Month: December 2014

Game of drones or the not so playful side of the use of RPAS for recreational purposes

I am watching you. [1]

If one of the gifts you found underneath the Christmas tree was a drone [2], and it happens to have a camera installed on it, you should prepare yourself to embrace your new status of data controller and face a new set of obligations regarding privacy and safety.

Indeed, whilst drones can be a lot of fun, there are serious considerations at stake which should not be ignored. In fact, the extensive range of their potential applications [3], the proliferation of UAVs with a camera, the collection of data and the subsequent use of such data, namely by private individuals for personal and recreational purposes, raise concerns about the impact of these technologies on safety, security, privacy and the protection of personal data.

As a matter of fact, a drone in itself does not imply the collection and processing of any personal data until you attach a camera to it. However, drones are increasingly equipped with high definition optical cameras and are therefore able to capture and record images of the public space. And while there are no apparent privacy concerns regarding the recording of landscapes, having a drone filming from the sky over your neighbourhood might lead to a very different conclusion. Drones have a high potential for collateral or direct intrusion into privacy, considering the height at which they operate, which allows them to monitor a vast area and to capture large numbers of people or specific individuals. Although individuals may not always be directly identifiable, their identification may still be possible through the context in which the image is captured or the footage is recorded.

It must be noted that people might not even be aware that they are being filmed or by whom and, as a result, cannot take any steps to avoid being captured if such activity is not made public. People may not know that the device is equipped with optical imaging and has recording capabilities. Moreover, because the amateur usage of a drone may not be visible, there is a high risk of it being directed to covert and voyeuristic recording of neighbours’ lives, homes and back gardens. How would you feel if a drone was constantly looming near your windows or in your backyard? Indeed, there is no guarantee regarding the legitimacy of the end to be achieved with the use of drones. Notwithstanding the fact that a drone may actually pose a threat to people’s personal safety, belongings and property, considering that it may fall, its increasing popularity as a hobby highlights the issue of discriminatory targeting, as certain individuals, such as children, young people and women, are particularly vulnerable to an insidious use of RPAS. This is particularly relevant considering that the images or footage are usually intended to be made publicly available, usually on platforms such as YouTube.

Furthermore, the recording may interfere with the privacy of individuals as their whereabouts, home or workplace addresses, doings and relationships are registered. In this context, the use of drones for hobby purposes may have a chilling effect on the use of the public space, leading individuals to adjust their behaviour as they fear their activities are being monitored.

This being so, the use of this type of aerial technology is covered by Article 7 and Article 8 of the EU Charter of Fundamental Rights, which respectively establish the respect for private life and the protection of personal data. Taking into account the abstract nature of the concept of privacy, the main difficulty will be to define when a violation is at stake.

In addition, there are obviously data protection implications at stake where the drone is capturing personal data. EU data protection rules generally govern the collection, processing and retention of personal data. The EU Directive 95/46/EC and the proposed General Data Protection Regulation are applicable to the collection, processing and retention of personal data, except where personal data is collected in the course of a purely personal or household activity. Hence, the recreational use of drones is a ‘grey area’ and stands almost unregulated due to this household exemption.

Nevertheless, due to the risks at stake, both to privacy and to data protection, the extent to which the ‘household’ exemption applies in the context of a personal and private use must be questioned.

In a recent ruling, the CJEU concluded that the partial monitoring of the public space carried out by CCTV is subject to the EU Directive 95/46, even if the camera capturing the images is “directed outwards from the private setting of the person processing the data”. As already analysed here, the CJEU considered that the processing of personal data involved did not fall within the ‘household exemption’ to data protection laws because the camera was capable of identifying individuals walking on a public footpath.

As RPAS operations may be quite similar to CCTV, but more intrusive, because they are mobile, cover a larger territory and collect a larger amount of information, it is no surprise that they may and should be subject to the same legal obligations. Following this ruling, these technologies should be considered as potentially privacy-invasive. Consequently, private operators of drones in public spaces should be ready to comply with data protection rules.

