Spitfire List Web site and blog of anti-fascist researcher and radio personality Dave Emory.

News & Supplemental  

Too Much of a Good Thing? Part 2: A Secret Trilogue and Business as Usual

With last week’s blizzard of Snowden leaks hitting the news, the EU parliament overwhelmingly passed a draft set of new EU data privacy rules with a fast-tracked time frame of implementation by mid April 2014. But, in a surprising twist, David Cameron just managed to do away with the fast tracking, arguing that the proposed rules would be an onerous burden on businesses. So the new EU data privacy rules are still coming, but not for at least another year and presumably with a lot of changes:

Bloomberg
EU Fails to Speed Up Privacy Rule in Spite of Merkel Spy Tension
By Stephanie Bodoni & Ian Wishart – Oct 24, 2013 7:43 PM CT

European Union leaders dropped a 2014 deadline to complete an overhaul of the bloc’s data privacy laws even as they condemned allegations that the U.S. eavesdropped on German Chancellor Angela Merkel.

Leaders called for a strengthened data-protection law to be introduced in a “timely” fashion. A draft version of their summit statement had language seeking its adoption next year. A U.K.-led group urged a slowdown to consider the effect of the legislation on businesses.

“We stressed that we have to speed up the work, but it is a complex task. It’s not only related to the already difficult issues of protecting privacy, but it is also an impact on business,” EU President Herman Van Rompuy said after the first day of a two-day summit. “We have to study this carefully.”

The overhaul of the privacy law, which could result in U.S.-based companies including Google Inc. (GOOG), Facebook Inc. (FB), and Apple Inc. (AAPL) facing fines as high as 100 million euros ($138 million) for data-protection violations, was endorsed by a panel of EU lawmakers this week. National governments have to agree to the proposals before they can become law. At the summit, leaders called for adoption of the law as part of the introduction of new telecom rules in 2015.

“We think there’s too much red tape in the proposal,” Markus Beyrer, director general of European business federation BusinessEurope, told reporters before the summit. “We think there are too many things which might hurt data flow, which might hinder growth.”

Hmmm…so what information do we have so far on the proposed anti-business rules Cameron is referring to? It must be pretty severe to warrant a delay on a bill with so much momentum behind it. It certainly suggests there’s going to be a lot to discuss during the “secret trilogue”:

Infosecurity
European Civil Liberties Committee Approves Current Draft Data Protection Regulation

22 October 2013
Edward Snowden’s leaked information on the character and extent of NSA surveillance brought new impetus to the European Commission’s proposed new General Data Protection Regulation, which had been floundering under the weight of extensive US government and business lobbying.

For example, under the proposed legislation the transfer of data to third-country authorities (by companies such as Google, Facebook, Apple and Microsoft) can only occur under European law or an agreement based on European law. This would mean that regardless of FISA rules, such companies could not pass Europeans’ personal data to the NSA without facing European sanctions (which in theory could be a fine of up to 5% of global turnover).

This was part of the original proposal from the European Commission, but had been dropped in the face of extensive US government lobbying. Now, following Snowden’s revelations it has been re-introduced into the draft legislation (and the potential sanction increased from an original 2% to 5% of turnover).

The current draft proposal has now been approved by the European Parliament’s Civil Liberties Committee (LIBE). It was accepted by a vote of 51 in favor, 1 against, and 3 abstentions, after several postponements over the summer months. The proposal’s draftsperson and rapporteur, Jan Philipp Albrecht, called it “a breakthrough for data protection in Europe” that “would overhaul EU rules, ensuring they are up to the task of the challenges in the digital age.”

But the devil, as always, is in the detail – and much confusion remains. Ad Age reports, “‘It seems to provide for a complete block of cross-border data flows unless the US agrees to EU rules on NSA access to data,’ said Christopher Wolf, director of the Privacy and Information Management practice group at law firm Hogan Lovells, calling the proposal ‘draconian.’” But the same report quotes Justin Brookman, director of consumer privacy at the Center for Democracy and Technology: “The regulation looks pretty robust, though there are some workarounds that will let companies do a lot of what they already do.”

It is these ‘workarounds’ that are still heavily criticized by European civil liberties groups. Prior to the vote, La Quadrature du Net (LQDN) wrote to the LIBE committee, “we urge you to reject compromise amendments made on articles 6 and 20.”

“If allowed to stand,” said Joe McNamee, Executive Director of European Digital Rights, “this vote would launch an ‘open season’ for online companies to quietly collect our data, create profiles and sell our personalities to the highest bidder. This is all the more disappointing because it undermines and negates much of the good work that has been done,” he added.

LQDN has a further criticism. The LIBE committee also approved ‘trilogue negotiations’ in the run up to the final European vote. This means that further discussion on the proposed legal framework between the EU and national governments will now be held in secret. “That legal framework – geared to protect the fundamental right to privacy of the European citizens – deserves an open and transparent debate that is equal to the challenge represented by these issues,” LQDN said in its letter to the LIBE committee, urging “transparency and a proper, in-depth public debate.”

So while some of the amendments voted by the LIBE committee yesterday strengthen and bring forward the new European General Data Protection Regulation, there are many who believe it still contains enough loopholes – and potentially new loopholes introduced in secret – to mean business as usual in the collection and movement of European personal data by the big internet companies.

So there are nearly 4000 amendments still to be worked out in the secret trilogue, but right now it’s sounding like the new rules potentially “provide for a complete block of cross-border data flows unless the US agrees to EU rules on NSA access to data” while at the same time containing loopholes that “would launch an ‘open season’ for online companies to quietly collect our data, create profiles and sell our personalities to the highest bidder” and “mean business as usual in the collection and movement of European personal data by the big internet companies”. And there are possible large fines if the rules are found to be broken in a way that falls outside the loopholes. So: hypothetical protection against spying by foreign governments, but probably no real threat to data collection by private companies. This was probably to be expected, because it’s not like EU tech giants wouldn’t like business as usual too.

With much left up to the secret trilogue, it’s very unclear how beneficial the final legislation is going to be for average EU citizens. On the other hand, the new rules are also going to require that firms have a designated “data protection officer”, and this is the closest to a jobs program we’ve seen from the EU in years, so at least there’s that.

What’s better than being one of the big fish in the ocean? Being an even bigger fish in a global sea of ponds
Still, it has to be said that the implementation of EU-wide data-privacy laws is a great example of the usefulness the EU can provide and exactly why something like the EU has value. When it’s not implementing far-right economic theories across the union, the EU can actually be useful! Because there are some things in the world that really benefit from a standardized set of rules, and data-privacy laws for cross-border exchanges are one of them. If it’s possible to have a common set of rules that close trading partners can agree upon, all the better.

The EU also helps to avoid situations like each nation having its own domestic internet that requires all internet traffic to be kept within the nation. An internal internet for critical infrastructure certainly makes sense. And a larger national internet might work well for some services, like a national email service. But it also might break the internet and do very little to deal with the global threat of mass domestic surveillance, or even exacerbate that threat if authoritarian governments use the balkanization of the internet to impose controls that censor access. So let’s hope nations with intranet ambitions proceed with caution:

Germany wants a German Internet as spying scandal rankles

By Leila Abboud and Peter Maushagen

PARIS/FRANKFURT | Fri Oct 25, 2013 11:36am EDT

(Reuters) – As a diplomatic row rages between the United States and Europe over spying accusations, state-backed Deutsche Telekom wants German communications companies to cooperate to shield local internet traffic from foreign intelligence services.

Yet the nascent effort, which took on new urgency after Germany said on Wednesday that it had evidence that Chancellor Angela Merkel’s mobile phone had been monitored, faces an uphill battle if it is to be more than a marketing gimmick.

It would not work when Germans surf on websites hosted on servers abroad, such as social network Facebook or search engine Google, according to interviews with six telecom and internet experts. Deutsche Telekom could also have trouble getting rival broadband groups on board because they are wary of sharing network information.

More fundamentally, the initiative runs counter to how the Internet works today – global traffic is passed from network to network under free or paid-for agreements with no thought for national borders.

If more countries wall themselves off, it could lead to a troubling “Balkanisation” of the Internet, crippling the openness and efficiency that have made the web a source of economic growth, said Dan Kaminsky, a U.S. security researcher.

Controls over internet traffic are more commonly seen in countries such as China and Iran where governments seek to limit the content their people can access by erecting firewalls and blocking Facebook and Twitter.

“It is internationally without precedent that the internet traffic of a developed country bypasses the servers of another country,” said Torsten Gerpott, a professor of business and telecoms at the University of Duisburg-Essen.

“The push of Deutsche Telekom is laudable, but it’s also a public relations move.”

Deutsche Telekom, which is 32 percent owned by the government, has received backing for its project from the telecoms regulator for potentially giving customers more options.

In August, the company also launched a service dubbed “E-mail made in Germany” that encrypts email and sends traffic exclusively through its domestic servers.

BUGGING

Government snooping is a sensitive subject in Germany, which has among the strictest privacy laws in the world, since it dredges up memories of eavesdropping by the Stasi secret police in the former East Germany, where Merkel grew up.

The issue dominated discussions at a European summit on Thursday, prompting Merkel to demand that the U.S. strike a “no-spying” agreement with Berlin and Paris by the end of the year.

As the row festers, telecom and Internet experts said the rhetoric exceeded the practical changes that could be expected from Deutsche Telekom’s project. More than 90 percent of Germany’s internet traffic already stays within its borders, said Klaus Landefeld, a board member of the non-profit organization that runs the DE-CIX Internet exchange point in Frankfurt.

Note that Deutsche Telekom’s “E-mail made in Germany” campaign recently ran into a snag when it was reported that the BND has been reading foreign email flowing through the giant DE-CIX data exchange center in Frankfurt, where the recently set-up “E-mail made in Germany” service is run. German citizens’ traffic is reportedly safe from this snooping (uh huh) and now, presumably, foreign users of the service are supposed to favor the BND’s surveillance over the NSA’s. It’s a reminder of the strange reality that the internet has brought surveillance regime shopping to the masses. The marketing campaigns are going to be awesome.

Continuing…

Others pointed out that Deutsche Telekom’s preference for being paid by other Internet networks for carrying traffic to the end user, instead of “peering” agreements at no cost, clashed with the goal to keep traffic within Germany. It can be cheaper or free for German traffic to go through London or Amsterdam, where it can be intercepted by foreign spies.

Thomas Kremer, the executive in charge of data privacy and legal affairs for the German operator, said the group needed to sign connection agreements with three additional operators to make a national routing possible. “If this were not the case, one could think of a legislative solution,” he said.

“As long as sender and receiver are in the Schengen area or in Germany, traffic should no longer be routed through other countries,” Kremer said, referring to the 26-country passport-free zone in Europe.

A spokesman for Telefonica Germany said it was in early discussions on national routing with other groups. A spokesman for Vodafone said it was “evaluating if and how” to implement the Deutsche Telekom proposal.

Although Deutsche Telekom is positioning itself as a safe custodian of user data, its track record on privacy is mixed. In a 2008 affair dubbed Telekomgate, Klaus Trzeschan, a security manager at the group, was jailed for three and a half years for his role in monitoring phone calls of the firm’s own management and supervisory board members, as well as business reporters.

A spokesman for Deutsche Telekom said the affair was the reason why the group worked “so hard” on privacy and security issues in recent years. “We are now the leading company of our industry when it comes to customers’ trust,” he said.

DATA CENTRES

While the routers and switches that direct traffic can be programmed so data travel certain routes, the most popular online services are not built to respect borders.

Web companies often rely on a few large data centers to power their entire operation, and they don’t choose locations based on the location of their customers but on factors such as the availability of cheap power, cool climates, and high-speed broadband networks.

For example, if a Munich resident uses Facebook to chat with a friend sitting 500 kilometers (310 miles) away in Berlin, the traffic would go through one of the company’s three massive data centers 8,000 km away in Oregon or North Carolina, or one near the Arctic Circle in the Swedish town of Luleå. European users’ profiles are not necessarily stored in the Swedish centre; instead the website’s different functions such as games, messaging, and wall posts are distributed among the data centers to improve efficiency.

Similarly, emails sent by Google’s Gmail between two German residents would probably be routed through one of the company’s three data centers in Finland, Belgium and Ireland.

The only way to change this would be for Germany to require local hosting of websites, a drastic move according to experts that has not yet been pushed by German leaders. Deutsche Telekom declined to say whether it would lobby for such an approach.

Brazil’s President Dilma Rousseff, angered by reports that the U.S. spied on her and other Brazilians, is pushing legislation that would force Google, Facebook and other internet companies to store locally gathered or user-generated data inside the country.

One solution would be for European leaders to beef up a new data-privacy law, which has been in the works for almost two years. A greatly toughened version of the law was backed by the European Parliament on Monday, but it still requires agreement by members states.

France and Germany may succeed in getting member states to push ahead on talks to complete the new data rules by 2015.

While it’s possible that we could see a German internet arise from all this, it seems much more likely that this will be used as a kind of diplomatic threat, much like the threat to revoke the data-privacy ‘safe-harbor’ agreements between the US and EU. If there’s one thing the large multinational corporations that dominate the governments across the world love, it’s large, unified marketplaces. And balkanizing the internet isn’t exactly a great way to create large, unified global marketplaces. A balkanized internet requiring global firms to utilize a global network of domestic server farms and follow an ever-changing set of local data-exchange rules probably isn’t going to be a profit-maximizing scenario.

On the other hand, a balkanized internet does perform one very valuable service for the IT giants of the world: large multinational corporations with very deep pockets and the ability to build facilities anywhere in the world are going to be the only entities capable of providing global internet services, like cloud computing. In a world where multiple internets operate on multiple legal and possibly technical standards, we could find ourselves in a situation where the big multinationals are the only entities that can facilitate the transactions required for the global e-commerce/cloud-computing services of tomorrow. Avoiding foreign spying isn’t just a business expense in the global e-commerce/cloud computing marketplace of tomorrow: it’s also a big protective barrier to entry when balkanized internets are part of the solution:

Computing.co.uk
SAP to circumvent NSA spying in Brazil by building data centres in the country
By Sooraj Shah
17 Sep 2013

SAP is to circumvent any spying by the US National Security Agency (NSA) in Brazil by building data centres in the South American country.

In documents aired by Brazil’s biggest television network, Globo, the NSA had a presentation dated May 2012 that was used to show new NSA employees how to spy on private computer networks.

The slides had suggested the NSA had tapped into the network of Brazilian oil firm Petroleo Brasileiro SA.

The firm is a major customer of SAP’s and SAP’s managing director of Southern Latin America, Diego Dzosan, suggested that as a result of recent revelations about the NSA’s involvement in Brazil, SAP will ensure that it keeps all of its Brazilian customer data within Brazilian territory; it is currently housed in the US.

Dzosan was speaking at SAP’s Innovation Tour in Brazil, and believes that the Brazilian government’s stance on the privacy of data, even prior to the NSA revelations, has always been clear.

“Brazil has had a very strong policy in recent years for both private and public companies, in how they store and access data securely. It has a long tradition of that, and our industry has been evolving in line with a lot of those government guidelines,” he said.

He claimed that SAP, which is headquartered in Germany, can fall in line with the Brazilian government’s regulatory framework with a cloud solution but that the first step for the firm is to work with local partners.

“We don’t currently have our own data centres in Brazil, so our first step is to work with local partners to give us a short-term solution, building data centres takes some time, so you need immediate capacity, and we will eventually own our own data centres,” Dzosan stated.

A significant balkanization of the internet, like the creation of a German-only or Brazilian-only internet that requires a dramatic rewriting of web-service software, is probably more of a diplomatic threat than a real plan at this point in time. But the soft balkanization of the internet via a growing patchwork of different national and regional data-privacy rules seems like a near certainty, since it’s currently happening. How this changing landscape is going to impact rapidly growing sectors of the global economy like global cloud computing and web services will be something to watch. We can be sure the large web-service multinational giants will have a global web-service presence. How about the smaller and mid-sized companies? Because companies like Facebook might currently be complaining about new laws that require user data to be stored in Brazil, but after the existing giants invest in these local data-storage services you also have to wonder who on earth is going to be able to compete with them? Other global giants capable of making the same investments will be able to compete in the area of global services with local storage requirements. Anyone else? These are going to be increasingly important questions to ask as the debate (and secret negotiations) over the EU’s data-privacy rules continues, because whatever the EU decides upon is a likely template for multinational data-privacy agreements globally going forward. The concerns over ‘business as usual’ expressed by civil libertarians could morph into concerns over ‘big business as usual, everywhere’ if these new rules are screwed up.

And then there are the new ‘no spying’ rules
Now that France and Germany are trying to publicly negotiate ‘no spy’ agreements with the US, we could also be looking at a situation where more and more governments want no spy agreements too. How this new era of public ‘no spying’ shapes the evolution of the internet and Big Brother 2.0, given how intertwined the internet is with modern spying, will be something to watch:

Lawfare blog
I Spy, You Spy, We All Spy?

By Ashley Deeks
Friday, September 6, 2013 at 4:06 PM

Among the documents that Edward Snowden released are reports showing that the NSA had been picking up email and phone conversations by and among foreign leaders. Among the alleged targets were officials from the EU, individual EU member countries, Brazil, and Mexico. While each subject of this reported surveillance has expressed outrage, perhaps no state has been more agitated than Germany. Revelations about NSA activity directed at the EU have posed significant problems for the German government, given East Germany’s history of widespread surveillance of its own citizens by the Stasi. Chancellor Angela Merkel is under political pressure as she runs for re-election, and opposition parties have threatened to delay US-EU trade talks unless and until they obtain greater clarity about these NSA allegations.

One way the United States has addressed Germany’s concern is by agreeing to negotiate an arrangement pursuant to which neither state will spy on the other for governmental or industrial purposes. We might suspect that Germany proposed the idea and the United States acceded to the request, although Germany’s Chancellery Minister Roland Pofalla (in charge of Germany’s secret services and its intelligence cooperation with other states) told the German parliament that the United States had offered to enter into these talks. Negotiations are to begin in September. Merkel’s primary challenger in the upcoming German elections called on her to seek a “binding pledge from the U.S. government” not to spy on Germany, though the United States does not seem to have indicated publicly precisely what kind of “agreement” it is prepared to negotiate.

In view of these pending negotiations, it is worth considering at least two things: (1) the potential impact on international law of an arrangement intended to regulate espionage; and (2) the strategic and practical effects such an arrangement might have on U.S. intelligence in the future.

(1) As to the first issue, there is something inherently odd—as Duncan Hollis noted over at Opinio Juris—about the idea of an international agreement not to do something that states largely decline to acknowledge that they do, and that many states already view as unlawful (at least as a matter of domestic law). But there are at least two ways to think about espionage and international law: you may believe that peacetime espionage violates international law, or you may take the view that international law simply does not purport to regulate espionage, an activity nearly as old as time. If you take the former view, you presumably would invoke customary international law norms such as non-intervention and respect for sovereignty, which the use of secret listening posts and wiretaps by one state in another state would contravene. If you take the latter view, you would argue that ideas such as non-intervention and sovereignty developed against a background understanding that states do and will spy on each other, thus establishing a carve-out within those very concepts that allows—or at least turns a blind eye to—espionage.

Because espionage fits uncomfortably with international law, it is unsurprising that there are few (public) precedents of states agreeing not to spy on each other. The most commonly cited example is the “Five Eyes” agreement among the United States, UK, Canada, Australia, and New Zealand. In a paper submitted by the Canadian executive branch to a Member of Parliament, Canada stated, “Five Eyes allies, in their own national interests as sovereign states, can lawfully collect intelligence in accordance with their own domestic laws while respecting the long-standing convention not to target the communications of one another.” Of course, this sounds like an “understanding” rather than a binding legal arrangement, and there is no way to know the extent to which the Five Eyes states honor such standing arrangements.

In 2010, then-DNI Director Dennis Blair sought a comparable arrangement with France. According to the Telegraph, “Mr Blair proposed an unprecedented written pledge even more binding than the post-war ‘gentlemen’s agreement’ between the US, Britain, Canada, Australia and New Zealand as trusted partners who do not spy on each other. The deal would also have given France access to a highly secure intelligence retrieval and exchange system.” President Obama ultimately scuttled the deal out of concern that the agreement might handcuff the United States if a less U.S.-friendly French government came into power in the future. (Note the underlying assumption that the United States would feel obliged to alter its behavior in the face of such an agreement, even if it were not in U.S. interests to do so.) In short, I am unaware of any publicly available bilateral “no spy” agreements involving the United States. However, if the United States and Germany do come to an arrangement, it would illustrate the idea that international law can regulate espionage, however unnatural it may seem.

(2) As to the second issue, what are the potential implications for the United States in entering into such an agreement? In the first place, it depends what the “agreement” looks like. If it is a legally binding arrangement, the United States may find itself torn in the future between violating an international legal commitment and conducting espionage in Germany to pursue, say, reports of an imminent armed attack. If—as seems more likely—it ends up being an arrangement that binds as a political matter but not as a legal one, the United States would retain more leeway to act in ways that don’t strictly comply with whatever the final language is. But even political agreements raise the stakes when violations occur; if the United States were caught spying on Germany in violation of a political arrangement, Germany undoubtedly would be exercised. The specific wording of any such agreement also will be important, of course: a limitation on spying on German officials or industries is different from a limitation on spying in Germany at all (against known terrorist groups, for example).

One potential downside of concluding either a binding or non-binding agreement is that other states (including Brazil and Mexico, for instance) may clamor for comparable arrangements, and express outrage and suspicion if the United States proves unwilling to negotiate such deals with them. Another downside is simply the loss of intelligence if the United States agrees not to spy on Germany—or the loss of access to matters or third parties to which the German government might have unique access. The United States conceivably might be able to glean important intelligence via third parties (such as other Five Eyes states), however. Yet another reason such an arrangement might be undesirable is the reason given by President Obama in the French context: a future German government might prove less friendly to the United States than the current one is. Finally, we might think that the United States has more to lose in such a bilateral arrangement because the United States presumably has a broader capacity to collect intelligence on (and in) Germany than Germany does on the United States. So the quid and quo in the arrangement won’t be equivalent.

Part of what makes this new public initiative by France and Germany to work out ‘no spy’ agreements with the US so strange is that it raises a question of how governments would have acted differently in the past if they knew rival governments weren’t spying on them. Would they have behaved differently? If so, how? That’s something worth asking on a government-by-government basis because, while mass surveillance of random people is obviously something that has to be stopped everywhere, the surveillance of governments by other governments is a very different situation. We need to start asking ourselves if this ‘no spying between governments’ thing is actually a good idea, because the ‘no spy’-agreement trend may not stop with France and Germany. The genie is officially out of the bottle and it would be incredibly tragic if a global drive to create a world safe from Big Brother became a world safe for Big Brother from the Other Big Brothers. Other Big Brother surveillance is pretty much the only surveillance a Big Brother is going to have in many cases. Big Brothers should spy on each other; it’s the spying on the rest of us that’s the problem. So are we sure these no spy agreements should apply to Merkel too? Do we want to be in a world where there are rules against trying to spy on the most powerful people in the world? Beyond the chilling rise of the far-right that we’re seeing across Europe, there’s one possibility that should be giving everyone pause regarding US/European ‘no spy’ agreements: President Ted Cruz. No spying on President Ted Cruz. Them’s the rules.

And in the meantime, be sure to keep an eye on those EU data-privacy laws, because the changes to the NSA’s policies over the next year might have an even bigger impact on the EU data-privacy rules than those 4000 amendments yet to be worked out, and not in a good way. A lot will have to do with the NSA’s actual role in EU intelligence gathering and how that role could change. By introducing ‘no spy’ agreements to the public discourse, the ability of the NSA to act as the unofficial global spy-monger for both the US’s own interests (which includes general spy-mongering and very expensive Larping) and also to spy on behalf of the US’s larger NATO/global alliances and all of their possible foreign-intelligence gathering interests might end up changing quite a bit. That also means we should expect a lot more foreign intelligence agencies to start gathering a lot more foreign intelligence themselves. And that includes the EU member nations, which could translate into the kind of future EU data-privacy rules that civil libertarians may not enjoy. It’s somewhat counter-intuitive, but it’s very possible that the over-aggression of the NSA’s spying was simultaneously contributing to a temporary under-aggression by allied intelligence agencies around the world because, well, why bother developing global mass spy capabilities when your ally is already creating archive.org for everything and giving you access to it? As the NSA and “Five Eyes” get shut out of the data collection business (it could happen with the way the diplomacy is developing), someone else is presumably going to fill the mass-surveillance void, and that someone else will probably be someone in the EU, perhaps France and/or Germany. All of that means the upcoming changes to the EU’s data-privacy rules might get a lot looser. It could be more ‘big business as usual’ and there might even be a few more little Big Brothers than before. Watch out.

Update 11/10/2013
Deutsche Telekom’s plans for a German intranet appear to have expanded to potentially include the entire 26-country Schengen Area. All traffic would have to stay within the area. Bye bye global internet?

