thoughts and observations of a privacy, security and internet researcher, activist, and policy advisor

Monday, April 11, 2016

Minutes from EU Court of Justice on #CanadaPNR

On 5th April, I attended the oral hearing of the Court of Justice of the European Union (CJEU) on the draft agreement between the EU and Canada on the transfer, use, and retention of air passenger data (EU-Canada PNR agreement). The European Parliament submitted this agreement to the Court in November 2014.

It was my first time at the Court, and the Grand Chamber is really impressive. However, I watched the hearing from the press room next door in order to be able to use the laptop and wifi.

Colleague Thomas van der Valk was also tweeting.

Here are my tweets in chronological order and with some typos corrected:

EU Court of Justice hearing on EU-Canada PNR agreement about to start. I'll tweet from there.
"The Court is in session". Two short judgements are announced first, then #CanadaPNR hearing in a few minutes. #CJEU
hearing started. First: legal service of @Europarl_EN, which submitted the agreement to the Court.
.: 2 questions: lack of data protection rights, wrong legal basis of the agreement. Canadian law only allows Canadians remedy.
 . questions compatibility with Art. 8 of the Charter of Fundamental Rights (data protection): independent oversight?
. is also live-tweeting from the hearing at the
.: Article 47 of the Charter (judicial redress / legal remedies) not met with the PNR agreement?
.@Europarl_EN: Article 52 of the Charter (proportionality and necessity) not met either, see judgement?
. lists the several types of processing of PNR data: transfer, access, analysis, retention, onward transfer.
 .: systematic analysis of all passenger data (profiling) not yet covered by case law such as or .
.: Canadian privacy Commissioner has been critical about large-scale PNR data analysis. "mega-data" not "meta-data"
.: PNR data will be transferred to US authorities under the "beyond the border" agreement,
Now: Council legal service, defending the agreement. " also accepted PNR agreements with USA and Australia."
(Reason for to submit agreement was CJEU judgement. It came after USA and Australia PNR agreements.)
Council now on legal arguments about opt-out options for Denmark, Ireland and UK, Court had asked about this as well.


Monday, May 11, 2015

Trade Agreements and the Internet - and the Zombies

I had the pleasure of speaking about what trade agreements such as TTIP or TiSA may do to the internet at re:publica, the greatest European conference about the digital society. The talk was together with Estelle Massé, Gaelle Krikorian, and Sanya Reid Smith.

Here are the slides, and here is the video recording. They may contain Plants and Zombies.


Saturday, February 28, 2015

White House releases draft Consumer Privacy Bill

The US "Administration Discussion Draft: Consumer Privacy Bill of Rights Act of 2015" was released yesterday. It follows up on the 2012 "Consumer Privacy Bill of Rights" from President Obama.

The draft bill sets out some basic definitions and principles, such as "reasonable" collection of personal data, and consumer rights, such as access to their own data. For enforcement, it gives the Federal Trade Commission the powers to approve and enforce Codes of Conduct submitted by different industry sectors. So far, the FTC has enforced certain data protection rules under Title V of the FTC act, which prohibits "unfair and deceptive trade practices".

At first glance, the draft has a number of serious issues, especially if you look at it from an EU data protection perspective. A few points are worth mentioning:

1) The bill exempts "Cybersecurity data" from the scope:
The term “personal data” shall not include cyber threat indicators collected, processed, created, used, retained, or disclosed in order to investigate, mitigate, or otherwise respond to a cybersecurity threat or incident, when processed for those purposes."
This does not make any sense. It may be reasonable to allow the processing of personal data for IT security purposes (as certain drafts of the planned EU data protection regulation do), but with this approach, things such as IP addresses are removed from the scope of the privacy bill.

2) The bill is contradictory. It states in section 103:
"If a covered entity processes personal data in a manner that is reasonable in light of context, this section does not apply",
and then in section 104, it says
"Each covered entity may only collect, retain, and use personal data in a manner that is reasonable in light of context."
To me it is completely unclear when section 103 would apply at all...