Of course, the footage needs to contain images of natural persons that are clear enough to lead to identification. Moreover, in my opinion, it is not workable, when deciding whether the household exemption applies, to take into account images that were captured collaterally and incidentally. Otherwise, selfies unwillingly or unknowingly including someone in the background could not be freely displayed on Facebook without complying with data protection rules. The footage must constitute a serious and systematic surveillance of individuals and their activities.

Therefore, information about the activities being undertaken and about the data processing (such as the identity of the data controller, the purposes of processing, the type of data, the duration of processing and the rights of data subjects) shall be given to individuals where this does not involve disproportionate efforts (principle of transparency). Moreover, efforts should be made to minimise the amount of data obtained (data minimisation). Finally, the controller might need to ensure that the personal data collected by the drone camera is anonymised, is only used for the original purpose for which it was collected (purpose limitation), is stored adequately and securely and is not retained for longer than is necessarily required.

In this context, individuals having their image captured and their activities recorded by the camera of a drone should be given guarantees regarding consent, proportionality and the exercise of their rights to access, correction and erasure.

That said, depending on where you are geographically located in the EU, there are obviously different rules regarding the legal aspects related to the use of drones. It is therefore important for individuals intending to operate a drone to get informed and educated about the appropriate use of these devices and the safety, privacy and data protection issues at stake in order to avoid unexpected liability.

References

[1] Copyright by Don McCullough under the Creative Commons Attribution 2.0 Generic.
[2] The term drone is used to describe any type of aircraft that is automated and operates without a pilot on board, commonly described as unmanned aerial vehicles (UAV). There are two types of drones: those which can autonomously follow pre-programmed flight routes and those which are remotely piloted aircraft systems (RPAS). Only the latter are currently authorised for use in EU airspace.
[3] Although drones were first used for military activities, they are increasingly used across the EU for civilian purposes. The civil use usually refers to those commercial, non-commercial and government non-military activities which are more effectively or safely performed by a machine, such as the monitoring of rail tracks, dams, dykes or power grids.

Season’s greetings

Heidi also wishes Happy Holidays :)

Dear readers,

I wish you all a very Happy Holiday season and a peaceful and prosperous New Year.

CCTV: household security or how to be a data controller at home

CCTV, walking the thin line of protecting yourself or becoming a data processor. [1]

Having suffered several attacks, in which the windows of the family home had been broken on several occasions by persons unknown, Mr Ryneš, a Czech citizen, installed a CCTV camera under the eaves of his home. In a fixed position, the camera recorded the entrance to his home, the public footpath and the entrance to the house opposite. The system allowed only a visual recording, which was stored on a hard disk drive. On reaching its full capacity, the device would record over the existing recording, erasing the old material. Although the images were not monitored in real time, this video surveillance system made it possible to identify two suspects, who were subsequently prosecuted.

However, despite the happy outcome, the operation of this camera system, installed by an individual at his home for the purposes of protecting the property, health and life of the owner and his family, raised some questions due to the continuous recording of a public space.

One of the suspects challenged the legality of Mr Ryneš’s recording of the images. The Czech Data Protection Authority (hereafter DPA) considered that this operation infringed data-protection rules because the collection of data on persons moving along the street or entering the house opposite occurred without their consent; individuals were not informed of the processing of that personal data, the extent and purpose of that processing, by whom and by what means the personal data would be processed, or who would have access to the personal data; and the processing had not been reported to the Office, as was mandatory.

Mr Ryneš brought an action challenging that decision in court, which was dismissed. The case was appealed to the Czech Supreme Administrative Court which referred to the Court of Justice of the European Union (hereafter CJEU) for a preliminary ruling.

In this context, in its judgment in Case C-212/13, the CJEU addressed the application of the ‘household exception’, for the purposes of Article 3(2) of Directive 95/46/EC, which refers to the data processing carried out by a natural person in the course of a purely personal or household activity.

The CJEU considered that the image of a person recorded by a camera constitutes personal data within the meaning of the Directive 95/46 inasmuch as it makes it possible to identify the person concerned.

