Discover and read the best of Twitter Threads about #SchremsII
Most recents (24)
1/
Avvocati e giudici tribunale di Bergamo per le videoconferenze usano Zoom. Ho paura che lo stesso avvenga in altri tribunali. Niente da dire? Va bene così?
#privacy? Sicurezza dei dati? Sentenza #SchremsII?
@prevenzione @GPDP_IT explore.zoom.us/it/privacy/
Avvocati e giudici tribunale di Bergamo per le videoconferenze usano Zoom. Ho paura che lo stesso avvenga in altri tribunali. Niente da dire? Va bene così?
#privacy? Sicurezza dei dati? Sentenza #SchremsII?
@prevenzione @GPDP_IT explore.zoom.us/it/privacy/
2/
Trasferimenti internazionali di dati
Zoom opera a livello globale, il che significa che i dati personali possono essere trasferiti e memorizzati (ad esempio in un data center), ed elaborati al di fuori del paese o della regione in cui sono stati inizialmente raccolti, dove
Trasferimenti internazionali di dati
Zoom opera a livello globale, il che significa che i dati personali possono essere trasferiti e memorizzati (ad esempio in un data center), ed elaborati al di fuori del paese o della regione in cui sono stati inizialmente raccolti, dove
3/
Zoom o i suoi fornitori di servizi hanno clienti o servizi, anche in paesi dove risiedono i partecipanti alle riunioni o i titolari dell'account che organizzano le riunioni o i webinar a cui l'Utente partecipa o in cui riceve i messaggi inviati.
Pertanto, utilizzando i
Zoom o i suoi fornitori di servizi hanno clienti o servizi, anche in paesi dove risiedono i partecipanti alle riunioni o i titolari dell'account che organizzano le riunioni o i webinar a cui l'Utente partecipa o in cui riceve i messaggi inviati.
Pertanto, utilizzando i
The Executive Order to Try to Implement the European Union-U.S. Data Privacy Framework has been announced. Will the third time be a charm? @astepanovich, who's followed the issue for years, has a good thread.
@ACLU says the EO doesn't go far enough.
"It fails to adequately protect the privacy of Americans and Europeans, and it fails to ensure that people whose privacy is violated will have their claims resolved by a wholly independent decision-maker,”
aclu.org/press-releases…
"It fails to adequately protect the privacy of Americans and Europeans, and it fails to ensure that people whose privacy is violated will have their claims resolved by a wholly independent decision-maker,”
aclu.org/press-releases…
@PrivaSense notes that the mutual recognition clause "shifts the power balance over international data transfers in favour of the US" (h/t @NSQE)
"This is the Whitehouse grabbing the (CJ)EU by the throat, while Putin is threatening to start WWIII"
linkedin.com/posts/jeroente…
"This is the Whitehouse grabbing the (CJ)EU by the throat, while Putin is threatening to start WWIII"
linkedin.com/posts/jeroente…
@suxsonica @dagoneye @AlfonsoFuggetta 1/
Buongiorno Sonia, concordo con te, non si deve fare una guerra di religione a Microsoft ma stare nel merito. Tutte le #BigTech che operano in Italia portano per l'86% i loro guadagni, prima nei paesi a tassazione agevolata, in Europa, Paesi Bassi, Irlanda, Lussemburgo, poi nei
Buongiorno Sonia, concordo con te, non si deve fare una guerra di religione a Microsoft ma stare nel merito. Tutte le #BigTech che operano in Italia portano per l'86% i loro guadagni, prima nei paesi a tassazione agevolata, in Europa, Paesi Bassi, Irlanda, Lussemburgo, poi nei
@suxsonica @dagoneye @AlfonsoFuggetta 2/
paradisi fiscali, report semestrali di Mediobanca "I giganti del web", su questi dati avevo preparato una presentazione "I padroni del web". Di fatto la PA, non aderendo al CAD art. 68 e art. 69, crea un danno erariale ogni anno di centinaia di milioni di euro.
paradisi fiscali, report semestrali di Mediobanca "I giganti del web", su questi dati avevo preparato una presentazione "I padroni del web". Di fatto la PA, non aderendo al CAD art. 68 e art. 69, crea un danno erariale ogni anno di centinaia di milioni di euro.
