Month: December 2015

The ‘Safe Harbor’ Decision ruled invalid by the CJEU

Safe harbor?!? Not anymore.


Unfortunately, I hadn’t had the time to address the ruling issued by the CJEU last October, by which the ‘Safe Harbour’ scheme, enabling transatlantic transfers of data from the EU to the US, was deemed invalid.

However, due to its importance, and because this blog is primarily intended to be about privacy and data protection, it would be shameful to finish the year without addressing the issue.

As you may be well aware, article 25(1) of Directive 95/46 establishes that the transfer of personal data from an EU Member State to a third country may occur provided that the latter ensures an adequate level of protection. According to article 25(6) of the abovementioned Directive, the EU Commission may find that a third country ensures an adequate level of protection (i.e., a level of protection of fundamental rights essentially equivalent to that guaranteed within the EU under the directive read in the light of the Charter of Fundamental Rights) by reason of its domestic law or of its international commitments.

On that basis, the EU Commission adopted its Decision 2000/520, by which it concluded that the “Safe Harbour Principles” issued by the US Department of Commerce ensure an adequate level of protection for personal data transferred from the EU to companies established in the US.

Accordingly, under this framework, Facebook has been transferring the data provided by its users residing in the EU from its subsidiary in Ireland to its servers located in the US, for further processing.

These transfers and, unavoidably, the Decision were challenged through the reference to the CJEU (judgment in Case C-362/14) following the complaint filed by Max Schrems, a Facebook user, before the Irish DPA and subsequently before the Irish High Court. The main argument was that, considering the access to electronic communications conducted by its public authorities, the US did not ensure adequate protection of the personal data thus transferred.

According to the AG’s opinion, “the access enjoyed by the United States intelligence services to the transferred data constitutes an interference with the right to respect for private life and the right to protection of personal data”.

Despite considering that a third country cannot be required to ensure a level of protection identical to that guaranteed in the EU, the CJEU considered that the decision fails to comply with the requirements established in Article 25(6) of the Directive and that the Commission did not make a proper finding of adequacy but merely examined the safe harbour scheme.

The facts that the scheme’s ambit is restricted to adhering US companies, thus excluding public authorities, and that national security, public interest and law enforcement requirements, to which US companies are also bound, prevail over the safe harbour principles, were deemed particularly decisive in the assessment of the scheme’s validity.

In practice, this would amount to enabling the US authorities to access the personal data transferred from the EU to the US and process it in a way incompatible with the purposes for which it was transferred, beyond what was strictly necessary and proportionate to the protection of national security.

As a result, the Court concluded that enabling public authorities to have access on a generalised basis to the content of electronic communications must be regarded as compromising the essence of the fundamental right to respect for private life.

The Court stated that the decision disregards the existence of such negative interference on fundamental rights, and that the lack of provision of limitations and effective legal protections violates the fundamental right to effective judicial protection.

Upon issuance of this ruling, the Art29WP met and concluded that data transfers from the EU to the US could no longer be legitimized by the ‘Safe Harbor’ decision and, if occurring, would be unlawful.
While its practical implications remain unclear, the ruling undoubtedly means that companies relying on the ‘Safe Harbor’ framework for the transfer of personal data from the EU to the US need to rely, instead, on another basis.

In this regard, considering that not all Member States accept the consent of the data subject or an adequacy self-assessment as a legitimizing legal ground for such cross-border transfers, Model Contractual Clauses incorporated into contracts and Binding Corporate Rules (BCR) for intragroup transfers seem to be the most reliable alternatives in certain cases.

Restrictions on data transfers are obviously also foreseen in the GDPR, which, besides BCRs, Standard Contracts and adequacy decisions, includes new data transfer mechanisms such as certification schemes.

You can find the complete version of the ruling here.

Opinion of the EDPS on the dissemination and use of intrusive surveillance technologies

We need some more surveillance here! (Copyright by Quevaal under the Creative Commons Attribution-Share Alike 3.0 Unported)

In a recently published opinion, the EDPS expressed its concerns regarding the dissemination and use of intrusive surveillance technologies, which are described as aiming “to remotely infiltrate IT systems (usually over the Internet) in order to covertly monitor the activities of those IT systems and over time, send data back to the user of the surveillance tools.”

The opinion specifically refers to surveillance tools which are designed, marketed and sold for mass surveillance, intrusion and exfiltration.

The data accessed and collected through intrusive surveillance tools may contain “any data processed by the target such as browsing data from any browser used on that target, e-mails sent and received, files residing on the hard drives accessible to the target (files located either on the target itself or on other IT systems to which the target has access), all logs recorded, all keys pressed on the keyboard (this would allow collecting passwords), screenshots of what the user of the target sees, capture the video and audio feeds of webcams and microphones connected to the target, etc.”