Moreover, the Court considered that video surveillance falls within the scope of the above-mentioned Directive in so far as it constitutes automatic processing, i.e., an operation which is performed upon personal data, such as collection, recording or storage.

Considering that the main goal of this Directive is to guarantee a high level of protection of the fundamental rights and freedoms of natural persons, in particular their right to privacy, as foreseen in Article 7 of the EU Charter of Fundamental Rights, the CJEU recalled that derogations and limitations must be strictly necessary.

Therefore, the Court deemed that the ‘household exception’ must be narrowly construed and is applicable only when the data processing activity is carried out in a ‘purely’ private and household context, even if it incidentally concerns the private life of other persons, as with correspondence and the keeping of address books.

In this context, the CJEU concluded as follows:

(…) the second indent of Article 3(2) of Directive 95/46 must be interpreted as meaning that the operation of a camera system, as a result of which a video recording of people is stored on a continuous recording device such as a hard disk drive, installed by an individual on his family home for the purposes of protecting the property, health and life of the home owners, but which also monitors a public space, does not amount to the processing of data in the course of a purely personal or household activity, for the purposes of that provision.

However, Mr Ryneš’s concerns, which motivated the installation of the camera, were not overlooked by the CJEU. Indeed, the Court pointed out that the Directive itself allows, where appropriate, the legitimate interests pursued by the controller to be taken into consideration, such as the protection of the property, health and life of his family and himself. This reflection is in line with the Opinion of the Article 29 Working Party in this regard, where security was mentioned as an example of a legitimate interest of the data controller.

This implies that, even if the household exception is not applicable in this very particular case, a CCTV camera recording activity such as the one in the proceedings may be lawful in the light of Article 7(f) of the Directive. That said, the referring court will now have to take this interpretative guidance into consideration and decide whether the recording and processing at stake were legitimate, for instance in regard to Article 10 of the instrument. It is possible that the Czech court may still consider that the absence of any information provided to the public regarding the recording (individuals were not informed of the processing of that personal data, the extent and purpose of that processing, by whom and by what means the personal data would be processed, or who would have access to the personal data) and the fact that this processing was not reported to the Office constitute a breach of the data protection rules.

This is particularly relevant considering that, precisely for security purposes, individuals are equipping their households with CCTV systems which capture public space. Only time will tell how this decision will be applied to individuals in practice. Most certainly, DPAs across the EU will update their recommendations regarding the balance between the necessity of recording and storing the data to pursue an interest deemed legitimate and the interests and fundamental rights and freedoms of the data subject.

At this point, it is to be expected that householders who have surveillance cameras that capture public space will need to ensure that their collection and further use of any footage which contains images of identifiable individuals complies with the data protection requirements. Thus, they will, for instance, at least have to inform people of this monitoring and ensure that no footage is illegally retained.

References

[1] Copyright by Nïall Green under the Creative Commons Attribution-Share Alike 1.0 Generic.

The not so privacy orientated new privacy policy of Facebook

Am I really in charge?

Following all the criticism regarding the complexity of its terms of service and privacy policy, and allegedly in order to get more people actually reading and understanding the terms which must be agreed to for the use of the service, Facebook announced last month an update (yes, again) of its privacy policy. This time it is a visually clearer, shorter, linguistically simplified and more understandable version. If you have a Facebook user account, you have certainly already received a notification regarding this update, which will enter into force on 1 January 2015.

In a section entitled ‘Privacy Basics’, users are told how to control what is to be shown to others, how they might interact with others and what may be shown in their news feed, how to control the visibility of their profile, and how to deactivate or delete their account. This new policy even includes a childlike assistant to guide users through these explanations.

On the terminological side, ‘public information’, which was previously defined as “the information you choose to make public, as well as information that is always publicly available”, is now defined as “any information you share with a public audience, as well as information in your Public Profile, or content you share on a Facebook Page or another public forum”.