@suxsonica @dagoneye @AlfonsoFuggetta 3/
Poi sempre #GAFAM, fanno parte del programma Prism della NSA. Poi c'è una sentenza della Corte Europea, #SchremsII, luglio 2021, rispetto all'illecito di continuare a mandare i dati dei cittadini europei, quindi anche quelli italiani, in America. Quindi direi proprio che non è
Poi sempre #GAFAM, fanno parte del programma Prism della NSA. Poi c'è una sentenza della Corte Europea, #SchremsII, luglio 2021, rispetto all'illecito di continuare a mandare i dati dei cittadini europei, quindi anche quelli italiani, in America. Quindi direi proprio che non è
#SchremsII: Der Beschluss des VG Wiesbaden vom 01.12.2021 (Az. 6 L 738/21.WI) nach dem die Hochschule RheinMain auf ihrer Webseite den Dienst „Cookiebot“ nicht nutzen darf ist jetzt bei beck-online als BeckRS 2021, 37288 abrufbar (€). #DSGVO #Datenschutz
Erste Einschätzung👇
Erste Einschätzung👇
Ausgangspunkt des Verfahrens ist ein Antrag eines Nutzers, der sich nach eigener Angabe regelmäßig im Onlinekatalog der Hochschulbibliothek über Fachliteratur erkundigt. Dabei ist dem Nutzer aufgefallen, dass die Dienste „Google Tag Manager“ und „Cookiebot“ eingesetzt werden.
Er hat die Hochschule sodann zur Abgabe einer strafbewehrten Unterlassungsverpflichtung augefordert, die von der Hochschule jedoch abgelehnt wurden. Es folgte der Antrag auf einstweiligen Rechtsschutz beim VG Wiesbaden.
#EDPB final recommendations on supplementary measures – quick thoughts on biggest changes, non-changes, and issues to explore further. Welcome thoughts on any you are focused on! #privacy #dataflows #schremsii 1/12
TIAs must (now can) assess and document practical experience with government access to data, BUT practical experience must be publicly available, relevant, verifiable, objective and reliable. Generally aligned with new SCCs. New acronym? #PARVOR adequacy assessments/TIAs? 2/12
Exporters must also consider government access to data in transit, by public authorities of the country to which it is sent (limiting factor?), even without the importer’s involvement. 3/12
With just a few days left in a turbulent year, we are looking back at some of the key discussions in European surveillance politics in 2020. A central theme were attempts to regulate & roll back existing, possibly undemocratic practices of industry & state security actors. (1/57)
One of these practices is big-data or predictive policing, a method of algorithmic risk mapping that has increasingly been used by law enforcement departments around Europe. Concerns include limited effectiveness & reproduction of bias with a veneer of objectiveness. (2/57)
So is predictive policing really a good idea? What advantages does it bring? How does it sit with the right to presumption of innocence and civil liberties? We asked academics, politicians, police chiefs & business leaders these questions: (3/57)
aboutintel.eu/predictive-pol…
aboutintel.eu/predictive-pol…
Today, the European Data Protection Board issued new recommendations for companies transferring data out of the E.U., in light of #SchremsII. The recs make clearer than ever that E.U.-U.S. transfers are in trouble, given the breadth of U.S. surveillance: edpb.europa.eu/sites/edpb/fil…
The EDPB specifically calls out Section 702 of FISA, which is in conflict with E.U. law. The report states that companies can transfer data under Standard Contractual Clauses only if they ensure that U.S. government access to the data under 702 is "impossible or ineffective." 
That's an extraordinarily high standard. Most companies can't meet it, even if they encrypt data at rest.
⚠️📢Very important decision today by the top French Administrative Court @Conseil_Etat on post #SchremsII developments
The Court rejects the request of the petitioners against the hosting of the #healthdatahub by @MicrosoftEU ...
Thread (1)
👇
The Court rejects the request of the petitioners against the hosting of the #healthdatahub by @MicrosoftEU ...
