Discover and read the best of Twitter Threads about #schremsii

Most recents (22)

#SchremsII: Der Beschluss des VG Wiesbaden vom 01.12.2021 (Az. 6 L 738/21.WI) nach dem die Hochschule RheinMain auf ihrer Webseite den Dienst „Cookiebot“ nicht nutzen darf ist jetzt bei beck-online als BeckRS 2021, 37288 abrufbar (€). #DSGVO #Datenschutz

Erste Einschätzung👇
Ausgangspunkt des Verfahrens ist ein Antrag eines Nutzers, der sich nach eigener Angabe regelmäßig im Onlinekatalog der Hochschulbibliothek über Fachliteratur erkundigt. Dabei ist dem Nutzer aufgefallen, dass die Dienste „Google Tag Manager“ und „Cookiebot“ eingesetzt werden.
Er hat die Hochschule sodann zur Abgabe einer strafbewehrten Unterlassungsverpflichtung augefordert, die von der Hochschule jedoch abgelehnt wurden. Es folgte der Antrag auf einstweiligen Rechtsschutz beim VG Wiesbaden.
Read 17 tweets
#EDPB final recommendations on supplementary measures – quick thoughts on biggest changes, non-changes, and issues to explore further. Welcome thoughts on any you are focused on! #privacy #dataflows #schremsii 1/12
TIAs must (now can) assess and document practical experience with government access to data, BUT practical experience must be publicly available, relevant, verifiable, objective and reliable. Generally aligned with new SCCs. New acronym? #PARVOR adequacy assessments/TIAs? 2/12
Exporters must also consider government access to data in transit, by public authorities of the country to which it is sent (limiting factor?), even without the importer’s involvement. 3/12
Read 12 tweets
Der Urlaub endet bald, die #Schulen sind im digitalen Unterricht und ah, da sind wir schon beim Thema #Datenschutz. Das ist alles sehr komplex, aber aufgrund einer spannenden Äußerung einer Aufsichtsbehörde und einem guten Kommentar zur Skalierung, hier ein Thread: 1/x
#Datenschutz ist kein Supergrundrecht - auch wenn es sich immer wieder so anhört und wenn man meinen könnte, der EuGH habe dies mit #SchremsII jedenfalls bezüglich US-Übermittlungen doch festgehalten. Im Hinblick auf Schulen gilt der Schlachtruf "Keine bösen US-Anbieter!1!11" 2/×
Viel besser seien OpenSource Anbieter wie BigBlueButton, Jitsi etc. Das statuieren auch die Aufsichtsbehörden immer wieder gern. Übersehen werden dabei verschiedene Aspekte. A). US-Anbieter sind nicht per se so "böse" wie die mediale Berichterstattung glauben lässt. 3/x
Read 15 tweets
With just a few days left in a turbulent year, we are looking back at some of the key discussions in European surveillance politics in 2020. A central theme were attempts to regulate & roll back existing, possibly undemocratic practices of industry & state security actors. (1/57)
One of these practices is big-data or predictive policing, a method of algorithmic risk mapping that has increasingly been used by law enforcement departments around Europe. Concerns include limited effectiveness & reproduction of bias with a veneer of objectiveness. (2/57)
So is predictive policing really a good idea? What advantages does it bring? How does it sit with the right to presumption of innocence and civil liberties? We asked academics, politicians, police chiefs & business leaders these questions: (3/57)

aboutintel.eu/predictive-pol…
Read 57 tweets
Today, the European Data Protection Board issued new recommendations for companies transferring data out of the E.U., in light of #SchremsII. The recs make clearer than ever that E.U.-U.S. transfers are in trouble, given the breadth of U.S. surveillance: edpb.europa.eu/sites/edpb/fil…
The EDPB specifically calls out Section 702 of FISA, which is in conflict with E.U. law. The report states that companies can transfer data under Standard Contractual Clauses only if they ensure that U.S. government access to the data under 702 is "impossible or ineffective."
That's an extraordinarily high standard. Most companies can't meet it, even if they encrypt data at rest.
Read 4 tweets
⚠️📢Very important decision today by the top French Administrative Court @Conseil_Etat on post #SchremsII developments
The Court rejects the request of the petitioners against the hosting of the #healthdatahub by @MicrosoftEU ...
Thread (1)
👇
I will focus here on only one HUGE point in this decision re post #SchremsII developments: the Court didn't follow the French DPA @CNIL in its position that US Cloud Providers (or under 🇺🇸 Jurisdiction) should not be used as a matter of principle for hosting health data... (2)
As already explained 🇫🇷DPA @CNIL invited Court to say that providers under US jurisdiction should not be used & this even if all data (encrypted in this case!) are localized in Europe & there are no "transfers" to 🇺🇸bc US Gov might still make requests
👇
Read 13 tweets
😳 Huge #SchremsII aftershocks!
French DPA @CNIL asks not to use US Cloud providers (or other providers “under US jurisdiction”) for hosting health data. For CNIL, this is relevant even if there are no “transfers of data” to 🇺🇸 and all data are stored in 🇪🇺, because... (1)
... the US Government can still make FISA & EO123333 orders to transfer data to the US. Despite the fact that the Data are encrypted in this specific case under review (HDH), CNIL seems to consider this is not enough. This is striking as encryption has been presented as... (2)
...a potential technical solution under the “additional safeguards” possibility opened by the CJEU in #SchremsII. Instead, CNIL considers that using a European “trustee” could be a solution under some conditions. All this pending the eagerly expected @EU_EDPB guidelines... (3)
Read 4 tweets
Breaking-News für #TeamDatenschutz: Der Beschluss der #DSK zum #Datenschutz bei #Office365 mir per #IFG herausgeben: fragdenstaat.de/anfrage/bewert… Die Veröffentlichung auf der Homepage der DSK wird in Kürze erfolgen. #DSGVO
Meine erste Einschätzung: Schon die Überschrift stellt klar, dass mit Maßnahmen gegen Verantwortliche, die MS Office 365 einsetzen nicht zurechnen ist, zumindest nicht unter dem Gesichtspunkt Auftragsverarbeitung. Bei Drittstaatentransfers könnte es anders aussehen.
Read 9 tweets
Trolls & mindlessly reflexive anti-capitalist activists will celebrate, but for anyone who really cares about giving people some kind of communication, you have to wonder what kind of other outcome they expect from #SchremsII?