However, not much actually changes. Indeed, this more user-friendly appearance does not really give users more control over their data. In fact, it does not give much at all. Users might control their data with regard to others, but Facebook and its commercial partners are certainly not included in the concept of ‘others’. Reading the data policy regarding the type of data which is collected and the use of such data is quite self-explanatory in this regard.

To be sure, the users’ settings haven’t been changed. Nevertheless, on a positive note, the user now gets to better understand how Facebook tracks its users. For instance, it is specified that Facebook may collect location information from users of its mobile apps through GPS, Bluetooth or WiFi networks.

In this regard, although users can decline or opt out of sharing information with third party applications or for targeted advertising purposes based on their browsing habits off the network, they have no control over the information that is collected and shared. In truth, no changes were made regarding how much data Facebook collects from its users.

In fact, Facebook has full access to all the information made available about its users, both provided by users themselves while updating their profiles and by their friends. Moreover, Facebook can use this information namely to provide and develop its Services (yes, with a capital letter) and to promote and evaluate successful advertising. Unless the user is entirely disconnected from the platform (closing the tab does not suffice), Facebook is therefore able to access all information provided on websites or in applications which use its Services, gathering data on websites visited by its users and their behaviour on those websites. This will be the case, for instance, of Instagram or WhatsApp.

Likewise, as Facebook now accepts payments to be made on the platform, it can use information people share regarding their purchases and financial transactions to better target advertisements. For example, according to the update, the company collects information on each purchase, including payment information such as credit or debit card data, account authentication information, billing, shipping, and contact details. In addition, users are not given the option to control what information is being used for advertising purposes.

Furthermore, users can customise their ad preferences in order to make the advertisements which are shown to them more relevant. Therefore, a user will be able to decide whether or not to see advertisements based on a particular interest. While most users may appreciate this new option, the main beneficiary is ultimately Facebook itself, as it allows advertisers to differentiate between successful and irrelevant ads. However, it must be noted that users will still not be able to control the data collection resulting from targeted advertising, but only how much targeted advertising is presented to them.

What is more, Facebook continues to get location information in order to allegedly present more relevant information regarding, for instance, friends or restaurants nearby. As you may know already, if you at some point read the previous version of the terms of service, advertisements were usually presented based on the location listed in a user’s profile. Facebook now proposes to enable advertisers to target users based on their actual location.

That said, Facebook has always been associated with issues regarding its privacy policy and terms of service, which were always deemed to be too complex for the common user. However, I believe that this complexity was not the main reason why most of its users are not aware of the purposes for which their data is used. My experience tells me that, regardless of how simple they are, and contrary to their best interests, not many people will actually read any terms and conditions of any service. Similarly, these updates to the terms and conditions will certainly not be read by many. And for those who will, it will surely not make them turn away from the social platform.

Facebook is already a very relevant part of its users’ lives, businesses and online interactions. Perhaps most users have accepted that, beyond being a space where friends and family can interact, it is primarily a business intended to deliver effective advertisements by using the information provided by its users. Or perhaps people just don’t care.

Nevertheless, it must be noted that the consent given by users does little for their privacy. Individual consent is rarely exercised as a meaningful choice. And by ‘meaningful’ I mean with awareness and understanding of the implications and consequences of their consent.

Either way, the outcome is as follows: while people continue to use Facebook to interact with their family and friends, Facebook is not the product. Users are.

(Un)Safe Harbour

Safe harbour for whom?

As a general rule, the EU Data Protection Directive (Directive 95/46/EC) prevents businesses from transferring personal data from the EU to third countries. Therefore, EU citizens’ personal data cannot be processed or hosted outside the EU unless those countries provide an adequate level of data protection. This adequacy requirement is met only when the European Commission recognises the data recipient country as providing an adequate level of protection. These decisions are commonly referred to as ‘adequacy decisions’.

It is deemed that the USA does not meet the above-mentioned EU adequacy requirement, i.e., does not provide an adequate level of protection for data transfers to be accepted. Nevertheless, data can still be transferred from companies located in the EU on the basis of the Safe Harbour mechanism. In fact, on the basis of the EU Data Protection Directive, the European Commission adopted a Decision (the “Safe Harbour decision”) recognising that the Safe Harbour Privacy Principles and the ‘Frequently Asked Questions’ provide adequate protection for the purposes of personal data transfers from the EU to the USA.

