Group items tagged

UK's High Court found the rushed Data Retention and Investigatory Powers Act (DRIPA) to be illegal under the European Convention on Human Rights and EU Charter of Fundamental Rights, both of which require respect for private and family life, as well as protection of personal data in the case of the latter. DRIPA was challenged by two members of Parliament (MPs), Labor's Tom Watson and the Conservative David Davis, who argued that the surveillance of communications wasn't limited to serious crimes, that individual notices for data collection were kept secret, and that no provision existed to protect those who need professional confidentiality, such as lawyers and journalists. DRIPA was pushed through in three days last year after the European Court of Justice ruled that the EU data retention powers were disproportionate, which invalidated the previous data retention law in the UK. The UK High Court also ruled that sections 1 and 2 of DRIPA were unlawful based on the fact that they fail to provide precise policies to ensure that data is only accessed for the purpose of investigating serious crimes. Another major point against DRIPA was that it didn't require judicial approval, which could limit access to only the data that is strictly necessary for investigations.

DRIPA passed in only three days, but the Court allowed it to continue for another nine months, to give the UK government enough time to draft new legislation. Although this almost doubles the time in which this law will exist, it might be better in the long term, as it gives the members of Parliament enough time to debate its successor, without having to rush yet another law fearing that the government's surveillance powers will expire. This court ruling arrived at the right time, as the UK government is currently preparing the draft for the Investigative Powers Bill (also called Snooper's Charter by many), which further expands the government's surveillance powers and may even request encryption backdoors. It also joins other recent reviews of the government's surveillance laws that called for much stricter oversight done by judges rather than the government's own members. "Campaigners, MPs across the political spectrum, the Government's own reviewer of terrorism legislation are all calling for judicial oversight and clearer safeguards," said James Welch, Legal Director for Liberty, a human rights organization.

On Tuesday, the European court of justice, Europe’s supreme court, lobbed a grenade into the cosy, quasi-monopolistic world of the giant American internet companies. It did so by declaring invalid a decision made by the European commission in 2000 that US companies complying with its “safe harbour privacy principles” would be allowed to transfer personal data from the EU to the US. This judgment may not strike you as a big deal. You may also think that it has nothing to do with you. Wrong on both counts, but to see why, some background might be useful. The key thing to understand is that European and American views about the protection of personal data are radically different. We Europeans are very hot on it, whereas our American friends are – how shall I put it? – more relaxed.

Given that personal data constitutes the fuel on which internet companies such as Google and Facebook run, this meant that their exponential growth in the US market was greatly facilitated by that country’s tolerant data-protection laws. Once these companies embarked on global expansion, however, things got stickier. It was clear that the exploitation of personal data that is the core business of these outfits would be more difficult in Europe, especially given that their cloud-computing architectures involved constantly shuttling their users’ data between server farms in different parts of the world. Since Europe is a big market and millions of its citizens wished to use Facebook et al, the European commission obligingly came up with the “safe harbour” idea, which allowed companies complying with its seven principles to process the personal data of European citizens. The circle having been thus neatly squared, Facebook and friends continued merrily on their progress towards world domination. But then in the summer of 2013, Edward Snowden broke cover and revealed what really goes on in the mysterious world of cloud computing. At which point, an Austrian Facebook user, one Maximilian Schrems, realising that some or all of the data he had entrusted to Facebook was being transferred from its Irish subsidiary to servers in the United States, lodged a complaint with the Irish data protection commissioner. Schrems argued that, in the light of the Snowden revelations, the law and practice of the United States did not offer sufficient protection against surveillance of the data transferred to that country by the government.

The Irish data commissioner rejected the complaint on the grounds that the European commission’s safe harbour decision meant that the US ensured an adequate level of protection of Schrems’s personal data. Schrems disagreed, the case went to the Irish high court and thence to the European court of justice. On Tuesday, the court decided that the safe harbour agreement was invalid. At which point the balloon went up. “This is,” writes Professor Lorna Woods, an expert on these matters, “a judgment with very far-reaching implications, not just for governments but for companies the business model of which is based on data flows. It reiterates the significance of data protection as a human right and underlines that protection must be at a high level.”