is still social distancing, washing your hands, not touching your face and wearing masks.

    • How does blood type influence coronavirus?

      A study by European scientists is the first to document a strong statistical link between genetic variations and Covid-19, the illness caused by the coronavirus. Having Type A blood was linked to a 50 percent increase in the likelihood that a patient would need to get oxygen or to go on a ventilator, according to the new study.

    • How many people have lost their jobs due to coronavirus in the U.S.?

      The unemployment rate fell to 13.3 percent in May, the Labor Department said on June 5, an unexpected improvement in the nation’s job market as hiring rebounded faster than economists expected. Economists had forecast the unemployment rate to increase to as much as 20 percent, after it hit 14.7 percent in April, which was the highest since the government began keeping official statistics after World War II. But the unemployment rate dipped instead, with employers adding 2.5 million jobs, after more than 20 million jobs were lost in April.

    • How can I protect myself while flying?

      If air travel is unavoidable, there are some steps you can take to protect yourself. Most important: Wash your hands often, and stop touching your face. If possible, choose a window seat. A study from Emory University found that during flu season, the safest place to sit on a plane is by a window, as people sitting in window seats had less contact with potentially sick people. Disinfect hard surfaces. When you get to your seat and your hands are clean, use disinfecting wipes to clean the hard surfaces at your seat like the head and arm rest, the seatbelt buckle, the remote, screen, seat back pocket and the tray table. If the seat is hard and nonporous or leather or pleather, you can wipe that down, too. (Using wipes on upholstered seats could lead to a wet seat and spreading of germs rather than killing them.)

    • What should I do if I feel sick?

      If you’ve been exposed to the coronavirus or think you have, and have a fever or symptoms like a cough or difficulty breathing, call a doctor. They should give you advice on whether you should be tested, how to get tested, and how to seek medical treatment without potentially infecting or exposing others.


fbpx