privacy shield – Techdirt

We Shouldn’t Allow A New Super Secret Surveillance Court Cover Up The Civil Liberties Problems Of The Old Super Secret Surveillance Court

from the not-fixing-the-problem dept

For years now we’ve been covering the big ongoing fights between the US and the EU regarding the transfer of user data across the Atlantic. The main issue is that, because the EU and the US have somewhat different data protection/privacy laws, the two keep trying to work out a “deal” that allows (mostly) US companies to store data from EU users on servers in the US. This transatlantic data flow agreement is important. It would be difficult for many US companies to offer services to EU citizens without it.

But it’s been a fucking mess for over a decade. Almost entirely because of US surveillance programs.

The agreements to handle this have gone by various names, starting with the EU/US Privacy “safe harbor,” and then later the “Privacy Shield.” In both cases, those agreements were eventually rejected by the EU Court of Justice, almost entirely because of the very big problem of the US’s surveillance activities, mostly overseen by the secretive FISA Court. (As a side note, EU government surveillance is in many ways worse than the US’s similar surveillance efforts, but somehow that never comes up in any of these discussions… but, I digress…).

Back in the fall of 2022, the EU and the US excitedly announced a new agreement to replace the old rejected agreements. Yet, as we pointed out at the time, unless they agreed to stop NSA surveillance on basically all electronic communications outside of the US, it wasn’t clear how it would actually fix the underlying reason these agreements keep getting thrown out.

As Politico recently detailed, the way the US has “fixed” this in the new privacy agreement… is to set up an entirely new, entirely secretive surveillance court. What could go wrong?

Officially known as the Data Protection Review Court, it was authorized in an October 2022 executive order to fix a collision of European and American law that had been blocking the lucrative flow of consumer data between American and European companies for three years.

The court’s eight judges were named last November, including former U.S. Attorney General Eric Holder. Its existence has allowed companies to resume the lucrative transatlantic data trade with the blessing of EU officials.

The details get blurry after that.

The court’s location is a secret, and the Department of Justice will not say if it has taken a case yet, or when it will. Though the court has a clear mandate — ensuring Europeans their privacy rights under U.S. law — its decisions will also be kept a secret, from both the EU residents petitioning the court and the federal agencies tasked with following the law. Plaintiffs are not allowed to appear in person and are represented by a special advocate, appointed by the U.S. attorney general.

That doesn’t seem that great.

Also, this new quasi-court has some other oddities, including that it is open to Europeans, but not Americans.

U.S. residents who suspect they are under improper surveillance cannot go to the Data Protection Review Court. Under U.S. law, they can go to a federal court — but only if they can show a concrete wrong or harm that gives them legal standing, which presents a Catch-22, since they can’t prove what they don’t know.

Adam Klein, former chair of the Privacy and Civil Liberties Oversight Board, an independent agency within the Executive Branch, pointed to former Trump campaign adviser Carter Page as the type of individual who could have benefited from a mechanism like the DPRC. Page was surveilled by the FBI during the 2016 presidential election as part of a probe into Russian influence in U.S. politics — and a Justice Department inspector general investigation later found a swath of errors and material omissions in the documents used to seek the surveillance warrant. An FBI lawyer ultimately pleaded guilty to altering a document used for that warrant.

But Page himself had little recourse. He filed a lawsuit in 2020 seeking $75 million from the government and several current and former FBI and DOJ officials for violating his constitutional rights. A federal judge called the FBI’s conduct “troubling,” but ultimately found the law bars Page from pursuing a civil lawsuit. An appeal is pending.

Now, with the DPRC in place, “We’re in an odd place when non-residents have easier access to a place to raise their concerns about U.S. government surveillance than Americans do,” said Klein.

But even Europeans have no clear path to using this court that is so secretive no one’s even entirely sure if it’s actually opened for business.

According to the executive order, getting before the DPRC starts with a long preliminary process: a citizen complaint first has to shuttle between an EU data protection official and the U.S.’ Office of the Director of National Intelligence, which decides whether there was a civil rights violation from the data collection.

Regardless of the results, the response to the initial complaint will neither confirm nor deny that the EU resident was under U.S. surveillance. The response will say there either was no violation found, or that there was a violation found and that the U.S. government took appropriate steps to resolve it. It won’t specify which one.

The EU resident can then appeal directly to the DPRC in America — with the assistance of a court-appointed special advocate. That advocate will have the details from the underlying ODNI decision — although that decision remains off-limits to the person making the appeal.

“What are you going to write in the appeal? Nothing, because you don’t know what the answer is,” Schrems said. “As a lawyer, it’s really hard that you’ll ever win a case by saying ‘I appeal’ without saying what your problem is with the decision.”

While this seems to be a setup designed to let bureaucrats on either side of the Atlantic pretend they’re doing something useful, it’s hard to see how it will actually solve the underlying problems. Which, again, exist because of NSA surveillance rubber-stamped by the other secretive court, the FISA Court.

Stacking up more secretive courts does not seem like a real solution. Fixing overly broad, mass surveillance is.

But apparently that’s off the table.

Filed Under: data protection review court, eu, nsa, privacy shield, secrecy, surveillance, transatlantic data flows

The Massive Fine The EU Hit Meta With… Is Really About The NSA, Not Meta

from the privacy-or-privacy dept

You may have heard the news that the EU hit Meta with a $1.3 billion fine for violating EU “data privacy rules” and assumed that this was just Meta being Meta and being bad about your privacy. But that’s not really an accurate portrayal of what happened, and it hides how this fine is actually pretty problematic for a lot of reasons that have nothing to do with Meta whatsoever, and a lot to do with the NSA.

