Group items tagged

Last week’s post by Megan Graham is certainly a welcome contribution in explaining the implications of the Max Schrems case by the European Union Court of Justice, and specifically how it relates to the Safe Harbor arrangement between the US and the EU. Let me add a different perspective: Irrespective of its consequences for Safe Harbor, last week’s ruling is hugely important on a more general level, namely for the understanding of what the right to privacy entails in Europe and what this means for mass surveillance. Through its ruling in Max Schrems the EU’s highest court has established that: Mere access by public authorities to confidential or group-specific communications data constitutes an intrusion into the right to privacy, even without any further processing of that data; and While indiscriminate intrusion into “metadata” may constitute a particularly serious intrusion into the right to privacy, access to “content” data will affect the essence of the right to privacy.

These findings were made under Article 7 of the EU Charter of Fundamental Rights, a broad provision on the right to respect for one’s private life. This provision of the EU Charter, which is a part of the foundational treaty framework of the European Union, is almost identical to Article 8 of the European Convention on Human Rights, a treaty legally binding for broader Europe and routinely a part of domestic legal orders. It remains to be seen whether the guardian of the latter framework, the European Court of Human Rights, will also be courageous enough to determine that indiscriminate mass surveillance that provides access to “content” data breaches the essential core of the right to privacy. The highest EU court already took that bold step. One of the most important implications of identifying government access to content as breaching the essence of the right to privacy, is that it negates the need for a proportionality assessment. Measures that compromise the essence of privacy have already crossed a red line, and there is no need for any further “balancing” between privacy and security. Therefore, the Max Schrems ruling is a huge blow to many of the current methods of electronic mass surveillance, including those practiced by the US and several European countries (including the United Kingdom).

Several additional points from my earlier post in Verfassungsblog about this case are also worth noting. First, the EU court did not really dwell on the separate Article 8 provision of the EU Charter on Fundamental Rights, concerning the right to the protection of personal data. This was perhaps because that provision is triggered by the “processing” of data, while the general privacy (Article 7) impact comes into play through mere “access.” Another point is that while it was easy to establish the jurisdiction of the EU court over data transfers from Europe to Facebook’s servers in the US, it may be much harder to bring a case before that court concerning “upstream” methods of mass surveillance, such as the NSA’s tapping of transatlantic fiber optic telecommunications cables. Perhaps most importantly, the substantive ruling in the Schrems case is formulated in a way that it would apply to any method of mass surveillance that gives public authorities access to the content of ordinary people’s private communications, including communications intended for a group of people but not for the authorities. Hence, the ruling is a major contribution as to what the right to privacy substantively means in Europe.

While the United States continues to debate metadata collection conducted in secret by the National Security Agency, the European Union has been openly collecting the same sort of data for eight years. In the wake of terrorist attacks in Madrid (2004) and London (2005), the European Union passed a directive in 2006 requiring that all telecommunications providers retain all kinds of telephone and Internet metadata for at least six months and provide it to law enforcement upon request. According to a ruling handed down Tuesday by the European Court of Justice, that directive is now invalid. The case was brought by activists at Digital Rights Ireland and the Austrian Working Group on Data Retention. The two organizations had challenged the law as it had been imposed in their respective countries.

While the United States continues to debate metadata collection conducted in secret by the National Security Agency, the European Union has been openly collecting the same sort of data for eight years. In the wake of terrorist attacks in Madrid (2004) and London (2005), the European Union passed a directive in 2006 requiring that all telecommunications providers retain all kinds of telephone and Internet metadata for at least six months and provide it to law enforcement upon request. According to a ruling handed down Tuesday by the European Court of Justice, that directive is now invalid. The case was brought by activists at Digital Rights Ireland and the Austrian Working Group on Data Retention. The two organizations had challenged the law as it had been imposed in their respective countries.

The European judges concluded: The Court takes the view that, by requiring the retention of those data and by allowing the competent national authorities to access those data, the directive interferes in a particularly serious manner with the fundamental rights to respect for private life and to the protection of personal data. Furthermore, the fact that data are retained and subsequently used without the subscriber or registered user being informed is likely to generate in the persons concerned a feeling that their private lives are the subject of constant surveillance. . . . Although the retention of data required by the directive may be considered to be appropriate for attaining the objective pursued by it, the wide-ranging and particularly serious interference of the directive with the fundamental rights at issue is not sufficiently circumscribed to ensure that that interference is actually limited to what is strictly necessary.

