Group items tagged

Last week’s post by Megan Graham is certainly a welcome contribution in explaining the implications of the Max Schrems case by the European Union Court of Justice, and specifically how it relates to the Safe Harbor arrangement between the US and the EU. Let me add a different perspective: Irrespective of its consequences for Safe Harbor, last week’s ruling is hugely important on a more general level, namely for the understanding of what the right to privacy entails in Europe and what this means for mass surveillance. Through its ruling in Max Schrems the EU’s highest court has established that: Mere access by public authorities to confidential or group-specific communications data constitutes an intrusion into the right to privacy, even without any further processing of that data; and While indiscriminate intrusion into “metadata” may constitute a particularly serious intrusion into the right to privacy, access to “content” data will affect the essence of the right to privacy.

These findings were made under Article 7 of the EU Charter of Fundamental Rights, a broad provision on the right to respect for one’s private life. This provision of the EU Charter, which is a part of the foundational treaty framework of the European Union, is almost identical to Article 8 of the European Convention on Human Rights, a treaty legally binding for broader Europe and routinely a part of domestic legal orders. It remains to be seen whether the guardian of the latter framework, the European Court of Human Rights, will also be courageous enough to determine that indiscriminate mass surveillance that provides access to “content” data breaches the essential core of the right to privacy. The highest EU court already took that bold step. One of the most important implications of identifying government access to content as breaching the essence of the right to privacy, is that it negates the need for a proportionality assessment. Measures that compromise the essence of privacy have already crossed a red line, and there is no need for any further “balancing” between privacy and security. Therefore, the Max Schrems ruling is a huge blow to many of the current methods of electronic mass surveillance, including those practiced by the US and several European countries (including the United Kingdom).

Several additional points from my earlier post in Verfassungsblog about this case are also worth noting. First, the EU court did not really dwell on the separate Article 8 provision of the EU Charter on Fundamental Rights, concerning the right to the protection of personal data. This was perhaps because that provision is triggered by the “processing” of data, while the general privacy (Article 7) impact comes into play through mere “access.” Another point is that while it was easy to establish the jurisdiction of the EU court over data transfers from Europe to Facebook’s servers in the US, it may be much harder to bring a case before that court concerning “upstream” methods of mass surveillance, such as the NSA’s tapping of transatlantic fiber optic telecommunications cables. Perhaps most importantly, the substantive ruling in the Schrems case is formulated in a way that it would apply to any method of mass surveillance that gives public authorities access to the content of ordinary people’s private communications, including communications intended for a group of people but not for the authorities. Hence, the ruling is a major contribution as to what the right to privacy substantively means in Europe.

The High Court in Ireland has referred a review of a complaint against Facebook to Europe's top court. The complaint alleges the social network shared EU users' data with the US National Security Agency.The European Court of Justice is to assess whether EU law needs to be updated in light of the PRISM revelations, which could have a knock-on effect on tech firms from Facebook to Google. <a href="http://pubads.g.doubleclick.net/gampad/jump?iu=/6978/reg_policy/government&sz=300x250%7C300x600&tile=3&c=33U6KvJawQrMoAAAUTy6EAAAJ5&t=ct%3Dns%26unitnum%3D3%26unitname%3Dwww_top_mpu%26pos%3Dtop%26test%3D0" target="_blank"> <img src="http://pubads.g.doubleclick.net/gampad/ad?iu=/6978/reg_policy/government&sz=300x250%7C300x600&tile=3&c=33U6KvJawQrMoAAAUTy6EAAAJ5&t=ct%3Dns%26unitnum%3D3%26unitname%3Dwww_top_mpu%26pos%3Dtop%26test%3D0" alt=""></a> Austrian law student Maximillian Schrems took Facebook to court in Ireland, where the social network’s European HQ is located, over the revelations from NSA whistleblower Edward Snowden that personal data held by tech firms like Facebook was routinely being slurped by US spooks.

Schrems first asked the Irish Data Commissioner to investigate the legality of Facebook Ireland sending his info over to the States, where it could be seen by the security services, but when the commissioner refused to investigate, he sought a judicial review at the High Court.The Commissioner had ruled that Schrems didn’t have a case because he couldn’t prove that anyone had slurped his data in particular and anyway, the EU has an agreement with the US under the “Safe Harbour” principle decided way back in 2000. This principle governs data flow from Europe to United States and allows US firms to self-certify themselves as respectful of European data protection rules.High Court Justice Gerard Hogan said Schrems did not need to prove that his own data had been spied upon to make a complaint.“Quite obviously, Mr Schrems cannot say whether his own personal data has ever been accessed or whether it would ever be accessed by the US authorities,” he wrote in his ruling.