Also, it may actually be a total disaster for privacy.

And on top of that, it makes US politicians trying to ban TikTok over fears of China spying on users appear to be total hypocrites.

The Backstory:

Some background is in order. First, almost exactly a decade ago, Ed Snowden first revealed the existence of PRISM, which unfortunately was widely misreported in the original articles about it. The original reports suggested that it was a story of tech companies giving full access to their backend data for the intel community to search. The reality, which came out a few days later, was that it was more of a system for the intel community to request data via a (HIGHLY QUESTIONABLE) legal process, and for the companies to deliver that info. It was still extremely problematic, but not in the ways it was originally reported.

Still, the revelation of the program raised many reasonable concerns, including how it was that these very same companies who had been handling “data transfers” of EU user data to US data centers under what was called the data protection “safe harbor” agreement were doing so. Part of the safe harbor agreement between the US and the EU was that the US companies would protect the data of EU users, and this didn’t seem to be happening.

Privacy activist Max Schrems sued over this, and a few years later, the EU Court of Justice tossed out the “safe harbor” agreement between the US and the EU, saying that because of the PRISM revelations and the NSA’s snooping, the agreement did not comport with EU data protection laws. Sometime after this, the EU and the US came to a new agreement, which became known as the “privacy shield,” to again allow data transfers from the EU to the US. But, as we noted, the problem wasn’t the agreement; the problem was the NSA’s surveillance. And if that didn’t change, we didn’t see how the “privacy shield” was any better than the privacy “safe harbor” agreement.

Once again, Schrems sued. And once again, the court said that the agreement was invalid. Last year, the US and the EU announced yet another deal on transatlantic data flows. And, as we noted at the time (once again!) the lack of any changes to NSA surveillance meant it seemed unlikely to survive yet again.

In the midst of all this, Schrems also went after Meta directly, claiming that because these US/EU data transfer agreements were bogus, that Meta had violated data protection laws in transferring EU user data to US servers.

And that’s what this fine is about. The European Data Protection Board fined Meta all this money based on the fact that it transferred some EU user data to US servers. And, because, in theory, the NSA could then access the data. That’s basically it. The real culprit here is the US being unwilling to curb the NSA’s ability to demand data from US companies.

So, this isn’t about Meta doing anything particularly egregious on its own (I mean, it likely has, but that’s not the crux of this ruling).

The Damage to Privacy

Of course, the end result of all this could actually be hugely problematic for privacy around the globe. That might sound counterintuitive, seeing as here is Meta being dinged for a data protection failure. But, when you realize what the ruling is actually saying, it’s a de facto data localization mandate.

And data localization is the tool most frequently used by authoritarian regimes to force foreign internet companies (i.e., US internet companies) to host user data within their own borders where the authoritarian government can snoop through it freely. Over the years, we’ve seen lots of countries do this, from Russia to Turkey to India to Vietnam.

And, now, because of this ruling, they (and others) can continue to justify the demands for privacy-destroying data localization by pointing to the EU decision.

There are different privacy interests at play here. And while some will cheer this on simply because it dings Meta/Facebook, the reality is that for much of the world, getting their user data out of their local country and onto Meta’s US servers actually is much more protective of their privacy.

Of course, there’s a simple way to solve much of this: the US could cut back on NSA surveillance. What a concept.

The Hypocrisy Issue

It’s kind of amazing that all this is playing out against the backdrop of bipartisan efforts all around the US to “ban TikTok,” claiming that there’s a (still unproven) direct link enabling the Chinese government to access TikTok data. Never mind that the US has already pressured TikTok into localizing US user data in the US under “Project Texas” (which, as we’ve already described, might also undermine US national security).

So, just as we’re forcing TikTok to locate US user data in the US and freaking out that the Chinese government might access TikTok US user data… the EU is slapping Meta with a large fine and effectively forcing it to locate EU data in the EU and freaking out that the US government might access Meta EU user data.

Basically, we’re doing exactly what we’re freaking out and claiming China is doing. Maybe we should stop?

And, of course, there are some simple ways to fix this: seriously cut back the NSA’s access to data from US companies without a valid reason. The fishing expeditions need to stop. They were an affront to the 4th Amendment all along and now they’re having a large, negative impact on US internet companies.

And then, pass a real federal privacy law that is focused on actual privacy violations, not some nonsense that simply empowers the biggest companies (i.e., Meta) to gain more control over the market, and ends up with something silly and useless like more cookie popups.

But, instead, the US will go on freaking out about TikTok, pushing garbage, broken, fake “privacy” fixes (often on a state-by-state basis where those laws will conflict with one another), and refusing to admit that maybe the powers we gave the NSA are the problem.

Filed Under: data localization, data protection, data transfers, eu, fines, hypocrisy, localization, nsa, prism, privacy, privacy shield, surveillance, us
Companies: meta

Biden’s Executive Order On Surveillance Doesn’t Do Nearly Enough To Protect Privacy; Playing Word Games Doesn’t Actually Limit NSA Surveillance

from the that's-not-going-to-fly dept

Back in March, we noted that the EU and US had announced that they had come to an agreement on transatlantic data flows. This is actually a really big and important story that gets almost no attention, because “transatlantic data flows” sounds boring. However, it’s really, really big and matters for the future of a global internet as opposed to an extremely splintered regional set of internets. People within Facebook have suggested that this is the single biggest issue facing the future of the company, which might be slight hyperbole, but just… slight.