Therefore, these tools may be used for human rights violations, such as censorship, surveillance, unauthorised access to devices, jamming, interception, or tracking of individuals.

This is particularly worrisome considering that software designed for intrusive surveillance is known to have also been sold to governments conducting hostile surveillance of citizens, activists and journalists.

As they are also used by law enforcement bodies and intelligence agencies, this is a timely document, considering the security concerns dictating the legislative amendments intended to be implemented in several Member States. Indeed, as pointed out by the EDPS, although cybersecurity must not be used for disproportionate impact on privacy and processing of personal data, intelligence services and police may indeed adopt intrusive technological measures (including intrusive surveillance technology), in order to make their investigations better targeted and more effective.

It is evident that the principles of necessity and proportionality should dictate the use of intrusion and surveillance technologies. However, it remains to be assessed where to draw the line between what is proportionate and necessary and what is disproportionate and unnecessary. That is the core of the problem.

Regarding the export of surveillance and interception technologies to third countries, the EDPS considered that, despite not addressing all the questions concerning the dissemination and use of surveillance technologies, “the EU dual use regime fails to fully address the issue of export of all ICT technologies to a country where all appropriate safeguards regarding the use of this technology are not provided. Therefore, the current revision of the ‘dual-use’ regulation should be seen as an opportunity to limit the export of potentially harmful devices, services and information to third countries presenting a risk for human rights.”

As this document relates to the EU cybersecurity strategy and the data protection framework, I would recommend its reading for those interested in those questions. You can find the document here.


What do your Internet connection records reveal about you?

Not anymore!


When I brought up in a conversation the issue regarding the measures intended to be taken by some governments, in particular the access to Internet connection records foreseen in the UK draft Investigatory Powers Bill, I was quite surprised to realise that some people around me seemed to accept that online privacy should be curtailed in order to ensure stronger security, a view with which I strongly disagree.

But more importantly for this post, they did not consider it excessively intrusive.

And then I just realised that, notwithstanding the fact that the Internet is an intrinsic part of our daily lives, many are simply clueless about the detailed digital fingerprint they leave behind, website after website visited, and how revealing that is.

It never ceases to amaze me how, in this Internet dependent era, so many people actually ignore how much information regarding their lives, habits, and ultimately, their privacy is at stake.

It is one thing to ponder the pros and cons of registering on a website or downloading an app and take a decision accordingly. It is another, completely different, thing to simply be unaware of the risks, to not wonder: what is done with this information?… And subsequently to take completely uninformed decisions, and to form and convincingly express opinions on flawed grounds.

Let’s be clear here: to have access to someone’s Internet connection records is to have access to their Internet browsing history!

Yes, the very same history some people delete for the most varied reasons, which essentially amount to one and only one: for it not to be known.

Now consider that there is little in our real life that is not reflected in our online activities. From booking flights and hotels, buying books and clothes, or other less random items, online dating, participating in discussion groups and forums, ‘googling’ in general… Imagine, for instance, googling a specific health condition that is worrying you…

And what can be inferred and the correlations which can be made from those searches and websites accessed… From your interests, to your lifestyle, to your personal life and your health…

And, yes, that includes the most embarrassing little details that your browsing history can reveal.

In this context, I would say that the time and number of times you visited a website would be the least worrisome, but even these can be quite informative, if a pattern emerges.

Only someone who is not familiar at all with the concept of ‘profiling’ of interests and behaviour and the detailed conclusions which can be reached can argue that the access to the browsing history is not sufficiently revealing and intrusive to raise any concerns from a privacy viewpoint.

This is not about having ‘something to hide’ or ‘anything to be ashamed of’. It is about unwilling exposure and the completely unwitting loss of privacy. Even for those who truly believe themselves to be utterly uninteresting, there is certainly something they would rather keep secret. And it is that little bit that should be considered before taking a stance on the issue of government surveillance.

Tech companies: The new assistants of police and security services

Yes, these guys!


It seems that tech companies are what is left standing between citizens’ privacy rights and governments’ surveillance…

This has been demonstrated in the past by Microsoft’s stance regarding access to tech companies’ networks by intelligence agencies and law enforcement authorities, in order to collect information about its users.

More recently, it has been the turn of Apple, which has expressed substantial objections to the proposals intended to update the UK’s surveillance laws in its written submission to the Joint Committee on the Draft Investigatory Powers Bill.

According to the draft, police and security services will be able to access the Internet browsing history of UK citizens, without prior judicial authorisation being required. Moreover, in order to comply with a judicial order, companies could be required to hack devices and accounts to acquire information.