“But even if this were considered to be unlikely, he is nonetheless certainly entitled to object to a state of affairs where his data are transferred to a jurisdiction which, to all intents and purposes, appears to provide only a limited protection against any interference with that private data by the US security authorities.”However, he said that only the European Court of Justice could decide that individual member states were allowed to look past the Safe Harbour principle or reinterpret its meaning. Hogan said that Schrems, who had filed on behalf of the Europe-v-Facebook group, really had a problem with this principle and acknowledged that there may be an argument for the idea that the rule was outdated.“The Safe Harbour Regime… may reflect a somewhat more innocent age in terms of data protection,” he said. “This Regime came into force prior to the advent of social media and, of course, before the massive terrorist attacks on American soil which took place on September 11th, 2001.”

On Tuesday, the European court of justice, Europe’s supreme court, lobbed a grenade into the cosy, quasi-monopolistic world of the giant American internet companies. It did so by declaring invalid a decision made by the European commission in 2000 that US companies complying with its “safe harbour privacy principles” would be allowed to transfer personal data from the EU to the US. This judgment may not strike you as a big deal. You may also think that it has nothing to do with you. Wrong on both counts, but to see why, some background might be useful. The key thing to understand is that European and American views about the protection of personal data are radically different. We Europeans are very hot on it, whereas our American friends are – how shall I put it? – more relaxed.

Given that personal data constitutes the fuel on which internet companies such as Google and Facebook run, this meant that their exponential growth in the US market was greatly facilitated by that country’s tolerant data-protection laws. Once these companies embarked on global expansion, however, things got stickier. It was clear that the exploitation of personal data that is the core business of these outfits would be more difficult in Europe, especially given that their cloud-computing architectures involved constantly shuttling their users’ data between server farms in different parts of the world. Since Europe is a big market and millions of its citizens wished to use Facebook et al, the European commission obligingly came up with the “safe harbour” idea, which allowed companies complying with its seven principles to process the personal data of European citizens. The circle having been thus neatly squared, Facebook and friends continued merrily on their progress towards world domination. But then in the summer of 2013, Edward Snowden broke cover and revealed what really goes on in the mysterious world of cloud computing. At which point, an Austrian Facebook user, one Maximilian Schrems, realising that some or all of the data he had entrusted to Facebook was being transferred from its Irish subsidiary to servers in the United States, lodged a complaint with the Irish data protection commissioner. Schrems argued that, in the light of the Snowden revelations, the law and practice of the United States did not offer sufficient protection against surveillance of the data transferred to that country by the government.

The Irish data commissioner rejected the complaint on the grounds that the European commission’s safe harbour decision meant that the US ensured an adequate level of protection of Schrems’s personal data. Schrems disagreed, the case went to the Irish high court and thence to the European court of justice. On Tuesday, the court decided that the safe harbour agreement was invalid. At which point the balloon went up. “This is,” writes Professor Lorna Woods, an expert on these matters, “a judgment with very far-reaching implications, not just for governments but for companies the business model of which is based on data flows. It reiterates the significance of data protection as a human right and underlines that protection must be at a high level.”

The European data protection activists behind the Europe v Facebook (evf) campaign group, that has long been a thorn in Facebook’s side in Europe, have filed new complaints under regional data protection law targeting Facebook, Apple, Microsoft, Skype and Yahoo for their alleged collaboration with the NSA’s Prism data collection program. The student activist organisation is targeting the European subsidiaries of these five U.S. companies, arguing that their corporate structure means they fall fully under European privacy laws despite being U.S. headquartered companies. And yet, being as they are U.S. companies, they are required to comply with U.S. surveillance laws — putting them in the “tricky” situation of having to comply with potentially conflicting legal requirements. It’s that legal conflict evf is now probing.