Deutsche Welle
Telecoms plan shielded European Internet
10.11.2013

Deutsche Telekom says the scandal over US and British eavesdropping has prompted German providers to contemplate an inner-German or inner-European Internet. Data would no longer be routed and stored via other continents.

Germany’s state-backed Telekom confirmed on Sunday that German providers were discussing an Internet confined within Europe’s “Schengen” countries. One project code-named “Clean Pipe” would help firms to fend off industrial spies and hackers.

Schengen is the Luxembourg border town where in 1985 EU nations initiated a visa-free zone that now encompasses 26 European countries but excludes Britain.

A Telekom spokesman told the German news agency DPA that talks were taking place with “diverse, likely partners.” The project would be unveiled on Monday at an information technology (IT) conference in Bonn.

According to the news magazine Der Spiegel, Telekom managers see fewer technical setup problems than IT experts had at first anticipated.

Germany already has a project entitled “E-Mail made in Germany” in which Telekom, United Internet and Freenet handle messages inside the national border.

Infiltration via LinkedIn?

The magazine also claimed that the British agency GCHQ had used a method code-named “Quantum Insect” to manipulate the online service LinkedIn and then infiltrate offices, namely the Belgian concern Belgacom and Mach, which handles mobile phone routing.

Computers of nine personnel at the Vienna headquarters of the Organisation of Petroleum Exporting Countries (OPEC) had also been infiltrated by GCHQ. The US National Security Agency (NSA) had also used the method to access OPEC’s general-secretariat, Spiegel claimed.

LinkedIn told Spiegel it would “never approve” such intrusion. Starhome Mach, a successor of Mach, said it would launch a “comprehensive security check.”

Telekom confirmed a report by the weekly Wirtschaftswoche that it together with the electronic security firm Lancom had begun testing “Clean Pipe” among pilot customers.

End in sight for global Internet?

Last month, US security researcher Dan Kaminsky told Reuters that if countries walled themselves off this would cripple the global, originally open structure of the Internet.

Electronic snooping is a sensitive subject in Germany due to the heavy surveillance of citizens in the former communist East and under Hitler’s Nazis.

Revelations of snooping by US and British secret services stem from documents leaked by fugitive and former NSA contractor Edward Snowden. Russia recently granted him one year’s asylum.

Der Spiegel reported in June that the US had tapped half a billion phone calls, emails and text messages in Germany in a typical month.

‘Krypto-handys’ safe

On Sunday, Spiegel said Germany’s Federal Office for IT security had urged Chancellor Angela Merkel’s Berlin bureau and government ministries to use new, reputedly secure “krypto-handys” – mobile phones with encryption.

The anti-hacker feature actually sounds pretty neat, although it will be interesting to see how well the EU’s intelligence agencies can avoid taking on more of an NSA-like character in their attempts to eliminate the hacking.

Also keep in mind that Germany’s interior ministry is looking into ways to shield the EU’s internet from foreign intelligence services. So the main selling point for the new Schengen intranet isn’t just going to be that the traffic will stay within the Schengen area with some sort of EU anti-hacker feature, but also that other spying services will be kept out of the area. It’ll be an EU-only spy zone:

Deutsche Welle
Germany looks to erect IT barrier

Amid revelations concerning the NSA’s spying on the German government, Interior Minister Hans-Peter Friedrich is looking to erect an IT barrier in Germany and Europe. DW takes a look.
Date 04.11.2013
Author Gabriel Borrud
Editor Lori Herber

Germany’s Interior Ministry is looking to force Internet Service Providers to keep European data out of the hands of third parties, including intelligence agencies, in the wake of an espionage scandal that has cooled relations between the US and Germany over widespread hacking.

Minister Friedrich told the weekly Welt am Sonntag that he wanted to “incorporate an IT-Security law in the upcoming coalition agreement that would provide a legal framework for hindering the interception of data exchanged [within Germany and Europe] by foreign intelligence.”

But what Friedrich didn’t mention was whether Germany was looking to protect data shared with servers outside Europe – where the vast majority of Internet activity in Germany takes place.

Setting up barriers

“The infrastructure needed to create an inner European network exists,” said Dirk Engling, spokesman of the Chaos Computer Club, Europe’s largest association of hackers.

“But the problem is: This is extremely counterintuitive,” he told DW. “By ‘ensuring’ citizens that they are only safe if they restrict their internet usage to within Europe, what is the Internet there for?”

‘We don’t want to cut connections’

Germany’s largest telecommunications company, Deutsche Telekom, has already begun planning a routing system that would restrict all Internet traffic within the country to domestic networks.

“This is just the first step,” said Philipp Blank, corporate blogger for Telekom, adding that eventually the company was looking to expand its routing system to the countries in the border-free Schengen Area.

Blank emphasized, however, that “Telekom does not want to cut connections or restrict users from navigating to sites based outside of Germany or the Schengen Area.”

“Why should email traffic be routed outside [the Schengen Area] if both the sender and receiver are located within its borders? If our system were realized, intelligence services from countries outside this area would find it much more difficult to access this data traffic.”

Safe haven Europe?

Telekom’s claims haven’t won over critics like Dirk Engling of the Chaos Computer Club, who pointed out to DW that spying also took place on data that was restricted to European networks.

“We know now that data was intercepted here on a large scale. So limiting traffic to Germany and Europe doesn’t look as promising as the government and [Telekom] would like you to believe.”

Amelia Andersdotter, who represents the Pirate Party in the European Parliament, told DW that the issue goes far beyond Internet security, dismissing Friedrich’s proposals as “trumped-up lip service.”

“Our politicians are making these claims now about IT security to enhance their popularity. It’s lip service, and it’s ineffective, and it’s hypocritical. Over the last decade governments have worked together with companies to build up infrastructure that creates insecurity, in effect preventing the Internet from serving its true purpose of communication and self-empowerment.”

And in the face of revelations of spying in Europe – not only by the NSA – Andersdotter called on the German government to focus more on the protection of human rights in its cyber security pledge:

“The spying we’ve seen is an egregious violation of human rights. Why should we believe that the limitation of internet traffic to Germany and Europe means the problem is solved? To me it seems very vague, if not suspect.”

A Schengen Area intranet would also imply that GCHQ would be barred from spying on EU traffic (since the UK and Ireland aren’t members). This also means that the Schengen Area intelligence services are going to be primarily responsible for intelligence gathering (assuming the prohibition on foreign-intelligence gathering is truly feasible and isn’t just a farce for public consumption). Given this possibility of an EU spy-takeover of the Schengen Area, it’s good to see that the folks in the Pirate Party and Chaos Computer Club are skeptical of this proposal as a solution to mass surveillance, because whatever concerns they have now regarding the proclivity of EU spy agencies to mass-spy are about to get a lot worse once the EU takes sole ownership of the responsibility for Schengen Area spying (no GCHQ spyware allowed. That function will be in-housed). Even if the EU somehow finds a way to start out spying responsibly under this new system, it’s not too hard for a responsibility to spy responsibly to turn into a responsibility to spy irresponsibly when you’re the primary organization doing the spying, partially on behalf of the entire global community. Mission creep can apply to continental intranets too. Especially when they start in-housing outsourced domestic spying responsibilities.

Discussion

23 comments for “Too Much of a Good Thing? Part 2: A Secret Trilogue and Business as Usual”

  1. Something to consider regarding the potential costs and incentives the large multinationals might have to see a move like Germany or Brazil creating their own internal internet: Many of the changes that could be required if the internet starts fragmenting along national lines might be similar to the changes that would happen if net-neutrality is lost. In either case, the internet could break in very profitable ways:

    Wired
    We’re About to Lose Net Neutrality — And the Internet as We Know It

    By Marvin Ammori
    11.04.13
    9:30 AM

    Net neutrality is a dead man walking. The execution date isn’t set, but it could be days, or months (at best). And since net neutrality is the principle forbidding huge telecommunications companies from treating users, websites, or apps differently — say, by letting some work better than others over their pipes — the dead man walking isn’t some abstract or far-removed principle just for wonks: It affects the internet as we all know it.

    Once upon a time, companies like AT&T, Comcast, Verizon, and others declared a war on the internet’s foundational principle: that its networks should be “neutral” and users don’t need anyone’s permission to invent, create, communicate, broadcast, or share online. The neutral and level playing field provided by permissionless innovation has empowered all of us with the freedom to express ourselves and innovate online without having to seek the permission of a remote telecom executive.

    But today, that freedom won’t survive much longer if a federal court — the second most powerful court in the nation behind the Supreme Court, the DC Circuit — is set to strike down the nation’s net neutrality law, a rule adopted by the Federal Communications Commission in 2010. Some will claim the new solution “splits the baby” in a way that somehow doesn’t kill net neutrality and so we should be grateful. But make no mistake: Despite eight years of public and political activism by multitudes fighting for freedom on the internet, a court decision may soon take it away.

    Game of Loopholes and Rules

    How did we get here?

    The CEO of AT&T told an interviewer back in 2005 that he wanted to introduce a new business model to the internet: charging companies like Google and Yahoo! to reliably reach internet users on the AT&T network. Keep in mind that users already pay to access the internet and that Google and Yahoo! already pay other telecom companies — often called backbone providers — to connect to these internet users. [Disclosure: I have done legal work for several companies supporting network neutrality, including Google.]

    But AT&T wanted to add an additional toll, beyond what it already made from the internet. Shortly after that, a Verizon executive voiced agreement, hoping to end what he called tech companies’ “free lunch”. It turns out that around the same time, Comcast had begun secretly trialing services to block some of the web’s most popular applications that could pose a competitive threat to Comcast, such as BitTorrent.

    Yet the phone and cable companies tried to dress up their plans as a false compromise. Counterintuitively, they supported telecommunications legislation in 2006 that would authorize the FCC to stop phone and cable companies from blocking websites.

    There was a catch, however. The bills included an exception that swallowed the rule: the FCC would be unable to stop cable and phone companies from taxing innovators or providing worse service to some sites and better service to others. Since we know internet users tend to quit using a website or application if it loads even just a few seconds slower than a competitor’s version, this no-blocking rule would essentially have enabled the phone and cable companies to discriminate by picking website/app/platform winners and losers. (Congress would merely enact the loophole. Think of it as a safe harbor for discriminating online.)

    Luckily, consumer groups, technology companies, political leaders, and American citizens saw through the nonsense and rallied around a principle to preserve the internet’s openness. They advocated for one simple, necessary rule — a nondiscrimination principle that became known as “network neutrality”. This principle would forbid phone and cable companies not only from blocking — but also from discriminating between or entering in special business deals to the benefit of — some sites over others.

    Both sides battled out the issues before Congress, federal agencies, and in several senate and presidential campaigns over the next five years. These fights culminated in the 2010 FCC decision that included the nondiscrimination rule.

    Unfortunately, the rule still had major loopholes — especially when it came to mobile networks. It also was built, to some extent, on a shaky political foundation because the then-FCC chairman repeatedly folded when facing pressure. Still, the adopted rule was better than nothing, and it was a major advance over AT&T’s opening bid in 2005 of a no-blocking rule.

    As a result, Verizon took the FCC to court to void the 2010 FCC rule. Verizon went to court to attack the part of the rule forbidding them from discriminating among websites and applications; from setting up — on what we once called the information superhighway — the equivalents of tollbooths, fast lanes, and dirt roads.

    There and Back Again

    So that’s where we are today — waiting for the most powerful court in the nation, the DC Circuit, to rule in Verizon’s case. During the case’s oral argument, back in early September, corporate lobbyists, lawyers, financial analysts, and consumer advocates packed into the courtroom: some sitting, some standing, some relegated to an overflow room.

    Since then, everyone interested in internet freedom has been waiting for an opinion — including everyday folks who search the web or share their thoughts in 140 characters; and including me, who argued the first (losing) network neutrality case before the DC Circuit in 2010.

    But, in their questions and statements during oral argument, the judges have made clear how they planned to rule — for the phone and cable companies, not for those who use the internet. While the FCC has the power to impose the toothless “no-blocking” rule (originally proposed by AT&T above), it does not (the court will say) have the power to impose the essential “nondiscrimination” rule.

    It looks like we’ll end up where AT&T initially began: a false compromise.

    In addition to the impact that the DC Appeals court ruling could have on net-neutrality, keep in mind that the EU is putting into place new net-neutrality laws too. The proposed rules announced in September sounded like they would protect net-neutrality, but that might be changing. In secret:

    Computer World UK
    Help: EU Net Neutrality Consultation Closes Today
    Glyn Moody
    Published 08:15, 05 November 13

    As you may recall, back in September the European Commission finally came out with its proposals for net neutrality, part of its larger “Connected Continent” package designed to complete the telecoms single market. I learned yesterday that the European committee responsible for this area, ITRE (Industry, Research and Energy), has launched something of a stealth consultation on these proposals. Stealth, because neither I nor anyone else that I know covering this area was aware of them, which is pretty bizarre.

    Unfortunately, that consultation closes at the end of business today. That means we have very little time to comment, although speaking to the people running the consultation, I get the impression that they won’t apply the deadline too strictly if you let them know that something will be coming through a little late. There is no formal document outlining the terms of the consultation – just bring up the points you think important. Submissions should be sent to elina.kaartinen@europarl.europa.eu and/or peter.traung@europarl.europa.eu. Here’s what I’ve written:

    Given the very short time I have to contribute to this consultation, I’d like to concentrate on one key aspect, that of net neutrality. In particular, I’d like to urge ITRE not to allow specialised services to be offered, since this will in fact destroy the very net neutrality that the European Commission claims that it is protecting in its regulations. In what follows, I will try to explain why.

    Alongside things such as IPTV, more “serious” uses like telemedicine are frequently invoked to justify permitting specialised services with guaranteed quality of service – for example speed, or latency. But this is really just a clever trick on the part of the telecom companies and their lobbyists, who are the main drivers of this attempt to kill net neutrality.

    After all, if an ISP is able to provide a guaranteed quality of service for such specialised services, running on the general Internet, then there is no reason not to provide that guaranteed quality of service for everything on that connection.

    Whenever the guaranteed speeds or latency are required for telemedicine (or IPTV), all the user has to do is close down all other applications. In that case, the entire connection is devoted to the “specialised” service, which is able to make use of the quality of service guarantees. With all the other services shut down, it is as if the specialised service enjoys privileged treatment – it does, but only because there is nothing else running. This allows quality of service to be provided without damaging net neutrality: all IP packets are treated equally, but sometimes the user chooses to send only one kind of IP packet over the connection.

    This shows that it is not necessary to kill net neutrality in order to provide services that require particular quality of service guarantees. But there is a very real danger that the European Commission’s proposals to allow specialised services will do just that. The “protection” for net neutrality misses the point.

    If a startup is in competition with an established market leader, and the latter is offering a “specialised service” with a guaranteed quality of service, while the newcomer is not (because it can’t afford to pay ISPs the requisite fees for doing so), the incumbent will have a huge advantage. That’s because by definition the new service will run better than those running on the “ordinary” Internet, which are bound to be perceived as slow or unreliable compared to the one given preferential treatment. It doesn’t matter that the specialised service doesn’t impair the standard service “in a recurring or continuous manner”: it’s simply human nature to prefer the service that runs better, and the specialised service will, thanks to the quality of service guarantees. In this way, innovation will be disadvantaged and discouraged, and deep-pocketed market leaders entrenched.

    The tragedy is that this danger is entirely avoidable. If ISPs were allowed to offer quality of service guarantees for additional payment, just as they can offer faster services, or greater monthly bandwidth, but not tied to any one service, then end-users could use this connection for both established players and newcomers alike, enjoying a superior technical experience for both. They could then decide on the merits of the content of the services which to adopt, rather than being pushed in the direction of established companies able to afford deals with ISPs to provide superior connections compared to those available to startups.
    Posted by Pterrafractyl | November 5, 2013, 1:33 pm
  2. See the 11/10/2013 update in the OP on the new Schengen-Area intranet plans.

    Posted by Pterrafractyl | November 10, 2013, 10:20 pm
  3. Heh, I had missed this: it turns out that David Cameron wasn’t the only EU leader that played a role in stalling the new EU data privacy rules overhaul:

    Der Spiegel
    Appearances and Reality: Merkel Balks at EU Privacy Push
    October 28, 2013 – 06:08 PM
    By Gregor Peter Schmitz in Brussels

    Chancellor Merkel has put on a good show of being outraged by American spying. But, at the same time, she has impeded efforts to strengthen data security. Does she really want more privacy, or is she more interested in being accepted into the exclusive group of info-sharing countries known as the ‘Five Eyes’ club?

    One particular point of clarification was especially important to Angela Merkel during the EU summit in Brussels last week. When she complained about the NSA’s alleged tapping of her cellphone, the German chancellor made clear that her concern was not for herself, but for the “telephones of millions of EU citizens,” whose privacy she said was compromised by US spying.

    Yet at a working dinner with fellow EU heads of state on Thursday, where the agenda included a proposed law to bolster data protection, Merkel’s fighting spirit on behalf of the EU’s citizens seemed to have dissipated.

    In fact, internal documents show that Germany applied the brakes when it came to speedy passage of such a reform. Although a number of EU member states — including France, Italy and Poland — were pushing for the creation of a Europe-wide modern data protection framework before European Parliament elections take place in May 2014, the issue ended up tabled until 2015.

    Great Britain, itself suspected of spying on its EU partners, and Prime Minister David Cameron, who has former Google CEO Eric Schmidt as one of his advisors, put up considerable resistance. He pushed instead for the final summit statement to call simply for “rapid” progress on a solid EU data-protection framework.

    A Setback for ‘Europe’s Declaration of Independence’

    Merkel also joined those applying the brakes. Over the weekend, SPIEGEL ONLINE gained access to internal German Foreign Ministry documents concerning the EU leaders’ final summit statement. The “track changes” feature reflects a crucial proposed change to item No. 8 under the subject heading “Digital Economy” — the suggestion that the phrase “adoption next year” be replaced with “The negotiations have to be carried on intensively.”

    Ultimately, the official version of the final summit statement simply called for “rapid” progress on the issue — just as Great Britain was hoping for.

    This amounts to a setback for proponents of the proposed data-protection law, which EU Justice Commissioner Viviane Reding has called “Europe’s declaration of independence.”

    The European Parliament recently began drafting stricter regulations in this area, including potential fines running into the billions of euros for any Internet company caught illegally passing private data to US intelligence agencies. Such proposed legislation has the support even of some of Merkel’s fellow conservatives in the European Parliament, including Manfred Weber of the Christian Social Union (CSU), the Bavarian sister party to Merkel’s Christian Democratic Union (CDU), who says: “We need to finally summon the political will for more data protection.”

    American tech corporations could hardly believe their luck at having Merkel’s support. Now they’re hoping for more leeway to water down the data-protection law as soon as the furor over the latest spying scandal has subsided. One high-ranking American tech-company executive told the Financial Times: “When we saw the story about Merkel’s phone being tapped … we thought we were going to lose.” But, he added: “It looks like we won.”

    Indeed, the EU leaders’ anger was already starting to dissipate during their sessions in Brussels. Summit participants say leaders pointed out that Europe is not exactly on the side of the angels when it comes to government spying. Luxembourg’s prime minister, Jean-Claude Juncker, cautioned his fellow leaders, questioning whether they were certain their own intelligence agencies had never violated data privacy themselves.

    Code of Conduct for Intelligence Agencies

    The concerns of the tech industry, in particular, received an attentive ear among Europe’s leaders. One summit participant relates that restructuring data-protection laws was portrayed as a “laborious” task that would require more time to complete, and that Merkel did not push for speed on the matter, to the surprise of some of her counterparts.

    According to summit participants, the German chancellor seemed far more interested in the “Five Eyes” alliance among the US, the UK, Australia, New Zealand and Canada. The top-level allies within this exclusive group, which began in 1946 as a pact between London and Washington, have agreed not to spy on one another, but instead to share information and resources. In Brussels, Cameron stressed to his fellow leaders how many terrorist attacks had been prevented by successful intelligence work.

    Merkel, meanwhile, stated: “Unlike David, we are unfortunately not part of this group.” According to the New York Times, Germany has sought membership in the “Five Eyes” alliance for years, but has been turned down due to opposition, including from the Obama administration. But this could now change, the paper speculates.

    Posted by Pterrafractyl | December 19, 2013, 2:09 pm
  4. Should we say ‘so long’ to the US-EU safe harbor data agreement? Maybe, because that’s what the EU panel investigating the NSA spying scandal is expected to recommend:

    European Voice
    MEPs to ask for suspension of EU-US data exchanges
    By Toby Vogel – 19.12.2013 / 05:59 CET
    Decision deferred on testimony from Edward Snowden.

    A panel of MEPs tasked with shedding light on alleged mass surveillance of European Union citizens by US intelligence services is expected to recommend in January that the EU should suspend two data-exchange agreements with the US.

    A report drafted by Claude Moraes, a centre-left UK MEP, urges the European Commission to suspend the safe-harbour agreement, which allows US companies to use data relating to EU citizens if they certify that they follow EU rules.

    He also wants an interruption in the Terrorist Finance Tracking Programme (TFTP), which gives US counter-terrorism authorities access to data on banking transfers made through the global SWIFT messaging system, headquartered in Brussels.

    The European Parliament called in October for the suspension of the TFTP, but Cecilia Malmström, the European commissioner for home affairs, subsequently said that extensive consultations with the US had not uncovered any breach of the agreement.

    Moraes’s call is supported by the centre-left, Green and liberal groups in the Parliament, while the centre-right is split. Axel Voss, a centre-right German MEP who is his group’s spokesman on the subject, backs suspension of the safe-harbour agreement – seen by businesses as critical for their ability to process customer data on both sides of the Atlantic – but not the suspension of the TFTP.

    Other calls

    Other recommendations in the report are less controversial – for example calls for a Commission report on whistleblower protection in the EU, or for the Council of Ministers to move fast on reform of the EU’s data-protection regime.

    Moraes presented his draft recommendations to MEPs on the civil-liberties committee yesterday (18 December) following an exchange via video link with Glenn Greenwald, a journalist who disclosed the US operation to collect global communications data, based on documents provided by Edward Snowden, a former US intelligence contractor. Greenwald called on EU governments to grant asylum to Snowden, who is thought to be in Russia.

    Posted by Pterrafractyl | December 20, 2013, 9:15 am
  5. The EU just unveiled its proposed changes to the governance of the internet in response to the Snowden affair. The proposals mostly appear to focus on setting up a timeline for shifting control of ICANN out of US jurisdiction. But the EU is also opposing moving ICANN under the UN’s domain. No international control and no government control. Instead, it sounds like the plan is to continue the “open multi-stakeholder governance” model for ICANN, but under a new type of international “governance network”. If that sounds sort of nebulous, it is because it is:

    intellectual property watch
    EU Commission Pushes Internationalisation Of Core Internet Infrastructure
    Published on 12 February 2014 @ 6:42 pm

    By Monika Ermert for Intellectual Property Watch

    Over the revelations of mass surveillance of internet users and government officials, the topic of internet governance has risen to the mainstream political agenda. And a Communication on “Europe’s role in shaping the future of Internet Governance” passed by the European Commission today would put “Europe in the center of the debate,” EC Vice President Neelie Kroes said in a press conference in Brussels.

    The Communication, which in part is supposed to foster an EU consensus position for the upcoming Brazil and other 2014 internet governance meetings (IPW, Information and Communications Technology, 30 January 2014), supports the globalisation of the Internet Corporation for Assigned Names and Numbers (ICANN) and the Internet Assigned Numbers Authority (IANA) functions, performed under contract with the US Department of Commerce.

    Kroes and her predecessor Viviane Reding made several attempts to push for a reform of the still unilateral oversight role of the US over the management of the root zone, the heart of the internet domain name system. So far, those attempts failed due to opposition from the US administration, though some steps to internationalise ICANN oversight have been taken and were welcomed today by the Commission.

    In presenting the communication today, Kroes said the current debate is “happening at a time of broken trust, not the least because of surveillance scandals and at a time when many governments want more control over the internet.” The EU certainly did not support a UN or government takeover, she rushed to assure. The Commission rejected the notion that there is only a “binary choice” between “pretending there are no problems with governance” or “a revolutionary top-down approach.”

    But in order “to avoid a split of the global political community” and an unravelling of the internet into “a series of regional and national networks,” there is a need to act urgently, she said. The Commission, therefore, is recommending the establishment of a clear timeline for the globalisation of the ICANN, a dialogue over “how to globalise the IANA functions,” and a strengthening of the multi-stakeholder model in general and the Internet Governance Forum as one of the platforms based on that model.

    Compared to earlier proposals, the EU Commission this time seemingly wants to make sure to pre-empt any claims that it might help those asking for more UN control over the internet.

    Multi-Stakeholder – Not a Magic Wand

    The Communication will be discussed next week by the representatives of member states in the Council, according to the Commission, and later in the European Parliament where Dutch MEP Marietje Schaake today called for a debate.