It’s a big deal.

And, back in March when the initial agreement was announced, it seemed like the US government was going through the motions, rather than fixing the real issue. That’s because for the past few years, whenever people talked about the issue with transatlantic data flows, they focused on boring claims about “data protection,” and kept leaving out the very thing that created these problems: the NSA spying on all sorts of internet traffic and data indiscriminately.

I know, I know, this sounds boring, but stick with it; this is actually pretty interesting. Years back, the EU and the US set up a “safe harbor” provision that basically said that American internet companies could collect data on EU citizens and residents so long as the American companies took certain steps to comply with some fairly straightforward protections for the data of those EU citizens. There was a certification process (as an American company, we even went through it ourselves) to make sure that we protected the data of EU users.

However, when Ed Snowden revealed the details of the NSA’s mass surveillance program, Max Schrems, a privacy advocate from Austria, noted that American companies could no longer actually claim that they were keeping data from the EU safe, because the NSA was snarfing it up. Valid point.

The way to actually fix this was for the NSA to stop all the snarfing. But that’s not what happened. Instead, after the EU Court of Justice agreed with Schrems and tossed out the privacy safe harbor, the EU and the US went back to the drawing board and announced… the “privacy shield.” Which was basically just the privacy safe harbor with a new badass name. Schrems went back to the Court of Justice and the Court of Justice said, “yo, that agreement does nothing about NSA spying.” And, thus, the privacy shield was also tossed out.

So, then we get to this year, and I fully expected yet another weak agreement, based on the announcement back in March. So I’m a little surprised that the final Executive Order from President Biden actually suggests a change in strategy to NSA surveillance. That’s because for years in covering the various debates about transatlantic data flows, I felt like I was one of the few people who remembered we were actually talking about NSA surveillance. It felt like politicians in both countries would just trot out bland nonsense about “data protection,” and “proportionality,” without addressing the only issue that really mattered: the NSA scooping up so much data on people in the EU.

So, at the very least, the new executive order actually is focused on NSA surveillance. And, to be sure, there’s some nice language in there, like:

(ii) Signals intelligence activities shall be subject to appropriate safeguards, which shall ensure that privacy and civil liberties are integral considerations in the planning and implementation of such activities so that:

(A) signals intelligence activities shall be conducted only following a determination, based on a reasonable assessment of all relevant factors, that the activities are necessary to advance a validated intelligence priority, although signals intelligence does not have to be the sole means available or used for advancing aspects of the validated intelligence priority; and

(B) signals intelligence activities shall be conducted only to the extent and in a manner that is proportionate to the validated intelligence priority for which they have been authorized, with the aim of achieving a proper balance between the importance of the validated intelligence priority being advanced and the impact on the privacy and civil liberties of all persons, regardless of their nationality or wherever they might reside.

(iii) Signals intelligence activities shall be subjected to rigorous oversight in order to ensure that they comport with the principles identified above.

But this is the Intelligence Community that we’re talking about, and in the more than two decades we’ve spent covering the IC, we’ve long learned that if you give them even the smallest of loopholes, including the ability to come up with their own made up definitions of common English words, then they will use those loopholes to keep on spying.

Of course, part of this new executive order is the partial revocation of a problematic Obama Presidential Policy Directive, which was an earlier weak attempt to pretend that he was somehow putting some limits on the surveillance powers of the NSA when it was yet another cover story for more surveillance.

So, at the very least, rather than just putting a fresh coat of paint on a random privacy agreement to allow data flows, it’s a positive step that attempts to address the NSA and its surveillance activities.

But… that’s about all the good that can be said about this. Because it doesn’t actually address the underlying NSA surveillance. Instead, it’s more of a pinky promise that the NSA will be better now, without putting much behind actually making that happen.

Specifically, while the new EO talks about “necessary” and “proportionate” surveillance (two words the EU law requires), it seems pretty clear to basically everyone that the NSA and the White House are up to the old trick where they’ll say those words, but define them how they want them defined, rather than the way everyone else in the world uses them.

Max Schrems, who helped kill off the last two deals, has put out a statement highlighting how this is just word games, rather than actual change:

Bulk surveillance continues via two types of “proportionality”. The US highlights that the new executive order uses the wording of EU law (“necessary” and “proportionate” as in Article 52 CFR) instead of the previous term “as tailored as feasible” used in Section 1(d) of PPD-28. This could solve the problem, if the US would follow the same understanding and also apply the proportionality test of the CJEU.

However, despite changing these words, there is no indication that US mass surveillance will change in practice. So-called “bulk surveillance” will continue under the new Executive Order (see Section 2 (c)(ii)) and any data sent to US providers will still end up in programs like PRISM or Upstream, despite the CJEU declaring US surveillance laws and practices as not “proportionate” (under the European understanding of the word) twice.

How is this possible? It seems the EU and the US agreed to copy the words “necessary” and “proportionate” into the Executive Order, but did not agree that it will have the same legal meaning. If it had the same meaning, the US would have to fundamentally limit its mass surveillance systems to comply with the EU understanding of “proportionate” surveillance.

So, yes, the White House is now acknowledging that the NSA surveillance is the problem, and making noises about how it’s fixing it, but the reality is that it’s playing word games to pretend it’s fixing it, when it is not. And everyone seems to see that.