Thread (1)
👇
I will focus here on only one HUGE point in this decision re post #SchremsII developments: the Court didn't follow the French DPA @CNIL in its position that US Cloud Providers (or under 🇺🇸 Jurisdiction) should not be used as a matter of principle for hosting health data... (2)
As already explained 🇫🇷DPA @CNIL invited Court to say that providers under US jurisdiction should not be used & this even if all data (encrypted in this case!) are localized in Europe & there are no "transfers" to 🇺🇸bc US Gov might still make requests
👇
👇
😳 Huge #SchremsII aftershocks!
French DPA @CNIL asks not to use US Cloud providers (or other providers “under US jurisdiction”) for hosting health data. For CNIL, this is relevant even if there are no “transfers of data” to 🇺🇸 and all data are stored in 🇪🇺, because... (1)
French DPA @CNIL asks not to use US Cloud providers (or other providers “under US jurisdiction”) for hosting health data. For CNIL, this is relevant even if there are no “transfers of data” to 🇺🇸 and all data are stored in 🇪🇺, because... (1)
... the US Government can still make FISA & EO123333 orders to transfer data to the US. Despite the fact that the Data are encrypted in this specific case under review (HDH), CNIL seems to consider this is not enough. This is striking as encryption has been presented as... (2)
...a potential technical solution under the “additional safeguards” possibility opened by the CJEU in #SchremsII. Instead, CNIL considers that using a European “trustee” could be a solution under some conditions. All this pending the eagerly expected @EU_EDPB guidelines... (3)
Breaking-News für #TeamDatenschutz: Der Beschluss der #DSK zum #Datenschutz bei #Office365 mir per #IFG herausgeben: fragdenstaat.de/anfrage/bewert… Die Veröffentlichung auf der Homepage der DSK wird in Kürze erfolgen. #DSGVO
FYI @WebschauDS @DS_Stiftung @Telemedicus @bvd_datenschutz @offenenetze @GDD_eV @kleibold23 @TimWybitul @sayho @RAinDiercks @PiracyByDesign @Ra_Koellner @winfriedveil @FranzOnBrands @datenreiserecht @Dr_Datenschutz @dsnotizen @nhaerting @JoNehlsen @AdOrgaSolutions @stephanschmidt
Meine erste Einschätzung: Schon die Überschrift stellt klar, dass mit Maßnahmen gegen Verantwortliche, die MS Office 365 einsetzen nicht zurechnen ist, zumindest nicht unter dem Gesichtspunkt Auftragsverarbeitung. Bei Drittstaatentransfers könnte es anders aussehen.
Trolls & mindlessly reflexive anti-capitalist activists will celebrate, but for anyone who really cares about giving people some kind of communication, you have to wonder what kind of other outcome they expect from #SchremsII?
Mass adoption of @BriarApp?
theguardian.com/technology/202…
Mass adoption of @BriarApp?
theguardian.com/technology/202…
Lawyers who don't understand how data actually works, let alone what metadata is, ranting importantly about giving people control of data that is about them, on the flawed hypothesis that it's their data.
In general - not specific, but as a theme - it's Brexit-grade lunacy.
In general - not specific, but as a theme - it's Brexit-grade lunacy.
We live on planet Earth. Pale Blue Dot, that sort of thing. Countries rise and fall, but (hopefully) people remain.
If we have global population communicating with each other, data has to cross boundaries.
It has to be queryable across boundaries.
If we have global population communicating with each other, data has to cross boundaries.
It has to be queryable across boundaries.
Facebook has started Judicial Review proceedings in Ireland over the Irish Data Protection Commission's preliminary order suspending transfers of personal data to the USA. thecurrency.news/articles/23697…
This follows on from the ECJ's decision in #SchremsII which resulted in the end of privacy shield. Not only did Schrems II see an end to the (Second) agreement between the USA and the EU on data transfers, it came with some clear instructions to data protection authorities about
their responsibilities and duties (which is probably what spurred the Irish DPC to issue the preliminary order that it has). Definitely a case to keep an eye on.