    The Communication includes a list of other measures, too. Proposed measures of the Communication include the start of a Global Internet Policy Observatory to ease access to information on the complicated internet governance processes.

    Moreover, the “fact that a process is claimed to be multistakeholder does not per se guarantee outcomes that are widely seen to be legitimate,” the Communication reads. A consultation on how “adequate and transparent multi-stakeholder involvement” can be ensured in the EU itself therefore is also on the to-do list.

    One question raised with regard to multi-stakeholder context in particular is related to the role of public authorities in these new processes. There have been many questions by non-governmental participants about the role of representatives in ICANN’s Governmental Advisory Committee for example.

    Also some of the tough topics of global internet governance are included in the Communication, such as how to deal with the clash of jurisdictions in one universal, borderless network. The concern is that even if ICANN moves from California to another jurisdiction, the problem would not go away, but would only change with regard to what jurisdiction might be the dominant one.

    “Stakeholders” Welcome Communication

    The EC’s proposals today were quickly welcomed by many of the so-called stakeholders. ICANN Vice President for Europe Nigel Hickson sent out a statement saying the organisation was “pleased that the European Commission in this important communication is emphasizing the need to sustain the multi-stakeholder approach to governing the Internet.” ICANN has joined Brazil in hosting and preparing the April Sao Paulo Conference, and ICANN CEO Fadi Chehadé has committed to internationalisation.

    The European Telecom and Network Operator Association (ETNO) in a press release said it agreed “that we need to move towards a coherent set of global Internet principles and that the upcoming Global Multi-stakeholder Meeting on the Future of Internet Governance, hosted by the Brazilian Government in co-operation with other Member States, is a good place to start that debate.” ETNO’s Chairman Luigi Gambardella in the release said: “We need more Europe in Internet governance, or we won’t be able to make an impact at global level.”

    Computer & Communications Industry Association (CCIA) Vice President James Waterworth said in a statement that he was pleased with the EC’s “support for a truly open, free and global Internet and will take that position into the Brazil Summit in April this year.”

    “It is vital that Europe leads liberal democracies in supporting a multilateral and multi-stakeholder system of Internet governance that does not hand control over critical Internet resources to an intergovernmental institution or to governments,” he said.

    As EU Telecom Commissioner Neelie Kroes put it, in order “to avoid a split of the global political community” and an unravelling of the internet into “a series of regional and national networks,” there is a need to act urgently. So they’re acting urgently. Whether or not they’re acting appropriately too sort of depends on how the “open multi-stakeholder governance” model actually works. And that’s still an open question. The internet is currently operated under a multi-stakeholder model but it’s a model that still includes US jurisdiction for some aspects of how the internet’s core works. In the interview with ICANN’s CEO below, however, the multi-stakeholder governance model of the future is described as follows: “what you want instead is to create governance networks — a term I’m pushing. Not governance institutions, not governance regulations. What we need in the age of the Internet is governance networks. These are networks that are formed by multiple stakeholders to solve governance characteristics.” So the vision for the global internet governance is, like, government, but not government. That’s deep:

    CNET
    ICANN CEO sets off explosion of new Internet names (Q&A)

    Next week, ICANN opens the Internet up to new domains like .ski, .sexy, and .berlin — and Fadi Chehade has to handle people unhappy with the change. Also: time for the US to let go of its Net oversight?
    by Stephen Shankland
    January 28, 2014 4:42 AM PST

    Starting next week, the Internet is going to look very different — and ICANN Chief Executive Fadi Chehade is the one who’ll get both the credit and the blame.

    Today, Net addresses end with 22 familiar terms — .com, .net, and .edu — called generic top-level domains (GTLDs). But starting Feb. 4, the first of hundreds of new GTLDs will begin arriving — .ninja, .farm, .shoes, .photography, .bike, .pink, and even .wtf.

    The Internet Corporation for Assigned Names and Numbers (ICANN), a non-profit organization, oversees the domain-name expansion and the core Internet technology called the Domain Name System that makes it tick. Chehade took over ICANN leadership in 2012 and now is grappling not just with the GTLD expansion, but also the dwindling supply of numeric Internet addresses and an attempt to wean the Internet from the US government’s dominant oversight role.

    Why bother with the domain-name expansion? For a company trying to get a new start on the Net, finding an unclaimed Web address can be tough. And for a company catering to customers in countries like China or Russia, names are held back with characters in the Roman alphabet. Other companies might want to use their own domain — actual examples including .google, .canon, .apple, .samsung, and .ibm.

    That’s pleased those who see a business reason to embrace the new addresses. “Since Fadi has taken the helm at ICANN, the program has moved forward at a much faster pace,” said Shayan Rostam, production manager at XYZ.com, which will operate registries for .xyz and .college. “We have pushed up our global .xyz launch date to this March, directly due to Fadi’s leadership of the program.”

    The reason Chehade is also in the hot seat, though, is fielding criticisms from those with a trademark to protect. For them, the explosion of new GTLDs means new hassles and expenses.

    ICANN established a Trademark Clearinghouse where organizations can register their brand names and get alerts if somebody else wants to use them in some way. But even with that, organizations still must decide whether to apply for the right to operate a registry with their name, to contest or bid against others’ domain-name choices, and to register Net addresses on the hundreds of new domains others will operate — ibm.xyz, for example. (Although the first round of applications to run generic top-level domains is closed, companies still must decide what to do with approved new domains and what to do when they can apply again.)

    What exactly is the nature of your contract with the US Department of Commerce? I don’t think a lot of people know.
    It’s a zero-dollar contract: there’s no money that passes between us and the Department of Commerce. The origins of ICANN started when the US government left this function of updating the root of the Internet Domain Name System. Three things are covered by this contract: the Domain Name System, which are the names; the numbers, which are the IP numbers [Internet Protocol numbers are used to route data across the Net from one machine to another]; and the protocol parameters. That’s the extent of our relationship with the US government, other than the US government, like any other government, being a member of ICANN’s governmental advisory committee.

    This contract continues to maintain the US government’s stewardship over these three areas that we do. The US government role is to ensure that we are doing these functions as the community has asked us to do them. The US government is essentially in an oversight role over ICANN. The US government as well as the contract itself has always defined that at some point that stewardship will be replaced by the multistakeholder stewardship of the ICANN community. This was always envisaged as coming, but the question was when and how.

    I have in the last few months publicly stated that the time for that has come. This oversight is not sustainable any longer, and therefore we should work with the US to hand over its superb stewardship. We should all be thankful for the stewardship of the US government. It’s worked marvelously well. Now it is important for the US government to appreciate it’s time to have that stewardship headed to the world community through the ICANN’s multistakeholder model.

    What influence have the Snowden revelations had on your agenda and the timeline you’re pursuing it on?
    We’ve been waiting for the right moment to get there. The right moment is now, evidenced by the progress at ICANN in the last two years, and before that under Rod Beckstrom, my predecessor. ICANN has become a more mature organization — not just in its number of staff, but also in its global accountability and its presence around the world. President [Toomas Hendrik] Ilves of Estonia announced at the World Economic Forum that the ICANN multistakeholder regime is probably the most advanced in the world. These are statements that three or four years ago were not heard. Therefore it is important to appreciate the US government now sees this moment is upon us.

    The question is how and when? We do it calmly, we do it wisely, with all the community involved, so the community can guide us. These discussions I need to start with our colleagues in the US government, and I will, but I first wanted to ensure we were aligned as a community.

    Clearly, there is no question that Edward Snowden’s revelations have stimulated the dialog. I attended a couple sessions at the World Economic Forum about security risks. I saw leader after leader of major companies like GE sincerely worried about the trust factor on the Internet. And we have the Target situation. The trust in the ecosystem has been punctured a little bit.

    I’m not naive. I don’t believe we should all hug each other and trust each other. The reality is that trust can only be restored through checks and balances. Checks and balances mean you do not have a single actor or institution that owns the responsibility in any one part of the Internet governance ecosystem. What you want instead is to create governance networks — a term I’m pushing. Not governance institutions, not governance regulations. What we need in the age of the Internet is governance networks. These are networks that are formed by multiple stakeholders to solve governance characteristics. They must have three characteristics: they must be effective, they must be dynamic, and they must be legitimate. These are very complex characteristics. We need to evolve the US oversight into something that the world will embrace but also to not replace it with something that will be either one actor or one type of actor — for example, all governments — but target a governance network that includes all the stakeholders.

    How does that tie in with the United Nations’ International Telecommunications Union (ITU)’s power grab?
    They want to address some issues that are not being addressed well through the tech sector or many governments around the world. They picked on things like spam and cybersecurity and said, “We could help there.” Where ICANN and the IETF play is the layer of governance of what makes up the Internet — the logical layer. Where the discussion is open is how do we govern what is on the Internet.

    Rather than continuing to say not here, and continuing this polarized fight between the multistakeholder and multilateral model, I went to Brazil and met with President [Dilma] Rousseff and asked her, why don’t we address all these issues on all sides. We need a more nuanced approach that ensures we have a home to start addressing what is on the Internet, and at the same time to evolve the current governance networks like ICANN so they also are more legitimate, accepted by the whole world, and more effective at things like addressing US oversight.

    So you’re proposing what sort of organization to oversee what’s on the Internet?
    It is not an organization. What we’re going to do at a meeting on April 23 in Sao Paulo is propose an interconnected governance ecosystem. We’re creating a highly distributed but also structured way to address the issues by establishing new governance networks. We’ll make sure these are well coordinated at the global, regional, and national levels. It’s like a 21st century governance system for the Internet. Hopefully at Brazil we’ll see the birth of something that evolves what we have today but also allows it to expand.

    I’m a US-UK citizen who lives in France. You’re a citizen of Lebanon, Egypt, and the US. We both live what some people are calling a post-national existence. Will the Internet ultimately make national borders look obsolete?
    As measured in centuries, yes. The Internet operates in a transnational space. It is challenging our laws, our jurisdictions. It is challenging the world to create more international frameworks for legal and cultural matters.

    Today, we get certain rights and certain guarantees, but it is the nation-state model that provides them. But the Internet is humbling the nation-state model. It is stressing it and creating new challenges that didn’t exist before. I tell leaders they have two choices. They can build walls and create friction between their own Internet and the rest of the world, or they can engage in the world and participate in these networks.

    A Boston Consulting Group study introduced the idea of the e-friction index. It shows you that for a government that resorts to building friction that allows it to protect who it is, there is a cost to that. The study concludes there are up to 2.5 percentage points of GDP [gross domestic product, a measure of a country’s total economic activity] that are potentially lost. A frictionless Internet should be our goal.

    Are you worried that countries will wall off their own Internet services into their own “splinternets”?
    I’m really worried, because people do not understand the impact of a high-friction Internet. If they will resort to nationalization of their Internet ecosystem, the cost of that will be tremendous, not just economically, but socially. I talked to a professor who put online a senior college course in advanced mathematics. About 36,000 students used it, and the top students are in the age group of 14-15 years old. Imagine all these knowledge lines fractured by policy friction and content friction.

    The danger is there. Some people are predicting it is inevitable. If we thoughtfully move to new governance networks to address the issues, we may have a chance this year to start a less alarming path to solving that problem today.

    Once again: “what we’re going to do at a meeting on April 23 in Sao Paulo is propose an interconnected governance ecosystem. We’re creating a highly distributed but also structured way to address the issues by establishing new governance networks. We’ll make sure these are well coordinated at the global, regional, and national levels. It’s like a 21st century governance system for the Internet.”

    So they’re proposing an “interconnected governance ecosystem” that won’t be run by governments or the UN. Assuming this isn’t some privatized-global-regulation trojan horse, this is potentially a big development, for good or ill. The multi-stakeholder model has worked pretty well at governing the internet so far, but there’s no guarantee of that going forward. In addition, whatever “interconnected governance ecosystem” model they agree upon could have applications beyond just sharing the governance of the internet. What other forms of global commerce might also lend themselves to the new 21st century “open multi-stakeholder governance” model and will these necessarily be situations where that model makes sense? We’ll see!

    Posted by Pterrafractyl | February 12, 2014, 12:42 pm
  6. Following up on the EU’s proposed overhaul to how the internet is governed: Here’s an article from October that discusses a leaked document from the Seoul Conference on Cyberspace calling for the creation of a “Commission on the Future of Internet Cooperation” to “provide new ideas for transnational and multi-stakeholder proposals for Internet governance”. While the status of that proposal is a secret, the article points out that ICANN CEO, Fadi Chehade, gave a speech at the Bali Internet Governance Forum where he gave a hint of the structure of the upcoming summit in Brazil. According to the author below, the model Chehade has in mind for deciding the fate of the internet might have an eerie resemblance to another governance model: the corporatist governance model. And as the author also points out, the corporatist criticism of the summit in Brazil might also apply to the multi-stakeholder model itself:

    internetgovernance.org
    October 20, 2013
    Are we re-booting all Internet governance? (Or just releasing a lot of hot air?)
    by Milton Mueller

    It’s 2004 again. Ideas and proposals for the reform of Internet governance are now flying all over the place, just as they did at the outset of the UN Working Group on Internet Governance.

    At the recently concluded Seoul Conference on Cyberspace, a memo was circulated calling for the creation of a “Commission on the Future of Internet Cooperation.” The commission, the confidential memo said, would consist of “civic leaders, ministers, CEOs and technical pioneers.” Its purpose will be to “provide new ideas for transnational and multistakeholder proposals for Internet governance.” According to the leaked document, the group is supposed to begin work in October and conclude its work with a presentation at the World Economic Forum in January 2014.

    We do not know the current status of this proposal; it is not mentioned as part of the official output of the Seoul Conference. The idea may not even have been accepted by the assembled leaders. But if, as the document stated, work was to begin in October it would need to be created very soon. If efforts to create this commission are indeed underway, why doesn’t anyone know about it yet? Who will choose these “civic leaders,” etc.?

    While the formation and fate of this commission remain shadowy there is little doubt about where the proposal came from. It is another brainstorm of Fadi Chehade, the President and CEO of ICANN. In what has become a one-man crusade to re-shape Internet governance from the top down, Chehade has already created 4 “Strategy Panels,” one of them devoted to “ICANN’s role in the Internet Governance Ecosystem.” At the end of the page announcing these 4 panels on ICANN’s web site, it says “The 5th panel originally identified will be refocused and is expected to be forthcoming later this year.” My guess is that we now know what the 5th panel is. (NB: We should probably not confuse the 5th panel with a 5th column.)

    These are not really expert panels – very few of those selected are experts in subjects related to institutions and global governance. It would be more accurate to call them panels of the proximate (to ICANN staff), the prominent and the unobjectionable.

    While we have serious qualms about this particular style of reform, there are some good things to be said about Fadi’s latest initiatives. We are sympathetic to the ideas of fostering Internet cooperation – as opposed to Internet governance – and we approve of its emphasis on transnational – as opposed to international or intergovernmental – approaches. Furthermore, the energy and initiative displayed by Chehade makes for a useful contrast with the paralysis of the US government and the sluggish, ponderous tone of other governments.

    Speaking of the ponderous, at a Bali Internet Governance Forum pre-event, Chehade and representatives of the technical community began to provide more detail about what would happen at the planned Brazilian “Summit” meeting in April 2014. According to a description of the meeting sent out by Access’s Jochai Ben-Avie, Brazil and ICANN are proposing an oddly corporatist approach to representation at the meeting:

    To ensure multistakeholder and global participation, there is a proposal that each country will have three representatives to the conference (one each from government, business, and civil society) — to “create a mini CGI in each country.” It was not discussed how these people will be selected. Additionally, the heads of all the I* organizations and international government organizations will be invited. A question was raised about how the technical community would be represented, and the response was not clear whether technical community reps would be considered for some of the national civil society spots, or whether they would be represented by the heads-of-organizations representatives. The plan is to have 800-900 people present in total, but there will be large screens set up to facilitate remote participation from stakeholders and users from around the world. These details will be announced in 2-3 weeks in Brasilia, but Paulo Bernardo will also make some comments on Tuesday morning at the IGF.

    There are two things drastically wrong with this approach to the meeting. First, why is representation of civil society and private business, both of which are transnational, being organized on a nation-state basis? Second, imagine this: One representative of civil society and the private sector for each country! Civil society is conceived not as a pluralistic arena in which hundreds or even thousands of groups are free to articulate and advance diverse proposals and interests, but as a unitary stakeholder group with homogeneous interests. That’s wrong. Business, likewise, is seen as a single category: there is no difference between Amazon and the local second-hand bookstore; between IBM and a three-person IT consultancy. That’s insane.

    But this proposal reflects the inherent failings in the “stakeholderism” that underpins so much of our discussions of the so-called “multistakeholder model.” There has always been an unfortunate link between the concept of multistakeholderism and the corporatist mindset of the 1920s and ’30s. One academic defines corporatism as

    The basic idea … that the society and economy of a country should be organized into major interest groups (sometimes called corporations) and representatives of those interest groups settle any problems through negotiation and joint agreement.

    These top-heavy systems of collective representation are the opposite of the Internet’s spirit of permissionless innovation, open entry, diversity and competition.

    If you want a taste of what these formalistic approaches to representation will produce as output, one need look no farther than the Seoul Cyberspace Conference with which we opened this article. The official output of the Seoul meeting is the largely meaningless but harmless “Seoul Frameworks and Commitments.” The Seoul framework called for such things as “enabl[ing] more people to have access to broadband Internet so that the world economy will become more integrated” (wow, bet they had an intense debate on that one); the 87 nations agreed “that they will come up with measures to promote cyber security” (how impressive!); they recommended cracking down on cybercrime “without compromising the private lives and freedom of individuals” (easy to say, isn’t it?)

    So every country will get three representatives at the upcoming summit that might shape the future of the internet: One from government, one from business, and one representing civil society’s interests. China and India won’t be too enthusiastic about it but the EU probably shouldn’t mind. And the seasteaders had better hurry up! As that author points out, “there has always been an unfortunate link between the concept of multistakeholderism and the corporatist mindset of the 1920s and ’30s” and that’s a scene the seasteaders really don’t want to miss.

    Posted by Pterrafractyl | February 12, 2014, 2:49 pm
  7. While Angela Merkel has shown no sign of easing up on her desire to mandate EU citizens’ internet data to be stored in the EU, it still doesn’t look like meaningful protections for that data once it’s inside the EU are really on Merkel’s agenda:

    Deutsche Welle
    ‘I expect Merkel’s actions to follow her words’

    Angela Merkel wants to set up a European communication network, for more independence from US providers. That’s not enough, says Green MEP Jan Philipp Albrecht: She needs to support European data law reform.
    Date 17.02.2014
    Author Interview: Nina Haase, Brussels
    Editor Michael Lawton

    Deutsche Welle: John Kerry said during his visit to Berlin, “Let’s turn a page and open a new chapter.” He has had enough of the NSA spying scandal and the ensuing diplomatic difficulties – with Germany in particular. But Angela Merkel now said in her weekly podcast that she wants to promote a European communications network. That’s seen as a direct reaction to the NSA spying allegations. How useful is this proposal?

    Jan Philipp Albrecht: I think it’s a good sign that we see movement towards a European initiative to better protect our data and the information infrastructure in Europe. Yes, we need that. But on the other hand, it’s also clear that we cannot just build borders which would give us some sort of a German or a Schengen zone internet. Instead, we need to have a legal framework which secures our fundamental rights in the European market. We need to implement the European data protection reform. Angela Merkel has called that a priority. Now she should follow through with it. It’s not just about investing in infrastructure – even though that’s a good first step in giving Europeans a choice, so they can choose a European data processor instead of a US firm.

    Even if we did have European data processors – what would that change? Whistleblower Edward Snowden has said, “It doesn’t matter where your servers are. The NSA will go where the data is.”

    That’s true. We can’t just cut the cables. People do want to communicate, and we don’t want to stop them. But that’s why we need better data protection in terms of services. It has to be made clear that if somebody offers services to European citizens and consumers, these services need to comply with the rules of our market: data security and protection, better encryption, and more control for users. That’s what Angela Merkel should safeguard.

    Neelie Kroes, Vice-President of the European Commission, has also tried to promote some of these measures. Why does it seem to take Angela Merkel before considerable progress can be made?

    We, the European Parliament, have already shown that we are reacting to today’s challenges by saying we want to have European data protection rules. It’s now up to the member states. They must not follow the lobbyists from Silicon Valley. They must oppose their idea that only profit counts. If Angela Merkel does so, that is a step forward. But we need action. We’ve had almost one year of only words by leading politicians in the member states of the European Union. That needs to be changed.

    Germany and France initially only reacted to the NSA scandal with an attempt to sign so-called no-spy agreements with the US. But skeptics said straight away that was a paper tiger. Are you more confident about Angela Merkel’s latest proposals?

    So far they’re mere words. And she adopts the German perspective instead of taking on responsibility within the EU. She is one of the most important European leaders. It was a fatal sign – and I would say even disloyal towards the rest of the EU – that she and Francois Hollande negotiated no-spy agreements on their own. They didn’t even get them in the end. But they sacrificed a European perspective. They now need to come back to a European approach.

    The European data protection reform as well as the agreement on data protection between the EU and the US, which we have been negotiating for two years, should have absolute priority. Or else we will get nothing in the end. We’ll only have initiatives by individual EU member states which will not prevail. Only if we act together as the European Union can we get a solution which is better for citizens.

    But again, the latest proposals of a European communications network are a Franco-German initiative, which Angela Merkel plans to discuss with French president Francois Hollande this week. And according to Spiegel magazine, Merkel’s counter-spying offensive could go even further: it could mean that German secret services could lift their no-spying rule on Western partners, such as the US. The British service GCHQ was also in focus during the scandal. Will Germany spy on Britain now?

    I don’t think that it would be an appropriate reaction to the overstepping of red lines by intelligence services across the EU and the US. We know through the revelations by Edward Snowden that the scandals were not just about the US services. European services also had their part. We still have to clarify to which extent European services also exceeded their rights and infringed European Union citizens’ rights in a disproportionate way.

    Therefore we need to strengthen citizens’ ability to protect their rights in a digitized environment and encrypt their emails, for example. What we don’t need is an initiative which is obviously only a PR campaign. That’s like saying “we’re doing something,” while on the other hand, when you look at the Council of Ministers’ work on data protection, Germany has been delaying the process of getting the legal framework done for months. That’s not very coherent. I expect Angela Merkel to let action follow her words.

    Why has Germany been dragging its feet in terms of implementing the data protection reform?

    They have had no interest in getting a European data protection framework so far – judging by their behavior in the council of ministers so far. That is in stark contrast to what Merkel said half a year ago: as a reaction to Snowden’s revelations, she made the data protection reform a priority. I would expect the new German government to now be the first to ask for its adoption. That’s a precondition if you want European citizens to be able to decide whether they want to give their data to a US company or to a German or European alternative on the market. At the moment they don’t have the choice because their data is just processed, and their rights are not enforced here in Europe.

    US-German relations are at their lowest since the Iraq war. But do you feel that there really is a sense of frustration within the German government about the fact that moves like the no-spy agreement have not worked out? Do you really believe that the latest proposals are more than an attempt to deflect everybody’s attention away from the passivity in the months after this big scandal?

    Well, there is no action yet, and Merkel and her government have made many announcements in the past. Whether she really wants to do something depends crucially on how she behaves with respect to the data protection reform. It’s the only legislative process that would move in the direction of better protection for European and German citizens when it comes to their personal data. All the rest is talk. We can only speak of big change if Germany and France change their behavior in the council of ministers.

    Posted by Pterrafractyl | March 1, 2014, 6:22 pm
  8. The EU parliament just overwhelmingly backed the new set of data privacy rules, including a resolution to suspend the “Safe Harbor” agreement with the US and the Terrorist Finance Tracking Program. The European Commission still needs to approve that resolution (which it has so far resisted), and national parliaments still need to approve the package, but it sounds like the new EU data privacy rules are coming into force sooner or later:

    GigaOm
    Web firms face a strict new set of privacy rules in Europe — here’s what to expect
    By David Meyer
    3/12/2014

    Summary:

    The European Parliament has passed the EU’s first major overhaul of data protection legislation since 1995, taking into account today’s online landscape. Meanwhile, parliamentarians also approved a resolution calling for the suspension of a key deal affecting U.S. web firms.

    The European Parliament has overwhelmingly passed a large package of laws intended to strengthen data protection – that’s “privacy” in non-legalese – across the European Union. The next Parliament will need to take this over after the May election, and Europe’s governments still need to give their approval through the European Council, but it looks like web firms operating in the EU are about to face a very different regulatory landscape.

    This would include much higher fines for breaches of data protection law in the EU, the limited right for citizens to demand the erasure of their personal data, and strict limitations on what can be done with EU citizens’ data outside the union. A separate resolution passed on Wednesday could also lead to difficulties for U.S. firms in handling the personal data of Europeans.

    Read on for a comprehensive breakdown of the impact.