The ACLU has also called out how this is not nearly enough:

“President Biden’s executive order does not go far enough. It fails to adequately protect the privacy of Americans and Europeans, and it fails to ensure that people whose privacy is violated will have their claims resolved by a wholly independent decision-maker,” said Ashley Gorski, senior staff attorney with the ACLU National Security Project. “Although the executive order is a step in the right direction, it does not meet basic legal requirements in the EU, leaving EU-U.S. data transfers in jeopardy going forward.”

[…]

“The problems with the U.S. surveillance regime cannot be cured by an executive order alone,” said Gorski. “To protect our privacy and to put transatlantic data transfers on a sound legal footing, Congress must enact meaningful surveillance reform. Until that happens, U.S. businesses and individuals will continue to pay the price.”

TACD, the Trans Atlantic Consumer Dialogue, also put out a statement saying, nice try, but not enough.

The Transatlantic Consumer Dialogue’s (TACD) first analysis of the announced measures reveals that the new provisions would not adequately protect European consumers’ fundamental rights to privacy and data protection, as established in the EU Charter of Fundamental Rights and the General Data Protection Regulation (GDPR), seen in the light of the CJEU’s decision on Privacy Shield.

For one, the measures do not seem to solve the issue of the lack of proportionality of the U.S. surveillance laws and practices – one of the main elements that render the current system incompatible with EU law, according to the CJEU. The Executive Order refers to new safeguards and includes the wording “proportionate” as in Article 52 of the EU Charter of Fundamental Rights (EU Charter), but it does not establish any mechanisms to limit the U.S. mass surveillance systems in place. For another, it seems like the Executive Order still does not provide for real judicial redress to European consumers.

The Order establishes a two-step procedure that includes an officer under the Director of National Intelligence and a so-called “Data Protection Review Court”. However, it seems that the latter might not be a judicial body as foreseen under Article 47 of the EU Charter or the US Constitution, but a body within the US government’s executive branch. The procedures before these two bodies will need to be closely analysed before a final statement can be made, but the structure currently looks closer to the “Ombudsperson” position that had existed under the previous framework, Privacy Shield. The CJEU has already proclaimed such forms of executive bodies as being in breach of the essence of Article 47 of the EU Charter and reiterated a need for judicial review or approval by an actual court.

The first analysis of the measures shows that the Executive Order does not provide the necessary basis for a decision that the U.S. offers effective and meaningful data protection. Together with the above shortcomings, the failure of the U.S. to have a robust overarching data protection law that ensures the privacy of its own citizens and consumers creates a barrier to any serious consideration on adequacy.

As we’ve been saying for almost a decade now: there is one way to fix this and that’s to stop the NSA’s mass surveillance program. The powers that be (Congress and the President) simply seem incapable of admitting that, and thus we go through this same dance every few years.

Filed Under: eu, executive order, max schrems, nsa, privacy shield, surveillance, transatlantic data flows, us

EU Commission Sued For Violating Its Own Data Protection Rules

from the if-even-the-bureaucrats-can't-comply... dept

We’ve highlighted for years the problems with the data protection regime in the EU, mainly the GDPR, but other aspects as well. The underlying idea — that people have a right to have their data protected — may seem sound and logical, but in practice it’s generally been a total mess* that has likely caused much more harm than it’s solved. We recently wrote about the surprising news that the EU’s top data protection official was finally admitting that the GDPR really hasn’t worked out the way anyone expected, which was so surprising since it’s become important for EU “data protection” experts to prop up the myth that the GDPR has been a success.

Of course, rather than recognize that it’s the entire framework of the GDPR that is the problem, the official insisted that the real problem was not enough enforcement by data protection authorities. Basically “it’s not the law that’s wrong, it’s the fact that we haven’t punished more companies.” The logic there could make sense if the real problem were that companies don’t actually care about how they make use of our data (which may be true in some cases, but actually seems much rarer than most people believe).

But, that belief that more enforcement is the answer starts to look a lot more questionable when the actual issue might be that the rules and the framework of the GDPR are impossible to comply with.

And, just to put an exclamation point on that, the EU Commission itself has now been sued for violating its data protection rules. This is not technically the GDPR, as (of course) the Commission is exempt from the GDPR itself, but does have other, mostly similar, data protection rules it must follow.

The litigation regards the website of the Conference of the Future of Europe, a conference meant to engage EU citizens in deciding the future of the bloc and its member states.

Amazon Web Services hosts the website, hence when registering for the event, personal data such as the IP address is transferred to the United States.

Moreover, the Commission’s website also allows users to log in via their Facebook accounts. The US-based social media company has also been challenged for illegally transferring personal data to the US, and a complaint in this regard is currently being looked into by the Irish Data Protection Commissioner.

As the European Commission is the website’s operator, the plaintiff asked for information on how personal data is processed in two inquiries. According to the lawsuit, one of the inquiries was answered incompletely, and the other was not answered at all, violating the information rights under the data protection law.

There are a few things to comment on here. First, the underlying issue is the failure of the successive EU/US agreements on data sharing/transfers, which, as we’ve noted, really has a single issue at the crux: the NSA’s spying on the internet. The US could fix all that by stopping such overly intrusive mass surveillance, but instead has basically hung the US internet sector out to dry by pretending the real problem is their data protection practices (which are often way better than just about any other industry).

But, as it stands, right now it’s effectively a violation of EU data protection laws to use the most widely used American internet services.

The second, more important point, is that this (once again) shows how the problem is not necessarily the lack of enforcement, but rather the ridiculous nature of the framework, in which no one can actually comply with the rules in a reasonable manner. Even the EU Commission itself.