The EU-USA Safe Harbour is an agreement concluded in 2000 which enables European data controllers to transfer personal data for commercial purposes from companies located in the EU to companies in the USA that have signed up to the Principles. The framework aims to ensure that such transfers duly comply with EU data protection law. To that end, USA companies intending to lawfully receive personal data from the EU are required to self-certify that their personal data policies and practices comply with the Safe Harbour. Companies which voluntarily adhere to a set of principles issued by the Federal Trade Commission (FTC) are therefore presumed to qualify for the Safe Harbour ‘adequacy’.

This Framework has been greatly criticised since its implementation. Indeed, the Safe Harbour scheme has been used for the transfer of the personal data of EU citizens from the EU to the USA by companies required to hand over data to USA intelligence agencies under the USA intelligence collection programmes. Moreover, some EU Data Protection Authorities expressed strong reservations about the rigour of the Safe Harbour framework, namely regarding the self-certification requirement. These concerns were echoed in the opinion of the Article 29 Working Party on Cloud Computing issued in July 2012, where it was suggested that EU data exporters could not rely on cloud providers’ self-certification regarding compliance.

As a result, it is no surprise that the framework has been reviewed twice, back in 2002 and 2004. Nevertheless, the Safe Harbour framework was endorsed by the European Commission, in January 2012, regarding the draft Data Protection Regulation, where adequacy decisions taken under the current Directive 95/46/CE would remain in effect unless amended, repealed or replaced by the Commission.

By contrast, the European Parliament’s LIBE (Civil Liberties, Justice and Home Affairs) Committee has proposed amending the proposal so that such adequacy decisions would only remain in force for five years after the Regulation comes into effect.

In the wake of the Snowden revelations regarding the USA covert surveillance programme, PRISM, for the large-scale interception of and access to the electronic communications of EU citizens, namely personal data that was transferred to online service providers in the USA under the Safe Harbour, the European Data Protection Authorities (DPAs) and the European Commission have increasingly expressed serious concerns regarding the safety of this agreement.

This led Viviane Reding, former Justice Commissioner, to argue that “the Safe Harbor agreement may not be so safe after all” and that it “could be a loophole for data transfers because it allows data transfers from EU to U.S. companies – although US data protection standards are lower than our European ones.” Viviane Reding further announced that the Commission would conduct an assessment of the EU-USA Safe Harbour agreement.

In July 2013 the European Parliament considered that the PRISM programme constituted a “serious violation” of the Safe Harbour agreement and called on the European Commission to review the framework. Last March, following its report on mass surveillance activities, the European Parliament approved a resolution calling for the reversal or suspension of the EU-USA Safe Harbour scheme, considering that it fails to provide adequate protection for EU citizens.

Meanwhile, in November 2013, the European Commission put forward a series of 13 recommendations for the USA to put into practice, which would make the Safe Harbour safer if implemented. Nevertheless, the most controversial features of the framework, such as the voluntary adherence, were not adequately addressed. The expected conclusion of the discussions on the 13 recommendations proposed by the European Commission was set for the end of last summer. The deadline passed without any further developments.

Last June, following a complaint brought by the Austrian campaign group Europe v Facebook regarding the company’s part in the NSA’s mass electronic surveillance programme, an Irish court (Facebook’s international headquarters are in Ireland) referred to the Court of Justice of the EU the question of the compliance of the Safe Harbour with the EU Charter of Fundamental Rights.

There has been extensive debate regarding the future of the Safe Harbour, considering that some DPAs no longer recognise it as a valid data transfer mechanism. DPAs can exceptionally suspend data transfers based on the Safe Harbour, namely when it is likely that the Safe Harbour Principles are being violated. To date, no DPA has done so. Considering the serious economic implications, I think that it is very unlikely that the Safe Harbour will be suspended or reversed. In the meantime, the decision of the European Commission on the adequacy of the Safe Harbour remains in force until specifically repealed or changed.