    Regulations, resolutions and directives

    The data protection regulation, passed by members of the European Parliament (MEPs) on Wednesday by 621 votes to 10 with 22 abstentions, was proposed by Justice Commissioner Viviane Reding just over two years ago as a way of harmonizing data protection law across the 28 member states. This has been a long road, and one fraught with secretive lobbying by European and U.S. industry, though much of this was unravelled in the wake of Edward Snowden’s NSA surveillance revelations.

    Here’s Reding’s reaction to today’s vote:

    “Data protection is made in Europe. Strong data protection rules must be Europe’s trade mark. Following the U.S. data spying scandals, data protection is more than ever a competitive advantage…Today’s vote is the strongest signal that it is time to deliver this reform for our citizens and our businesses.”

    In the same sitting, MEPs backed a resolution compiled by the parliament’s civil liberties committee, calling for the suspension of the Safe Harbor deal that lets U.S. firms self-certify as being in compliance with EU privacy law.

    The resolution, which follows a lengthy inquiry into mass surveillance, also calls for the suspension of the Terrorist Finance Tracking Program, which gives U.S. authorities access to Europeans’ financial records if they ask for them through official channels. MEPs have already voted to do this, as U.S. spies are accessing such data through unofficial channels, but the European Commission — which has the power to suspend TFTP — has so far refused to follow through.

    Here’s what Claude Moraes, who shepherded the civil liberties resolution, said in a statement:

    “The Snowden revelations gave us a chance to react. I hope we will turn those reactions into something positive and lasting into the next mandate of this Parliament, a data protection bill of rights that we can all be proud of. This is the only international inquiry into mass surveillance. Even Congress in the United States has not had an inquiry.”

    Although the resolution was passed overwhelmingly, with 544 votes in favor (78 against, 60 abstentions), it only represents the will of MEPs, while the power to suspend Safe Harbor lies with the European Commission. However, the regulation is a different matter — if it passes its final hurdles, it will become law across the European Union. A third report that was passed on Wednesday, setting out rules for cross-border law enforcement data-sharing, would create a directive, meaning that member states can interpret it into national law as they see fit.

    So member states are still going to have the latitude to interpret cross-border law enforcement data-sharing rules as they see fit. This sets the EU up for an interesting dynamic because the new rules also allow anyone to complain to a data protection authority in any of the EU member states. The choice is up to the citizen, so there’s potentially going to be a competitive market amongst EU member states for generous interpretations of data-privacy laws. Could that include a market for shielding data from law enforcement?

    Deutsche Welle
    EU Parliament approves privacy package

    The European Parliament has voted on an action plan on the future of data protection in the EU on Wednesday. After allegations of mass surveillance, the package was passed with a large margin.

    Date 11.03.2014
    Author Nina Haase, Brussels
    Editor Ben Knight

    When members of the European Parliament (EP) click the buttons of their voting machines at noon local time on Wednesday (12.03.2014) in Strasbourg, there will be tension in the air. Within a few seconds, Claude Moraes will know whether the bulk of the last months’ work has been in vain or not. One of the three votes will be on the report which was put together after a recent parliamentary inquiry into mass surveillance, which Moraes was the rapporteur of.

    Moraes hopes the report will be approved as part of a package deal together with a regulation, and a directive on data protection. “The data regulation and the directive are the single-biggest pieces of legislation the EP has ever passed,” the Labour MEP told Deutsche Welle, “there were 4,000 amendments and they deal with something incredibly unique: no international or national parliament has ever tried to get the balance between privacy and internet usage.”

    Regulation will probably go through

    The first element of the package, the regulation, looks set to be approved by MEPs in Strasbourg. It contains criteria for data processing, such as the necessity for people to give their consent when their data is processed, as well as more transparent information on companies’ privacy terms. The regulation also includes a compromise on a so-called ‘one-stop-shop’: EU citizens will be able to seek help from the national data protection authority of their choice, no matter in which EU country they believe their privacy rights are being violated. Further aspects include penalties – up to five percent of global sales – for companies in violation of privacy rules, and strict rules for data exchange processes with third countries.

    While the likely ‘yes’ to the regulation means that MEPs can probably soon start negotiating with national governments, the directive may not go through quite as smoothly. Conservative parties in the EP have indicated they won’t approve of it. Timothy Kirkhope from ECR (European Conservatives and Reformists) wrote in a statement that he “cannot support this proposal as its overly prescriptive nature would prevent law enforcement officers from carrying out legitimate investigations.”

    The directive sets out rules for data protection rights in the fields of police and the judiciary. The European Council of ministers has blocked the reform package for more than two years, with Germany one of the major opponents of more data protection rights in law enforcement.

    EU Parliament vs member states

    Moraes was concerned that conservative MEPs from the EPP, a political group in the EP that includes Angela Merkel’s CDU/CSU, may also abstain from or vote against his inquiry report – which he thinks would further weaken the Parliament’s negotiating position in talks with the other big European institution, the Council of national ministers.

    “We wanted to say to the council: put this together quickly because you are the ones who are always slow and blocking the legislation of the citizens,” he warned. “And then we are sabotaging in our own parliament, and the biggest groups are the ones that are causing the problems.”

    “This committee has not been interested in finding out facts,” Timothy Kirkhope from the ECR said in a statement. “It has just been the most expensive and painstaking exercise in collecting together press cuttings and allegations, and reacting with little consideration towards the security challenges we face.”

    A few months ago, it would have been a lot more difficult for political parties to get away with voting no on a package to improve EU citizens’ privacy rights, insiders are convinced. “The reason why we got credibility with the inquiry was to do with timing, many of Snowden’s allegations happened at the same time,” Moraes told DW. “And we were the only institution who were actually legislating on data protection for citizens at the time of Snowden’s allegations. So we were anticipating the world as Snowden was portraying it.”

    Pragmatism and hypocrisy

    In Germany, Snowden’s revelations have led to an intense public debate, with members of the Green party calling for Germany to offer Snowden asylum. But Luke Harding doesn’t believe Snowden will be invited by the chancellor. “Realistically – even though of course Merkel was outraged by the fact that she was bugged for a decade and probably Gerhard Schröder before that – she is a supreme pragmatist,” he said. “And offering Snowden asylum would cause major damage to the transatlantic partnership. That’s a bill that she or no other senior German politician would be prepared to pay.”

    Snowden’s latest revelations even suggest the NSA pressured the German government to make certain changes to their laws and to bulk collect their citizens’ data. “So there’s an element of hypocrisy running through all of this,” said Harding.

    While intelligence services are the competence of national countries, there are many gray areas where EU law is affected. Still, only national parliaments can set the guidelines for their services’ activities. Therefore, the least the EP can do, said Moraes, is speak with one voice when negotiating with the member states.

    It sure sounds like the conservative MEPs tend to view the new law as allowing for the restriction of legitimate law enforcement activities, which suggests that we should expect a looser interpretation of those data-sharing rules in some countries than others. But could we see the emergence of EU states that embrace extremely tough data-privacy regulations as a national competitive advantage? A sort of Swiss vault for the EU’s citizens and corporations (that can afford the services)? Because it sounds like that could be possible under this new framework. Might Cyprus or Luxembourg become the Switzerland of data-privacy? Or Sweden? It’s kind of a hot market right now:

    Bloomberg
    Switzerland Shifting From Bankers to Bunkers in Data Push
    By Cornelius Rahn, Carolyn Bandel and Hans Nichols February 25, 2014

    The bunker deep in the Swiss Alps an hour’s drive south of Zurich was designed to withstand nuclear blasts and protect soldiers from a foreign invasion that never came. Today, it’s used to guard digital data.

    As Switzerland yields to pressure from the U.S. and the European Union to relax its bank secrecy rules, it’s repositioning itself as the global vault for online identities. With consumers and companies uploading ever more confidential information to make online transactions, there’s increasing demand for services that keep data out of reach of criminals and government spies.

    “This is the future of this country: It’s not to store any more money, it’s actually to store data, which is the next currency,” said Carlos Moreira, founder and chief executive officer of WISeKey SA, which encrypts and stores information in the bunker. “The Swiss respect the privacy of people.”

    In the wake of reports about the extent of government spying, demand for WISeKey’s services is growing 300 percent every month, he said in a cavernous bunker room with a vaulted concrete ceiling. Moreira said he plans to fill the room, the far side of which is barely visible in the gloomy distance, with racks upon racks of computers that could hold the data of as many as 6 million people.

    The bunker, near the town of Attinghausen, was built to be self-sustaining, drawing on mountain water and powered by nearby hydroelectric plants. WISeKey has servers in four bunkers across Switzerland, providing the service to 2,000 companies and 2 million consumers.

    Rocketing Demand

    “It’s a very sensible move” for Switzerland, said Rik Turner, an analyst at researcher Ovum Ltd. in London, “to rebrand themselves as a safe haven for data.”

    Other companies are joining the effort. SIAG Secure Infostore AG, based in Zug, runs two underground data centers, branded “Swiss Fort Knox,” in a joint venture with the government. Safe Host SA owns a 10,000 square meter data center near Geneva and expects to start building a second one nearby in March.

    A key advantage is that “the Swiss have strict data privacy laws” due to the country’s tradition as a private banking center, said Safe Host CEO Gerard Sikias.

    Since former U.S. National Security Agency contractor Edward Snowden began documenting the extent of government surveillance, WISeKey has seen increasing demand in the U.S., Moreira said.

    Digital Keys

    With a large share of the closely-held company’s growth expected to come from the U.S. this year, the CEO plans to list the company on Nasdaq in 2015. A $35 million financing round in 2011 valued the company at $360 million.

    For the past three years, WISeKey has hosted parties at the World Economic Forum’s annual Davos meeting to promote the notion that Swiss trustworthiness in banking can be replicated on the Internet.

    WISeKey, with about 180 employees, offers applications that let customers secure their Web accounts with access codes called digital keys that can be hundreds of characters long. In online banking, customers share a public key with banks that is used for authorization. But without the client’s private key, stored on his mobile device or computer, the data cannot be decrypted.

    Bunker Maze

    “It’s like a safe in the bank,” Moreira said in the maze-like bunker, hundreds of meters below the mountaintop above. “You need your key and the bank’s to open the safe. We do the same, only digitally.”

    Moreira acknowledges that even blast-proof doors can do little against an attack via the Web. A skilled digital intruder could manage to siphon data from the servers to his own computer. And in today’s arms race between hackers and security firms, ever more powerful computers will require increasingly strong encryption, Moreira said.

    The keys at Attinghausen are in turn locked by a so-called root key that sits on a computer, unconnected to the Internet, in another bunker near Bern. Whenever it needs to be changed to keep decrypters guessing, Moreira and other executives must all be present, bringing different pieces of an authentication puzzle with them.

    “From a pure data center perspective it is a bit gimmicky” to place the servers in a bunker, said Steve Wallage, managing director of BroadGroup Consulting, which advises clients on data storage. But, he said, “some people might be impressed by that. It is like going to a Swiss bank.”

    The EU’s data privacy member state market might almost open for business. What that market is going to look like and what impact it might have on the EU and larger global community is still an open question.

    Posted by Pterrafractyl | March 12, 2014, 9:01 am
  9. The EU parliament has been threatening to derail a US-EU free trade deal if the US doesn’t end mass data collection, but it looks like that threat has been extended to EU national governments too. If EU member states don’t also take steps to restrict surveillance, the deal could be off:

    European lawmakers threaten US trade veto unless EU tackles snooping

    Wed Mar 12, 2014 11:08pm IST

    * Lawmakers warn could block trade deal unless Brussels acts

    * Vote stems from investigation into Snowden spy allegations

    * Data protection big issue going into European elections

    By John O’Donnell

    BRUSSELS, March 12 (Reuters) – European lawmakers put pressure on EU countries on Wednesday to shield citizens’ privacy, warning that they could block a trade deal with the United States if governments did not take a tougher stance on snooping.

    Concluding its own investigation into leaks from former U.S. data analyst Edward Snowden over government spying, an overwhelming majority of lawmakers voted in favour of a resolution warning that the world’s biggest trade deal “could be endangered” unless EU countries stopped such surveillance.

    While the snooping vote was only a symbolic warning shot, both the European Parliament and U.S. Congress must sign off the U.S.-EU free trade deal for it to become law, meaning their threats carry some weight.

    “It’s not enough to point the finger at the United States. European states were also involved,” Jan Philipp Albrecht, a German lawmaker, told Reuters, referring to the alleged involvement of British and other intelligence services in surveillance.

    “The member states must put into place laws that place limits on the surveillance by intelligence agencies. We need rules on how they exchange information.”

    Tension over the issue has been building after parliamentarians criticised European leaders for what they said was a limp response to allegations of U.S. spying.

    Late last year, the European Union backed down on threats to suspend agreements granting the United States access to European data following leaks that Washington had spied on European citizens and EU institutions.

    DATA PROTECTION

    The tough stance of the parliament is unlikely to soften ahead of European elections in May, a vote set to bolster the number of lawmakers with a more populist political agenda.

    The parliament also voted to back new privacy rules, another symbolic move, this time to renew pressure on EU governments to finalise the first revision to Europe’s data laws since 1995.

    This regulation will establish a single law for data protection across the 28 countries in the European Union, replacing the current patchwork of national rules. It may still, however, be changed by countries before entering law.

    Parliament, in line with the Commission’s proposals, also wants to impose strict rules on how data is shared or transferred to countries outside the European Union.

    For example, if the United States wants access to information held by Google or Yahoo! about a European citizen in Europe, the firm would have to seek authorisation from a European data authority first.

    Facebook, Google and other Internet-based firms, the vast majority of them American, have lobbied against the Commission’s proposal, concerned it will lumber them with extra costs.

    “Strong data protection rules must be Europe’s trademark,” said Viviane Reding, the EU’s justice commissioner.

    “Following the U.S. data spying scandals, data protection is more than ever a competitive advantage. Today’s vote is the strongest signal that it is time to deliver.”

    Let the competition for competitive advantage in data-privacy rules begin! Indirectly!

    Tiny Luxembourg blocks tax evasion law for EU
    By JUERGEN BAETZ, Associated Press
    Updated 2:12 pm, Tuesday, March 11, 2014

    BRUSSELS (AP) — European Union finance ministers failed once again Tuesday to agree on a sweeping new policy to fight tax evasion because of resistance from Luxembourg, a tiny country that long has prospered from a secretive banking culture.

    EU Taxation Commissioner Algirdas Semeta said their failure was disappointing because, if approved, the legislation proposing an EU-wide automatic exchange of data on bank deposits would allow governments to “identify and chase up tax evaders.”

    Luxembourg, a duchy of barely 500,000 people, was able to shelve the legislation for the 28-nation bloc and its 500 million citizens because the decision required unanimous approval at Tuesday’s meeting in Brussels.

    Luxembourg Finance Minister Pierre Gramegna said he could not vote in favor and pushed the decision to a summit of EU government leaders next week.

    Luxembourg has insisted for years it would support the proposed law only if non-EU banking hubs within Europe, particularly Switzerland, also sign up.

    But as the EU’s negotiations with Switzerland, Liechtenstein and three other nations on signing the agreement have made progress, Luxembourg has responded with new reasons for opposition, chiefly the risk that banks outside Europe would draw deposits away if the continent’s banking rules are tightened too much.

    German Finance Minister Wolfgang Schaeuble said he was confident that Luxembourg would drop its opposition at next week’s summit.

    “We’ve been working on this for such a long time, whether we agree today or in four weeks, that doesn’t kill me either,” he said.

    EU officials say tax fraud and companies’ aggressive cross-border tax avoidance schemes cost the bloc’s governments an estimated 1 trillion euros ($1.4 trillion) a year, money needed in an age of sluggish growth and high debt across Europe.

    How might enhanced data-privacy rules (that will presumably be most helpful to those with the resources to fully exploit them) enhance the attractiveness of an EU member for money-laundering purposes? Out with the old ‘European Bazaar’, in with the new one?

    Posted by Pterrafractyl | March 13, 2014, 2:06 pm
  10. @Pterrafractyl–

    Good find. The whole web/phone-snooping dynamic very much involves monitoring of illicit money flows by the 1% and allied corporate interests, not to mention crooks.

    This has been largely eclipsed.

    Also: note the EU and Germany’s behavior in the context of Serpent’s Walk.

    If one is to truly remake the past and control “opinion-forming media”, one must gain control of the internet.

    I suspect that Germany’s and Brazil’s ramping up of their IT and internet sectors is ultimately directed at this.

    Best,

    Dave

    Posted by Dave Emory | March 13, 2014, 4:30 pm
  11. With the EU’s historic data-privacy negotiations on track to be finalized this year the window of opportunity to shape the new law is steadily closing, which means we should probably expect a lot more reports like this:

    The Wall Street Journal
    German Companies Push for Tough New Data-Protection Rules in Europe
    Rules could check growth of U.S. data mining in Europe

    By Archibald Preuschat
    February 24, 2015

    BONN—As negotiations over new European Union data-protection rules head into their final stretch, German telecommunications and Internet service providers are pushing for tough rules that could roll back the dominance in Europe of U.S. technology companies such as Google Inc. and Facebook Inc.

    European Commission officials say they hope to wrap up talks—which have been continuing for several years—by the end of 2015, part of a push to legislate a single digital market to replace the EU’s current mix of 28 separate state laws on crucial issues including data protection and copyright.

    But German companies, who feel they have been twice bitten—once by revelations of widespread spying by the U.S. National Security Agency and again by the growing dominance of Silicon Valley firms—aren’t waiting. They are exerting heavy pressure, both publicly and behind-the-scenes, to speed up the talks and make sure the resulting legislation is in Europe’s favor.

    Companies such as Deutsche Telekom AG, and German Internet service providers United Internet AG and Freenet AG, are taking technical steps on the ground to keep their users’ private communications—emails, phone calls and texts—inside the country. They are stamping their joint encrypted email service products with “Email Made in Germany.”

    Deutsche Telekom says it is talking to German ministries that are negotiating the planned regulation with other EU member states. A spokesman for the German Federal Ministry of Interior said it was common practice for private companies to talk to ministries when the nature of legislation is being determined. The ministry, which coordinates Germany’s position on negotiations with the other EU member states, said final negotiations between the European Council, the EU Parliament and the commission can start by summer, although the spokesman wouldn’t put a time frame on the talks.

    “We are strictly against attempts to weaken the draft for the law,” Claus Ulmer, Deutsche Telekom AG’s head of data privacy, said in an interview. Mr. Ulmer said new data-protection rules are essential to ease consumers’ concerns. “It is a big risk if people avoid cloud services because they are uncertain about their privacy,” he said.

    In Europe, companies that want to transfer people’s personal information abroad—such as customer names, addresses or billing information—have to satisfy a number of regulatory provisions, such as one that requires any subsidiaries or third parties to agree to protect the information from breaches or improper uses. Under new regulations being debated in Europe, companies that violate the data-protection rules could face fines of as much as €100 million ($113 million) or 5% of annual revenue. To answer these concerns, U.S. tech companies such as Apple Inc., Amazon.com Inc. and Salesforce.com Inc. are increasingly positioning their new data centers in Europe.

    That isn’t stopping the tough talk from German ISPs.

    “The data-monopolists Facebook and Google must not expand in the absence of rules. It is unacceptable that U.S. firms do data mining in Europe while local firms are bound to strict German privacy rules,” said United Internet’s founder and chief executive, Ralph Dommermuth.

    So it’s pretty clear that Germany’s ISPs are going to be lobbying hard for some sort of rules designed to reduce the European market dominance of US internet giants. And it’s also pretty clear that the implementation of a strict new EU-wide data privacy regime is central to that goal.

    Still, don’t assume that the EU is merely determined to push the US tech giants out of Europe. This is about the world:

    The Wall Street Journal
    Europe Wants the World to Embrace Its Internet Rules
    A data-privacy regime offers toehold to advance local technology firms around the world

    By Tom Fairless and Stephen Fidler
    Feb. 24, 2015 6:44 p.m. ET

    BRUSSELS—European policy makers feel crowded out by the rise of U.S. Internet companies and are proposing a plan to give themselves a larger role: write a new rule book for the Web.

    Now putting finishing touches on its tough data-privacy regime, the European Union aims to establish a de facto standard that companies would have to embed to sell products in the giant European market.

    Their hope: As rules such as the right to remove Web links to personal information spread, European companies would get a leg up in the next era of Internet commerce.

    There are plenty of hurdles. U.S. technology firms worry that other regions won’t follow the tough EU model, leading to a Balkanized Internet, and some have pushed back against facets. China, which has more Internet users than any other country, is left out of the EU’s lobbying for its data-privacy rules.

    Still, said Jan Philipp Albrecht, chief negotiator for the European Parliament on the EU’s new data protection law, “If you can achieve…a standard [globally] that is somehow near…your own, then this is an advantage.”

    He and others point to the EU’s success in exporting its GSM technical standard for mobile communications in the 1990s. That technology now is widely used by phone makers in Europe, the U.S. and China. While there is no international organization to submit a global standard, officials here hope people would choose platforms that guarantee more privacy protections.

    “We have a chance to be influential around the world,” said Giovanni Buttarelli, who acts as the EU’s top data-protection watchdog. A “growing number” of countries including Japan, are “looking at us and are likely to follow the European approach,” he said. EU lobbyists say U.S. firms are building new products and services with the rules in mind to avoid regulatory uncertainty.

    EU officials are hitting the road to promote the regime. Mr. Buttarelli travels to Washington, D.C., New York and Boston next month to spread the message, and heads to Silicon Valley in the spring to explain the proposed rules to U.S. technology firms, which he said have shown a strong interest in the plans.

    A spokesman for U.S. Trade Representative Mike Froman said discussions between the U.S. and EU on digital trade “have been productive. We are confident that we will be able to find ways to deepen respect for privacy protections on both sides of the Atlantic…”

    While details are being thrashed out in negotiations between individual governments and the European Parliament, the rules could include “enormously enhanced” requirements around the processing of personal data, which would “require re-engineering of a lot of data-collection processes, apps [and] customer websites,” said Emily Jones, a data privacy lawyer with U.K.-based law firm Osborne Clarke.

    They would require individuals to give their explicit consent before companies can use their personal data, putting pressure on Internet businesses to build in data protection safeguards from the start. They will also enshrine a controversial “right to be forgotten” that allows individuals to ask for links to Web pages to be removed.

    The effort is part of a wider EU plan to create a digital single market that knits together the region’s fragmented online data-protection systems, creating a single standard for online privacy, copyright and consumer rights. The details of that plan are due to be announced in May by the European Commission, the EU’s executive arm that took office on Nov. 1.

    On Tuesday, Günther Oettinger, Germany’s powerful representative to the European Commission, argued Europe needs stronger safeguards to counter Google Inc., Facebook Inc., Apple Inc. and other U.S. companies offering Internet services and applications.

    “The Americans are in the lead, they’ve got the data, the business models and so the power,” Mr. Oettinger said in a hard-hitting speech in Brussels to policy makers and Internet company representatives in which he advocated for European-wide data regulations.

    “If you use an iPhone, they know all about your creditworthiness, your shopping habits,” he added. “Take car insurance. They know the last time you were involved in an accident.”

    Apple declined to comment on the remarks.

    James Waterworth, a Brussels-based Vice President for the Computer & Communications Industry Association, a lobby group for U.S. Internet companies including Google and Facebook, said he was “confused” by the remarks. Mr. Oettinger, he said, is “a pessimist who seems to believe the digital single market should be used as a weapon against ‘foreigners.’ ”

    U.S. technology firms broadly support creating a single standard across the 28-member EU but have lobbied fiercely against the new rules. Earlier this month, an advisory group convened by Google backed the company’s decision to apply Europe’s “right to be forgotten” ruling only in the EU, pushing back against demands by EU regulators that it apply globally.

    Is the EU’s new data privacy regime going to go global? That’s the plan. And, yes, you read that right, the EU pushed to get its new “Right to be forgotten” law to apply to ALL domains for search engine companies like Google and not just EU domains. It’s a reminder that the globalization of the EU’s data-privacy rules might not exclusively rely on persuasion.

    Still, persuasion is going to be necessary and that means those new data-privacy rules are going to have to be the kind of thing that either voters outside the EU would like to see their governments adopt OR businesses outside the EU would. Or both. It’s an interesting conundrum since so much of what consumers like about the proposed rules businesses hate and vice versa. It’s not obvious how to thread that needle.

    Ok, there’s one obvious option: quietly gut the new data-privacy laws so that consumers think they gained all these new protections but businesses are still quietly allowed to proceed with business (collecting and selling your data) as usual. Maybe that’s what will happen:

    PC World
    EU data protection reform ‘badly broken,’ civil liberty groups warn
    Loek Essers @loekessers

    Mar 3, 2015 6:10 AM

    Leaked documents show that the European Union’s data protection is on its way to become an empty shell devoid of meaning, European civil rights groups warned Tuesday.

    The EU is busy overhauling its data protection rules, which date back to 1995. The European Commission and the European Parliament have already agreed on a draft regulation that seeks to modernize data protection rules to take new digital technologies into account.

    However, there is one more legislative body that has to sign off on the new rules: the Council of the EU, which consists of national ministers of EU member states.