And this isn’t the first time this kind of thing has been pointed out. Soon after the GDPR went into effect, people noticed that the EU Parliament’s own website likely violated the law.

This should lead people to recognize that maybe the framework we have here is wrong. The issue isn’t that we need more fines and more aggressive enforcement — because all that does is drive up compliance costs on a system that is impossible to fully comply with no matter what anyone does. And the biggest companies can easily pay off these fines.

For everyone else: you’re basically screwed. Anyone who wants to cause trouble for basically anyone with a website in the EU can find some way in which a website is not in compliance and then basically create a huge hassle for them.

Should we find better ways for people to keep their data safe and away from misuse? Absolutely. Is the answer to create a cumbersome, impossible-to-comply-with system of confusing laws that requires expensive lawyers to constantly give you non-committal answers on how to minimize your risk? It doesn’t seem like it. Is the answer to make sure that no one in the EU can actually make use of useful online services? Also doesn’t seem like it.

There has to be a better way. But, rather than look for the better way, so many people seem content with assuming that this is the way things have to be done: by creating ridiculously complex laws that basically make it legally risky to have a website. And, of course, it’s spreading. In many ways, the California privacy law is modeled on a similar framework to the GDPR and has already created messes for businesses in California. And other states are looking to do the same.

The very fact that the EU Commission itself can’t comply should be seen as a flashing warning sign that the problem is the framework of the law.

* For what it’s worth, every time I write about the GDPR, “data protection” experts in the EU get furious with me. But none have ever been able to explain how this setup makes any sense or how whatever benefits they insist accrue as a result of this regime outweigh the very obvious problems (which they rarely seem willing to acknowledge).

Filed Under: compliance, data protection, eu, eu commission, gdpr, privacy shield

Would Meta Really Shut Down Facebook And Instagram In The EU Over Data Transfer Rules?

from the this-could-get-interesting dept

Just a few weeks back we talked about how the US’s unwillingness to fix the way the NSA collects internet data could basically mean that most of the big US internet services cannot work in the EU. That article was about Google, and it goes through the background and history of the various US/EU privacy data sharing agreements, and how each one has been tossed out by EU courts in large part because of the NSA surveillance techniques brought to light by Edward Snowden. But much less attention has been paid to what this all means at a practical level.

The latest, though, is that Meta, the parent company of Facebook and Instagram, is making noises about how similar rulings regarding its services might mean that the company couldn’t offer either of those popular social media apps in the EU. I think this is unlikely how things will actually play out for a variety of reasons, but it is still worth watching closely.

While Facebook has pulled out the nuclear option like this once before in Australia, that was only on a small segment (and not an important one). If anything, this all seems like posturing by Meta to try to highlight how absurd some of the setup of the EU data protection regime is (even as EU policymakers whine that Facebook hasn’t been punished enough).

But, once again, the underlying issue here is only partially the setup of the GDPR. The real issue is the way the NSA surveillance works — and despite the many, many, many times people have pointed this out, the US has done basically nothing to fix all of that. Instead, it’s leaving US internet companies out to dry, and the end result might be a system that makes it effectively impossible for them to actually operate in the EU.

Of course, the US and the EU announced new data sharing rules recently, and, while it still seems likely that (years from now) these will also be struck down, it might give the kind of temporary reprieve that means that Facebook and Instagram remain accessible in the EU, and everyone just kicks the can down the road, rather than solving the underlying NSA problem.

Filed Under: data privacy, data protection, data transfers, eu, gdpr, nsa, privacy shield
Companies: facebook, instagram, meta

Yet Another EU Data Protection Authority Says Google Analytics Violates The Law

from the this-is-why-we-can't-have-nice-things dept

It’s kind of weird that in some convoluted way, the NSA may be killing Google Analytics, at least in the EU. You may recall that back in 2020, Max Schrems won his second big data privacy effort against the EU/US Privacy Shield agreement, which allowed data from people in the EU to be transferred to US companies under certain conditions. The “Privacy Shield” was a concept the EU and US cooked up after their earlier setup, the EU/US “safe harbor” framework, was tossed out in an earlier case brought by Schrems. In both cases, a key underlying issue was the NSA’s ability to conduct mass surveillance on the internet. The failure to fix that between the safe harbor framework and the Privacy Shield meant that the Privacy Shield was doomed from the start.

Earlier this year, the US and EU announced a new version of the Privacy Shield, though details were still lacking. Assuming the NSA isn’t giving up its powers to surveil much of the internet, it doesn’t seem likely to survive Schrems’ next attempt.

In the meantime, though, it’s causing all sorts of issues. And many of those issues are basically: Google Analytics. Most recently, Italy’s data protection authority said that using Google Analytics violates the GDPR by sending data overseas, something that can’t be done without a new Privacy Shield (or equivalent) agreement between the US and the EU.

As TechCrunch points out, this decision is just the latest in an increasingly long line of similar rulings:

Earlier this month, France’s data protection regulator issued updated guidance warning over illegal use of Google Analytics — following a similar finding of fault with a local website’s use of the software in February.

[…]

Austria’s DPA also upheld a similar complaint over a site’s use of Google Analytics in January.

While the European Parliament found itself in hot water over the same core issue at the start of the year.

Leaving aside the ongoing irony of the EU Parliament’s own website violating the GDPR, at the heart of all this remains: the NSA basically has screwed up Google Analytics for the EU.