Evf takes the view that the law needs clarifying — and it using these new data protection complaints as the vehicle to obtain clarification from the various regional data protection agencies. Facebook and Apple; Microsoft and Skype; and Yahoo have subsidiaries in Ireland, Luxembourg and Germany respectively. ”We want a clear statement by the authorities if a European company may simply give foreign intelligence agencies access to its customer data. If this turns out to be legal, then we might have to change the laws,” noted evf speaker, Max Schrems, in a statement. The key question, as evf sees it, is whether “mass transfer” of personal data from to a foreign intelligence agency is legal under European law.  ”Many journalists have asked us in recent weeks if PRISM is legal from a EU perspective. We have looked at that a little closer. The result was – after consulting with legal experts – that it is very likely illegal under EU data protection laws, because of the corporate structure of the companies,” added Schrems. Google and YouTube have not been included in this first round of evf complaints being as they have a different corporate structure that does not include European subsidiaries. However it notes they do have datacenters in European countries, which will give evf a route to filing Prism-related data protection complaints against both at a later date.

Writing in a press notice announcing its new action, evf added: If a European subsidiary sends user data to the American parent company, this is considered an “export” of personal data. Under EU law, an export of data is only allowed if the European subsidiary can ensure an “adequate level or protection” in the foreign country. After the recent disclosures on the “PRISM” program such trust in an “adequate level of protection” by the involved companies can hardly be upheld. There can in no way be an adequate level of protection if they cooperate with the NSA on the other end of the line. Right now an export of data to the US must be seen as illegal if the involved companies cannot disprove the reports on the PRISM program. According to evf, the subsidiaries being targeted by these complaints have “the burden of proof” — to either “credibly assure” that the Prism program is a hoax, or “explain how mass access by a foreign intelligence agency interplays with EU data protection laws”. Evf cites a 2006 case precedent involving payment processor SWIFT which had forwarded transaction details to U.S. authorities. In that case it says a group of EU data protection authorities decided that such a mass data transfer is illegal under EU law, leading to SWIFT to move European data to a server in Switzerland. The case also led to an agreement between the U.S. and the EU on the use of payment data to combat crime.

The Irish High Court has ordered a review of the decision by the Office of the Data Protection Commissioner (ODPC) not to investigate Facebook’s links To PRISM and the US National Security Agency (NSA), after it was contested by a group of law students from Austria. The group calling itself ‘Europe-v-Facebook’ had previously demanded a full investigation into the relationship between Internet companies and the US intelligence agency as it accuses Facebook of breaking the law in supplying NSA with personal information about its European users.

The Irish High Court has ordered a review of the decision by the Office of the Data Protection Commissioner (ODPC) not to investigate Facebook’s links To PRISM and the US National Security Agency (NSA), after it was contested by a group of law students from Austria. The group calling itself ‘Europe-v-Facebook’ had previously demanded a full investigation into the relationship between Internet companies and the US intelligence agency as it accuses Facebook of breaking the law in supplying NSA with personal information about its European users.

The Irish High Court has ordered a review of the decision by the Office of the Data Protection Commissioner (ODPC) not to investigate Facebook’s links To PRISM and the US National Security Agency (NSA), after it was contested by a group of law students from Austria. The group calling itself ‘Europe-v-Facebook’ had previously demanded a full investigation into the relationship between Internet companies and the US intelligence agency as it accuses Facebook of breaking the law in supplying NSA with personal information about its European users.

European privacy regulators are putting U.S. surveillance practices under the microscope, this time with a crucial transatlantic data deal hanging in the balance.Legal and privacy advocates say European nations are poised to strike down the deal if they decide the U.S. hasn't done enough to reform its spying programs.The new test comes after the European Commission and the Commerce Department — after months of tense negotiations — reached a deal this week permitting Facebook, Google and thousands of other companies to continue legally handling Europeans’ personal data.ADVERTISEMENTCritics though have long warned that unless the U.S. overhauls its privacy and national security laws, there is no legal framework that can stand up in European court, where privacy is considered a fundamental right under the EU Charter.A working group of 28 EU nations’ data protection authorities — domestic entities separate from the Commission that will be in charge of enforcing the new agreement — may now cast the deciding vote.The group is spending the next few months picking through the so-called Privacy Shield agreement to determine if it adequately protects the personal data of European citizens.

