Posted by Alexander Hanff on March 25, 2015.
Yesterday was a very important day for privacy and data protection in Europe. It was the day that Max Schrems was able to present arguments in the Court of Justice of the European Union (CJEU) with regard to the US surveillance programme called PRISM and whether or not companies which expose European citizens’ data to the programme are in breach of the Safe Harbor system.
To be brief, in order for a company to legally export data relating to EU citizens outside of the EU, the country to which it is being exported must have the equivalent privacy and data protection rights to Europe. The United States is deemed not to have such protections, and given that many of our digital products and services are provided by US corporations, this became a problem. So an agreement was formed which would allow companies to export data to the US on the condition that a contractual obligation existed for those companies to treat that data with the same regard as if it were in Europe under European rules. The framework is enforced in the US by the Federal Trade Commission and companies are permitted to self-certify compliance.
The problem is, under US laws such as the PATRIOT Act and the Foreign Intelligence Surveillance Act, US government agencies are able to access data on foreigners with no due process obligations and can order companies to hand over data in bulk under secret orders which prevent those companies from disclosing the fact (known as “gag orders”). As such it is impossible for any US company to guarantee that the fundamental rights afforded to EU citizens under EU law can be maintained, as such activities do not meet the proportionality or due process requirements of our laws.
This is not a new issue: back in 2000, when the agreement was originally written, there was significant concern that the agreement set the bar too low and would put European citizens at risk.
Now to be fair, it is not really the fault of US corporations that the US government has a complete disregard for the rights of non-US citizens. They cannot really say “No” to a court order or national security letter and sacrifice their executives to jail terms for breaching gagging orders – so I would urge the reader to understand that I am sympathetic to these corporations on that matter.
However, that does not remove the fact that there is a real and serious problem that needs to be resolved and that Safe Harbor is quite simply not fit for purpose, because it is not adequate for dealing with the US surveillance machine.
In fact, the European Commission in their testimony at the CJEU stated exactly that when asked about the adequacy of the Safe Harbor Framework. Max Schrems provided a commentary on the hearing over Twitter and quoted the following from the European Commission:
the Commission cannot confirm an adequate protection right now
This was a damning admission by the European Commission that the Safe Harbor agreement is not fit for purpose, which in itself should require the Commission to suspend or revoke the agreement.
The Court responded with:
Directive requires COM to PROHIBIT transfers (Recital 57).
and was referencing Recital 57 of the Data Protection Directive (95/46/EC) which states the following:
(57) Whereas, on the other hand, the transfer of personal data to a third country which does not ensure an adequate level of protection must be prohibited;
In other words, under the existing Directive, the European Commission are supposed to prohibit the transfer of personal data to any country where the level of protection is deemed inadequate. By the Commission’s own admission, they are unable to confirm the adequacy of the Safe Harbor agreement and should therefore prohibit any data being transferred under it – effectively suspending the agreement.
I wrote to the Commission several times in the weeks following the Edward Snowden revelations requesting they revoke the Safe Harbor agreement:
but unsurprisingly did not receive a satisfactory response.
But what made the hearing particularly worrying yesterday was another response by the European Commission with regard to how we should manage the situation of ensuring that European citizens’ fundamental rights are protected from US surveillance. The astonishing response of the European Commission was as follows:
If you don’t want your data to go to the US, close your Facebook.
I remember a couple of years ago listening to Vice-President Viviane Reding (of the European Commission) give a speech in Brussels at a conference I was also speaking at. On the issue of privacy, she expressed that citizens should not be excluded from using digital services just because they choose privacy – that companies should find a way to ensure consumers can demand privacy (in context we were discussing consumers opting out of behavioural profiling and advertising) but continue to use their services.
Her reasoning for this was quite sincere and quite obvious – we cannot create a situation where citizens’ fundamental rights are put under duress. If we have a system in place where we simply say that if you want privacy and data protection you can’t use companies from the United States, we are effectively excluding citizens from digital society and the advantages it offers (which are wide ranging). The hearing yesterday was in relation to Facebook, sure, but the meat of the matter is about the Safe Harbor agreement and surveillance of European citizens. If the European Commission’s response is for citizens to simply stop using the vast array of digital services we rely on on a day-to-day basis, exclusion from digital society is at the bottom of that slope and the digital divide will become a chasm.
There is a deeper problem here as well – it is not just services like Facebook which are exporting our data to the US and making us vulnerable to surveillance. Many public sector web sites providing information on a multitude of government services (health, education, taxes, welfare etc.), which is considered to be deeply sensitive information, have third party services provided by US corporations embedded into their web pages. For example, Google Analytics is used extensively by public sector web sites across Europe, meaning all of that data is vulnerable to US surveillance. The European Commission’s attitude and comments go far beyond excluding us from the consumer segment of digital society – in essence, they are recommending that if we want to maintain our fundamental rights, we should exclude ourselves from the ever expanding digital democracy.
It is the responsibility of the Commission to prohibit the transfer of data to countries where the protection of citizens’ rights is inadequate – it is the job of the Commission to revoke the Safe Harbor agreement. It is absolutely unacceptable for the Commission’s response to be that citizens exclude themselves from digital society if they wish to maintain their fundamental rights, and it is even less acceptable for the European Commission to place those rights under duress.