Now, there are all sorts of reasons to dislike Google Analytics — we ditched it ourselves — but it’s important to remember that at the core of this, is the NSA basically making things impossible for a number of American internet companies. This is one of many reasons (and certainly lower in importance than just basic civil rights and liberties) why it’s still amazing that we’ve more or less allowed the NSA to continue its surveillance efforts with only minor modifications in the decade or so since Ed Snowden leaked the details.

Filed Under: data sharing, eu, gdpr, google analytics, italy, nsa, privacy shield, safe harbor, surveillance
Companies: google

EU/US Say They’ve Agreed To A New Privacy Shield… That Doesn’t Seem To Deal With Any Of The Problems Of The Old One

from the lipstick-on-a-dead-pig dept

Last week, the EU and the US announced something important that sounds pretty boring — a new “privacy shield” agreement. You should know it’s important, because in the midst of dealing with everything else, including the Russian invasion of Ukraine, President Biden actually made a public statement with European Commission President Ursula von der Leyen to announce it (in a speech that also included talk about the Russia/Ukraine situation). Here was the key bit:

And I’m proud to announce that we’ve also reached another major breakthrough in transatlantic data flows. Privacy and security are key elements of my digital agenda.

And today, we’ve agreed to unprecedented protections for data privacy and security for our citizens.

This new agreement will enhance the Privacy Shield Framework; promote growth and innovation in Europe and the United States; and help companies, both small and large, compete in the digital economy.

Just as we did when we resolved the Boeing-Airbus dispute and lifted the steel and aluminum tariffs, the United States and the EU are finding creative, new approaches to knit our economies and our people closer together, grounded on shared values.

This framework underscores our shared commitment to privacy, to data protection, and to the rule of law. And it’s going to allow the European Commission to once again authorize transatlantic data flows that help facilitate $7.1 trillion in economic relationships with the EU.

A little history if you don’t follow this too closely. For years, the US and the EU had a “privacy safe harbor” setup, by which US internet companies were allowed to collect some data on EU users by agreeing to live up to certain standards. What this meant in practice was that every US internet company had to hire some random “privacy auditor” in the EU who would bless you with some sort of compliance statement. It was kind of a boondoggle (and, yes, we had to go through it ourselves).

Back in 2015, privacy advocate/perpetual thorn in the side of companies who collect data, Max Schrems, successfully challenged the legality of this agreement at the EU Court of Justice. What the EUCJ said in scrapping the privacy safe harbor agreement was that the NSA’s PRISM program (exposed by Ed Snowden, and involving pressuring US internet companies to cough up information on users) violated the safe harbor.

Suddenly, it became unclear if US internet companies even could continue to collect data from EU users. There was a lot of scrambling, and in early 2016, the EU and the US announced a new privacy safe harbor, with the catchier name “Privacy Shield.” However, as we noted at the time, considering that the US refused to end the NSA’s collection program under Section 702 of the FISA Amendments Act, it didn’t seem possible that the new agreement would survive a challenge.

And, indeed, Schrems challenged the Privacy Shield again, and once again, in 2020, the EU courts rejected the Privacy Shield. In that decision, it continued to call out NSA surveillance, including executive order 12333, which, as we’ve noted, is actually the main source of the NSA’s foreign surveillance powers, and (according to some) not subject to Congressional review.

So, now, the US and the EU claim they’ve come up with a new Privacy Shield framework that will allow the data to flow freely across the Atlantic. But I don’t see how that’s possible. Because 12333 still exists. And, back in 2018, Congress renewed Section 702 of the FISA Amendments Act. So the two biggest reasons why the EUCJ has rejected these agreements — two giant NSA spying programs — still exist. I don’t quite see how any new agreement is going to get around that without significantly modifying the NSA’s surveillance program.

Schrems seems, let’s say… skeptical.

“We already had a purely political deal in 2015 that had no legal basis. From what you hear we could play the same game a third time now. The deal was apparently a symbol that von der Leyen wanted, but does not have support among experts in Brussels, as the US did not move. It is especially appalling that the US has allegedly used the war on Ukraine to push the EU on this economic matter.”

“The final text will need more time, once this arrives we will analyze it in depth, together with our US legal experts. If it is not in line with EU law, we or another group will likely challenge it. In the end, the Court of Justice will decide a third time. We expect this to be back at the Court within months from a final decision.”

“It is regrettable that the EU and US have not used this situation to come to a ‘no spy’ agreement, with baseline guarantees among like-minded democracies. Customers and businesses face more years of legal uncertainty.”

While US tech companies have been “celebrating” the deal, they really shouldn’t bother. It’s hard to see how this survives another round in court, until the NSA has its wings clipped.

Filed Under: eo 12333, eu, executive order 12333, fisa amendments act, joe biden, max schrems, privacy, privacy safe harbor, privacy shield, section 702, surveillance, ursula von der leyen, us

Irony Alert: US Could Block Personal Data Transfers To Ireland, European Home Of Digital Giants, Because GDPR Is Not Being Enforced Properly

from the biter-bit dept

Last year, the EU’s top court threw out the Privacy Shield framework for transferring personal data between the EU and US. The court decided that the NSA’s surveillance practices meant that the personal data of EU citizens was not protected to the degree required by the GDPR when it was sent to the US. This was the second time that such an agreement had been struck down: before, there was Safe Harbor, which failed for similar reasons. The absence of a simple procedure for sending EU personal data to the US is bad news for companies that need to do this on a regular basis. No wonder, then, that the US and EU are trying to come up with a new legal framework to allow it, as this CNBC story notes:

Officials from the EU and U.S. are “intensifying negotiations” on a new pact for transatlantic data transfers, trying to solve the messy issue of personal information that is transferred between the two regions.