Věra Jourová, the new Justice Commissioner, has already expressed strong doubts about the security of the Safe Harbour mechanism. However, she did not favour a suspension or a cancellation of the programme. Andrus Ansip, the new Commissioner for the Digital Internal Market, for his part, did not exclude that possibility.

The impact of the CJEU ruling invalidating the EU Data Retention Directive

Data retention heh!? Tricky business.

Data retention has been increasingly perceived as a criminal justice and law enforcement tool in the EU in the past years. As a matter of fact, the EU Data Retention Directive (the Directive 2006/24/EC) was adopted in the wake of the London bombing attacks, back in 2005, despite the fact that data retention would not actually have any relevant effect on the tragic event.

Nevertheless, the Directive requires EU Member States to compel telecommunications and Internet service providers to retain considerable amounts of communications data – including landline phones, mobile, fax and email – regarding individuals within the EU, even those never suspected of committing a crime, for a minimum period of six months and up to two years, for law enforcement purposes, namely regarding investigations of serious crimes and terrorism.

The data thus collected and retained allows for the identification of all the people with whom a user has communicated, the means employed, and the time, the place and the frequency of those communications. Therefore, despite not permitting access to the content of the communications as such, this data nonetheless provides detailed information on the private lives of individuals, amounting to an evident interference in their private sphere.

The question to be asked, then, was: is this interference acceptable in the light of the EU Charter of Fundamental Rights?

In this regard, Article 52 of the Charter states that restrictions upon the rights foreseen in the Charter must be established by law, respect the core of the right, be subject to the principles of proportionality and necessity, aim to fulfil public interest objectives and be balanced with the rights and freedoms of other individuals.

As you certainly well remember, last April the Court of Justice of the European Union (hereafter CJEU) ruled on the entire invalidity of the above-mentioned Directive in the light of the EU Charter of Fundamental Rights, namely the rights to privacy and data protection, respectively foreseen in its Articles 7 and 8.

Having this in consideration, and recognising that there was a public safety interest underlying such intrusion, the Court focused instead on whether such interference could be somehow justified. In this regard, the Court concluded that such collecting, processing and accessing of personal data by authorities did not comply with the principles of necessity and proportionality and, therefore, constituted an unjustified and serious interference with the fundamental rights to privacy and data protection. Indeed, by requiring the mass retention of all communication traffic of all individuals in the EU, including those innocent or not suspected of any crime, the instrument was considered to go beyond what is strictly necessary for a criminal investigation.

In this context, the broad scope of the Directive, given that it refers to all means of electronic communication; the broad time period set for retention; the lack of clear rules limiting the access and use of data by authorities; the absence of an obligation to destroy the data once the retention period expires; the dissatisfying level of protection of the data from unlawful access and use; and the possibility of storage outside the EU territory were deemed particularly problematic.

This ruling has a far-reaching impact at many levels. As a direct consequence, the Data Retention Directive is deemed to be void and a new Directive will have to be built from scratch. Moreover, this ruling seems to oppose the practice of mass surveillance under existing EU legislation and the ongoing reforms, with an obvious direct effect on agreements concluded by the EU with third countries. Indeed, it raised some practical issues regarding the data retention laws implemented by EU Member States and the validity of international agreements which require the retention of personal data, such as the PNR frameworks.

One of the main issues at stake is that, although many years have passed since the deadline foreseen for its implementation, the Directive has still not been fully implemented by all Member States. In fact, several Member States were subjected to infringement proceedings for failing to implement national legislation in due time. Nevertheless, those which have fully implemented the Directive were not able to achieve full harmonisation, due to the vagueness of concepts such as ‘competent national authorities’ and ‘serious crime’ and the broad range allowed for the data retention period. So much for the intended harmonisation.

Moreover, as the Data Retention Directive amended the e-Privacy Directive to remove prohibitions on data retention, this invalidation implies that the previous version of the e-Privacy Directive is again applicable. Member States no longer have the obligation to retain data pursuant to the Data Retention Directive. In fact, national measures transposing the Directive will need to be amended.