    Since the Parliament approved the draft with minor changes in March last year, the Council has been busy changing the text. Ministers are expected to agree on how they want to reshape the text by Summer.

    However, new leaked documents show that the Council is trying to destroy key elements of the original proposal, European digital civil liberties group EDRi said. Working with civil liberties groups Access, the Panoptykon Foundation and Privacy International, EDRi published leaked Council proposals to amend the proposed data protection regulation on Tuesday.

    Along with the documents, the groups published a side-by-side comparison of the Parliament’s agreed text with the Council’s proposed changes, as well as an analysis of the proposed changes.

    The existence of the documents is no secret: They can be found in the Council’s online document register, but cannot be accessed by the general public.

    Under the proposals, crucial privacy protections are being drastically undermined by the Council, EDRi said in a blog post.

    The Council declined to comment on leaked documents.

    One of the proposed rights affected by the Council’s changes is the right not to be tracked by companies online without consent. The Council for example suggests that failing to change the default settings in a browser to prevent tracking, or failing to change the settings back, constitutes consent to being tracked and profiled online, the groups said.

    What’s more, the Council proposes that data can be processed under a “legitimate interest” exception. This means that consent is not needed if the company feels that they have a legitimate interest in processing personal data, and would allow data to be passed on to third parties. They could then use the same exception to start processing data for reasons that are completely unrelated and incompatible with the original purpose, the groups said.

    The Council also proposed deleting an article imposing concrete obligations on how people and especially children need to be informed in “concise, transparent, clear and easily accessible policies” about how their personal data is being used, the groups said.

    Moreover, countries would be given the right to profile citizens for national security, defence and public security reasons as well as for “other important objectives of general public interest.” That part of the original text drafted by the Commission was deleted by the Parliament but reintroduced by the Council.

    “This is basically providing a blank cheque to governments which, under various excuses, may start to profile people based on their online political activities and prepare, for example, blacklists who do not fit with the profile of ‘normal’ citizens,” the groups said.

    Other issues with the proposals include a plan to let a company determine whether a data breach is of sufficiently high risk to warrant notifying its customers. This would undermine people’s privacy and greatly reduce incentives for companies to improve data security, according to the groups.

    Meanwhile, they say, the Council is also still trying to undermine the creation of a one-stop data protection shop that could make it simpler to resolve transnational disputes involving big companies in the EU. The ministers have been backpedaling on that proposal for a while though and have not changed their minds, the leaked docs showed.

    They still want to involve national data protection authorities in every transnational dispute that would have to reach consensus, adding more bureaucracy and a time consuming step to a process that is meant to streamline current fragmentation, the groups said.

    “Unless something is done urgently, the Council will simply complete its agreement,” EDRi warned, adding that if the Council has agreed, only the Parliament could save the EU’s data protection reform.

    “What’s more, the Council proposes that data can be processed under a “legitimate interest” exception. This means that consent is not needed if the company feels that they have a legitimate interest in processing personal data, and would allow data to be passed on to third parties.”

    It would be legitimately interesting to learn what constitutes a “legitimate interest”, but perhaps even more legitimately interesting is what constitutes “other important objectives of general public interest”:

    Moreover, countries would be given the right to profile citizens for national security, defence and public security reasons as well as for “other important objectives of general public interest.” That part of the original text drafted by the Commission was deleted by the Parliament but reintroduced by the Council.

    “This is basically providing a blank cheque to governments which, under various excuses, may start to profile people based on their online political activities and prepare, for example, blacklists who do not fit with the profile of ‘normal’ citizens,” the groups said.

    So the “important objectives of general public interest” can include something other than “national security, defense and public security reasons”, which raises the question of what on earth could the “other important objectives” be that don’t fall under the general “national security, defense and public security” umbrella? Is the EU about to make up a whole new category of justifications for citizen profiling? Ironically, if so, the EU’s new data-privacy rules are probably a lot more likely to go global than you might expect.

    Posted by Pterrafractyl | March 5, 2015, 10:29 pm
  12. There was a pretty big development in the EU-US data privacy arrangement last week. It doesn’t guarantee that the “Safe Harbor” data transfer agreement that allows US firms like Facebook and Google to transfer the personal data of EU residents back to their US operations will be overturned, but it definitely increases the likelihood of exactly that happening.

    A top adviser to the EU’s top constitutional court cited NSA spying as the primary reason for his recommendation that the EU suspend “Safe Harbor”. It’s a non-binding resolution, but his advice is usually followed, so it’s a predictive non-binding resolution:

    Bloomberg Business
    EU-U.S. Data Sharing Deal Can’t Be Trusted, Top Court Aide Says

    Advocate General criticizes EU for not suspending EU-U.S. pact
    U.S. companies such as Facebook may face greater scrutiny

    Stephanie Bodoni
    September 23, 2015 — 3:10 AM CDT
    Updated on September 23, 2015 — 6:56 AM CDT

    American spies have almost unfettered access to information about European users of Facebook Inc. and other social media thanks to an illegal trans-Atlantic pact on data-transfers, an adviser to the EU’s top court warned on Wednesday.

    Secret U.S. orders forcing technology companies to hand over personal data linked to EU citizens can’t continue under an “invalid” data-transfer accord struck 15 years ago, Advocate General Yves Bot of the Luxembourg-based tribunal said in a non-binding opinion. The EU court follows such advice in a majority of cases.

    EU citizens “who are Facebook users are not informed that their personal data will be generally accessible to the United States security agencies,” said Bot. National data privacy watchdogs have the power, “where appropriate,” to suspend the transfer of such data to servers located in the U.S., including in the case concerning the data of European Facebook users, he said.

    Unwarranted Interference

    The EU Court of Justice should scrap the 2000 Safe Harbor decision because it doesn’t protect citizens from the 28-nation bloc enough from an “unwarranted interference” with their rights and a “large-scale collection of personal data,” he said.

    The EU-U.S. data-sharing accord gives U.S. intelligence services “wide-ranging” access to EU citizens’ data that “must be considered to be particularly serious, given the large number of users concerned and the quantities of data transferred,” said Bot.

    Those factors and “the secret nature” of the U.S. agencies’ access to such data via the servers of companies based in the U.S. “make the interference extremely serious.”

    The EU’s top court has been weighing the validity of the data-sharing accord following revelations by former National Security Agency contractor Edward Snowden about U.S. government surveillance activities and mass data collection. An Irish judge last year called on the EU’s tribunal to decide whether the deal still protects privacy and whether national regulators have the power to suspend illegal data flows from the EU to the U.S.

    Too Lax

    Bot criticized the European Commission for having neither “suspended nor adapted” the decision even though “it was aware of shortcomings” all along. The commission has been in negotiations with the U.S. for two years in a bid to address its concerns with the Safe Harbor decision of too lax sharing of people’s personal data.

    The Brussels-based EU executive arm said it “has been working tirelessly with the U.S. on the final details of a deal in the last weeks and we are confident that we can reach a positive conclusion soon,” according to an e-mailed statement Wednesday.

    Austrian privacy activist Max Schrems triggered the case with a complaint he filed against Facebook with the privacy watchdog in Ireland, where the U.S. social network company has its European base. He alleged that Facebook’s Irish unit illegally handed over data to U.S. spies. Schrems had previously filed 22 complaints against the Menlo Park, California-based company.

    NSA Surveillance

    If followed by the court, it would mean that Facebook’s European branch in Ireland “would be barred from processing its data in the U.S., but would have to process its data in a place where those data are not subject to NSA mass-surveillance,” Herwig Hofmann, a lawyer representing Schrems, told reporters at the EU court today. All U.S. companies would have to follow the same rules, he said.

    Facebook “operates in compliance with EU Data Protection law. Like the thousands of other companies who operate data transfers across the Atlantic we await the full judgment,” said spokeswoman Sally Aldous.

    “We have repeatedly said that we do not provide ‘backdoor’ access to Facebook servers and data to intelligence agencies or governments,” she said.

    All U.S. companies that are certified under Safe Harbor — there are more than 4,000 such companies — will be affected by the EU court’s decision, which should follow in the next four to six months.

    DigitalEurope, a trade group that represents companies such as Apple Inc., Google Inc. and Microsoft Corp., said it is “concerned about the potential disruption to international data flows if the court follows today’s opinion,” according to a statement by John Higgins, its director general.

    “If the safe harbor system is gone, it is very likely that the data protection authorities in the 28 EU member states will not allow data transfers to U.S. companies that are subject to mass surveillance laws,” said Schrems in an e-mailed statement. “This may have major commercial downsides for the U.S. tech industry.”

    Note that this recommendation appears to be coming at a time when the EU and US have been attempting to finalize a deal for overhauling the existing Safe Harbor agreement:
    Bot criticized the European Commission for having neither “suspended nor adapted” the decision even though “it was aware of shortcomings” all along. The commission has been in negotiations with the U.S. for two years in a bid to address its concerns with the Safe Harbor decision of too lax sharing of people’s personal data.

    The Brussels-based EU executive arm said it “has been working tirelessly with the U.S. on the final details of a deal in the last weeks and we are confident that we can reach a positive conclusion soon,” according to an e-mailed statement Wednesday.

    But also note that the particular deal the US and EU were attempting to finalize in recent weeks wasn’t the deal over a new Safe Harbor agreement, although closely related. It was a security/terrorism data-sharing agreement that places new limits on US access to EU citizen data and opens US courts up to lawsuits by EU citizens if they feel their privacy rights have been violated, and it is predicated on Congress passing some additional data-privacy laws:

    The Wall Street Journal
    EU-U.S. Agreement on Personal-Data Protections Reached
    Pact should promote expanded data sharing in counterterrorism probes
    By Julian E. Barnes
    Sept. 8, 2015 4:20 p.m. ET

    BRUSSELS—U.S. and European Union officials have reached agreement on a set of protections for personal data, which should allow for expanded data sharing in counterterrorism investigations.

    The deal is contingent on the U.S. Congress passing a law to allow citizens of EU countries to sue in U.S. courts if they feel their privacy rights have been violated.

    EU Justice Commissioner Vera Jourová said the agreement will guarantee a “high level of protection” for personal data exchanged between American and European investigators.

    “The finalization of the Umbrella Agreement negotiations is therefore an important step to strengthen the fundamental right to privacy effectively and to rebuild trust in EU-U.S. data flows,” she said in a statement.

    Counterterrorism cooperation and data sharing between the U.S. and Europe came under intense scrutiny in the wake of the release of National Security Agency documents by former NSA contractor Edward Snowden.

    EU officials said that the agreement will limit data for the purpose of preventing, investigating or prosecuting criminal offenses. It will also put limits on the ability of the U.S., or a European country, from passing the shared data to a third country.

    U.S. officials didn’t immediately comment.

    Under the agreement, the U.S. will have to publish how long it will confidentially hold personal data. It prohibits them from being retained indefinitely. The agreement says that EU and U.S. will need to create a mechanism if a data breach exposes personal data.

    Rep. Jim Sensenbrenner (R., Wis.), one of the architects of the original Patriot Act, introduced in March a measure called the Judicial Redress Bill giving citizens of U.S. allies the right to sue in American courts over privacy breaches, the key demand of European negotiators.

    Mr. Sensenbrenner said the agreement was a step forward for “international safety and prosperity.” He said he was optimistic that his bill, which has received bipartisan support, would be brought to a vote in Congress.

    Passing the law, he said, “remains a critical piece in our partnership with the European Union and is critical to ensure continued sharing of law-enforcement intelligence.”

    The agreement is separate from other ongoing talks between the U.S. and the EU to update a pact used by Google and other U.S. companies that allows them to transfer personal data to U.S.-based servers.

    The negotiations over the so-called Safe Harbor agreement have hit road blocks over data-collection practices by U.S. security services, but Ms. Jourová on Tuesday reiterated that a deal was impending.

    So the US and EU agree to expand government-to-government data sharing on citizens, but in exchange for greater internal and legal safeguards. This seems like the kind of development that should be a rather big deal in the post-Snowden era. Then again, it’s all contingent on the US Congress passing Mr. Sensenbrenner’s bill that allows EU citizens to sue in US courts if they feel their privacy rights have been violated, so maybe this deal is assumed to be mostly symbolic:

    The deal is contingent on the U.S. Congress passing a law to allow citizens of EU countries to sue in U.S. courts if they feel their privacy rights have been violated.

    Rep. Jim Sensenbrenner (R., Wis.), one of the architects of the original Patriot Act, introduced in March a measure called the Judicial Redress Bill giving citizens of U.S. allies the right to sue in American courts over privacy breaches, the key demand of European negotiators.

    Mr. Sensenbrenner said the agreement was a step forward for “international safety and prosperity.” He said he was optimistic that his bill, which has received bipartisan support, would be brought to a vote in Congress.

    Passing the law, he said, “remains a critical piece in our partnership with the European Union and is critical to ensure continued sharing of law-enforcement intelligence.”

    The agreement is separate from other ongoing talks between the U.S. and the EU to update a pact used by Google and other U.S. companies that allows them to transfer personal data to U.S.-based servers.

    The negotiations over the so-called Safe Harbor agreement have hit road blocks over data-collection practices by U.S. security services, but Ms. Jourová on Tuesday reiterated that a deal was impending.

    Keep in mind that this agreement was worked out before John Boehner resigned as Speaker of the US House and potentially handed the keys to the Congressional car to the extra crazy wing of the extra crazy party. So it’s not really clear what to expect in terms of the passage of the bill by Congress as required by the deal going into an election year.

    But if that bill isn’t passed, Safe Harbor might actually get repealed, which could create a massive headache for at least parts of the US tech sector operating in Europe. The large companies like Facebook and Google may not care very much since the giants already have EU-based data warehouses and operations. But for the tiny US firms with limited resources operating in the EU, the repeal of Safe Harbor may not be very fun. And the passage, or refusal to pass, by a GOP-controlled Congress of the Judicial Redress Bill could be exactly one of those factors that determines whether or not Safe Harbor gets repealed.

    So it’s very possible that the repeal of Safe Harbor is up to the yet to be determined GOP House leadership and whether it shepherds the passage of the Judicial Redress Bill. The yet to be determined GOP House leadership.

    But it’s also worth keeping in mind that the EU parliament has to pass the agreement too. And there is no shortage of questions about what the “Umbrella agreement” actually means, in part because it’s still not known if the EU’s future data privacy laws that have yet to be worked out (the “future data protection directives” referred to below) will take precedence over the “Umbrella agreement”. So even when you ignore the institutionalized madness that has gripped the US Congress, there’s going to be no shortage of questions from the EU too:

    The Register
    In EU-US data sharing we trust – but can we have that in writing, say MEPs
    Signs of split between EU apparatchiks and elected reps

    16 Sep 2015 at 14:33, Jennifer Baker

    European lawmakers won’t blindly accept an EU-US agreement on new data sharing laws without important legal questions being answered and fine print being read, according to several prominent MEPs.

    After four years of talks, the EU and the US reached a “gentleman’s agreement” on data sharing for law enforcement last week.

    On Tuesday evening, the so-called Umbrella Agreement was presented to the European Parliament’s civil liberties committee by Paraskevi Michou, acting director general of the EU Commission’s justice department, which led negotiations from the east of the Atlantic.

    Despite the commission presenting the agreement as a done deal, it will not take effect until it is approved by the European Parliament and a Judicial Redress Bill has been signed by the US Congress.

    This bill would put Europeans on a level footing with Americans in the US; US citizens already have data protection rights in Europe.

    Although the deal would give EU citizens the same rights as Americans to seek judicial redress before US courts if US authorities deny access to, or rectification of, their personal data, those rights are not absolute. Certain types of data are exempt.

    Michou was nonetheless buoyant, saying that the agreement goes even further than the anticipated EU Data Protection Directive.

    “This is a step forward so safeguards do not have to be renegotiated from scratch every time,” she said, urging MEPs to “use your contacts in Congress to insist on the passing of the judicial redress bill, as it is essential to improve law enforcement cooperation.”

    However, although welcoming the move towards greater data protection, Green MEP Jan Philipp Albrecht said he would like the text of the agreement to be examined by the parliament’s own legal department.

    “Judicial address is a huge step forward. Most of our demands in the text of this agreement are met, but with two preconditions,” he said.

    The first is the judicial redress bill. The second, in Albrecht’s view, is that the agreement “should not compromise the existing legislation on data protection that we have in the EU. The commission’s view is that it would not, but I think as parliamentarians we should ask our own legal service to assess this”.

    Dutch MEP Sophie in ’t Veld (ALDE) was also in favour of having the lawyers look at the small print, as she appeared to disagree with Michou’s assertion that the deal would go further than the EU’s own data protection proposals.

    “I think we need a little more time to look at the text in detail,” she said. “It is not just me; it is also the citizens of Europe who are entitled to know the status of this document. The protections are lower than the EU rules that we hope to adopt.”

    “But if it’s true that this only fills the gaps between the data protection directive and Mutual Legal Assistance Treaties, then that is good,” she added.

    “I want to be sure before we vote on this, that this agreement will never override the future data protection directive. As a citizen if I have a complaint, I want to know which agreement takes precedence?” added in ’t Veld.

    German EPP MEP Axel Voss, not normally on exactly the same page as Albrecht and in ’t Veld, also wants the agreement subjected to scrutiny. “I have nothing against the legal services, but it might be useful to get ideas from the court ahead of time,” he said.

    Finally, German MEP Cornelia Ernst (Nordic Green Left) wanted to know: “What happens in the case of a non-US or non-EU citizen who lives here in Europe?”

    The timetable for the agreement is still hazy and dependent on a lot of billable hours for the lawyers. Officially, negotiators are saying it has been agreed, but not yet “inked”. The commission’s “breakthrough” may turn out to be nothing of the sort.

    “This bill would put Europeans on a level footing with Americans in the US; US citizens already have data protection rights in Europe.”

    That’s something worth keeping in mind: US citizens already enjoy the protections EU citizens will receive if the “Umbrella agreement” is implemented.

    And then there’s the additional question of whether or not the yet to be finalized EU data privacy directives will take precedence:

    “I want to be sure before we vote on this, that this agreement will never override the future data protection directive. As a citizen if I have a complaint, I want to know which agreement takes precedence?” added in ’t Veld.

    So there could be some significant legal barriers to US spying on EU citizens coming up, which is especially notable since the “Five Eyes” is presumably doing much of the domestic spying, as a proxy, for the “Nine Eyes” and “Fourteen Eyes”, which include a lot of the EU.

    So the in-housing of EU domestic spying operations could be something to keep an eye on if there’s a shakeup in how the US and EU divide up their spying labor and share the results. We’ll see what happens but it’s looking like a number of new data centers are probably about to be built in Europe. Filled with domestic data. Delicious domestic data.

    In other news…

    Posted by Pterrafractyl | September 29, 2015, 10:49 pm
  13. It looks like it’s time to say “so long” to Safe Harbour:

    Reuters
    Europe-U.S. data transfer deal used by thousands of firms is ruled invalid
    BRUSSELS | By Julia Fioretti

    Tue Oct 6, 2015 11:37am EDT

    The EU’s highest court struck down a deal that allows thousands of companies to easily transfer data from Europe to the United States, in a landmark ruling on Tuesday that follows revelations of mass U.S. government snooping.

    Many companies, particularly tech firms, use the Safe Harbour system to help them get round cumbersome checks to transfer data between offices on both sides of the Atlantic, including payroll and human resources information as well as lucrative data used for online advertising.

    But the decision by the Court of Justice of the European Union (ECJ) sounds the death knell for the system, set up by the European Commission 15 years ago and used by over 4,000 firms including IBM (IBM.N), Google (GOOGL.O) and Ericsson (ERICb.ST).

    The court said Safe Harbour did not sufficiently protect EU citizens’ personal data as American companies were “bound to disregard, without limitation” the privacy safeguards where they come into conflict with the national security, public interest and law enforcement requirements of the United States.

    In addition, EU citizens have no means of legal recourse against the storage or misuse of their data in the United States, the court said. A bill is currently winding its way through the U.S. Congress to give Europeans the right to legal redress.

    The ECJ cited U.S. surveillance and authorities’ access to data as a reason behind its ruling. In its summary of the case it referred to revelations from former National Security Agency contractor Edward Snowden, which included that the Prism programme allowed U.S. authorities to harvest private information directly from big tech companies such as Apple (AAPL.O), Facebook (FB.O) and Google.

    The European Commission said it would continue to work with the United States on a revamped data transfer deal that could fill the void left by the ruling on Safe Harbour, which came into effect immediately.

    “In the light of the ruling, we will continue this work towards a new and safe framework for the transfer of personal data across the Atlantic,” Commission Vice President Frans Timmermans told a news conference.

    Without Safe Harbour, companies will be forced to draw up contracts establishing privacy protections between groups or seek approval from data protection authorities for information transfers to countries the EU deems to have lower privacy standards, including the United States.

    “The EU’s highest court has pulled the rug under the feet of thousands of companies that have been relying on Safe Harbour,” said Monika Kuschewsky, special counsel at law firm Covington. “All these companies are now forced to find an alternative mechanism for their data transfers to the U.S.”

    The Commission said it would issue guidance to national data protection authorities to ensure a coordinated approach in dealing with data transfer requests to the United States.

    The group of EU data protection authorities, known as the Article 29 Working Party, said it would hold discussions this week to “determine the consequences on transfers” of data and schedule an extraordinary meeting shortly.

    However, lawyers said most multinationals would probably be able to continue with business as usual as they already had alternative legal channels for transferring data to the United States.

    ‘UNCERTAINTY FOR FIRMS’

    The court case stemmed from a complaint by Austrian law student Max Schrems, who challenged Facebook’s transfers of European users’ data to its American servers because of the risk of U.S. snooping, in light of Snowden’s revelations in 2013.

    The European Commission separately demanded a review of Safe Harbour to ensure that U.S. authorities’ access to Europeans’ data would be proportionate and limited to what is absolutely necessary.

    Washington and Brussels have been in talks for two years to strengthen Safe Harbour in a way that could allay Europe’s privacy concerns, and Tuesday’s judgement heaps pressure on the Commission to accelerate the talks.

    “The Court put pretty high standards on a new Safe Harbour,” Kuschewsky said.

    Christian Borggreen, director at the Computer & Communications Industry Association, whose members include Google, Facebook and Amazon (AMZN.O), said the ruling would hit small and medium-sized businesses most.

    Schrems filed his complaint to the Irish Data Protection Commissioner, as Facebook has its European headquarters in Ireland. The case eventually wound its way up to the Luxembourg-based ECJ, which was asked to rule on whether national data privacy watchdogs could unilaterally suspend the Safe Harbour framework if they had concerns about U.S. privacy safeguards.

    “The judgment makes it clear that U.S. businesses cannot simply aid U.S. espionage efforts in violation of European fundamental rights,” said 28-year-old Schrems.

    Well that should teach US tech giants that are actually collecting the bulk of EU citizen private data a lesson:
    The group of EU data protection authorities, known as the Article 29 Working Party, said it would hold discussions this week to “determine the consequences on transfers” of data and schedule an extraordinary meeting shortly.

    However, lawyers said most multinationals would probably be able to continue with business as usual as they already had alternative legal channels for transferring data to the United States.

    So now we get to not only find out what, if any, agreement replaces Safe Harbour but also what individual EU governments that were outsourcing their domestic spying to the NSA are going to do now, which may not be obvious because new methods used by governments for domestic surveillance aren’t necessarily discussed in the daily news. Although sometimes they are:

    Truth-Out
    France’s Government Aims to Give Itself – and the NSA – Carte Blanche to Spy on the World

    Sunday, 04 October 2015 00:00 By Danny O’Brien, Electronic Frontier Foundation | Op-Ed

    The United States makes an improper division between surveillance conducted on residents of the United States and the surveillance that is conducted with almost no restraint upon the rest of the world. This double standard has proved poisonous to the rights of Americans and non-Americans alike. In theory, Americans enjoy better protections. In practice there are no magical sets of servers and Internet connections that carry only American conversations. To violate the privacy of everyone else in the world, the U.S. inevitably scoops up its own citizens’ data. Establishing nationality as a basis for discrimination also encourages intelligence agencies to make the obvious end-run: spying on each other’s citizens, and then sharing that data. Treating two sets of innocent targets differently is already a violation of international human rights law. In reality, it reduces everyone to the same, lower standard.

    Now France’s government is about to make the same error as US practice with its new “Surveillance des communications électroniques internationales” bill, currently being rushed through the French Parliament. As an open letter led by France’s La Quadrature du Net and signed by over thirty civil society groups including EFF states, France’s legislators must reject this bill to protect the rights of individuals everywhere, including those in France.

    By legalizing France’s own plans to spy on the rest of the world, France would take a step to establishing the NSA model as an acceptable global norm. Passing the law would undermine France’s already weak surveillance protections for its own citizens, including lawyers, journalists and judges. And it would make challenging the NSA’s practices far more difficult for France and other states.