The High Court in Ireland has referred a review of a complaint against Facebook to Europe's top court. The complaint alleges the social network shared EU users' data with the US National Security Agency.The European Court of Justice is to assess whether EU law needs to be updated in light of the PRISM revelations, which could have a knock-on effect on tech firms from Facebook to Google. <a href="http://pubads.g.doubleclick.net/gampad/jump?iu=/6978/reg_policy/government&sz=300x250%7C300x600&tile=3&c=33U6KvJawQrMoAAAUTy6EAAAJ5&t=ct%3Dns%26unitnum%3D3%26unitname%3Dwww_top_mpu%26pos%3Dtop%26test%3D0" target="_blank"> <img src="http://pubads.g.doubleclick.net/gampad/ad?iu=/6978/reg_policy/government&sz=300x250%7C300x600&tile=3&c=33U6KvJawQrMoAAAUTy6EAAAJ5&t=ct%3Dns%26unitnum%3D3%26unitname%3Dwww_top_mpu%26pos%3Dtop%26test%3D0" alt=""></a> Austrian law student Maximillian Schrems took Facebook to court in Ireland, where the social network’s European HQ is located, over the revelations from NSA whistleblower Edward Snowden that personal data held by tech firms like Facebook was routinely being slurped by US spooks.

Schrems first asked the Irish Data Commissioner to investigate the legality of Facebook Ireland sending his info over to the States, where it could be seen by the security services, but when the commissioner refused to investigate, he sought a judicial review at the High Court.The Commissioner had ruled that Schrems didn’t have a case because he couldn’t prove that anyone had slurped his data in particular and anyway, the EU has an agreement with the US under the “Safe Harbour” principle decided way back in 2000. This principle governs data flow from Europe to United States and allows US firms to self-certify themselves as respectful of European data protection rules.High Court Justice Gerard Hogan said Schrems did not need to prove that his own data had been spied upon to make a complaint.“Quite obviously, Mr Schrems cannot say whether his own personal data has ever been accessed or whether it would ever be accessed by the US authorities,” he wrote in his ruling.

“But even if this were considered to be unlikely, he is nonetheless certainly entitled to object to a state of affairs where his data are transferred to a jurisdiction which, to all intents and purposes, appears to provide only a limited protection against any interference with that private data by the US security authorities.”However, he said that only the European Court of Justice could decide that individual member states were allowed to look past the Safe Harbour principle or reinterpret its meaning. Hogan said that Schrems, who had filed on behalf of the Europe-v-Facebook group, really had a problem with this principle and acknowledged that there may be an argument for the idea that the rule was outdated.“The Safe Harbour Regime… may reflect a somewhat more innocent age in terms of data protection,” he said. “This Regime came into force prior to the advent of social media and, of course, before the massive terrorist attacks on American soil which took place on September 11th, 2001.”

Controversial emergency laws will be introduced into the Commons next Monday to reinforce the powers of security services to require internet and phone companies to keep records of their customers' emails and calls.The move follows private talks over the past week and the laws will have the support of Labour and the Liberal Democrats on the basis that there will be a sunset clause and a new board to oversee the functioning of the powers.Details are due to be announced at a Downing Street press conference on Thursday morning.

he laws will expire in 2016, requiring fresh legislation after the election. The Regulation of Investigatory Powers Act will be reviewed between now and 2016 to make recommendations for how it could be reformed and updated. Lib Dems insist the new legislation does not represent an extension of existing surveillance powers or the introduction of the snooper's charter sought by the Home Office and long opposed by the deputy prime minister, Nick Clegg.There will be no power to look at the content of phone calls, only location, date and the phone numbers. Government sources say they have been forced to act due to European court of justice ruling in April saying the current laws invaded individual privacy. The government says if there had been no new powers there would have been no obligation on phone and internet companies to keep records if there was a UK court challenge to the retention of data.

No 10 said the ECJ rulings had struck down regulations to retain communications data for law enforcement purposes for up to 12 months. Unless they have a business reason to hold this data, internet and phone companies will start deleting it, which has serious consequences for investigations, which can take many months and which rely on retrospectively accessing data for evidential purposes.Ministers added that some companies had already been calling for a clearer legal frameworkLabour backbencher Tom Watson described the move as a "stitch-up". He said: "There has been a deal and it had been railroaded through so my advice to MPs is there is no point turning up for work next week because there has been a political deal." He said he had not seen the detail of the legislation and promised to vote against the timetable.He added: "The government was aware of this ECJ ruling six weeks ago and what they are doing is railroading this through. No one in civil society has got a chance to be consulted." The shadow cabinet had not seen the proposals until this morning, he added.

On Tuesday, the European court of justice, Europe’s supreme court, lobbed a grenade into the cosy, quasi-monopolistic world of the giant American internet companies. It did so by declaring invalid a decision made by the European commission in 2000 that US companies complying with its “safe harbour privacy principles” would be allowed to transfer personal data from the EU to the US. This judgment may not strike you as a big deal. You may also think that it has nothing to do with you. Wrong on both counts, but to see why, some background might be useful. The key thing to understand is that European and American views about the protection of personal data are radically different. We Europeans are very hot on it, whereas our American friends are – how shall I put it? – more relaxed.

