EU-US Safe Harbour For Personal Data Eliminated

The European Court of Justice (CJEU) handed down a decision declaring EU-US safe harbour for personal data invalid this morning. It has far-reaching implications for cloud services in particular and may presage increased opportunity for open source solutions from non-US suppliers. Looks like a real gift to companies like Kolab.

Here’s my first reaction on reading the sources. Let me know what I have wrong & I’ll fix it. In the Opinion of the Advocate General (who takes a broader but compatible view), he said:

¶183. I am therefore of the view that Decision 2000/520 must be declared invalid since the existence of a derogation which allows in such general and imprecise terms the principles of the safe harbour scheme to be disregarded prevents in itself that scheme from being considered to ensure an adequate level of protection of the personal data which is transferred to the United States from the European Union.

The court supported that view. That decision strikes down the “Safe Harbour” arrangement that allows companies to treat the USA as equivalent to a European state for the purposes of data protection and privacy.

How The Harbour Broke

Why did they reach that decision? The discussion by the Advocate General is more enlightening than the Court’s judgment, which simplified the matter. The core reason for the AG is that the USA has been found to perform indiscriminate mass surveillance against non-citizens. The key discussion is in paragraphs 198-202:

¶198. I note, in that regard, that the access which the United States intelligence authorities may have to the personal data transferred covers, in a generalised manner, all persons and all means of electronic communication and all the data transferred, including the content of the communications, without any differentiation, limitation or exception according to the objective of general interest pursued. (79)

¶199. Indeed, the access of the United States intelligence services to the data transferred covers, in a comprehensive manner, all persons using electronic communications services, without any requirement that the persons concerned represent a threat to national security. (80)

¶200. Such mass, indiscriminate surveillance is inherently disproportionate and constitutes an unwarranted interference with the rights guaranteed by Articles 7 and 8 of the Charter.

¶201. As the Parliament has correctly observed in its observations, since it is excluded for the EU legislature or the Member States to adopt legislation, contrary to the Charter, providing for mass and indiscriminate surveillance, it must follow, a fortiori, that third countries cannot under any circumstances be regarded as ensuring an adequate level of protection of personal data of citizens of the Union where their rules of law do in fact permit the mass and indiscriminate surveillance and interception of such data.

¶202. It should be emphasised, moreover, that the safe harbour scheme, as defined in Decision 2000/520, does not contain appropriate guarantees for preventing mass and generalised access to the transferred data.

Further, the AG found (and the Court agreed) that, while there are mechanisms to ensure that the declaration of safe harbour itself is valid (¶19), there is no authority ensuring that any necessary exceptions to privacy once the data is shared in the USA are appropriate and proportionate:

¶208. It should therefore be found that within the safe harbour scheme provided for by Decision 2000/520 there is no independent authority capable of verifying that the implementation of the derogations from the safe harbour principles is limited to what is strictly necessary. Yet we have seen that such control by an independent authority is, from the point of view of EU law, an essential component of the protection of individuals with regard to the processing of personal data.

He also found that there is no way for European citizens to intervene in the abuse of their personal data by the US authorities as there is for them in Europe.

¶212. Furthermore, the Commission has itself pointed out that there are no opportunities for citizens of the Union to obtain access to or rectification or erasure of data, or administrative or judicial redress with regard to collection and further processing of their personal data taking place under the United States surveillance programmes.
¶213. It should be observed, last, that the United States rules on the protection of privacy may be applied differently to United States citizens and to foreign citizens.

They found that the European Commission should itself have reviewed and suspended the safe harbour, particularly in the light of the (largely undisputed) revelations by Edward Snowden of indiscriminate mass surveillance of foreign nationals by the NSA. The court also found that the lack of any competent authority to supervise the safe harbour arrangements and hear binding appeals made 2000/520 invalid anyway.

Questions directly arising

  • Can any EU company now legally engage a US supplier for cloud or web application services, given relationships with US authorities are beyond contractual remedy?
  • If they do, is consent from every data subject necessary?
  • Given US courts claim jurisdiction over any subsidiary of a US corporation regardless of location even without routine data transfer to the USA, can any EU business use the services of a US company even when the work is conducted entirely in Europe?
  • If they do, is consent from every data subject necessary?
  • If the EC made a fresh determination to replace 2000/520, would that heal everything given the existence of NSA surveillance is unlikely to disappear?
  • Can any remedy be made until the US gives EU citizens standing to challenge use of their personal data in the USA in its courts?
  • If it does, will the EC need to regularly re-evaluate its determinations?

The Storm That Broke The Harbour

The journey to that decision is itself important. The original question asked by the High Court of Ireland concerned whether the Data Protection Commission for Ireland was entitled to make any rulings at all about the efficacy of safe harbour given the European Commission had already made a Union-wide declaration, “in the light of factual developments in the meantime since that Commission Decision was first published.”

This took place during the final appeal phase of a claim in Ireland by Maximillian Schrems of Austria that the sharing of his personal data by Facebook Ireland with its parent company Facebook Inc was in breach of European data protection despite Facebook’s compliance with the safe harbour arrangements. The Irish Data Protection Commissioner had dismissed the claim, but Schrems won judicial review of the decision on the basis that the revelations of Edward Snowden revealed the safe harbour was not in fact adequate for data protection.

The Irish High Court itself found important facts. First, it established that Snowden’s revelations should be considered factual:

¶36. According to the High Court, it is clear from the extensive exhibits accompanying the affidavits filed in the main proceedings that the accuracy of much of Edward Snowden’s revelations is not in dispute. The High Court therefore concluded that, once personal data is transferred to the United States, the NSA and other United States security agencies such as the Federal Bureau of Investigation (FBI) are able to access it in the course of a mass and indiscriminate surveillance and interception of such data.

Were the only issue the law of Ireland, there would have been no need for clarification:

¶37. The High Court notes that in Irish law the importance of the constitutional rights to privacy and to inviolability of the dwelling requires that any interference with those rights be in accordance with the law and proportionate. The mass and undifferentiated accessing of personal data does not satisfy the requirement of proportionality and must therefore be considered contrary to the Constitution of Ireland.

But the Irish Commissioner had asserted that, since the European Commission had already asserted the existence of a safe harbour, he could not intervene on behalf of Schrems.

¶50. The Commissioner considered that the very existence of a Commission decision recognising that the United States ensures an adequate level of protection under the safe harbour scheme prevented him from investigating the complaint.

As a result, the CJEU had first to decide whether a national data protection authority was pre-empted by the European Commission. If it was not, it then had to decide whether, in the case of the US safe harbour, a national authority should in fact override the EC safe harbour. As explained above, the latter decision was indeed taken:

… a decision … such as Commission Decision 2000/520/EC … on the adequacy of the protection provided by the safe harbour privacy principles … does not prevent a supervisory authority of a Member State … from examining the claim of a person concerning the protection of his rights and freedoms in regard to the processing of personal data relating to him

That also has to raise questions within Europe. Given GCHQ also allegedly engages in mass surveillance, are transfers between, say, Germany and the UK also safe transfers? Having established that national authorities retain the competence to investigate complaints, surely some could now start questioning transfers across the Union as well as those outside it?

On Equality

Extract from an imaginary equality policy:

The only life experience any of us can truly know is ourself. We perceive others as objects outside ourselves, so it’s easy to forget that we are all different selves, that we each experience life as a self isolated from all others communicating through our senses and memory, and that other people’s selves are just as real — and valid — as our own.

The principle that we are free to hold whatever views we want and to act on them to the extent they do not harm others applies universally. When we act on our own views in ways that harm or significantly affect others, it is not acceptable to assert in defense things like:

  • “they are a minority so they have to accept the majority view”,
  • “they are the majority and we are a minority that is entitled to offend”,
  • “people like us are harmed far more often than people like them”,
  • “people like them usually harm people like us”
  • “their view is so wrong I need not respect it”
  • and especially “my view has absolute authority stemming from within my belief system”.

Everyone is an individual and every individual deserves the respect we expect ourselves. We treat each person as a respected individual, not as a token of their classification in our eyes.

A good rule of thumb is that if we feel the views of others are offensive, they probably feel our own views are offensive as well, a view they are completely entitled to when they do not act on it to harm us. If we wish to have our freedom to own and express our views protected, we must also actively respect — preferably protect — the rights of others to the same freedom.

Odd Fish

We’re all odd fish

Remembering Payday

Wanting to remember to run the payroll for my company, I was amazed to discover that Google Calendar offers no way in its user interface to create a recurring calendar entry for the last weekday of each month. As it turns out, this is one of the examples actually quoted in the iCalendar standard, RFC2445 (on page 43; the standard has since been superseded by RFC 5545, which keeps the same example), so it’s very surprising Google has not implemented a way to manage such entries.

Fortunately Google Calendar does honour a recurrence rule for the last weekday of a month when it arrives in an imported file, so it’s possible to hand-craft an .ICS file that can then be imported into Google Calendar. Baptiste Gazul’s helpful blog post started me in the right direction and I was able to craft some entries for my needs with help from the RFC. I saved the quoted text below into a plain-text file with a .ICS suffix and then used Google Calendar’s Import Calendar function to add the entry.

To have a calendar entry for Payday on the last weekday of every month, try:

DESCRIPTION:Last weekday of each month

Change DTSTART to specify the date of the first payday.

I actually have to run payroll on the Friday before the last weekday of the month; this seems to work:

SUMMARY:Run payroll
DESCRIPTION:Friday before last weekday of each month
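As an added example (not part of the original post), here is a small Python script that builds a complete .ICS file for both of the entries above and, because Google gives no feedback when an imported RRULE does not mean what you thought, evaluates the rules with the standard library first so the dates can be checked before importing. The “last weekday” rule is the one given in the RFC; the reading of “Friday before the last weekday” as the last Friday of the month (BYDAY=-1FR), the PRODID and the UID domain are assumptions, not the original file’s values.

```python
"""Added example: generate RFC 5545 (ex-RFC 2445) monthly RRULEs for payday,
evaluate them without any third-party library, and emit an importable .ics."""
import calendar
import uuid
from datetime import date, datetime, timezone

WEEKDAY_CODES = ["MO", "TU", "WE", "TH", "FR", "SA", "SU"]  # index = date.weekday()

# "Monthly on the last work day of the month": the example quoted in the RFC.
LAST_WEEKDAY_RULE = "FREQ=MONTHLY;BYDAY=MO,TU,WE,TH,FR;BYSETPOS=-1"
# Assumed reading of "Friday before the last weekday": the last Friday of the
# month, which is always on or before the last weekday.
LAST_FRIDAY_RULE = "FREQ=MONTHLY;BYDAY=-1FR"


def _pick(items, n):
    """Select the n-th item, counting from 1 (positive n) or from the end (negative n)."""
    idx = n - 1 if n > 0 else n
    return items[idx] if -len(items) <= idx < len(items) else None


def expand_monthly_byday(rrule, year, month):
    """Evaluate a FREQ=MONTHLY rule that uses only BYDAY (optionally with an
    ordinal such as -1FR) and BYSETPOS, for one calendar month.
    Returns the matching dates in ascending order."""
    parts = dict(p.split("=", 1) for p in rrule.split(";"))
    if parts.get("FREQ") != "MONTHLY":
        raise ValueError("only FREQ=MONTHLY rules are handled here")
    days = [date(year, month, d) for d in range(1, calendar.monthrange(year, month)[1] + 1)]
    candidates = []
    for spec in parts["BYDAY"].split(","):
        code, ordinal = spec[-2:], spec[:-2]
        matching = [d for d in days if WEEKDAY_CODES[d.weekday()] == code]
        if ordinal:  # e.g. "-1FR": one specific occurrence of that weekday
            picked = _pick(matching, int(ordinal))
            if picked is not None:
                candidates.append(picked)
        else:        # e.g. "FR": every occurrence of that weekday
            candidates.extend(matching)
    candidates.sort()
    if "BYSETPOS" in parts:  # BYSETPOS selects from the sorted candidate set
        chosen = [_pick(candidates, int(p)) for p in parts["BYSETPOS"].split(",")]
        candidates = sorted(c for c in chosen if c is not None)
    return candidates


def last_weekday(year, month):
    return expand_monthly_byday(LAST_WEEKDAY_RULE, year, month)[0]


def payroll_friday(year, month):
    return expand_monthly_byday(LAST_FRIDAY_RULE, year, month)[0]


def build_ics(summary, description, rrule, first_occurrence):
    """Return the text of a one-event .ics calendar. RFC 5545 counts DTSTART as
    the first instance even when it does not satisfy the RRULE, so refuse a
    DTSTART that the rule would not itself generate."""
    if first_occurrence not in expand_monthly_byday(rrule, first_occurrence.year, first_occurrence.month):
        raise ValueError(f"DTSTART {first_occurrence} is not an instance of {rrule}")
    lines = [
        "BEGIN:VCALENDAR",
        "VERSION:2.0",
        "PRODID:-//example//payday//EN",          # hypothetical product identifier
        "BEGIN:VEVENT",
        f"UID:{uuid.uuid4()}@example.invalid",    # hypothetical UID domain
        "DTSTAMP:" + datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%SZ"),
        "DTSTART;VALUE=DATE:" + first_occurrence.strftime("%Y%m%d"),  # all-day event
        f"SUMMARY:{summary}",
        f"DESCRIPTION:{description}",
        f"RRULE:{rrule}",
        "END:VEVENT",
        "END:VCALENDAR",
    ]
    return "\r\n".join(lines) + "\r\n"  # the RFC requires CRLF line endings


if __name__ == "__main__":
    # October 2015 ends on a Saturday, so the last weekday is Friday the 30th.
    print(last_weekday(2015, 10), payroll_friday(2015, 10))
    print(build_ics("Payday", "Last weekday of each month", LAST_WEEKDAY_RULE, date(2015, 10, 30)))
```

Run it, save the printed calendar as a .ICS file and import it. If you want the stricter reading of “Friday before”, where a month that ends on a Friday pays out the week before, swap BYDAY=-1FR for a rule of your own and check it with expand_monthly_byday for a month such as May 2015, which ends on a Sunday, and July 2015, which ends on a Friday, before importing.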

Blocking The Fields

Dry stone walls in the Yorkshire Dales

There are people walking over the beautiful spring meadows. Most are just enjoying the beauty of it all, but some are going visiting to each other’s houses. Of those, you discover one or two of them doing things you and your supporters don’t like when they arrive, so you want to stop them.

You issue an instruction to block the fields. Your objective is just, so it must be possible, right? Your bureaucrats get to work on your demand.

They can’t block an open field, so they build a road and block that.

But people go round the roadblock, so they build a fence along the sides of the road too.

But people go round the fence, so they add a fence all around the field.

But people go round the field, so they mandate fences across the whole country. That bad thing you want to stop justifies all the expense and inconvenience, doesn’t it? Building the fences takes several years, but the whole country is now covered in obstacles of various kinds.

But there are now so many miles of fences that they are mostly out of sight of your staff. People just jump over them, so you tell the police to start arresting people who do. That bad thing is so bad you have to act tough, even though most of the people they are arresting are just trying to work round the inconvenience you have caused them, for innocuous reasons.

But there aren’t enough police to patrol every fence, so you hire more and more.

But they still can’t arrest everyone, so they recruit informers.

You can’t rely on the informers, so you get them to spy on each other as well.

Turns out you can’t rely on spies, so you add security cameras as well.

You now need an army of spies, analysts and police to watch the security cameras, check on the spies and watch for people jumping fences. This is not about the bad thing you first objected to any more. It’s now about respecting the law for the sake of the law. So your people are arresting everyone regardless of their motives, checking on spies for telling lies, dealing with corruption among your informers, suppressing all the “SJW”s who whine about the loss of freedom and undermining your political opposition who are equally clueless about blocking fields but can see that what you are doing is hugely unpopular.

Congratulations! Your attempt to stop something your supporters disapprove of by mandating the impossible has created a police state. It doesn’t matter how bad the thing you were trying to stop is; people probably agree that it’s a bad thing.

By mandating the impossible, you caused collateral damage that outweighed any benefits, and by associating it with a thing no-one dares defend in public you were able to accidentally destroy society without opposition. And you didn’t notice because you never go for walks in the fields.

New Role At WiPro

I’ve news. Starting today, I will be working full time in a new role. I’m now a Director at the global consulting firm WiPro in their Open Source practice, advising both customers and implementation teams on open source issues concerning software selection, community engagement, license compliance and more. You’ll find me at a variety of conferences and events, and I’ll continue to write for InfoWorld and others.

I’ve always wondered why SIs and outsourcing consultants didn’t use more open source in their solutions. It keeps solutions more flexible for their clients, reduces the overall cost of ownership and ensures end-of-life migrations are easier. WiPro is taking the lead among high-scale consulting firms applying the insights and benefits of open source software to its customer engagements. I’m looking forward to helping WiPro’s customers worldwide gain these benefits and avoid having their software solutions unnecessarily intermediated by copyright owners.

Who Else Listens To Your TV?

Samsung’s Smart TV listens to everything you say all the time you have voice control enabled. No surprise there. But Samsung’s Terms warn that it’s likely to be sending all that audio to a service provider for analysis, rather than analysing it in your TV.

That’s got plenty of people worried, but Samsung aren’t concerned. They sent me their canned press response, which starts:

Samsung takes consumer privacy very seriously. In all of our Smart TVs, any data gathering or their use is carried out with utmost transparency and we provide meaningful options for consumers to freely choose or to opt out of a service. We employ industry-standard security safeguards and practices, including data encryption, to secure consumers’ personal information and prevent unauthorized collection or use.

I’m sure that is all true. Samsung has a large investment in technical experts of all kinds. All the same, the key phrase there is “prevent unauthorized collection or use”. Why? Well, let’s carry on with their response.

Voice recognition, which allows the user to control the TV using voice commands, is a Samsung Smart TV feature, which can be activated or deactivated by the user. Should consumers enable the voice recognition capability, the voice data consists of TV commands, or search sentences, only. Users can easily recognize if the voice recognition feature is activated because a microphone icon appears on the screen.

That’s not exactly what the Terms say; they note that “if your spoken words include personal or other sensitive information, that information will be among the data captured and transmitted”. So we’re not just talking about the sort of data Google Now or Siri sends to their service provider (the phrase after you have started the voice recognition). Samsung also sends the commands themselves, plus any conversation around them. From that description, it seems the whole stream of conversation is likely to be sent.

Samsung does not sell voice data to third parties. If a consumer consents and uses the voice recognition feature, voice data is provided to a third party during a requested voice command search. At that time, the voice data is sent to a server, which searches for the requested content then returns the desired content to the TV.

The fact the data is not sold is good. I would expect no less from Samsung in this circumstance. But there is a use case that is conspicuously excluded from both their statement and the Terms.

What about requests for interception? The data may be encrypted to prevent “unauthorised collection or use” but what about authorised use, when a legal authority in one of the countries involved in the transaction requests access to the raw audio? In the USA, the Third Party Doctrine would allow security and law enforcement services to request access without a warrant. Given the service provider appears to be a US company, even if the customer is in a country where interception locally would be illegal, the NSA (or any of a myriad other US organisations) could still collect on their behalf.

Tim Cushing thinks this is at least gated by the need for the device ID but I think that overlooks the strategy used by the US & UK security services. They separate bulk data collection and later data analysis, treating only the latter as surveillance in need of a warrant. I would not be at all surprised if Samsung’s service providers at some point get an order to tee all their audio inputs through the NSA, using an order of which Samsung may not even be aware. This would not be for immediate analysis, just for pooling and later use once a device ID is obtained by other means.

I asked Samsung to clarify their position on law enforcement use of their streaming audio data, and to clarify whether they had ever received requests for it. So far I’ve had no reply to my questions. I suspect that’s because they have not considered the issue. I think more people need to ask them and their service providers, and their competitors who offer the same services.

You say you have nothing to hide? When a joke you made over dinner is flagged by an algorithm, and a clipping provided out of context to a busy police analyst leads to a visit by a SWAT team “just in case”, will you still think that? We need this privacy exposure nipped in the bud, given we have police with a “SWAT first and don’t apologise later” attitude. Otherwise some innocent comment caught by a TV is going to lead to a tragedy.

Legislating For Unicorns

When Julian Huppert MP (Lib-Dem) asked the Home Secretary Theresa May MP (Con) if banning encryption – as the Prime Minister had been interpreted as saying – is “genuinely what the Home Secretary wants to do?”, she evaded him with her answer.

I remain convinced that her position, and the Cabinet’s, on encryption is based on a non-technical misinterpretation of detailed advice from within the Home Office. Her response, and other responses by her colleagues and by the US government, imply that the security officialdom of the US & UK believes it can resurrect “golden key” encryption, where government agencies have a privileged back door into encryption schemes. That’s what’s encoded in her replies as “there should be no safe spaces for terrorists to communicate.” Think “Clipper chip”. As Ryan Paul comments,

More telling though is the insecurity the Conservative Party exhibits on the subject. Unwilling to discuss the matter in a balanced way, party mouthpiece Julian Smith MP descends to ad hominem against deputy Prime Minister Nick Clegg MP (LD), in the process also exhibiting the hypocrisy of the unconvinced apologist. Sadly Mrs May rewards rather than rejects his question.

In a sequence of questions and answers in the same debate – which cannot conceivably have been unplanned – Conservatives ask party-political questions of the Home Secretary, to which she responds with unashamed electioneering. When this tactic is used – accusing an opponent of a fault you exhibit yourself far more than they do – it is always an attempt to conceal your own lack of validity.

Clegg’s crime was to assert that freedom and security are not inherently incompatible:

“I want to keep us safe. It’s ludicrous this idea that people who care about our freedom don’t care about our safety.

“What I will not do, because it is not proven, is say that every single man, woman and child should have data about what they get up to online kept for a year.”

For Conservative MPs to call that “disgraceful” is extremely revealing, both of their lack of comprehension of the issues and the cynicism with which they intend to manipulate the misapprehensions of Middle England for electoral gain. I’ve met no-one who seriously asserts the security services should be unable to secure warranted access to specific communications of those suspected of a crime. That capability is obviously justifiable in a democracy.

But the Communications Data Bill and proposals for “golden keys” go much further than is reasonable and balanced. What defenders of freedom seek is not insecurity; we instead seek transparency, accountability and proportionality, all in a form open to any citizen to scrutinise and challenge.

When Mrs May (and Labour’s Jack Straw MP, and others) refuse that democratic oversight and accuse its proponents of partisanship and irresponsible disregard of security, their own ad hominems and party partisanship reinforce the case rather than diminish it. It’s time for an adult debate informed by technological realities, instead of this opportunism and electioneering.