3) Title III of the bill recycles the "Safe Harbor" term and the idea of self-certification which has consistently been criticised by the European Parliament and privacy experts from around the world since the EU Commission and the US Department of Commerce came up with the Safe Harbor approach in 2000:
"Safe Harbor Protection.—In any suit or action brought under Title II of this Act for alleged violations of Title I of this Act, the defendant shall have a complete defense to each alleged violation of Title I of this Act if it demonstrates with respect to such an alleged violation that it has maintained a public commitment to adhere to a Commission-approved code of conduct that covers the practices that underlie the suit or action and is in compliance with such code of conduct."
At least compliance is required, not just the mere commitment, but the underlying problem is that the FTC would only be able to review submitted codes, not develop and issue its own.

4) The draft would preempt state laws, some of which, such as the Californian one, are stronger than the White House proposal.

5) The bill would exempt start-ups from data privacy requirements for the first 18 months. This will encourage an approach such as "grow quickly and ruthlessly while collecting as much data as you can, and sell to the highest bidder after 18 months". I don't think this is good for a sustainable long-term business strategy.

6) The penalties section (203) is quite interesting, however:
"(1) The civil penalty shall be calculated by multiplying the number of days that the covered entity violates the Act by an amount not to exceed $35,000; or
(2) If the Commission provides notice to a covered entity, stated with particularity, that identifies a violation of this Act, the civil penalty shall be calculated by multiplying the number of directly affected consumers by an amount not to exceed $5,000 (...)"
This could easily exceed the 5% annual global turnover which the European Parliament has set as the maximum penalty in its version of the coming Data Protection Regulation.

This Washington Post article gives a good summary of the reactions (in short: The FTC is not happy, the NGOs are not happy, industry is partially happy, except for the libertarians).

The White House apparently did not manage to find bipartisan congressional sponsors before releasing it, so this and the timing (Friday afternoon) has led some observers to believe already that it's "dead in the water".

Senator Ed Markey, known as a strong privacy defender, has criticised the draft for not doing enough for consumers here. As a result, he has announced that he will present his own draft next week (!).

There will be loads of things to discuss for the European Parliament delegation that will visit Washington mid-March. Among the MEPs taking part are Jan Philipp Albrecht, vice-chair of the Civil Liberties, Justice and Home Affairs Committee and rapporteur for the EU Data Protection Regulation and for the EU-US Data Protection Umbrella Agreement, and Claude Moraes, chair of the same committee and rapporteur for the NSA mass surveillance inquiry and its upcoming follow-up.


Friday, October 03, 2014

The Ballad of Google Spain

The judgement of the European Court of Justice in the Google Spain case from May 2014 has caused a very diverse and intense debate that is far from finished. Though the ruling does not contain this term, it has become known as the "right to be forgotten" ruling, or #R2BF.

The best summary by far has been provided by Paul Bernal. The analysis is very much to the point, but even better: For the national poetry day yesterday, he wrote it in the form of a poem!
The Ballad of Google Spain

There was a case, called ‘Google Spain’
That caused us all no end of pain
Do we have a right to be forgotten?
Are Google’s profits a touch ill-gotten?

read the full poem


TTIP and TiSA: big pressure to trade away privacy

I was asked by Statewatch before the summer to contribute to their collection of essays and analyses on transatlantic relations. I wrote an analysis of the pressure on European data protection and privacy rules, including the strategic discourses and lobbying around it. It is based on the documents that are available so far.