Happening now: @dreynders, @maxschrems and @EU_EDPB chair Andrea Jelinek talk #SchremsII #PrivacyShield: multimedia.europarl.europa.eu/en/committee-o…
.@maxschrems: no room for a new Privacy Shield deal unless EU charter of fundamental rights changed or US change surveillance laws
Schrems says not all data flows are a problem, just to e-communication companies that fall under FISA 702 U.S. snooping law
On July 16, the Court of Justice of the European Union (CJEU) issued its decision in the case Data Protection Commission v. Facebook Ireland, Schrems:
*No one* can move data from the EU to the US since the US does not adequately protect EU citizens' rights. #SchremsII
*No one* can move data from the EU to the US since the US does not adequately protect EU citizens' rights. #SchremsII
Yes, you read that right. Since the US gov't likes to peak👀😱 at data being sent into the US and the lack of control by EU citizens, they are changing their stance on data transactions between the EU and US.
Want the full details? Great article here: iapp.org/news/a/the-sch…
Want the full details? Great article here: iapp.org/news/a/the-sch…
This ruling makes a major statement: Data security and privacy is critical moving forward. So how will this impact the "$7.1 trillion (trans-Atlantic) economic relationship that is so vital to our respective citizens, companies, and government(?)”
Time will tell
Time will tell
So I’ve been away for a while, but finally got my head around major decision from Europe’s top court last month involving @Facebook, @maxschrems & $$ billions in data sent from EU to US.
Stay with me here, this gets weird, real quick.
<<cue thread>>
Stay with me here, this gets weird, real quick.
<<cue thread>>
So the basics: Schrems complained to Ireland’s #privacy watchdog that FB wasn’t protecting his data when it was transferred to US. Why? Because @Snowden revelations showed US govt was tracking FB data (w/o telling anyone).
Naughty, naughty
Naughty, naughty
FB balked, so did the Irish. It all got sent to court, eventually landing w/ EU's highest judges.
Questions in play: 1) Should Irish regulator stop FB from transferring data to US? 2) Does US sufficiently protecting EU citizens’ data? 3) How should data be moved outside of EU?
Questions in play: 1) Should Irish regulator stop FB from transferring data to US? 2) Does US sufficiently protecting EU citizens’ data? 3) How should data be moved outside of EU?
Data localization a la Europea 🇪🇺. Europe's data-obsessed internal market commissioner @ThierryBreton says data should be stored in Europe. "China does it, Russia does it. We'll do it too." Is he feeling emboldened by #SchremsII? 1/3
We've already written about how companies have done a 180 following Schrems II, and are now considering limiting the flow of data out of the bloc. 2/3 politico.eu/article/privac…
And it's been clear for a while that Thierry Breton and other EU policymakers are keen for the continent to keep hold of more of its data. 3/3
politico.eu/article/europe…
politico.eu/article/europe…
Der LfDI BW hat vorgestern eine Orientierungshilfe zum Umgang mit #SchremsII veröffentlicht. Ich bin wirklich dankbar für jedes belastbare Statement der Datenschutzbehörden, habe dazu aber ein paar kurze Anmerkungen (Thread).
baden-wuerttemberg.datenschutz.de/wp-content/upl…
baden-wuerttemberg.datenschutz.de/wp-content/upl…
Allgemein (nicht nur hier) würde ich mir wünschen, dass i.S. SchremsII mehr differenziert wird.
Der Fall, den der EuGH entschied, betraf Daten zum Privatleben von sehr vielen Personen und Fälle, in denen ein Zugriff von US-Sicherheitsbehörden durchaus wahrscheinlich ist.
Der Fall, den der EuGH entschied, betraf Daten zum Privatleben von sehr vielen Personen und Fälle, in denen ein Zugriff von US-Sicherheitsbehörden durchaus wahrscheinlich ist.
Die typischen Fälle von Drittlandübermittlungen sind aber andere.
Das sind Fälle wie "unser 3rd level-Support sitzt in den USA, und manchmal muss er sich auf Produktivsysteme aufschalten".
Oder: "unsere zentrale Personalverwaltung sitzt in den USA".
Das sind Fälle wie "unser 3rd level-Support sitzt in den USA, und manchmal muss er sich auf Produktivsysteme aufschalten".
Oder: "unsere zentrale Personalverwaltung sitzt in den USA".