Even if they manage to come up with one, there’s no guarantee that it won’t be shot down yet again by the courts, unless the underlying issues of NSA surveillance are addressed in some way — no easy task. Meanwhile, there’s been a fascinating development on the US side, reported here by The Irish Times:

The US Senate is to debate a proposal to limit foreign countries’ access to US citizens’ personal data and to introduce a licence requirement for foreign companies that trade in this information.

The draft “Protecting Americans’ Data From Foreign Surveillance Act”, presented on Thursday by Democratic Senator Ron Wyden of Oregon, is aimed primarily at curbing the sale and theft of data by “shady data brokers” to “hostile” foreign governments such as China.

The law may be aimed primarily at China, but its reach is wide, and it could hit an unlikely target. As the Irish Council for Civil Liberties (ICCL) explains, the new Bill (pdf) aims to stop the personal data of US citizens being transferred to locations with inadequate data protection — just as the EU’s GDPR does. But according to the ICCL, one country that may fall into this category of dodgy data handling is Ireland:

ICCL understands from those who wrote the draft Bill that Ireland’s failure to enforce the GDPR is of particular concern. The Bill intentionally uses language from the GDPR, and targets this enforcement failure. The draft Bill makes clear that merely enacting strong data protection law such as the GDPR is not enough. That law must be enforced.

Most digital giants have their European headquarters in Ireland. Under the GDPR, it is Ireland’s Data Protection Commission (DPC) that must investigate and ultimately fine these companies for their GDPR infringements anywhere in the EU. The DPC has opened many data privacy inquiries (pdf), but has so far failed to impose serious fines. Without strict enforcement by the Irish authorities, there is a growing feeling that the GDPR could be fatally undermined. Hence the risk that the US might not allow personal data to be transferred to Ireland, if the new “Protecting Americans’ Data From Foreign Surveillance Act” becomes law. Given the long-standing concerns over the protection of personal data flows from the EU to the US, that would be a rather ironic turn of events.

Follow me @glynmoody on Twitter, Diaspora, or Mastodon.

Filed Under: data brokers, data transfers, gdpr, ireland, privacy, privacy shield, ron wyden, surveillance, us

As Expected, US Surveillance Of Social Media Leads To EU Court Of Justice Rejecting EU/US Privacy Shield

from the now-what? dept

This one sounds boring, but stick with it because it’s important. Because the US and the EU have vastly different privacy regulation regimes, there has always been some conflict over how (mainly) US internet companies handle data from the EU. For years, this was “settled” by a weird and mostly useless “EU-US data protection safe harbor” agreement, in which US companies would have to get “certified” that they kept EU-originated data protected at an “equivalent” level to how it would be protected in the EU when transferring it across the Atlantic to US-based data centers. It was a bit of a nuisance as a company (we went through the process ourselves), but in 2015 the entire safe harbor agreement was invalidated by the EU Court of Justice because of the NSA’s ongoing snooping on data from those internet companies, as revealed by Ed Snowden.

The EU and US freaked out, and had a frantic negotiation to come up with a new “safe harbor” agreement with the catchier name of “Privacy Shield,” but as we pointed out when it was announced, the problem wasn’t the text of the agreement, but rather the NSA’s surveillance practices with regards to internet data. Here’s what I wrote four years ago:

The real issue here is mass surveillance overall. The only real way to fix this issue is to stop mass surveillance and go back to saying that intelligence agencies and law enforcement need to go back to doing targeted surveillance using warrants and true oversight. But, instead, the EU and the US keep trying to paper over this by coming up with a new agreement.

Since then, the Privacy Shield was challenged and the challenge took its sweet time to go through the courts — again brought by Max Schrems, whose lawsuit had sunk the original safe harbor as well. And, now, finally, four years later exactly what we expected to happen has happened. The CJEU has invalidated the Privacy Shield agreement, by basically saying “hey, the US surveillance regime remains the same, and that was the problem all along.” You can read the full decision if you want to get deep into the details.

But the short summary is that while the Privacy Shield framework offered a few ways for EU residents to seek redress from some forms of surveillance, the CJEU says that’s not nearly enough:

While individuals, including EU data subjects, therefore have a number of avenues of redress when they have been the subject of unlawful (electronic) surveillance for national security purposes, it is equally clear that at least some legal bases that U.S. intelligence authorities may use (e.g. E.O. 12333) are not covered. Moreover, even where judicial redress possibilities in principle do exist for non-U.S. persons, such as for surveillance under FISA, the available causes of action are limited […] and claims brought by individuals (including U.S. persons) will be declared inadmissible where they cannot show ‘standing’ […], which restricts access to ordinary courts […]

As you may recall, Executive Order 12333 is the tool under which the US does most of its foreign surveillance totally outside of the oversight of Congress. This has always been a massive problem, and here the CJEU is basically saying “if the US doesn’t do wholesale surveillance reform, there’s going to be a serious problem with transferring data from the EU to the US.”

Now, there is some argument here that EU surveillance is just as bad, and it’s perhaps more than a little silly that the CJEU basically ignores that as if it’s not important.

Either way, the key point to all of this is that if US companies want to be able to transfer data over from the EU to the US long term (there are ways they can do it for now), the US government needs to vastly reform its surveillance practices. Well, assuming there was a competent government that actually cared about these things. I’m a bit worried that the current administration will just ignore this or use it to attack the EU, which would be somewhat disastrous for US internet companies.