Where a national court has doubts about the compatibility of national law with EU law, the proceeding for a preliminary ruling by the CJEU must be initiated. Alternatively, once domestic remedies have been exhausted, a claim could be addressed to the ECtHR. In any case, the European Commission or another Member State is entitled to initiate an infringement procedure where national measures violate EU law, or in case of incomplete, inadequate or missing transposition.

Furthermore, in 2011, the European Commission published a proposal for the EU Passenger Name Record (PNR) Directive, currently under negotiation, which would require air carriers operating flights between the EU and third countries to transfer PNR data to the national authorities of the Member State of departure or arrival. In the light of the abovementioned ruling, the envisaged text will not be able to stand. For instance, the data retention period of five years is clearly not acceptable.

Additionally, the legality of several international agreements which include data retention schemes, whether already in force or merely proposed, has been questioned. For instance, an Irish court referred to the CJEU the question of whether the EU ‘Safe Harbour’ arrangement on data protection with the USA is compatible with the rights to privacy and data protection.

Last month, the European Parliament voted to refer the EU-Canada PNR agreement, which is currently being renegotiated, to the CJEU for an opinion, in order to assess its compliance with the EU Charter of Fundamental Rights. The Treaty of Lisbon allows the European Parliament to refer to the CJEU the question of the compatibility with EU law of a draft agreement to be concluded by the EU with third States on police or criminal law cooperation. In this regard, the EU-Canada agreement may not be concluded before a ruling on its compatibility with EU law is issued, because the consent of the European Parliament is now required for the conclusion of such international agreements.

Where does all this leave us?

Well, currently the EU has negotiated PNR data sharing agreements with the USA, Australia, and Canada.

In the light of Snowden’s revelations regarding the extent of spying by the American National Security Agency (NSA), the agreement with the USA regarding the transfer of air passengers’ data for flights from the EU to the USA has raised serious concerns within the EU, notably due to the access to the PNR database by the USA government for purposes other than fighting terrorism.

In this context, the ruling requested by the European Parliament regarding the EU-Canada agreement would indirectly establish if the EU/USA and EU/Australia agreements and the proposed EU PNR Directive do or do not violate those rights as well.

Following the rulings regarding the Data Retention Directive and the ‘right to be forgotten’, future judgements regarding data collection, processing and transfers are most certainly welcome, as they are expected to cast some light on the legality or illegality of the existing or upcoming PNR frameworks.

What would happen if the CJEU were to rule that all these international agreements are in breach of the rights to privacy and data protection? Now that they are already in force, the application of such agreements would need to be challenged by individuals via their national courts, or the European Parliament would have to require the other EU institutions to ensure full respect of the EU Charter of Fundamental Rights by denouncing the agreements at stake.

Consequently, all instruments dealing with data retention will have to be subject to necessity and proportionality tests in order to assess their compliance with the EU Charter of Fundamental Rights. Therefore, the requirements set in the ruling will unavoidably challenge the EU PNR proposal. Similarly, other EU-USA agreements, such as the agreement on access to financial data under the USA Terrorist Finance Tracking Programme (TFTP), will need to be tested for compliance with the standards set by the judgement.

Moreover, an analysis of the compliance of other legislative proposals might need to be conducted, namely regarding the proposals for an entry-exit system to track non-EU nationals crossing EU borders, for the European Terrorist Financing Tracking System and for governments’ access to the Eurodac database.

History has shown us that PNR data has turned into an attractive source for governments to obtain personal data regarding individuals. EU institutions should therefore question the necessity and proportionality of these and similar schemes of data collection, data retention and bulk transfers to third countries, and review the draft and existing legislation, frameworks and agreements to ensure that they comply with the EU Charter of Fundamental Rights.

(On this subject, I recommend reading the following study, commissioned by the Group of the Greens/EFA in the European Parliament on the initiative of the MEP Jan Philipp Albrecht.)

Update: The title was modified because, due to a lapse, it referred to the Data Protection Directive, instead of the Data Retention Directive.