Apple argues convincingly that such measures amount to implementing a ‘back door’, which will weaken the end-to-end encryption methods used by tech companies precisely to protect communications between devices and the associated customer data, thus allowing for easier interception by third parties. As put by Tim Cook himself, “any back door is a back door for everyone”.

One would dare to think that, considering all the news regarding data breaches and hacking, implementing ‘back doors’ would be spontaneously deemed a foolish idea and automatically excluded from discussion.

Apparently not.

It is a common view of many national governments, fuelled by the successive terrorist attacks in Paris, that the strengthening of the capabilities of law-enforcement agencies is required in order to prevent terrorist attacks.

However, the view that privacy should be traded for increased and stronger national security is excessively one-dimensional, as they are not necessarily as closely related as some want them to appear.

Considering that the terrorists involved in those attacks were already well known to the competent authorities, it is difficult to accept how more privacy-intrusive tools, directed at everyone, and which actually entail further exposing citizens to online threats, will help prevent future attacks.

The General Data Protection Regulation – Start the countdown!

Start the countdown. (Copyright by Julian Lim under the Creative Commons Attribution 2.0 Generic)

After years and years of lengthy drafting and negotiating, the European Commission, the European Parliament and the EU Council, following the final negotiations between the three institutions (the so-called “trilogue negotiations”) have, at last, reached a political agreement on the data protection reform package, which includes the General Data Protection Regulation (“GDPR”) and the Data Protection Directive for the police and criminal justice sector, as the Civil Liberties (LIBE) Committee of the European Parliament also approved the text on 17 December.

Formal adoption by the European Parliament and the EU Council is still required though, currently foreseen to take place at the beginning of 2016.

At this pace, and optimistically, the Regulation will finally be published sometime in the middle of 2016.

So let the countdown begin…


Those who have copies of torrid homemade videos, beware!


Safe enough! Not.

As a comeback after this very long pause, I would like to address a recent ruling of a Portuguese court, which followed the complaint of a woman against her ex-boyfriend, alleging revenge porn due to the online release of an intimate video on related websites.

Grosso modo, the details of the case are as follows: the woman and the man had a relationship. During that period, they mutually agreed to video record sexual interactions, on the condition that that record would never be watched by anyone else.

The quality and the angles of the images allowed for a clear identification of the complainant. The man retained a copy of the record and saved it in his personal computer.

After having ended the relationship, the woman found out that the video had been published and further divulged online, where it was freely available, and easily found by a simple and adequate terminological search. Moreover, it was argued that it was viewed by people who personally knew the complainant, namely from her area of residence and workplace.

It was not demonstrated in court that the man was the author of the original online release of the video. As a result, it was not demonstrated that this was a case of revenge porn. However, he admitted that the computer where a copy of the video was saved was frequently used by friends and family members.

On that basis, the court concluded that the man was – due to the abovementioned pre-existing verbal agreement – obliged to keep safe the copy of the video he retained and to perform the acts necessary to that end.

Therefore, by unrestrainedly permitting access to the computer where a copy of the aforesaid recording was saved, it was deemed that he had consequently violated the duty of appropriately guarding it, i.e., by failing to perform the acts he was obliged to.

The court hence ruled that this omission to properly secure sensitive information regarding the complainant entitled the latter to pecuniary compensation.

In my opinion, this unprecedented ruling is very welcome as a necessary judicial answer to the proliferation of revenge porn in the online context.

However, while I am fully aware that it is very difficult to judicially sustain allegations of revenge porn and that neither the responsibility of its authors nor the moral damages of the victims should go unanswered, I am really not sure if the upholding of such claims should rely on the ‘omission’ of an agreed act of keeping a given piece of information secure.

It is evident that nowadays, particularly with regard to computerized information, privacy cannot be dissociated from security. However, recent history demonstrates that even large firms, processing equally sensitive information, with far more resources and despite spending millions on security diligence, are unable to keep personal and sensitive data safe.

Therefore, it must be asked: what can qualify as such an omission when individuals are involved, specifically when it is demonstrated that an individual has no particular knowledge regarding ICT security or is convinced that all the appropriate measures were taken?

In the particular case at stake, it seems that it was the negligence – the permission of access to the computer where a copy of the video was saved – that was deemed determinant to qualify the conduct as a relevant omission.

Nevertheless, considering the lack of objective criteria, would it make a difference if the video was saved on the desktop as ‘wildnightsexwith(girlfriend’sname).mp4’ or if it was in a personal account in the computer and he forgot to log off, thus enabling others to access his personal files?

Anyway, as this is certainly the first of many rulings on similar factual issues, the courts will have plenty of opportunities to clarify the unanswered questions and to define objective criteria – or at least try – in this regard.

© 2017 The Public Privacy