Given that personal data constitutes the fuel on which internet companies such as Google and Facebook run, this meant that their exponential growth in the US market was greatly facilitated by that country’s tolerant data-protection laws. Once these companies embarked on global expansion, however, things got stickier. It was clear that the exploitation of personal data that is the core business of these outfits would be more difficult in Europe, especially given that their cloud-computing architectures involved constantly shuttling their users’ data between server farms in different parts of the world. Since Europe is a big market and millions of its citizens wished to use Facebook et al, the European commission obligingly came up with the “safe harbour” idea, which allowed companies complying with its seven principles to process the personal data of European citizens. The circle having been thus neatly squared, Facebook and friends continued merrily on their progress towards world domination. But then in the summer of 2013, Edward Snowden broke cover and revealed what really goes on in the mysterious world of cloud computing. At which point, an Austrian Facebook user, one Maximilian Schrems, realising that some or all of the data he had entrusted to Facebook was being transferred from its Irish subsidiary to servers in the United States, lodged a complaint with the Irish data protection commissioner. Schrems argued that, in the light of the Snowden revelations, the law and practice of the United States did not offer sufficient protection against surveillance of the data transferred to that country by the government.

The Irish data commissioner rejected the complaint on the grounds that the European commission’s safe harbour decision meant that the US ensured an adequate level of protection of Schrems’s personal data. Schrems disagreed, the case went to the Irish high court and thence to the European court of justice. On Tuesday, the court decided that the safe harbour agreement was invalid. At which point the balloon went up. “This is,” writes Professor Lorna Woods, an expert on these matters, “a judgment with very far-reaching implications, not just for governments but for companies the business model of which is based on data flows. It reiterates the significance of data protection as a human right and underlines that protection must be at a high level.”

In the legal case of U.S. AWOL soldier André Shepherd (37) the European Court of Justice Advocate General, Eleanor Sharpton, today published her final opinion. This official statement contains guiding deliberations for the interpretation of the so-called Qualification Directive of the European Union. Amongst other considerations, these rules state that those endangered by prosecution or punishment for refusal to perform military service involving an illegal war or commital of war crimes, should be protected by the European Union. André Shepherd, former U.S. Army helicopter mechanic in the Iraq War, during leave in Germany, left his unit and in 2008, requested asylum in that country. 2011, the German Federal Office for Migration and Refugees refused Shepherd's application. Shepherd's resulting court action challenge resulted in the Munich Administrative Court's asking for the opinion of the European Court in Luxemburg on significant questions concerning the interpretation of the Qualification Directive. The Justice Advocate General came to the following conclusions:

- The protection guaranteed by the Qualification Directive is also applicable to soldiers not directly involved in combat, when their duties could support war crimes. The German Federal Office for Migration and Refugees has as yet failed to respect this definition. - Within the asylum application process, a deserter is not obliged to prove that he was or could be involved in war crimes, as the German Federal Office for Migration and Refugees required. Necessary is only the evidence of war crime probability, based on past occurrences. - Even a U.N. mandate for a war, in which the deserter was, or could have been involved, cannot serve as grounds for rejection of his rights as a refugee. - The deserter must prove that he either had already been involved in a military service refusal case, or that for concrete reasons, he could not take advantage of this right. - In deciding the question, whether the military service objector is a member of a social or ethnic group as defined within the framework of E.U. Refugee Rights, the national authority should not only consider the degree and importance of his convictions, but also the degree of discrimination experienced in his own country.

- The national authorities must investigate whether the asylum applicant's membership in a social or ethnic group could in probability lead to discriminative treatment as the result of a military court action or even dishonorable discharge.

When Edward Snowden disclosed details of America’s huge surveillance program two years ago, many in Europe thought that the response would be increased transparency and stronger oversight of security services. European countries, however, are moving in the opposite direction. Instead of more public scrutiny, we are getting more snooping. Pushed to respond to the atrocious attacks in Paris and Copenhagen and by the threats posed by the Islamic State to Europe’s internal security, several countries are amending their counterterrorism legislation to grant more intrusive powers to security services, especially in terms of mass electronic surveillance.

Governments now argue that to guarantee our security we have to sacrifice some rights. This is a specious argument. By shifting from targeted to mass surveillance, governments risk undermining democracy while pretending to protect it.They are also betraying a long political and judicial tradition affording broad protection to privacy in Europe, where democratic legal systems have evolved to protect individuals from arbitrary interference by the state in their private and family life. The European Court of Human Rights has long upheld the principle that surveillance interferes with the right to privacy. Although the court accepts that the use of confidential information is essential in combating terrorist threats, it has held that the collection, use and storage of such information should be authorized only under exceptional and precise conditions, and must be accompanied by adequate legal safeguards and independent supervision. The court has consistently applied this principle for decades when it was called to judge the conduct of several European countries, which were combating domestic terrorist groups.

More recently, as new technologies have offered more avenues to increase surveillance and data collection, the court has reiterated its position in a number of leading cases against several countries, including France, Romania, Russia and Britain, condemned for having infringed the right to private and family life that in the interpretation of the court covers also “the physical and psychological integrity of a person.”