“The Commission has said, ‘We’re satisfied. We believe them. We believe the U.S. has substantially changed its practices,’ and they are no longer going off the [Edward] Snowden revelations in the media,” said Susan Foster, a privacy attorney at Mintz Levin who works in both the EU and the U.S.“Whether the working group will go along with it is another question.”The privacy advocate whose complaint against Facebook brought down the Privacy Shield’s 15-year-old predecessor agreement is already questioning the new deal’s validity.“With all due respect ... a couple of letters by the outgoing Obama administration is by no means a legal basis to guarantee the fundamental rights of 500 million European users in the long run, when there is explicit U.S. law allowing mass surveillance,” Max Schrems of Austria said in a statement Tuesday.The United States has been fighting against the perception that it tramples on civil liberties after ex-National Security Agency contractor Edward Snowden revealed the breadth of the agency’s snooping.One sticking point in the Privacy Shield negotiations was over the scope of an exception allowing surveillance for national security purposes.

In announcing the deal, Commission officials insisted that the U.S. had provided “detailed written assurances” that surveillance of Europeans’ data by intelligence agencies would be subject to appropriate limitations.“The U.S. has clarified that they do not carry out indiscriminate surveillance of Europeans,” Andrus Ansip, Vice President for the Digital Single Market on the European Commission, said Tuesday.The U.S. has also agreed to create an office in the State Department, to address complaints from EU citizens who feel their data has been inappropriately accessed by intelligence authorities.Complicating the working group’s approval of the deal is the hodgepodge of competing regulators in Europe. Each nation has an agency in charge of its own country’s regulation. Some countries — such as Germany — are seen as tougher on privacy than others, like France or the U.K.While some countries consider U.S. privacy protections to be satisfactory, in others they are seen as woefully inadequate.

In a seminal decision updating and consolidating its previous jurisprudence on surveillance, the Grand Chamber of the European Court of Human Rights took a sideways swing at mass surveillance programs last week, reiterating the centrality of “reasonable suspicion” to the authorization process and the need to ensure interception warrants are targeted to an individual or premises. The decision in Zakharov v. Russia — coming on the heels of the European Court of Justice’s strongly-worded condemnation in Schrems of interception systems that provide States with “generalised access” to the content of communications — is another blow to governments across Europe and the United States that continue to argue for the legitimacy and lawfulness of bulk collection programs. It also provoked the ire of the Russian government, prompting an immediate legislative move to give the Russian constitution precedence over Strasbourg judgments. The Grand Chamber’s judgment in Zakharov is especially notable because its subject matter — the Russian SORM system of interception, which includes the installation of equipment on telecommunications networks that subsequently enables the State direct access to the communications transiting through those networks — is similar in many ways to the interception systems currently enjoying public and judicial scrutiny in the United States, France, and the United Kingdom. Zakharov also provides a timely opportunity to compare the differences between UK and Russian law: Namely, Russian law requires prior independent authorization of interception measures, whereas neither the proposed UK law nor the existing legislative framework do.

The decision is lengthy and comprises a useful restatement and harmonization of the Court’s approach to standing (which it calls “victim status”) in surveillance cases, which is markedly different from that taken by the US Supreme Court. (Indeed, Judge Dedov’s separate but concurring opinion notes the contrast with Clapper v. Amnesty International.) It also addresses at length issues of supervision and oversight, as well as the role played by notification in ensuring the effectiveness of remedies. (Marko Milanovic discusses many of these issues here.) For the purpose of the ongoing debate around the legitimacy of bulk surveillance regimes under international human rights law, however, three particular conclusions of the Court are critical.

The Court took issue with legislation permitting the interception of communications for broad national, military, or economic security purposes (as well as for “ecological security” in the Russian case), absent any indication of the particular circumstances under which an individual’s communications may be intercepted. It said that such broadly worded statutes confer an “almost unlimited degree of discretion in determining which events or acts constitute such a threat and whether that threat is serious enough to justify secret surveillance” (para. 248). Such discretion cannot be unbounded. It can be limited through the requirement for prior judicial authorization of interception measures (para. 249). Non-judicial authorities may also be competent to authorize interception, provided they are sufficiently independent from the executive (para. 258). What is important, the Court said, is that the entity authorizing interception must be “capable of verifying the existence of a reasonable suspicion against the person concerned, in particular, whether there are factual indications for suspecting that person of planning, committing or having committed criminal acts or other acts that may give rise to secret surveillance measures, such as, for example, acts endangering national security” (para. 260). This finding clearly constitutes a significant threshold which a number of existing and pending European surveillance laws would not meet. For example, the existence of individualized reasonable suspicion runs contrary to the premise of signals intelligence programs where communications are intercepted in bulk; by definition, those programs collect information without any consideration of individualized suspicion. Yet the Court was clearly articulating the principle with national security-driven surveillance in mind, and with the knowledge that interception of communications in Russia is conducted by Russian intelligence on behalf of law enforcement agencies.