I’ve seen some people saying that this is a ruling against the internet companies and their data collection practices, but that’s not really accurate. The problem is not so much that — it’s how the NSA spies on people with that data (with or without cooperation of the companies). This really should lead to the US internet industry pressuring the US government to stop mass surveillance — just like we said four years ago.

Filed Under: data protection, eu, gdpr, mass surveillance, max schrems, nsa, privacy shield, surveillance
Companies: facebook, noyb

Top EU Court's Adviser Says Personal Data Can Be Transferred Using 'Standard Contractual Clauses' — But Also Suggests That Privacy Shield Should Be Ruled Invalid

from the sting-in-the-tail dept

As is usual for cases being considered by the EU’s highest court, the Court of Justice of the European Union (CJEU), a senior legal adviser offers a preliminary opinion before the main ruling. Although the view of the Advocate General is not binding on the court, it often gives a good idea of how things will go. That makes some of the issues raised in a new opinion by Advocate General Saugmandsgaard Øe (pdf) concerning the EU’s GDPR privacy regulation particularly interesting. The case is yet another one triggered by a complaint from the privacy activist Max Schrems as a result of Snowden’s revelations. The background is summed up well by the press release on the Advocate General’s opinion (pdf):

The data of Facebook users residing in the EU, such as Mr Schrems, are transferred, in full or in part, from Facebook Ireland, the Irish subsidiary of Facebook Inc., to servers located in the United States, where they are processed. In 2013, Mr Schrems lodged a complaint with the Irish authority responsible for monitoring the application of the provisions relating to the protection of personal data (‘the supervisory authority’), taking the view that, in the light of the revelations made by Edward Snowden concerning the activities of the United States intelligence services (in particular the National Security Agency or ‘NSA’), the law and practices of the United States do not offer sufficient protection against surveillance, by the public authorities, of the data transferred to that country. The supervisory authority rejected the complaint, on the ground, inter alia, that in a decision of 26 July 2000 the Commission had considered that, under the ‘safe harbour’ scheme, the United States ensured an adequate level of protection of the personal data transferred.

As Techdirt reported, the “safe harbor” framework was thrown out by the CJEU in 2015, because it failed to offer enough protection for EU data. It was swiftly replaced by the Privacy Shield framework — a slightly tweaked version of the safe harbor scheme. Both made transfers of EU personal data to the US legal by certifying that US data protection standards are “adequate”.

But there is another way to make such transfers legally. Instead of relying on a general framework, individual companies can use standard contractual clauses (SCC), which are simply a promise that EU personal data will be protected in the US (or elsewhere) according to EU standards. The key issue considered by the Advocate General in advance of the CJEU ruling is whether the use of SCCs for the transfer of personal data to non-EU countries is valid. On that point, the court adviser has now said that in his view SCCs can be used as an alternative to things like the Privacy Shield framework. The main reason is that SCCs can be cancelled at any time — for example, if evidence emerges that EU personal data is not sufficiently protected under foreign laws. The Advocate General goes further, saying:

there is an obligation — placed on the data controllers [in a company, for example] and, where the latter fail to act, on the supervisory authorities [of each EU nation] — to suspend or prohibit a transfer when, because of a conflict between the obligations arising under the standard clauses and those imposed by the law of the third country of destination, those clauses cannot be complied with.

So the good news for companies is that SCCs are a perfectly legitimate way of transferring EU personal data to the US. The bad news is that the data protection authorities in the EU must check whether the personal data is really protected according to EU norms, and if not, to block the flows immediately. In his press release on the opinion (pdf), Schrems says this is a huge step for the enforcement of the GDPR if it is followed by the CJEU: “At the moment, many data protection authorities simply look the other way when they receive reports of infringements or simply do not deal with complaints.” In particular, Schrems says the Irish Data Protection Commissioner (DPC) would have to suspend the data flows between Facebook Ireland and Facebook Inc. because the DPC has already agreed EU data is not sufficiently protected by the latter. More generally, Schrems thinks this will lead to “More privacy for EU consumers, massive issues for certain US business”:

If the Court follows today’s opinion to have a “targeted approach” [on a case-by-case basis], there would be no impact on most EU data transfers. EU data protection authorities may however stop transfers to US companies that fall under FISA 702 (“electronic communication service providers”). This includes companies like Facebook, Google, Microsoft, Amazon Web Services or Yahoo.

Although it’s subsidiary to the main issue of whether SCCs are valid, the Advocate General concludes with something of a legal bombshell. As the press release puts it:

According to the Advocate General, the resolution of the dispute in the main proceedings does not require the Court to rule on the validity of the ‘privacy shield’ decision, since that dispute concerns only the validity of Decision 2010/87 [regarding SCCs]. Nevertheless, the Advocate General sets out, in the alternative, the reasons that lead him to question the validity of the ‘privacy shield’ decision in the light of the right to respect for private life and the right to an effective remedy.

The Advocate General is saying that the EU’s top court doesn’t have to consider whether today’s Privacy Shield offers enough protection of EU personal data sent to the US, but if it chooses to do so, he thinks it ought to rule that it’s invalid. If the CJEU agrees, and throws out Privacy Shield as it threw out the safe harbor framework, that would have a major impact on today’s digital world. We’ll find out some time next year whether the judges are happy to do that.

Follow me @glynmoody on Twitter, Diaspora, or Mastodon.

Filed Under: cjeu, eu, personal data, privacy, privacy shield