Mass adoption of @BriarApp?

theguardian.com/technology/202…
Lawyers who don't understand how data actually works, let alone what metadata is, ranting importantly about giving people control of data that is about them, on the flawed hypothesis that it's their data.

In general - not specific, but as a theme - it's Brexit-grade lunacy. Image
We live on planet Earth. Pale Blue Dot, that sort of thing. Countries rise and fall, but (hopefully) people remain.

If we have global population communicating with each other, data has to cross boundaries.

It has to be queryable across boundaries.
Read 3 tweets
Facebook has started Judicial Review proceedings in Ireland over the Irish Data Protection Commission's preliminary order suspending transfers of personal data to the USA. thecurrency.news/articles/23697…
This follows on from the ECJ's decision in #SchremsII which resulted in the end of privacy shield. Not only did Schrems II see an end to the (Second) agreement between the USA and the EU on data transfers, it came with some clear instructions to data protection authorities about
their responsibilities and duties (which is probably what spurred the Irish DPC to issue the preliminary order that it has). Definitely a case to keep an eye on.
Read 3 tweets
.@maxschrems: no room for a new Privacy Shield deal unless EU charter of fundamental rights changed or US change surveillance laws
Schrems says not all data flows are a problem, just to e-communication companies that fall under FISA 702 U.S. snooping law
Read 4 tweets
On July 16, the Court of Justice of the European Union (CJEU) issued its decision in the case Data Protection Commission v. Facebook Ireland, Schrems:
*No one* can move data from the EU to the US since the US does not adequately protect EU citizens' rights. #SchremsII
Yes, you read that right. Since the US gov't likes to peak👀😱 at data being sent into the US and the lack of control by EU citizens, they are changing their stance on data transactions between the EU and US.
Want the full details? Great article here: iapp.org/news/a/the-sch…
This ruling makes a major statement: Data security and privacy is critical moving forward. So how will this impact the "$7.1 trillion (trans-Atlantic) economic relationship that is so vital to our respective citizens, companies, and government(?)”

Time will tell
Read 8 tweets
So I’ve been away for a while, but finally got my head around major decision from Europe’s top court last month involving @Facebook, @maxschrems & $$ billions in data sent from EU to US.

Stay with me here, this gets weird, real quick.

<<cue thread>>
So the basics: Schrems complained to Ireland’s #privacy watchdog that FB wasn’t protecting his data when it was transferred to US. Why? Because @Snowden revelations showed US govt was tracking FB data (w/o telling anyone).

Naughty, naughty
FB balked, so did the Irish. It all got sent to court, eventually landing w/ EU's highest judges.

Questions in play: 1) Should Irish regulator stop FB from transferring data to US? 2) Does US sufficiently protecting EU citizens’ data? 3) How should data be moved outside of EU?
Read 29 tweets
Data localization a la Europea 🇪🇺. Europe's data-obsessed internal market commissioner @ThierryBreton says data should be stored in Europe. "China does it, Russia does it. We'll do it too." Is he feeling emboldened by #SchremsII? 1/3
We've already written about how companies have done a 180 following Schrems II, and are now considering limiting the flow of data out of the bloc. 2/3 politico.eu/article/privac…
And it's been clear for a while that Thierry Breton and other EU policymakers are keen for the continent to keep hold of more of its data. 3/3

politico.eu/article/europe…
Read 3 tweets
Der LfDI BW hat vorgestern eine Orientierungshilfe zum Umgang mit #SchremsII veröffentlicht. Ich bin wirklich dankbar für jedes belastbare Statement der Datenschutzbehörden, habe dazu aber ein paar kurze Anmerkungen (Thread).

baden-wuerttemberg.datenschutz.de/wp-content/upl…
Allgemein (nicht nur hier) würde ich mir wünschen, dass i.S. SchremsII mehr differenziert wird.