    The new bill comes as a result of France’s Constitutional Council review of the country’s last mass surveillance bill, which passed with little parliamentary opposition in July. The Council passed most of that bill on the basis of its minor concessions to oversight and proportionality, but rejected the sections on international surveillance, which contained no limits to what France might do.

    France already spies on the world. In July, the French news magazine L’Obs revealed a secret decree dating from at least 2008, which funded a French intelligence service project to intercept and analyze international data traffic passing through submarine cable intercepts. The decree authorized the interception of cable traffic from 40 countries including Algeria, Morocco, Tunisia, Iraq, Syria, Sub-Saharan Africa, Russia, China, India and the United States. The report states that France’s intelligence agency, the General Directorate for External Security (DGCE), spent $775 million on the project.

    Given that the Constitutional Council implied that such practices are almost certainly unlawful as is, the French government has now scrambled to create a framework that could excuse it.

    Under the new proposed law, France’s intelligence agencies still have an incredibly broad remit. The law concentrates the power to grant wide-ranging surveillance permission in the office of the Prime Minister, who can sign off on mass surveillance of communications sent or received from overseas. Such surveillance can be conducted when in the “essential interests of foreign policy” or “[the] essential economic and scientific interests of France”, giving the executive the widest possible scope to conduct surveillance.

    The original surveillance law included limits on data retention when spying on French nationals (30 days for the content of communications, four years for metadata, six years for encrypted data). The new international limits are much longer – one year, six years, and eight years respectively. The law’s authors do not justify this longer period, nor do they explain how the intelligence agencies will be able to separate data from each class of target without collecting, analyzing and filtering them all.

    The collapsing divide between the lawful, warranted surveillance of ordinary citizens, and the wide-ranging capabilities of the intelligence services to collect signals intelligence on foreign powers and agents, has ended up corroding both domestic and global privacy rights. The U.S. has taken advantage of the lesser protections for non-U.S. persons to introduce the dragnet surveillance of everyone who uses the Internet outside the U.S. Because unprotected foreigners’ data is mixed up with somewhat more protected communications of Americans, the U.S. government believes that it can “incidentally” scoop up its own citizens’ data, and sort it out later under nobody’s oversight but its own.

    If the French Parliament passes this bill, it will mean that France has decided to embody and excuse the same practices as the NSA in its own law. It is a short-sighted attempt to cover France’s existing secret practices, but the consequences are far-reaching. The limited protections that were included in the original surveillance bill – including assurances that French journalists, judges and lawyers would be protected from dragnet surveillance – will be undermined by their inevitable inclusion in the vacuuming up of all international traffic.

    Any attempt by the EU countries to rein back the NSA’s surveillance plan by calls for the United States to respect data protection principles, and data protection principles, will provoke the response that the U.S. is simply exercising the powers that an EU member has already granted itself.

    So if you’ve been running a web service based in France, it was probably spied on already, but now that spying should have more legal protections:

    France already spies on the world. In July, the French news magazine L’Obs revealed a secret decree dating from at least 2008, which funded a French intelligence service project to intercept and analyze international data traffic passing through submarine cable intercepts. The decree authorized the interception of cable traffic from 40 countries including Algeria, Morocco, Tunisia, Iraq, Syria, Sub-Saharan Africa, Russia, China, India and the United States. The report states that France’s intelligence agency, the General Directorate for External Security (DGCE), spent $775 million on the project.

    Given that the Constitutional Council implied that such practices are almost certainly unlawful as is, the French government has now scrambled to create a framework that could excuse it.

    The collapsing divide between the lawful, warranted surveillance of ordinary citizens, and the wide-ranging capabilities of the intelligence services to collect signals intelligence on foreign powers and agents, has ended up corroding both domestic and global privacy rights. The U.S. has taken advantage of the lesser protections for non-U.S. persons to introduce the dragnet surveillance of everyone who uses the Internet outside the U.S. Because unprotected foreigners’ data is mixed up with somewhat more protected communications of Americans, the U.S. government believes that it can “incidentally” scoop up its own citizens’ data, and sort it out later under nobody’s oversight but its own.

    If the French Parliament passes this bill, it will mean that France has decided to embody and excuse the same practices as the NSA in its own law. It is a short-sighted attempt to cover France’s existing secret practices, but the consequences are far-reaching. The limited protections that were included in the original surveillance bill – including assurances that French journalists, judges and lawyers would be protected from dragnet surveillance – will be undermined by their inevitable inclusion in the vacuuming up of all international traffic.

    “If the French Parliament passes this bill, it will mean that France has decided to embody and excuse the same practices as the NSA in its own law”

    Posted by Pterrafractyl | October 6, 2015, 11:03 am
  14. With Safe Harbor no longer valid, the scramble is underway among US tech firms to figure out how to adapt. And as the article below points out, if firms are assuming that they’re going to now have to move their servers over to an EU nation they might be disappointed because based on the new ruling, each EU nation could decide to set up its own local storage requirement:

    The Wall Street Journal
    Small Firms Worry, as Big-Data Pact Dies
    Higher costs loom amid needs to renegotiate contracts and relocate servers

    By Elizabeth Dwoskin and
    Robert McMillan
    Updated Oct. 8, 2015 10:36 a.m. ET

    Technology giants hardly flinched when news broke on Tuesday that the European Union’s highest court had struck down the 15-year-old agreement that allowed U.S. businesses to transfer Europeans’ personal information to the U.S. But many smaller companies were caught flat-footed.

    TheMobileYogi, which offers a collection of apps for yoga aficionados, wasn’t prepared. The Ohio-based software developer has about 200,000 users, and Chief Executive Sebastian Holst suspects that one-third of them might be in Europe. He says he thinks so because the company collects a mobile-device identifier that is generally associated with a region or country and the rough location of the device when it signs in. But this information isn’t precise, so he can’t be sure.

    The ruling left him flummoxed. “Two days ago, my application on a German phone was totally covered [by the pact]. Now it’s not,” he said. “With a swipe of a pen, they’ve made [the ability to collect data on European users] invalid. Now I need to know: Am I in jeopardy?”

    Amazon.com Inc., Airbnb Inc., Facebook Inc. and Fair Isaac Corp., the data collector referred to as FICO, are among the many large companies that said lawyers had been working on their behalf for some time to find technical workarounds and legal alternatives to the now-defunct accord, known as Safe Harbor. Many have been racing to build sprawling European data-storage facilities. Last year, Amazon’s cloud-computing service AWS opened a data center in Frankfurt, its first large data center in continental Europe, in part to show it complied with strict German data-privacy laws.

    However, smaller companies such as theMobileYogi face uncertain prospects after the ruling by the European Court of Justice. Some executives fear they must renegotiate contracts with their clients or relocate database servers. Others, such as Mr. Holst, are struggling to parse whether they even have data on European citizens, who aren’t required to specify their citizenship when they sign up for many apps.

    Setting up servers in Europe or buying cloud storage there could double the operational costs of small businesses, said Chris Babel, chief executive of Truste, which advises companies about data-privacy laws.

    Among the 4,400 companies certified by the U.S. Commerce Department to take advantage of Safe Harbor, some 60% are small or midsize businesses, according to the government agency.

    Companies seeking to comply with the ruling have options, but they are largely unexplored by small businesses and thus represent significant risk. Some companies are taking advantage of an alternative known as a model contract. This option involves updating contracts with vendors and customers, as well as their privacy policies, with legal language published by European officials, said Harriet Pearson, a partner at the law firm Hogan Lovells who has represented Uber Technologies Inc. and Bloomberg LP.

    Taking advantage of model contracts can entail substantial work and costs. “We’re potentially going to see a massive number of contracts be renegotiated,” said Michael Overly, a lawyer with Foley & Lardner LLP who advises companies on legal issues related to cloud computing.

    Corporations need to not only ensure that they themselves comply with European law but also that their service providers comply, Mr. Overly said. That includes cloud-computing providers that operate fluidly across national borders over the Internet.

    The challenge of sharing data between Europe and the U.S. might become more complex. Tuesday’s ruling gives more power to local regulators to challenge the European Commission, the EU’s executive arm, on data-protection issues. Individual European countries could require local storage, said Mr. Babel of Truste.

    Morgan Reed, director of the App Association, which represents 5,000 app developers and is sponsored by Apple Inc., AT&T Inc., BlackBerry Ltd., Microsoft Corp. and Facebook, said the European decision pushed the Internet further toward becoming a two-tiered system in which small businesses faced a higher barrier to entry than large ones. “Our small businesses are the collateral damage of this case,” he said.

    “The challenge of sharing data between Europe and the U.S. might become more complex. Tuesday’s ruling gives more power to local regulators to challenge the European Commission, the EU’s executive arm, on data-protection issues. Individual European countries could require local storage, said Mr. Babel of Truste.”
    Keep in mind we don’t actually know if any EU members are going to specify that you have to store their citizen data in that specific country, but it sounds like that could be an option to national legislators going forward. And either way, a lot more of the data generated by EU citizens on US-owned internet services is going to end up being stored somewhere in the EU. All safe and sound.

    Posted by Pterrafractyl | October 8, 2015, 10:50 am
  15. US internet companies currently fretting over the collapse of the US/EU Safe Harbor data sharing agreement can fret a bit less. The EU recently announced an agreement in principle with the US on Safe Harbor 2.0:

    The Wall Street Journal
    EU, U.S. Agree in Principle on New Data-Transfer Pact
    European court had struck down previous trans-Atlantic deal dubbed Safe Harbor

    By Natalia Drozdiak
    Updated Oct. 26, 2015 6:32 p.m. ET

    BRUSSELS—The European Union on Monday said it had agreed in principle with the U.S. on a new trans-Atlantic data-transfer pact, as both sides race to complete the deal after the bloc’s highest court junked a previous framework used by thousands of firms.

    The European Court of Justice this month invalidated a 15-year old agreement, known as Safe Harbor, which allowed businesses to move Europeans’ data, such as payroll information, to servers in the U.S. The court ruled that Europeans’ data was insufficiently protected when transferred to the U.S., where it could fall prey to national intelligence services.

    Washington and Brussels have been negotiating for around two years to update the Safe Harbor framework after EU officials demanded changes to the agreement in 2013 following National Security Agency contractor Edward Snowden’s disclosures of widespread U.S. spying.

    “There is agreement on these matters in principle, but we are still discussing how to ensure that these commitments are binding enough to fully meet the requirements of the court,” Justice Commissioner Vera Jourova told European lawmakers Monday.

    The negotiations between the EU and U.S. became more urgent after the court’s ruling, which raises questions about how much legal certainty a new version could bring businesses because it enshrines the power for national data protection authorities to independently review, and potentially suspend, data transfers to the U.S.

    Ms. Jourova didn’t set a hard deadline for a completed deal, but she said she expected both sides to make significant progress on the remaining technical points of discussion by the time she visits the U.S. in mid-November. The commission wants to ensure the new agreement complies “a hundred percent” with the court’s ruling, she said.

    Among the issues that still need to be addressed, the commissioner said the EU was still looking for clear conditions and limits to the extent to which U.S. intelligence services have access to Europeans’ personal data.

    Following the court ruling, national data privacy regulators set an end-January deadline for the EU and U.S. to replace the framework and said they would also look into implications the court’s ruling has on other arrangements for transferring personal data, which are more cumbersome for businesses to use but are currently the only options available.

    On Monday, Ms. Jourova said the new framework would include stronger oversight by the U.S. Department of Commerce to ensure that companies comply with rules to protect Europeans’ data as well as greater cooperation between national data protection regulators and American authorities.

    The new deal would also bring consumers more transparency about the way companies handle their data and would establish free of charge redress mechanisms as well as strict rules for companies about the onward transfer of data to additional parties, she said.

    Ms. Jourova also said the new deal would establish an annual review mechanism run by authorities on both sides of the Atlantic that would monitor whether law enforcement and national security services complied with limits on access to Europeans’ data.

    “This will transform the system from a purely self-regulating one to an oversight system that is more responsive as well as proactive and backed up by significant enforcement, including sanctions,” she said.

    Austrian privacy activist Max Schrems, whose complaint to the Irish data protection authority helped torpedo the original Safe Harbor agreement, was still skeptical of the new plans.

    “Overall, Vera Jourova’s statements showed willingness, but inability [of the commission] to come up with a solid master plan after Safe Harbor,” Mr. Schrems said on Twitter.

    Ms. Jourova said the commission would soon issue a statement explaining the consequences of the so-called Schrems ruling and would set guidance for international data transfers, without overriding the authority of national data privacy regulators.

    “Ms. Jourova also said the new deal would establish an annual review mechanism run by authorities on both sides of the Atlantic that would monitor whether law enforcement and national security services complied with limits on access to Europeans’ data.”
    So it sounds like an annual review mechanism might be a key part of the new Safe Harbor agreement. But it also sounds like Max Schrems, the Austrian law student and plaintiff in the case against Facebook that actually resulted in the European constitutional court ruling that killed Safe Harbor, remains skeptical that an agreement that meets the court’s standards will actually be achievable because that would require the end of US mass surveillance policies:

    The Wall Street Journal
    Real Time Brussels
    Max Schrems, Who Torpedoed Safe Harbor 1, Sees No Safe Harbor 2

    By Natalia Drozdiak
    10:16 am ET
    Oct 22, 2015

    He’s just helped bring down a longstanding trans-Atlantic data-transfer pact used by thousands of businesses and Austrian privacy activist Max Schrems is already pouring cold water on the framework’s impending replacement now being hammered out by European Union and U.S. officials.

    In a case stemming from a complaint sent to Irish privacy regulators by the 28-year old Mr. Schrems, the European Court of Justice earlier this month junked a 15-year old agreement, known as Safe Harbor, which allowed businesses to move Europeans’ data, such as payroll information, to servers in the U.S. The court ruled that Europeans’ data was insufficiently protected when transferred to the U.S., where it could fall prey to national intelligence services.

    EU and U.S. officials are now racing to the replace the deal but the court’s ruling raises questions about how much legal certainty even a new version would bring businesses.

    “I don’t think we’re going to see a second Safe Harbor,” Mr. Schrems said at an event in Brussels. “If we find an agreement, it’s very likely that it will be challenged in the court again and if it’s not totally solid, it will be invalidated again and then companies will be in the same situation again.”

    European Union privacy regulators are giving negotiators until the end of January to reach a deal before potentially suspending data transfers. EU officials after the court ruling had said more time was needed to complete the new agreement in order to address concerns about data-collection by U.S. national security services.

    “The interest of a new Safe Harbor may be limited in the U.S. when they realize what they have to meet in a new Safe Harbor,” Mr. Schrems said. “If you look at the [court’s] judgment…it would basically require the end of U.S. mass surveillance.”

    Visiting from Washington, the Federal Trade Commission’s director for consumer protection told journalists in Brussels that U.S. officials were aware businesses wanted more certainty than they have at the moment and were working with European counterparts to address the court’s concerns in the new Safe Harbor agreement.

    “There’s a lot of speculation as to what’s going to happen and what will satisfy the court and what won’t– I’m not sure we’re going to know right now, the answers to that,” the FTC’s Jessica Rich said. “The best thing for us to do right now is to try to negotiate a new agreement… and take it from there.”

    “The interest of a new Safe Harbor may be limited in the U.S. when they realize what they have to meet in a new Safe Harbor,…If you look at the [court’s] judgment…it would basically require the end of U.S. mass surveillance.”
    That’s the view from Schrems, and if Germany’s data-protection authorities are any indication of the likelihood of this tentative Safe Harbor 2.0 framework, Schrems’s skepticism might be warranted:

    The Wall Street Journal
    Real Time Brussels
    Germany’s Tough Line on Data Transfers to U.S. Is Criticized

    By Natalia Drozdiak
    6:24 am ET Oct 29, 2015

    Germany’s federal and regional data-protection authorities this week said they wouldn’t approve any new transfers of data to the U.S. — even for transfers based on arrangements different from the trans-Atlantic data-transfer pact knocked down by the European Union’s highest court.

    The European Court of Justice this month invalidated a 15-year old agreement, known as Safe Harbor, which allowed businesses to move Europeans’ data, such as employee information, to servers in the U.S. The court ruled that Europeans’ data was insufficiently protected when transferred to the U.S., where it could be accessed by national intelligence services.

    Businesses can still transfer that data using more time-consuming and bureaucratic methods, but the court’s ruling calls into question the legal footing for those arrangements as well because it blesses the EU’s national data protection authorities – even those with harsher views of U.S. data privacy rules – with the power to review and challenge those transfers.

    After the court’s decision, the EU’s 28 national data-privacy regulators set an end-January deadline to replace the Safe Harbor agreement with a new version that respects EU citizens’ privacy rights. The regulators said they would look into the implications the ruling had on other arrangements for transferring personal data, but until the January deadline, those methods would still be legitimate to use.

    But in this week’s position paper stating they wouldn’t approve new data transfers, German regulators went beyond what was agreed by the bloc’s data protection authorities, drawing the ire of some business associations.

    “The statement of the Germany data protection authorities goes in direct contradiction to the coordinated approach between member state authorities,” said John Higgins, Director General of Digital Europe, a business association representing digital companies.

    Mr. Higgins said their decision would lead to unnecessary market volatility. In addition to withholding consent for new data transfers, at least one German regulator encouraged companies to think twice about sending data to the U.S. at all and consider storing it on Europe-based servers instead.

    “Whoever wants to remain unaffected by the legal and political consequences of the judgment, should consider storing personal data only on EU-based servers in the future,” said Johannes Caspar, supervisor at the Hamburg data protection authority, which claims jurisdiction in Germany for U.S. tech companies like Alphabet’s Google and Facebook.

    Yes, Germany’s data-protection authorities “said they wouldn’t approve any new transfers of data to the U.S. — even for transfers based on arrangements different from the trans-Atlantic data-transfer pact knocked down by the European Union’s highest court.” And that’s something that could happen for years to come given the court’s ruling since national data-protection authorities are free to protect their citizens’ data as they see fit…

    Businesses can still transfer that data using more time-consuming and bureaucratic methods, but the court’s ruling calls into question the legal footing for those arrangements as well because it blesses the EU’s national data protection authorities – even those with harsher views of U.S. data privacy rules – with the power to review and challenge those transfers.

    And how do Germany’s data-protection authorities recommend businesses deal with all the legal and regulatory uncertainty? Just store the data on EU servers in the future:


    “Whoever wants to remain unaffected by the legal and political consequences of the judgment, should consider storing personal data only on EU-based servers in the future,” said Johannes Caspar, supervisor at the Hamburg data protection authority, which claims jurisdiction in Germany for U.S. tech companies like Alphabet’s Google and Facebook.

    Well, the EU data storage industry is probably ok with that suggestion. And if a new Safe Harbor agreement can’t be reached in the next few months it may not be just a suggestion. Shutting down EU operations or setting up data storage in the EU might be the only two remaining options for internet businesses operating in the EU.

    Of course, this still leaves the question of which EU nation you should store your business’s data in since the data protection rules are going to vary from nation to nation. You have a number of options, although thanks to the array of new domestic surveillance laws that have been passed by nations across the EU that curiously don’t seem to be a part of the Safe Harbor debate, your many European options may not be great options:

    The New York Times
    The Opinion Pages
    Europe Is Spying on You

    By NILS MUIZNIEKS
    OCT. 27, 2015

    STRASBOURG, France — When Edward Snowden disclosed details of America’s huge surveillance program two years ago, many in Europe thought that the response would be increased transparency and stronger oversight of security services. European countries, however, are moving in the opposite direction. Instead of more public scrutiny, we are getting more snooping.

    Pushed to respond to the atrocious attacks in Paris and Copenhagen and by the threats posed by the Islamic State to Europe’s internal security, several countries are amending their counterterrorism legislation to grant more intrusive powers to security services, especially in terms of mass electronic surveillance.

    France recently adopted a controversial law on surveillance that permits major intrusions, without prior judicial authorization, into the private lives of suspects and those who communicate with them, live or work in the same place or even just happen to be near them.

    The German Parliament adopted a new data retention law on Oct. 16 that requires telecommunications operators and Internet service providers to retain connection data for up to 10 weeks. And the British government intends to increase the authorities’ powers to carry out mass surveillance and bulk collection of intercepted data.

    Meanwhile, Austria is set to discuss a draft law that would allow a new security agency to operate with reduced external control and to collect and store communication data for up to six years. The Netherlands is considering legislation allowing dragnet surveillance of all telecommunications, indiscriminate gathering of metadata, decryption and intrusion into the computers of non-suspects. And in Finland, the government is even considering changing the Constitution to weaken privacy protections in order to ease the adoption of a bill granting the military and intelligence services the power to conduct electronic mass surveillance with little oversight.

    Governments now argue that to guarantee our security we have to sacrifice some rights. This is a specious argument. By shifting from targeted to mass surveillance, governments risk undermining democracy while pretending to protect it.

    They are also betraying a long political and judicial tradition affording broad protection to privacy in Europe, where democratic legal systems have evolved to protect individuals from arbitrary interference by the state in their private and family life. The European Court of Human Rights has long upheld the principle that surveillance interferes with the right to privacy. Although the court accepts that the use of confidential information is essential in combating terrorist threats, it has held that the collection, use and storage of such information should be authorized only under exceptional and precise conditions, and must be accompanied by adequate legal safeguards and independent supervision. The court has consistently applied this principle for decades when it was called to judge the conduct of several European countries, which were combating domestic terrorist groups.

    More recently, as new technologies have offered more avenues to increase surveillance and data collection, the court has reiterated its position in a number of leading cases against several countries, including France, Romania, Russia and Britain, condemned for having infringed the right to private and family life that in the interpretation of the court covers also “the physical and psychological integrity of a person.”

    Last year, the European Court of Justice set limits on telecommunication data retention. By invalidating a European Union directive for its unnecessary “wide-ranging and particularly serious interference with the fundamental right to respect for private life” and personal data, this court reaffirmed the outstanding place privacy holds in Europe. This judgment echoed a 2006 German Constitutional Court ruling that the German police had breached the individual right to self-determination and human dignity after they conducted a computerized search of suspected terrorists.

    Regrettably, these judgments are often ignored by key decision-makers. Many of the surveillance policies that have recently been adopted in Europe fail to abide by these legal standards. Worse, many of the new intrusive measures would be applied without any prior judicial review establishing their legality, proportionality or necessity. This gives excessive power to governments and creates a clear risk of arbitrary application and abuse.

    Nils Muiznieks is the Council of Europe Commissioner for Human Rights.

    So that’s where we are: the US and EU have a couple months left to work out Safe Harbor 2.0 or else all EU-to-US data transfers become illegal. And even if a new agreement is worked out, it looks like Germany’s data protection authorities are going to continue to ban Germany-to-US transfers unless the US basically adopts exactly the same surveillance laws as the EU and applies them equally to EU citizens.

    But as the article above points out, this entire debate is happening within the context of growing domestic surveillance powers in one EU country after another that don’t meet the EU standards either:

    ….
    Last year, the European Court of Justice set limits on telecommunication data retention. By invalidating a European Union directive for its unnecessary “wide-ranging and particularly serious interference with the fundamental right to respect for private life” and personal data, this court reaffirmed the outstanding place privacy holds in Europe. This judgment echoed a 2006 German Constitutional Court ruling that the German police had breached the individual right to self-determination and human dignity after they conducted a computerized search of suspected terrorists.

    Regrettably, these judgments are often ignored by key decision-makers. Many of the surveillance policies that have recently been adopted in Europe fail to abide by these legal standards. Worse, many of the new intrusive measures would be applied without any prior judicial review establishing their legality, proportionality or necessity. This gives excessive power to governments and creates a clear risk of arbitrary application and abuse.

    And that all may point us towards a likely long-term resolution to the “Safe Harbor” debate: the EU constitutional court ruled that US’s laws must meet EU privacy standards while, at the same time, EU members are passing laws that don’t meet those standards either. So there’s clearly a fight coming up between the EU’s constitutional court and EU member states, and there’s no guarantee that the constitutional court won’t rule in favor of allowing greater surveillance. After all, those future fights could very well be taking place in a very different security environment where the US has already dramatically scaled back its surveillance of EU citizens. And since the NSA has basically been acting as a proxy domestic surveillance agency for EU nations for decades, those future fights within the EU could be taking place when the choice really is between having domestic surveillance capabilities or not.

    All indications right now are that EU members want to end their long-standing use of the NSA as Europe’s proxy-spy agency, but all indications are also that these same EU members want to simultaneously and dramatically ramp up their own domestic spying capabilities. So while it’s widely assumed that the US has to cut back on spying to get a new “Safe Habor” agreement, which might be the case in the short-run, the long-run implications of the EU court’s rulings may not be that significant on US surveillance laws if the EU is simultaneously increasing its own domestic spying.

    So we probably shouldn’t be super surprised if a large number of US firms start transferring and keeping their EU data on EU servers next year. Whether or not that data is forced to stay there due to a lack of harmonization between US and EU privacy laws, however, seems like more of an open question.