Thread on possible implications of #SchremsII for end-to-end crypto approaches to protecting personal data. Background: last week the (CJEU) issued its judgment in Case C-311/18, “Schrems II”. Amongst other things, it invalidates Privacy Shield, one of the mechanisms
enabling transfers from EU-US. This was in part because US law lacks sufficient limitations on law enforcement access to data, so the protection of data in US not 'essentially equivalent' to that in the EU. Similar arguments could apply elsewhere (e.g. UK).
The main alternative mechanism enabling transfers outside the EEA is the use of 'standard contractual clauses' (SCCs) under Article 46(2)(c) GDPR. But the Court affirmed that SCCs also need to ensure 'essentially equivalent' protection.
Europe has delivered a definitive rebuke of U.S. surveillance powers. Now comes the hard part: deciding how far the bloc will go to protect Europeans’ data:
pro.politico.eu/news/rejection…
pro.politico.eu/news/rejection…
Following #SchremsII the U.S. is unlikely to overhaul its surveillance laws — at least in the short term. That leaves Europe with some tough choices.
politico.eu/article/reject…
politico.eu/article/reject…
*the second link is *free to view*
My final #SchremsII 🧵 for the day begins with the mystery: Why did GDPR find little traction in the US, when it largely swept much of the rest of the world, as @paulmschwartz has demonstrated? 1/
In our paper papers.ssrn.com/sol3/papers.cf…, @BillMcGev, @MargotKaminski and I offer two explanations: (1) 1st Amendment; and (2) Safe Harbor/Privacy Shield. 2/
As cases such as Sorrell demonstrate, 1st Amendment will limit U.S. privacy law (though there is room for such law nonetheless as folks such as @MargotKaminski argue). 3/
For those interested in a TL;DR on #SchremsII here is a quick thread highlighting and explaining the the key holdings, for more see @EPICprivacy page here epic.org/privacy/intl/d… and @NOYBeu page here noyb.eu/en/CJEU-Media-…
The case is about whether EU law permits a company like Facebook (Ireland) to transfer the personal data of EU citizens to affiliated entities in the United States. The GDPR requires that transfers fall within the authorities outlined in the regulation. curia.europa.eu/jcms/jcms/Jo2_…
This case arose from an investigation by the @DPCIreland into a complaint filed by @maxschrems against Facebook alleging that transfers of his personal data to the US violated his rights under the EU Data Protection Directive and the Charter of Fundamental Rights.
Should I do a Twitter thread on the European Court of Justice's #PrivacyShield ruling in #SchremsII? Seems like a good thing to do and honestly who doesn’t love story time? Here we go! (Caveat: just speaking for myself here)
So basically, it's 2015 all over again! 1/n
So basically, it's 2015 all over again! 1/n
2/ I feel 5 years younger just typing this. Today’s invalidation of Privacy Shield by the ECJ is basically what happened to the EU-U.S. Safe Harbor arrangement that preceded the Privacy Shield.
3/ This is a story about whether data controllers can move EU personal data to a non-EU country.
Will companies simply turn to consent as the basis for cross-border data transfer? #SchremsII 1/
German government had suggested that the CJEU shouldn't hear the case because Max Schrems had possibly consented to data transfer to US. #SchremsII 2/
CJEU responded Facebook didn't rely on consent, but rather SCCs, for data transfer. I'm sure Facebook meant that it thought either basis was sufficient--but lack of clarity on this doomed this argument. 3/
After having studied #SchremsII (full judgment), the following aspects are noteworthy (thread): First, CJEU discusses whether EU law applies based on material scope (Art. 2 GDPR) and does not discuss territorial scope (Art. 3) - its relationship with transfers remains mysterious
Second, the CJEU logically finds that appropriate safeguard need to offer the same fundamental rights protection as an adequacy decision, and dismisses national law as relevant for constructing that standard, unless EU law refers to it (opening clauses for #freedomofspeech?)
Third, the SCC are valid, but the CJEU drops many hints that for the specific case of the US both the Irish DPA and the controller should end data flows because in the US there is no equivalent protection meaning neither adequacy nor appropriate safeguards are currently an option