The very predictable end of the Google News service in Spain

This web page in Spain… no más!

Google has announced that, in a few days, it will remove Spanish news publishers’ content from its Google News service and close this service in Spain.

Well, this is hardly a surprise. In fact, it was actually the most expected outcome, considering the amendments to the Spanish intellectual property law passed last October. As you might well remember, this law requires Spanish publishers to charge a compulsory licensing fee for the use of snippets of text from their articles by news aggregators. As a consequence, newspapers no longer simply get to choose to have their publications included on Google News (after all, it is free publicity and generates traffic and revenue): this law now also compels them to be paid for it.

This extraordinary piece of legislation was intended to succeed where a similar German law (the ancillary copyright law), introduced in 2013, had previously failed. To prevent publishers, once they realised the loss of traffic associated with not being indexed on Google News, from voluntarily waiving their right to a licensing fee, an unprecedented inalienable right to payment was created, meaning that no one could allow the use of snippets for free. However, considering that, from the very first draft, it was particularly directed at Google, this law is now pre-empted before even entering into force on the first day of January.

That said, it is quite easy to predict that 2015 will not start well for Spanish publishers. Not only won’t they be able to obtain from Google the desired fees for the use of excerpts from their publications, but they won’t be able to benefit either from the traffic directed to their websites and the associated advertising revenue. This will certainly affect most the weakest existing publishing businesses and the startups intending to enter the publishing market.

Perhaps learning something from this would not be such a bad new year’s resolution for the EU and for other Member States regarding similar legislative initiatives.

The Sony data breach: when fiction meets reality?

You better believe SONY. You have been HACKED!

It is not the first time that Sony has suffered a massive cyber attack. Back in 2011, vulnerabilities found in its data servers allowed its PlayStation online network service to be hacked, enabling the theft of names, addresses and credit card data belonging to 77 million user accounts.

A few days ago, Sony Pictures’ computer systems were hacked again, allegedly by a group of hackers calling themselves Guardians of Peace. As a consequence, a humongous amount of data was leaked to the Internet, including confidential details, such as medical information, salaries, home addresses and social security numbers, regarding 47 thousand Sony employees and former employees, including Hollywood stars, as well as contracts, budgets, layoff strategies, scripts for movies not yet in production, full-length unreleased movies and thousands of passwords.

The reason remains unclear. Despite a North Korean representative’s denial of any involvement of that country, it is being speculated that this attack is a retaliation by the North Korean government in response to an upcoming Sony comedy, ‘The Interview’, starring actors Seth Rogen and James Franco, which depicts an assassination attempt against North Korea’s leader Kim Jong-un. If Hollywood comedies are now deemed a sufficient reason to conduct cyber-attacks in real life, fiction and reality are meeting in a very wrong way.

In any case, considering the volume and the sensitive nature of the information disclosed, this may actually be one of the largest corporate cyber attacks ever known.

It is a sharp reminder that hacking attacks can be directed at any company and can take all forms, equally damaging. This attack demonstrates once again that not only critical infrastructure is at risk. Sony Pictures Entertainment is one of the largest studios in Hollywood. It is really not the expected victim of a cyber-attack. However, it was easy prey, as its business decisions regarding information security had been publicly stated on previous occasions. Despite their ludicrous nature, I guess someone took those comments seriously.

Considerations regarding the absurdity of having a file directory named ‘Passwords’ aside, this attack highlights that data breaches are one of the major threats that companies face nowadays. Cyber attacks are conducted against companies of all sizes. Large companies do eventually recover from these breaches. Small businesses generally struggle to pull through after suffering a cyber-attack. It is therefore essential that businesses implement a solid cyber-security programme, namely by conducting regular self-hacking exercises to assess the vulnerabilities of their security systems in order to prevent a potential breach.

What about Sony? Well, the value of the damages to its employees is incalculable, considering that their identities may be stolen, their bank accounts may be compromised and their houses may be robbed. Only time will tell if and how it will recover.

© 2017 The Public Privacy