    Posted by Pterrafractyl | November 3, 2015, 7:45 pm
  16. If you manage a US-based IT company with a significant market in the EU and your company didn’t rely on the now-invalid US/EU Safe Harbor agreement for data-sharing but instead used one of the alternate mechanisms like Binding Corporate Rules or Model Clauses, you’re probably giving thanks for those mechanisms during your Thanksgiving Day feast. And if you’re one of those thankful individuals and you need a little adrenaline to knock you out of that Tofurkey-coma, this should do the trick:

    The Wall Street Journal

    EU Data Transfer Mechanisms May Keep Tumbling

    By Stephen Dockery
    4:54 pm ET, Nov 23, 2015

    Data transfer systems that companies have been relying on in the wake of the end of the U.S.-EU Safe Harbor agreement are likely to be picked apart by the European Court of Justice for the same reasons the broad privacy agreement was tossed out, data privacy experts said Monday.

    The recent EU data privacy court ruling invalidating the Safe Harbor agreement with the U.S. has sent ripples through consumer service businesses, leaving many companies scrambling to find a replacement system to govern their data transfers. The privacy ruling found that the U.S. was fundamentally compromised in protecting individuals’ personal data because of its mass surveillance systems.

    Binding Corporate Rules, Model Clauses and use of White List countries have all been touted by law and tech firms in the wake of the Safe Harbor ruling as the best ways to stay on the right side of the law while diplomats hammer out a new international agreement to govern data. Those rules and clauses govern a group of companies’ privacy policies and are laid out to notify regulators about how the businesses handle information.

    But advocating those solutions misses the fundamental issues that led the EU Court of Justice to get rid of safe harbor, said Stewart Room, head of cyber security and data protection at PwC.

    “Right now these other solutions are still legally valid…the problem is they have the same parent and the same architecture and the same legal vulnerability” as Safe Harbor, Mr. Room said in a webcast Monday.

    Mr. Room said the EU working party on the issue had already signaled that it was encouraging challenges to those mechanisms and was likely those solutions would be invalidated as well.

    Because mass surveillance, a staple of the U.S.’s national security program, is at the heart of the case, that means a new agreement will be unlikely to offer a solution for future data transfers, said Jay Cline, a data protection expert at PwC.

    “Safe Harbor 2 is not going to fix our problems,” he said, adding that “After [the attacks in] Paris, it’s hard to see anybody rolling back their surveillance.”

    Instead of looking for other paper compliance systems to take the place of Safe Harbor, such as consent-based programs that can be difficult to implement, companies would be better off adopting a data-sharing plan that looks at the issue of privacy in a different way altogether, Mr. Room and Mr. Cline said.

    Europe’s extending regulatory arm in the privacy realm means companies should adopt a “vision” of data sharing that can withstand tests over the notion of privacy that the European court has supported in its ruling, Mr. Room said.

    He said the court picked apart scenarios where companies can be legally in the clear but not protecting people’s data. Mr. Room endorsed an approach that includes frequent privacy tests, proving the system is meeting EU requirements.

    Have fun digesting this one:

    Because mass surveillance, a staple of the U.S.’s national security program, is at the heart of the case, that means a new agreement will be unlikely to offer a solution for future data transfers, said Jay Cline, a data protection expert at PwC.

    “Safe Harbor 2 is not going to fix our problems,” he said, adding that “After [the attacks in] Paris, it’s hard to see anybody rolling back their surveillance.”

    Yes, it is indeed hard to see anybody rolling back their surveillance following the Paris attacks. Maybe they’re even going to increase those efforts. *burp*

    In other news…

    Posted by Pterrafractyl | November 26, 2015, 7:40 pm
  17. Well, after almost three years of negotiations (a time frame that included the Snowden Affair and the following implosion of the US/EU “Safe Harbor” treaty) the EU’s new data privacy regulations are ready. This is following a four and a half month secret ‘trilogue’ negotiation that started in July 2015 and ended in December with the final negotiated text. But it’s here. The EU’s data privacy rules are finally finalized:

    The National Law Review
    EU Finalizes Text of New General Data Protection Regulation

    Joseph D. McClendon
    Polsinelli PC

    Tuesday, January 5, 2016

    Three years after Luxembourg politician Viviane Reding originally proposed overhauling the EU Data Protection Directive (“Directive”), European Union officials finally reached an agreement to replace the Directive with new comprehensive privacy legislation called the General Data Protection Regulation (“GDPR”). The GDPR is not yet EU law; however, the EU Parliament is expected to approve the GDPR when it next meets in January 2016. When approved, the GDPR will become law in 2018 across all 28 EU Member States and will supersede the inconsistent laws the EU Member States implemented in order to comply with the minimum data protection requirements set out in the Directive.

    Enacted in 1995, the Directive was in severe need of updating to keep up with the near constant change in the technology sector. The EU government intends to synchronize privacy laws across the Euro zone using the GDPR, with heavy fines for a company’s failure to implement the new privacy requirements.

    The GDPR in its current form contains provisions that will change how data is collected, stored and transmitted in and out of the EU, including:

    * Making the requirements for obtaining an individual’s consent for collecting that individual’s information more rigorous;

    * Raising the age of consent for collecting an individual’s information from 13 years old to 16 years old;

    * Memorializing the “right to be forgotten”, meaning that a company must delete an individual’s data if the company is no longer using the data for the purpose it was collected or if the individual revokes his or her consent for the company to hold the data;

    * Requiring companies to notify the EU government of data breaches within 72 hours of learning about the breach;

    * Establishing a single national office for monitoring and handling complaints brought under the GDPR; and

    * Fines up to 4% of a company’s global revenue for its non-compliance with the rules set out in the GDPR.

    The most critical change brought about by the GDPR is that jurisdiction is not a physical or geographical barrier – jurisdiction will be measured digitally, meaning that companies outside of the EU will be affected by these new regulations by virtue of collecting data that belongs to an EU citizen. With fines for non-compliance being set at 4% of a company’s global revenue, the financial impact to companies like Google, Facebook, Apple, and Microsoft for non-compliance can potentially result in billions of dollars in fines alone. How strictly the EU government will enforce and monitor compliance with the GDPR remains to be seen; however, companies should begin planning and implementing new business practices into their workflows with the expectation that EU regulators will be aggressive with their enforcement when the 2018 deadline hits.

    Finally, the GDPR does recognize standard contractual clauses and binding corporate rules as authorized frameworks for transferring EU citizen data out of the EU. With Safe Harbor invalidated in 2015 in the wake of Edward Snowden’s disclosure of the U.S.’s comprehensive surveillance programs, recognition of standard contractual clauses and binding corporate rules should provide some relief to business owners who chose to rely on self-certifying their company’s compliance with the Safe Harbor principles rather than using standard contractual clauses or binding corporate rules to transfer data out of the EU. The EU is currently in negotiations with the U.S. government to establish “Safe Harbor 2.0”, with both parties pushing to finalize the framework by the end of January 2016, thereby providing another avenue for data transfer to the roughly 4,000 companies that previously relied on Safe Harbor to collect and transfer data out of the EU.

    While internet firms everywhere that do business in the EU are probably at least somewhat pleased to see a final set of rules they can plan for, it’s going to be very interesting to see how much fear we see in the business community over potential fines of 4 percent of global revenues for non-compliance:
    With fines for non-compliance being set at 4% of a company’s global revenue, the financial impact to companies like Google, Facebook, Apple, and Microsoft for non-compliance can potentially result in billions of dollars in fines alone.

    Yeah, Google, Facebook, Apple, and Microsoft probably weren’t super-enthusiastic about that part.

    But something worth keeping in mind is that the internet giants of today aren’t necessarily going to be the personal data giants of tomorrow. The “Internet of Things” (IoT) is going to provide an opportunity for a large chunk of the personal digital data we generate in the future to get splintered off into a variety of different businesses beyond the Silicon Valley giants of today.

    Sure, the Googles of tomorrow will probably play a role in sharing and processing data with the IoT manufacturers and might be the main holders of personal data as the IoT continues to get more and more inserted into the meat space. Or maybe there will be a radical change in how people handle their personal digital data and the internet giants of today lose their grip on the data streams of our lives. Either way, the IoT is only going to get more and more incorporated into our lives, and if Germany’s auto industry gives us a hint of what to expect, the new EU data privacy laws are about to become a giant IoT turf war over who gets to own the data collected by their products. Not surprisingly, Google is seen as the industry’s mortal threat that must be stopped before the data services giant gains too strong of a grip on the personal data collected via our future smart cars. And as the article below makes clear, Germany’s auto manufacturers want to use the EU’s data privacy laws to keep Google out of Germany’s (and presumably Europe’s) cars. And Merkel’s government is receptive. And that’s just one sector, albeit a big one, of the coming “Internet of Things”.

    So with the new EU data privacy laws coming into effect in 2018 there’s no doubt going to be a growing number of questions that arise, especially as the IoT evolves. But one thing is clear: EU data privacy lawyers like the fellow that wrote the above article are going to be really busy for the next few decades:

    PC Magazine
    Why German Automakers Are Uneasy Over Google’s Growth

    By Doug Newcomb
    June 12, 2015

    Audi’s CEO is concerned about Google’s incursion into Germany’s auto industry.

    As connected car technology goes, Google got in early with German luxury automakers. The tech giant’s Local Search first appeared in BMW vehicles way back in 2007, while Audi introduced Google Earth mapping to give owners a more realistic picture of navigation in 2009. In 2013, Mercedes-Benz added Google Street View to help graphically guide drivers to a destination.

    But recently the same automakers, along with the German government, have expressed caution over Google’s incursion into the car business on two fronts. As Google prepares to begin testing its prototype self-driving cars on public roads this summer, and is set to roll out the Android Auto infotainment platform that takes over a vehicle’s in-dash display and controls, German carmakers and lawmakers have become increasingly vocal about keeping the company’s automotive ambitions in check, especially as it relates to data mining.

    Audi CEO Rupert Stadler voiced concerns about Google this week during a Berlin conference also attended by Google exec Eric Schmidt. “A car today is a second living room—and that’s private,” Stadler said. He added that the automaker’s “customers want to be at the center” of the benefits that come from connectivity “and not exploited for it.”

    “They want to be in control of their data,” he added, “and not subject to monitoring.”

    While a group of automakers here in the U.S. recently developed a set of Privacy Principles to propose what data should be collected from vehicles and how it should and should not be used, the focus of the German companies is more on who controls the data generated by connected cars. “The data that we collect is our data and not Google’s data,” Stadler said late last year. “When it gets close to our operating system, it’s hands off.”

    VW Group CEO Martin Winterkorn also said at the time that the German automakers “seek connection to Google’s data systems, but we still want to be the masters of our own cars.” Dieter Zetsche, CEO of Mercedes Benz’s parent company Daimler, added that the auto industry needs to develop ways to process and store vehicle data so it doesn’t have to rely on third parties. “That’ll boost our position when working with Google,” he said.

    Source of National Pride and Revenue
    For Germany, the auto industry and its technology is not only a source of national pride but also the largest source of tax revenue in the country’s manufacturing sector. The German auto industry has lobbied regulators to take a restrictive line on data privacy, making it more difficult for a company like Google to establish a data-driven foothold in the car business.

    The German government is sympathetic to the automakers’ concerns. A position paper that German Chancellor Angela Merkel’s Christian Democrats party presented at its annual conference late last year noted that “soon the performance of car digital systems will play at least as big a role in consumers’ purchasing decisions as the company that builds the car.”

    Chancellor Merkel’s government has also made it a priority to prevent Google and others from building a monopoly position in self-driving cars. “We mustn’t under any circumstances let our development become dependent on companies like Google,” commented Joachim Pfeiffer, spokesman for Merkel’s parliamentary bloc on economic and energy policy.

    Given the sluggish pace at which the automotive industry moves—and that Google is already entrenched in German luxury cars—this could be a slow war of attrition that will play out over the course of several years. In the meantime, Google’s Eric Schmidt struck a conciliatory tone at the conference where Stadler made his comments this week.

    Google wants “to emphasize we’re doing this with partners. In our case, we’re working with a whole infrastructure here in Germany,” Schmidt said. But Google has to convince the German automakers and government that it can work with them without competing for driver data and help them “make money without doing evil.”

    “Google tries to accompany people throughout their day, to generate data and then use that data for economic gain,” said Daimler’s Zetsche. “It’s at that point where a conflict with Google seems pre-programmed.” And inevitable.

    “A car today is a second living room—and that’s private…customers want to be at the center [of the benefits that come from connectivity] and not exploited for it…They want to be in control of their data and not subject to monitoring.”
    That was how Audi CEO Rupert Stadler put it last July when he spoke about the potential damage the all-seeing eye of Google could do to the digital car experience. And not surprisingly, the German government is on board with the idea:

    Chancellor Merkel’s government has also made it a priority to prevent Google and others from building a monopoly position in self-driving cars. “We mustn’t under any circumstances let our development become dependent on companies like Google,” commented Joachim Pfeiffer, spokesman for Merkel’s parliamentary bloc on economic and energy policy.

    As far as national branding goes, that’s not a bad move. At least assuming these auto manufacturers don’t get caught commercializing or otherwise abusing that data for their own ends. It’s something VW CEO Martin Winterkorn no doubt recognizes these days:


    VW Group CEO Martin Winterkorn also said at the time that the German automakers “seek connection to Google’s data systems, but we still want to be the masters of our own cars.” Dieter Zetsche, CEO of Mercedes Benz’s parent company Daimler, added that the auto industry needs to develop ways to process and store vehicle data so it doesn’t have to rely on third parties. “That’ll boost our position when working with Google,” he said.

    And when we consider VW’s ongoing fraud scandal, it highlights part of what’s going to make the new EU data privacy rules so fascinating to watch unfold: There’s clearly a push to make the EU the global personal data warehouse of choice under the premise that users will get greater personal data protections when it’s under EU jurisdiction. And who knows, maybe there’s going to be really vigilant enforcement of all the new EU data privacy laws, which would be amazing and great.

    If that EU personal data haven does come to fruition we would expect a much larger share of the global personal data to fall under EU jurisdiction. But, of course, the more personal data EU businesses collect, the more tempted those businesses are going to be to find ways to make some money off that data. And if you listen to just the fretting on the part of German auto manufacturers over the prospect of Google getting its hands on that data it might seem like the plan is to create internet-connected cars that are effectively personal data havens and use that “branding” as a way to sell more cars. But when you listen to all the other plans the industry has for the future it’s becoming increasingly clear that the auto manufacturers want to keep Google’s (and Apple’s) hands off that data mostly so the automakers are the only ones to profit on it:

    Bloomberg Business
    Google Auto Faces German Resistance as Audi Guards Data

    Cornelius Rahn, Brian Parkin and Elisabeth Behrmann
    December 18, 2014 — 5:01 PM CST
    Updated on December 19, 2014 — 6:21 AM CST

    Google Inc.’s push into cars is meeting growing opposition in Germany, where lawmakers are backing the likes of Audi and Mercedes-Benz as they seek to limit the software company’s access under the hood.

    Like in a smartphone, Google’s Android Auto will let drivers interact with their cars’ music and navigation systems. What carmakers don’t want, though, is for Android to control cars just as it does phones and tablets.

    That also worries German politicians. They don’t want the country’s flagship industry to have its importance diluted if Google gains access to data on the behavior and whereabouts of cars and their passengers. And if the German manufacturers who dominate the technologically innovative luxury segment aren’t ready to play along, Google may find it more difficult to penetrate the industry as a whole.

    “The data that we collect is our data and not Google’s data,” Audi Chief Executive Officer Rupert Stadler said, echoing comments from Volkswagen AG CEO Martin Winterkorn and Daimler AG CEO Dieter Zetsche. “When it gets close to our operating system, it’s hands off.”

    Already concerned about Google’s market power, German Chancellor Angela Merkel’s government wants to prevent the Mountain View, California-based company from building a monopoly position as a partner for developing cars that will ultimately drive themselves. The automotive industry accounted for 6.5 percent of all taxable revenue in Germany in 2012, according to the Federal Statistical Office, making it the country’s biggest manufacturing sector.

    Google-Dependent

    “We mustn’t under any circumstances let our development become dependent on companies like Google,” said Joachim Pfeiffer, spokesman for Merkel’s parliamentary bloc on economic and energy policy.

    The market for assisted-driving software may reach 20 billion euros ($25 billion) by 2030, consulting firm Roland Berger said this month.

    Google spokesman Klaas Flechsig declined to comment on political opposition to the software maker’s plans.

    The company no longer has a target for the first Android Auto cars to be on the streets by the end of this year, Flechsig said. He declined to comment further on timing.

    When Economy and Energy Minister Sigmar Gabriel met Google Chairman Eric Schmidt in Berlin on Oct. 14, he told the American executive that he “admires Google — but I also admire the skills of an engineer who can build a car.” The European Union wants to establish its own “data architecture” to support economic growth, Gabriel said.

    Industry Lessons

    Lessons from the mobile-phone industry are fresh on executives’ and regulators’ minds. As more consumers relied on mobile applications and services, Android forced handset makers such as Samsung Electronics Co. and HTC Corp. to comply with its standards, largely stripping them of their individual strengths. Within five years of the operating system’s introduction, European players Nokia Oyj and Ericsson AB quit making phones entirely.

    The more Google and other software makers manage to embed themselves in the ecosystem of a car, the more consumer money will go to technology companies instead of carmakers, said Juergen Reiner, a partner at consulting company Oliver Wyman.

    “There’s one point where carmakers can protect themselves from someone wedging themselves in between the producers and the customers,” Reiner said. “It’s about the data that’s created in and around the car.”

    The more Google and other software makers manage to embed themselves in the ecosystem of a car, the more consumer money will go to technology companies instead of carmakers, said Juergen Reiner, a partner at consulting company Oliver Wyman.
    And with all that potential money at risk, it’s no surprise that the politicians of a country like Germany, where 1 in 7 jobs are auto-related, are keen on seeing an EU-made data-architecture become the industry standard:

    When Economy and Energy Minister Sigmar Gabriel met Google Chairman Eric Schmidt in Berlin on Oct. 14, he told the American executive that he “admires Google — but I also admire the skills of an engineer who can build a car.” The European Union wants to establish its own “data architecture” to support economic growth, Gabriel said.

    And while it would be great to assume an EU-made “data architecture” for the future of internet-connected cars would be one where personal privacy is made a premium and all that potential money that could be made from exploiting that data is intentionally not made, it’s also pretty hard to believe that’s how it’s going to be. Especially when you read about studies like this:

    IDG News Service

    Connected cars gather too much data about their drivers, say motorists associations
    Cars report on how hard you drive and brake, but also on where you’re going and who you know

    Peter Sayer

    Nov 26, 2015 8:21 AM

    Car drivers may imagine they have greater privacy than public transport users, but that isn’t necessarily the case in modern, connected cars, European motoring organizations warned this week.

    To help identify faults or plan maintenance, manufacturers are able to gather performance data from connected cars such as the total distance travelled, or the length and number of trips made.

    But drivers may be unaware of just how much other information such cars allow manufacturers to gather about them.

    A study conducted by German motorists organization ADAC for European lobby group FIA Region 1 found that in addition to trip and distance data, one recent model reported maximum engine revolutions, the status of vehicle lights — and far more besides.

    The car, a BMW 320d, also recorded the length of time the driver used different driving modes, and recorded when the seatbelt tightened due to sudden braking. More sinisterly, it also transmitted the latest destinations entered into the car’s navigation system, and personal information such as contacts synchronized from mobile phones.

    ADAC only examined one car, and wants to extend the study to see how other brands behave, a spokeswoman said.

    But FIA wants car manufacturers to come clean themselves, without waiting to be unmasked: It asked them to publish an easily understandable list for each model of all the data collected, processed, stored and transmitted externally.

    With the risk that the data might be intercepted or the car hacked and the data taken, FIA wants carmakers to secure the data, and to make it possible for drivers to block the processing or transmission of non-essential data.

    It will soon be impossible for car buyers to purchase non-connected vehicles in Europe, as from April 2018 all new vehicles must include support for eCall, a system that in case of accident automatically communicates its exact location to emergency services, with the time of incident and the direction of travel (most important on motorways). To do that, it will need to be continuously monitoring its position and have a mobile data connection to report back in case of incident.

    Once automotive manufacturers have gone to the trouble of installing such hardware, it’s unlikely they will pass up the opportunity to link in potentially revenue-generating services such as music streaming, traffic information or location-based recommendations.

    Should they take that step, though, FIA wants them to give car owners the opportunity to switch providers for such services, as it believes that that way they will get the lowest prices and the most innovative products.

    The car, a BMW 320d, also recorded the length of time the driver used different driving modes, and recorded when the seatbelt tightened due to sudden braking. More sinisterly, it also transmitted the latest destinations entered into the car’s navigation system, and personal information such as contacts synchronized from mobile phones.
    Wow, so the FIA decides to study what consumer information is getting sent back to manufacturers, they choose a single model to start their study, the BMW 320d, and it turns out the car sends personal information like contacts synchronized from mobile phones back to BMW. And what’s FIA’s recommendation? That internet-connected cars should offer owners the opportunity to switch service providers, which is basically the opposite of the “it’s our data!” attitude expressed by the manufacturers. And starting in 2018, the EU is mandating that ALL new cars be internet-connected and constantly streaming data:

    It will soon be impossible for car buyers to purchase non-connected vehicles in Europe, as from April 2018 all new vehicles must include support for eCall, a system that in case of accident automatically communicates its exact location to emergency services, with the time of incident and the direction of travel (most important on motorways). To do that, it will need to be continuously monitoring its position and have a mobile data connection to report back in case of incident.

    So there’s a pretty massive conflict of interests emerging in the auto industry and it’s not just a conflict between consumers and a manufacturer. It’s a conflict between consumers and ALL the different manufacturers whose technology might have access to the personal data generated by the vehicle. And also a conflict between all those manufacturers who all have an economic incentive to be the sole collectors of that data.

    But there’s another interesting potential conflict on the horizon and that involves each nation’s data privacy regulators. The way the new laws work, each nation is going to be in charge of enforcing the data privacy rules according to its own interpretations of those rules and a company only needs to follow the rules of the EU country it’s headquartered in. This was seen as one of the biggest benefits from the new EU data privacy rules for companies operating in the EU.

    But there’s a catch: since EU member states have the flexibility to interpret and enforce rules somewhat differently, a compromise was made where the data privacy authorities of other EU member states can “object” to a particular member’s data privacy rulings. And if they can’t come to an agreement the whole dispute is arbitrated by the European Data Protection Board (EDPB). And as we saw with the German auto manufacturers and Google, there’s going to be A LOT of potential commercial disputes as various industries try to use data privacy rules to influence which firms can compete in different digital markets, whether it’s the traditional internet or the “Internet of Things”.

    So while internet companies can be pleased to see the final EU data privacy rules finally take shape, questions of how the conflicts get worked out between EU members over the inevitably differing interpretations of those rules (that might involve conflicting commercial interests and digital turf wars) and which members’ desires end up getting favored by the EDPB that resolves those conflicts are going to be something data privacy advocates (and everyone else) really need to watch:

    Reuters
    EU data protection reform may promise more than it delivers

    Tue Jan 5, 2016 7:44am EST

    (This December 21 story has been corrected to read Sidley Austin in paragraph 18)

    By Julia Fioretti

    Implementing the biggest shake-up to Europe’s fragmented data protection laws in two decades may fail to provide companies with the consistency and simplicity that had been promised across the 28-nation bloc.

    A patchwork of privacy laws in the European Union, dating back to 1995 when the internet was in its infancy, was criticized for lacking teeth and being interpreted differently across the EU.

    To tackle those failings, the EU last week agreed a sweeping overhaul of data protection rules which would introduce a single rule book, fines of up to 4 percent of a company’s global turnover and a simpler system of enforcement.

    The exponential growth in data — from people’s credit card habits, social media postings and wearable fitness devices tracking their sleep and movements — has fueled concerns that individuals do not have enough control over such information.

    The new rules should be a boon for web companies such as Google, Facebook and Amazon which do business across Europe and who currently have to deal with a series of national regulators.

    EU Justice Commissioner Vera Jourova said on Monday that a single data protection law would save businesses around 2.3 billion euros ($2.5 billion) a year.

    However, critics of the new measures question whether regulators will be able to cope with an increased workload and whether the regulatory overlap has genuinely been removed.

    “We are concerned that investors will be scared off from investing in Europe and will look outside the continent to finance the next big thing in technology,” said the Industry Coalition for Data Protection, whose members include Google, Facebook, Amazon and IBM.

    NATIONAL CONCERNS

    The rules are tougher in some obvious ways.

    Not all privacy regulators currently have the power to levy fines. When they do, the amounts are often paltry compared to the billions of dollars of revenues of the businesses involved.

    One of the most significant changes that companies were looking forward to was the “one-stop-shop”.

    Under the new law, which will come into force in two years, companies operating across the EU should only have to deal with the regulator in the country where they have their European headquarters.

    But it was watered down by member states who were eager to protect the power of their national regulators to investigate U.S. tech companies — which hold swathes of Europeans’ data — and ensure citizens could still complain to their local authority about a company located elsewhere.