Der Fall, den der EuGH entschied, betraf Daten zum Privatleben von sehr vielen Personen und Fälle, in denen ein Zugriff von US-Sicherheitsbehörden durchaus wahrscheinlich ist.
Die typischen Fälle von Drittlandübermittlungen sind aber andere.

Das sind Fälle wie "unser 3rd level-Support sitzt in den USA, und manchmal muss er sich auf Produktivsysteme aufschalten".

Oder: "unsere zentrale Personalverwaltung sitzt in den USA".
Read 25 tweets
Thread on possible implications of #SchremsII for end-to-end crypto approaches to protecting personal data. Background: last week the (CJEU) issued its judgment in Case C-311/18, “Schrems II”. Amongst other things, it invalidates Privacy Shield, one of the mechanisms
enabling transfers from EU-US. This was in part because US law lacks sufficient limitations on law enforcement access to data, so the protection of data in US not 'essentially equivalent' to that in the EU. Similar arguments could apply elsewhere (e.g. UK).
The main alternative mechanism enabling transfers outside the EEA is the use of 'standard contractual clauses' (SCCs) under Article 46(2)(c) GDPR. But the Court affirmed that SCCs also need to ensure 'essentially equivalent' protection.
Read 11 tweets
Europe has delivered a definitive rebuke of U.S. surveillance powers. Now comes the hard part: deciding how far the bloc will go to protect Europeans’ data:

pro.politico.eu/news/rejection…
Following #SchremsII the U.S. is unlikely to overhaul its surveillance laws — at least in the short term. That leaves Europe with some tough choices.

politico.eu/article/reject…
*the second link is *free to view*
Read 3 tweets
My final #SchremsII 🧵 for the day begins with the mystery: Why did GDPR find little traction in the US, when it largely swept much of the rest of the world, as @paulmschwartz has demonstrated? 1/
In our paper papers.ssrn.com/sol3/papers.cf…, @BillMcGev, @MargotKaminski and I offer two explanations: (1) 1st Amendment; and (2) Safe Harbor/Privacy Shield. 2/
As cases such as Sorrell demonstrate, 1st Amendment will limit U.S. privacy law (though there is room for such law nonetheless as folks such as @MargotKaminski argue). 3/
Read 9 tweets
For those interested in a TL;DR on #SchremsII here is a quick thread highlighting and explaining the the key holdings, for more see @EPICprivacy page here epic.org/privacy/intl/d… and @NOYBeu page here noyb.eu/en/CJEU-Media-…
The case is about whether EU law permits a company like Facebook (Ireland) to transfer the personal data of EU citizens to affiliated entities in the United States. The GDPR requires that transfers fall within the authorities outlined in the regulation. curia.europa.eu/jcms/jcms/Jo2_… Paragraph 8 from the judgment, recital 101 from GDPR
This case arose from an investigation by the @DPCIreland into a complaint filed by @maxschrems against Facebook alleging that transfers of his personal data to the US violated his rights under the EU Data Protection Directive and the Charter of Fundamental Rights.
Read 20 tweets
Should I do a Twitter thread on the European Court of Justice's #PrivacyShield ruling in #SchremsII? Seems like a good thing to do and honestly who doesn’t love story time? Here we go! (Caveat: just speaking for myself here)

So basically, it's 2015 all over again! 1/n
2/ I feel 5 years younger just typing this. Today’s invalidation of Privacy Shield by the ECJ is basically what happened to the EU-U.S. Safe Harbor arrangement that preceded the Privacy Shield.
3/ This is a story about whether data controllers can move EU personal data to a non-EU country.
Read 22 tweets
Will companies simply turn to consent as the basis for cross-border data transfer? #SchremsII 1/
German government had suggested that the CJEU shouldn't hear the case because Max Schrems had possibly consented to data transfer to US. #SchremsII 2/ Image
CJEU responded Facebook didn't rely on consent, but rather SCCs, for data transfer. I'm sure Facebook meant that it thought either basis was sufficient--but lack of clarity on this doomed this argument. 3/ Image
Read 6 tweets
After having studied #SchremsII (full judgment), the following aspects are noteworthy (thread): First, CJEU discusses whether EU law applies based on material scope (Art. 2 GDPR) and does not discuss territorial scope (Art. 3) - its relationship with transfers remains mysterious
Second, the CJEU logically finds that appropriate safeguard need to offer the same fundamental rights protection as an adequacy decision, and dismisses national law as relevant for constructing that standard, unless EU law refers to it (opening clauses for #freedomofspeech?)
Third, the SCC are valid, but the CJEU drops many hints that for the specific case of the US both the Irish DPA and the controller should end data flows because in the US there is no equivalent protection meaning neither adequacy nor appropriate safeguards are currently an option
Read 5 tweets

Related hashtags

Did Thread Reader help you today?

Support us! We are indie developers!


This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3.00/month or $30.00/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!