Privacy Shield is the proposed new deal between the EU and the US that is supposed to safeguard all personal data on EU citizens held on computer systems in the US from being subject to mass surveillance by the US National Security Agency. The data can refer to any transaction — web purchases, cars or clothing — involving an EU citizen whose data is held on US servers. Privacy groups say Privacy Shield — which replaces the Safe Harbor agreement ruled unlawful in October 2015 — does not meet strict EU standard on the use of personal data. Monique Goyens, Director General of the European Consumer Organization (BEUC) told Sputnik: “We consider that the shield is cracked beyond repair and is unlikely to stand scrutiny by the European Court of Justice. A fundamental problem remains that the US side of the shield is made of clay, not iron.”

The agreement has been under negotiation for months ever since the because the European Court of Justice ruled in October 2015 that the previous EU-US data agreement — Safe Harbor — was invalid. The issue arises from the strict EU laws — enshrined in the Charter of Fundamental Rights of the European Union — to the privacy of their personal data.

The Safe Harbor agreement was a quasi-judicial understanding that the US undertook to agree that it would ensure that EU citizens’ data on US servers would be held and protected under the same restrictions as it would be under EU law and directives. The data covers a huge array of information — from Internet and communications usage, to sales transactions, import and exports.

The first (and thus far only) roll-back of post-9/11 surveillance authorities was implemented over the weekend: The National Security Agency shuttered its program for collecting and holding the metadata of Americans’ phone calls under Section 215 of the Patriot Act. While bulk collection under Section 215 has ended, the government can obtain access to this information under the procedures specified in the USA Freedom Act. Indeed, some experts have argued that the Agency likely has access to more metadata because its earlier dragnet didn’t cover cell phones or Internet calling. In addition, the metadata of calls made by an individual in the United States to someone overseas and vice versa can still be collected in bulk — this takes place abroad under Executive Order 12333. No doubt the NSA wishes that this was the end of the surveillance reform story and the Paris attacks initially gave them an opening. John Brennan, the Director of the CIA, implied that the attacks were somehow related to “hand wringing” about spying and Sen. Tom Cotton (R-Ark.) introduced a bill to delay the shut down of the 215 program. Opponents of encryption were quick to say: “I told you so.”

But the facts that have emerged thus far tell a different story. It appears that much of the planning took place IRL (that’s “in real life” for those of you who don’t have teenagers). The attackers, several of whom were on law enforcement’s radar, communicated openly over the Internet. If France ever has a 9/11 Commission-type inquiry, it could well conclude that the Paris attacks were a failure of the intelligence agencies rather than a failure of intelligence authorities. Despite the passage of the USA Freedom Act, US surveillance authorities have remained largely intact. Section 702 of the FISA Amendments Act — which is the basis of programs like PRISM and the NSA’s Upstream collection of information from Internet cables — sunsets in the summer of 2017. While it’s difficult to predict the political environment that far out, meaningful reform of Section 702 faces significant obstacles. Unlike the Section 215 program, which was clearly aimed at Americans, Section 702 is supposedly targeted at foreigners and only picks up information about Americans “incidentally.” The NSA has refused to provide an estimate of how many Americans’ information it collects under Section 702, despite repeated requests from lawmakers and most recently a large cohort of advocates. The Section 215 program was held illegal by two federal courts (here and here), but civil attempts to challenge Section 702 have run into standing barriers. Finally, while two review panels concluded that the Section 215 program provided little counterterrorism benefit (here and here), they found that the Section 702 program had been useful.

There is, nonetheless, some pressure to narrow the reach of Section 702. The recent decision by the European Court of Justice in the safe harbor case suggests that data flows between Europe and the US may be restricted unless the PRISM program is modified to protect the information of Europeans (see here, here, and here for discussion of the decision and reform options). Pressure from Internet companies whose business is suffering — estimates run to the tune of $35 to 180 billion — as a result of disclosures about NSA spying may also nudge lawmakers towards reform. One of the courts currently considering criminal cases which rely on evidence derived from Section 702 surveillance may hold the program unconstitutional either on the basis of the Fourth Amendment or Article III for the reasons set out in this Brennan Center report. A federal district court in Colorado recently rejected such a challenge, although as explained in Steve’s post, the decision did not seriously explore the issues. Further litigation in the European courts too could have an impact on the debate.