The paper was finally published in September, very timely after the end of the Brussels and Washington summer break.
TTIP and TiSA: big pressure to trade away privacy, Statewatch Analysis 257, September 2014


Saturday, December 14, 2013

layers of the struggle privacy vs surveillance, in my picture of the year

This is the picture of the year for me, on so many different layers: 
Stewart Baker, ex-NSA general counsel, and Jacob Appelbaum, internet freedom activist/hacker/journalist (left, right).
  • They pretty much symbolise the two sides of the global scandal of the year.
  • They also symbolise the attitudes of both sides.
  • This struggle has defined a large part of my professional life in 2013.
  • I was involved in defining much of this struggle (at least on the EU Parliament side) as a large part of my professional life in 2013.
  • I was on a panel with both of them yesterday, which was one of the most unlikely things I ever imagined in my life.
  • This picture is one of the more unlikely pictures of my life that I could ever have imagined being in when it was taken.
  • But hey, I was involved in pulling that panel together.
  • The most basic question, which says it all: With which of these guys would you prefer to hang out, collaborate, and try to change the world? The answers to this one can again be on many layers, but they actually converge on the same answer.
  • [fill in your own layer in the comments / shares] 
(picture by Omer Tene, who also moderated the panel) 

Update, 6 April 2014: Jake and Stewart now finally got into the heated discussion they were supposed to have back in December. 


Sunday, December 09, 2012

EU Commission: No new law enforcement databases needed

In a communication and a press release, somewhat hidden on a Saturday Friday for whatever reasons, European Union Home Affairs Commissioner Cecilia Malmström announced that her services had done an assessment of EU-wide law enforcement information exchange mechanisms. She concluded that
information exchange generally works well, and no new EU-level law enforcement databases are therefore needed at this stage.
This is the first time in a long while that a top-level home affairs official has said that they don't need more new databases. Emphasis is added in the quote for a reason!

This conclusion is based on an "Overview of information management in the area of freedom, security and justice" which the Commission had released in 2010 and which introduced a number of criteria for further policy development in this field:
  • Safeguarding fundamental rights, in particular the right to privacy and data protection
  • Necessity
  • Subsidiarity
  • Accurate risk management
  • Cost-effectiveness
  • Bottom-up policy design
  • Clear allocation of responsibilities
  • Review and sunset clauses
In the new communication, the Commission examines a number of EU-wide information exchange instruments among law enforcement agencies. Oddly enough, they mix existing EU instruments such as Europol and the Schengen Information System (SIS) with projects started by a number of member states which have not yet been Europeanised, such as the Prüm Decision or the European Border Surveillance System EUROSUR.

The Commission also does not address a number of other initiatives and databases that are currently in the legislative pipeline:
  • Eurodac, the database of fingerprints of asylum seekers, where Parliament and Council are currently debating law enforcement access;
  • EU-PNR, the proposed system of EU-wide gathering, profiling, and retention of data on all air passengers entering or leaving Europe (and with an extension to inner-European flights under discussion);
  • Smart Borders, a legislative package probably coming in early 2013, which would collect data about everybody entering and leaving the EU, including fingerprints (Entry-Exit System), and which would allow easier entry into the EU for travellers who were pre-checked and profiled.
The Commission is to be applauded for such a sober look at the state of play in information exchange. Members of the European Parliament as well as several stakeholders had repeatedly asked "when is it enough?" after the Commission, in alliance with the Member States, had pushed through massive surveillance projects such as telecommunications data retention, bulk bank data transfers to U.S. financial intelligence services through the SWIFT agreement, or air passenger mass surveillance through the PNR agreements with Australia and the U.S. Good to finally see a red line here.

However, this raises urgent questions about the need for the above-mentioned measures still in the pipeline. The European Parliament is about to vote on the negotiation mandate for EU-PNR and Eurosur, and on the final agreements for law enforcement access to Eurodac. And one can wonder how the Commission will justify its "smart borders" package next year.

It seems the EU institutions should stop current initiatives and have a more general debate on further databases and information exchange in the field of justice and home affairs. It would make sense to align this with the debates on the work programme of the upcoming Irish Council presidency as well as the legislative reports from the Parliament on the EU data protection reform, both of which will be debated in the Civil Liberties, Justice and Home Affairs Committee on 10th January 2013.