    That means any “concerned” authority will have the power to object to the decision made by the “lead” authority — the one where the company has its EU headquarters.

    Lawyers say that the definition of a concerned authority is too broad and for some companies it will not be clear where their main European base is.

    “There is concern that the trigger for other data protection authorities to get involved is too low,” said William Long, Partner at law firm Sidley Austin LLP.

    But consumer groups say ensuring that citizens can still complain to their local regulator is important for protecting their privacy.

    “If that proximity to the citizen is assured in a way that I, as a consumer, can easily complain to my national supervisory authority…that is a victory for citizens,” said David Martin, senior legal officer at BEUC, the European Consumer Organisation.

    Lawyers also point out that the new EU rules leave many issues to the discretion of individual countries and there is still a risk that regulators could interpret them differently.

    “It would be bad if an Italian company were sanctioned more than a French one for the same thing,” Jourova said in an interview.

    If there is disagreement between regulators the case will be referred to a European Data Protection Board (EDPB), yet to be created, to take binding decisions.

    “The mechanism laid down in the data protection regulation establishes a hyper bureaucratic procedure that will lead to more complexity and longer procedures of law enforcement,” said Johannes Caspar, head of Hamburg’s data protection authority in Germany, which has jurisdiction over companies including Google and Facebook.

    “If there is disagreement between regulators the case will be referred to a European Data Protection Board (EDPB), yet to be created, to take binding decisions.”
    Yep, regulatory disagreements are going to get sent to the yet to be created EDPB. So it’s going to be pretty critical to see how the EDPB finally takes shape. Especially since its rulings will presumably impact rulings like the new fines that could reach 4 percent of global revenues for corporations. And note how the creation of the EDPB was apparently done to assuage concerns that member states wouldn’t be able to adequately investigate US tech firms for privacy violations of their citizens:

    Under the new law, which will come into force in two years, companies operating across the EU should only have to deal with the regulator in the country where they have their European headquarters.

    But it was watered down by member states who were eager to protect the power of their national regulators to investigate U.S. tech companies — which hold swathes of Europeans’ data — and ensure citizens could still complain to their local authority about a company located elsewhere.

    Yep, the whole system involving “objections” between member states and the creation of the EDPB was set up because some national data regulators were keen on ensuring companies like Google and Apple couldn’t find an EU member that’s more lenient on privacy violations (like Ireland), and shield themselves from, say, German data privacy regulators while still operating across the EU.

    But with the EDPB system set up to allow for fights between EU member states on data privacy issues that could have huge potential impacts on critical national industries, why would, for instance, German automakers be ONLY interested in keeping US or other foreign firms out of their internet-connected car markets? What about other potential EU competitors in the “digital cars” software that might be headquartered in, say, France? And don’t forget the mass surveillance policies of most EU member states have become much more mass surveillance friendly in recent years despite the post-Snowden freak out (and despite the passage of big new data privacy regulations). So if compliance with US mass surveillance policies is viewed as a viable reason for fining or blocking companies like Google or Apple out of the EU markets, what opportunities will the mass surveillance policies of individual EU states create for waging intra-EU commercial turf wars?

    And keep in mind that this is just the auto industry we’re talking about. Now imagine the rest of the “Internet of Things” that pops up going forward, all these digital things talking to each other, sharing data, and creating fun new data privacy headaches but also fun new opportunities for manufacturers to become the sole software provider (and sole data collector). Aren’t the manufacturers across the whole IoT going to have an interest in ensuring that they, and they alone, collect and profit from the personal data their devices collect? It’s hard to see why that wouldn’t be the case.

    So there’s no shortage of major questions about how the EU’s new data privacy regime will unfold and reshape the digital economy of the future. But one thing is very clear: Google is going to get sued. A lot. And Apple and probably the rest of the Silicon Valley personal data giants operating in the EU are totally getting sued too. Repeatedly. That’s basically a given at this point. The EDPB was set up for that purpose.

    Posted by Pterrafractyl | January 6, 2016, 8:19 pm
  18. Here’s a peek at all the fun new features currently under development by Audi for the next generation of internet-connected cars that will likely also be self-driving cars that allow the passengers to basically treat the car as a living room on the road (as Audi’s CEO once put it), with internet browsing and all sorts of other options. Also included is a system for measuring the passengers’ physical vital signs, like heart rate and skin temperature, and then using that information to make assessments about the passengers’ state of mind and modify the internal environment accordingly to make it as relaxing and rejuvenating a trip as possible. And then there’s the feature that turns each car into one part of a larger “swarm” that’s constantly feeding information to the cloud for the purpose of updating everyone about changing road conditions. All pretty neat! It’s also a whole new data privacy nightmare:

    The Auto Channel
    Piloted, Electrified and Fully Connected — Audi at the 2016 CES

    Interior model with new operating and display concept

    Audi e-tron quattro concept study with full-electric drive

    Evolution of the Audi connect portfolio to include Car-to-X communication and remote vehicle services

    Livestream and subsequent download of the Audi Press Conference at CES on Wednesday, January 6 at 7pm GMT available on Audi TV and Audi Media Center

    INGOLSTADT/LAS VEGAS –January 6, 2016: – At the 2016 Consumer Electronics Show (CES), Audi is presenting its latest technologies in the form of attractive solutions for today and visionary ideas for tomorrow. The world’s most important electronics show takes place January 6–9, 2016, in Las Vegas, Nevada (USA) and the focus for the brand with the four rings is on the three future automotive trends of electrification, digitalisation and piloted driving.

    The Audi e-tron quattro concept combines all of these innovations which build upon technologies that are used in its production cars today. Visitors will be able to experience the new control and display concept that has been implemented in an interior mock-up of the Audi e-tron quattro concept. Advanced development of Audi connect as well as new developments in lighting technology will also be showcased.

    New approaches: controls and displays

    User-friendly operation is an Audi strength, and now the brand with the four rings is expanding its operating and display concept (HMI, human-machine interface) with new solutions. The concept is being presented in an interior mock-up of the Audi e-tron quattro concept car. The curved OLED (OLED: Organic Light Emitting Diodes) of the new Audi virtual cockpit lies in the driver’s immediate visual field.

    The AMOLED (AMOLED: Active Matrix Organic Light Emitting Diodes) technology that is used offers new creative freedoms in designing display shapes. The two displays of the Audi MMI on the centre console offer an outlook on the digital future. Key functions can also be controlled conveniently by voice. Both displays exploit the advantages of a new type of touch recognition – what is known as Audi MMI touch response. Here, the selected functions are activated by gentle yet defined pressure on the display. This makes it possible to operate the system safely and with few distractions while driving.

    Behind the new operating and display concept is the latest extension stage of the Audi Modular Infotainment Platform, MIB2+. Its further boosted computing power makes it possible to drive several high-resolution displays.

    MIB2+ has been prepared for the latest mobile communications standard: LTE Advanced. It can download data into the car at a maximum speed of 300 Mbit/s. LTE Advanced also enables mobile telephony using the VoLTE (VoLTE = Voice over LTE) method, which shortens the time needed to make a phone connection and increases voice quality. Voice control has also become more powerful – it utilises both the on-board address book and a server in the cloud.

    The control and display concepts from Audi are already visionary today. The Audi virtual cockpit – a fully digital instrument cluster with a 12.3-inch TFT display – provides all information in intricately calculated and brilliant 3D graphics, in which drivers can choose between different views. The latest Audi models have MMI terminals on board that follow a new operating logic. This resembles the concept that is familiar from modern smartphones – flat hierarchies instead of complex menu trees. Voice control is available as an alternative.

    Audi connect

    The term Audi connect covers all applications and developments that network an Audi with its owner, the Internet, infrastructure and other vehicles. Audi continues to extend its lead in this technology field. An LTE/UMTS module of Audi connect connects to the Internet with download speeds of up to 100 MBit/s.

    The integrated Wi-Fi hotspot lets passengers freely surf the web, stream and text/e-mail with up to eight mobile devices. Customised services from the Audi connect portfolio are delivered to the car for the driver. They include traffic information online, Google Earth and Google Street View, parking information, fuel prices and flight, train and gate information. The Audi connect lineup is rounded out by City Events, individually configurable news, travel and weather information and other services.

    Audi will also be offering additional new services in Europe, and soon in the USA.

    They include emergency call that alerts the Audi Emergency Call Centre after an accident, online roadside assistance that calls the Audi Service Centre and Audi service request with which customers can schedule a service appointment.

    The free Audi MMI connect app brings more services into the car such as Online Media Streaming, which offers access to the services of the subscription music portals Napster and Rhapsody and the Aupeo! radio service. For owners of the new A4 and Q7 models, the Audi MMI connect app also offers remote vehicle services. From a smartphone, they can lock or unlock the doors or view the latest car status report. They can also have the parking location and parking time displayed. Other functions have been added for the Audi e-tron models – remote control of battery charging and climate control and access to driving data. The app’s remote functions can also be activated by a smartwatch, and effective at the beginning of 2016 by a fourth-generation Apple TV.

    In just a few months, the Audi connect SIM will be available for the new A4 and Q7 models in European markets. It is a permanently installed embedded SIM (e-SIM) that automatically brings Audi connect services into the car across Europe and does not require that the driver perform an activation procedure.

    It permits EU-wide roaming, because the SIM card can be automatically set to specific country providers as necessary. This eliminates country-specific roaming fees and annoying roaming confirmations.

    Regardless of which connect services are integrated, Audi owners can choose additional data packages for the Audi connect SIM at economical rates to operate the Wi-Fi hotspot. Here too, the data transfer automatically continues at the fixed price when crossing a border, i.e. when switching providers.

    In 2016, Audi is expanding its connect lineup to include the first Car-to-X technologies. The services traffic sign information and hazard information make the new Audi models part of a swarm. They report detected speed limits and hazardous locations, e.g. at points where a vehicle has broken down or the road surface is slippery, to a server in the cloud via the mobile phone network. The server collects the data, processes it, and provides it to other Audi drivers who have suitable equipment. The updated information also flows into regular map updates for the MMI navigation plus system, making it available to the entire Audi fleet.

    The traffic light information service connects the new models in the USA via the mobile phone network to the central traffic computer that controls traffic lights in the city. Based on the information from this system, the Audi virtual cockpit recommends a speed to the driver for reaching the next traffic light while it is green.

    Audi electrification strategy

    The Audi e-tron quattro concept, the brand’s conceptual study at CES, is an all electrically powered sport SUV. Three electric motors with a total output of up to 370 kW enable a quattro drive system and electric torque vectoring for maximum dynamic performance and stability. The 95 kWh battery, located between the axles and therefore in an ideal position in terms of the centre of gravity, enables a range of over 310 miles. The Audi e-tron quattro concept car is a preview of a future production model that will arrive on the market in 2018.

    Piloted driving

    The Audi e-tron quattro concept has piloted driving technologies on board, which Audi will be launching into production in the near future. They include piloted driving in traffic jams and piloted parking. These services represent greater safety, time savings, efficiency, comfort and convenience. The systems can make a valuable contribution toward safety, especially in situations in which the driver is either overwhelmed or underwhelmed by driving tasks. The core component of future systems will be the central driver assistance controller, known as the zFAS. Information is continually acquired from all of the car’s sensors and processed in this compact module. They include signals from the 3D cameras, the laser scanner and radar and ultrasonic sensors. The high computing power of the zFAS gives it the ability to continually compare the data of vehicle sensors to the environmental model of the road.

    Especially in this area, Audi will benefit from the highly up-to-date HERE maps database, which AUDI AG acquired together with the BMW Group and Daimler AG in December 2015. In the future, self-driving vehicles will need to be based on a new data source with centimetre accuracy. The live data approach of HERE makes it possible to evaluate all sorts of changes and movements and recognise potential hazards in an extremely short time. In addition, vehicle sensors will send anonymised feedback to the cloud in real time – not only about the current traffic situation, but also about changes, e.g. related to the road condition, detours or other disturbances. In addition, HERE serves as a database with information on hotels and businesses, parking places and events. This is an example of how Audi is generating swarm intelligence with a high level of relevance.

    The Audi VR experience

    Audi is the world’s first carmaker to develop its own software and hardware solution for virtual reality applications by introducing the Audi VR experience in 2016. Customers can use virtual reality glasses to experience the car of their choice at a dealership with unprecedented realism – in 3D, with a 360-degree panoramic view, sound effects and all available features.

    Audi Fit Driver

    The Audi Fit Driver project is focusing on the well-being of the driver. Audi has a vision of drivers who step out of their cars at their destinations feeling more relaxed than when they stepped into them. A wearable – a fitness wristband or watch – monitors important vital parameters such as heart rate and skin temperature. The car’s sensors supplement them with information on driving style, breathing rate and relevant environmental data such as the weather or traffic situation. By analysing the combination of this data, the car can deduce the current state of the driver, e.g. whether the driver is stressed or overly tired. The vehicle systems then adjust their modes of operation to relax, vitalise, or even protect the driver.

    In a later extension phase, Audi Fit Driver will also incorporate driver assistance and safety systems as well as systems for piloted driving – with functions that extend all the way to piloted emergency stops with emergency calling. When it comes to data protection, the usual strict regulations by Audi apply.

    “The Audi Fit Driver project is focusing on the well-being of the driver. Audi has a vision of drivers who step out of their cars at their destinations feeling more relaxed than when they stepped into them. A wearable – a fitness wristband or watch – monitors important vital parameters such as heart rate and skin temperature. The car’s sensors supplement them with information on driving style, breathing rate and relevant environmental data such as the weather or traffic situation. By analysing the combination of this data, the car can deduce the current state of the driver, e.g. whether the driver is stressed or overly tired. The vehicle systems then adjust their modes of operation to relax, vitalise, or even protect the driver.”

    That’s quite a car. And while such features are cutting edge today, they’re probably going to be standardized over the next decade. And while passengers can presumably just not wear the wristband/watch if they aren’t super comfortable with a car that can “deduce the current state of the driver”, it would be interesting to learn if this internal passenger-focused sensor data is part of the rest of the vehicular sensor data that’s getting streamed back to Audi:

    The Audi e-tron quattro concept has piloted driving technologies on board, which Audi will be launching into production in the near future. They include piloted driving in traffic jams and piloted parking. These services represent greater safety, time savings, efficiency, comfort and convenience. The systems can make a valuable contribution toward safety, especially in situations in which the driver is either overwhelmed or underwhelmed by driving tasks. The core component of future systems will be the central driver assistance controller, known as the zFAS. Information is continually acquired from all of the car’s sensors and processed in this compact module. They include signals from the 3D cameras, the laser scanner and radar and ultrasonic sensors. The high computing power of the zFAS gives it the ability to continually compare the data of vehicle sensors to the environmental model of the road.

    Especially in this area, Audi will benefit from the highly up-to-date HERE maps database, which AUDI AG acquired together with the BMW Group and Daimler AG in December 2015. In the future, self-driving vehicles will need to be based on a new data source with centimetre accuracy. The live data approach of HERE makes it possible to evaluate all sorts of changes and movements and recognise potential hazards in an extremely short time. In addition, vehicle sensors will send anonymised feedback to the cloud in real time – not only about the current traffic situation, but also about changes, e.g. related to the road condition, detours or other disturbances. In addition, HERE serves as a database with information on hotels and businesses, parking places and events. This is an example of how Audi is generating swarm intelligence with a high level of relevance.

    Could the “Audi Fit Driver” data get sent back to Audi too? We’ll have to wait for more product information to find out but it’s an example of the kind of data that cars are going to be generating in the future and it’s hard to see how accessing and commercializing that data isn’t going to be increasingly tempting. Let’s hope those data privacy regulators keep an eye on this.

    Also keep in mind that the kind of personal data generated by these next generation cars isn’t just useful for potentially selling to third parties or more effectively marketing to your own customers. It’s also incredibly valuable for developing the next generation of that same technology. Especially when it comes to the artificial intelligence systems that use “deep learning” to intelligently navigate the car’s environment:

    Audiusa.com
    Deep learning is at the core of Audi piloted driving

    June 04, 2015 | HERNDON, Virginia

    Working with partners such as NVIDIA, Audi uses machine learning to advance piloted driving
    Artificial intelligence in piloted Audi cars simulates human learning
    Deep learning was key to the 550-mile piloted driving run of Jack the A7 in January

    As Audi perfects its approach to piloted driving, its engineers are relying on an advancement that developers call “deep learning” to train computers to imitate the human brain.

    Progress in this form of machine learning was crucial for the piloted-driving run of “Jack,” the Audi A7 Sedan that transported a group of automotive journalists some 550 miles from Silicon Valley to the International Consumer Electronics Show in Las Vegas in January.

    And deep learning is at the center of the fast evolution of piloted driving toward a commercially available vehicle that can get itself to any destination with little human help.

    Working with key suppliers such as NVIDIA, the digital-tech company based in Santa Clara, California, we are creating an automobile-computer model that simulates the way the brain processes new information.

    Think of the car’s way of learning as similar to a child’s. Caregivers teach a baby to identify things she perceives with her senses: a circle, a square, colors. Object edges are very important in this process. The edges form meaningful, distinct shapes, which the brain starts to recognize. A fire truck is red, has a certain shape and wheels, but at first, the baby might think all trucks are fire engines. Then the child learns to differentiate between different kinds of trucks.

    That’s how the nexus of our piloted driving technology – the zFAS central driver-assistance controller – works. Pixels are generated by camera images, similar to how the human eyeball transfers images to the brain. The Audi processor, about the size of a tablet PC and powered by NVIDIA’s Tegra processor, analyzes every frame of video that comes in, and it senses edges which it groups into shapes. It learns that the shapes are objects, then learns to differentiate those objects.

    This artificial intelligence enables the Audi processor to detect, for instance, features such as eyes, a nose and mouth, and it figures out that they all fit into a face. It also allows Audi vehicles to detect and identify other vehicles. All of this information goes into a database to foster future advances in such recognition. The system serves as one of the important bases of intelligence for piloted driving.

    With every mile, the car gets smarter. But it takes more than terabytes of such data to make for successful autonomous driving. The data also must be processed very quickly: 30 video frames a second. The information must be transmitted, recognized, processed, analyzed – and provide a reaction – almost instantaneously, in case an Audi driver is encountering tricky conditions.

    That’s why one of the most important objectives of deep learning is to ensure that every bit of object recognition is embedded in the processor in the Audi vehicle, not dependent on the internet cloud.

    Move over KITT!

    That’s how the nexus of our piloted driving technology – the zFAS central driver-assistance controller – works. Pixels are generated by camera images, similar to how the human eyeball transfers images to the brain. The Audi processor, about the size of a tablet PC and powered by NVIDIA’s Tegra processor, analyzes every frame of video that comes in, and it senses edges which it groups into shapes. It learns that the shapes are objects, then learns to differentiate those objects.

    This artificial intelligence enables the Audi processor to detect, for instance, features such as eyes, a nose and mouth, and it figures out that they all fit into a face. It also allows Audi vehicles to detect and identify other vehicles. All of this information goes into a database to foster future advances in such recognition. The system serves as one of the important bases of intelligence for piloted driving.

    Now your car is going to develop facial/auto recognition technology that gets “smarter” the more you let it observe the world. And this “deep learning” is intended to take place in the car itself and not rely on a constant internet connection and remote servers to process the data, which makes sense for something like a moving vehicle. But as Audi also points out, part of the improvement in artificial intelligence will come from using the data gathered in the early models and throwing it into “a database to foster future advances in such recognition.” That sure sounds like all that data is getting sent back to Audi.

    So in the not too distant future our cars could be equipped with “deep learning” technology that includes facial and vehicular recognition technology that’s constantly monitoring your car’s surroundings and sending that info back to your auto manufacturer for the purpose of developing the next generation of the technology. At least, let’s hope that’s all they use it for. As Audi points out above, “When it comes to data protection, the usual strict regulations by Audi apply.” And technology like the “Audi Fit Driver” system that monitors the passenger’s mood is only available in Audi’s German models for the time being, and Germany, at least officially, has some of the strongest data privacy laws in the world. But at some point technology like that is going to be exported to countries with different data privacy standards, which is going to make it very interesting to see just how much data our future cars start sweeping up as cars fitted with an array of sensors and “deep learning” artificial intelligence become the norm and what the laws are regarding who “owns” that data and how it can be used.

    Also don’t forget that Audi is owned by VW. So while there are indeed laws that will determine how that personal data is used, whether or not those laws are respected is a very open question.

    Posted by Pterrafractyl | January 8, 2016, 12:03 pm
  19. Here’s another look at how the issue of ownership over the data gathered by the vehicles we drive (or ride in while they drive themselves) is poised to become an increasingly complex question. Data ownership is going to be enough of a headache when you have car manufacturers fighting with digital service providers like Google over who owns what. But how about the cars you rent or lease? That’s a bigger headache:

    Fleet News

    Fleets call for clarity on data access of connected cars

    Author: Tom Seymour
    11/01/2016 in Fleet Industry News

    The fleet industry is growing increasingly concerned at the lack of clarity around how manufacturers are collecting data on vehicles and drivers, as more connected car features are introduced to the new car market.

    Fleet representative body ACFO and the British Vehicle Rental and Leasing Association (BVRLA) are seeking clarification on who owns the data collected, used and protected by fleets and manufacturers.

    John Pryor, ACFO chairman, believes that while some larger fleets may be aware of the level at which brands are collecting data on vehicles, generally awareness is low.

    He said: “The big trouble is with who owns this data. Is it the manufacturer? Is it the fleet? Is it the leasing company? Who has the right to know and is it possible to switch off that data collection when cars are being used away from work for personal use?

    “There are still big questions that need addressing and there is so much to look at with this.”

    With an estimated 80% of cars expected to be connected by 2016, the industry is experiencing an explosion in the amount of data that is generated and processed.

    An increasing number of fleets are having telematics devices installed into their vehicles, and manufacturers are keen to gain market share.

    Mercedes-Benz has its own telematics division, Fleetboard, and is looking to take a more central role in providing telematics and fleet software services directly to fleets.

    “The telematics suppliers have been first to market,” Pierre Lussier, Fleetboard manager at Mercedes-Benz France said. “But who is better to supply services for vehicles than the manufacturers themselves?”

    However, he said the big challenge is not only whether manufacturers have the ability to technically handle and interpret the masses of data collected from vehicles, but the legal implications that come with that.

    New EU data protection laws are due to be introduced in 2016 as regulators seek to catch up with the increased sharing and use of data via the internet.

    Rather than being legislation that can be interpreted, new data protection regulations will be binding across all 28 member states.

    Carlos Ghosn, Renault Nissan Alliance chairman and CEO and president of ACEA, the body which represents vehicle manufacturers in Europe, said manufacturers across Europe have set out five principles of data protection which the industry will adhere to.

    These principles include transparency, customer choice, ‘privacy by design’, data security and proportionate use of data.

    Ghosn said: “Data protection is an issue carmakers take very seriously, as we are committed to providing our customers with a high level of protection and maintaining their trust.”

    Models like the new Volvo XC90 do not have an OBD port for external parties to access diagnostic information, and manufacturers are widely expected to move to a cloud-based system in the future where all diagnostic information gained from modern vehicles’ sophisticated sensors is shared to the internet through an online portal.

    Lussier, who was speaking at the recent TU-Automotive ‘monetise connected fleet data’ webinar, said manufacturers will be looking to track data on engines, emissions, driver behaviour, fuel efficiency and wear and tear as well as advanced real-time mapping and traffic information.

    That data could then be passed on to fleets and leasing companies to improve operating efficiencies, plus franchised dealerships, taxation services, insurers, emergency services and road authorities.

    Lussier said: “The sensors in vehicles can now pick up a lot of information and the cameras built into modern cars make what we can collect extremely accurate.”

    He sees a future in which every car could be like a ‘Google Maps’ car, analysing every road they are on, updating routes and traffic problems in real time for every other car to access.

    “At the moment, we’re at the frontier and the situation with vehicle data is a bit like the wild west, from a legal perspective,” he said.

    The BVRLA is campaigning for vehicle owners and drivers to be in charge of how their data is used and wants the Government to support the introduction of open, standardised and secure platforms to enable this to happen.

    Gerry Keaney, BVRLA chief executive, said: “The arrival of the connected car means that the dashboard is now a point of sale for all kinds of products and services, while vehicles themselves have become telematics devices, capable of delivering gigabytes of valuable real-time data.

    “Regulators and legislators are trying to ensure they keep pace with this new environment, but the fact is that current data protection, type approval and block exemption regulations are well out of date.”

    Keaney recognises it will take time to put a new regulatory environment in place, but he wants to make sure vehicle owners have the right to opt out of any connected offerings that might conflict with the services BVRLA members offer, for example breakdown or roadside assistance, accident services and the arrangement of any servicing and repairs.

    He said: “We are also seeking clarification around which driver data is collected by manufacturers and who is responsible for meeting data protection rules.”

    However, as more and more connected data becomes available, Chevin Fleet Solutions says that basic questions remain unanswered.

    Ashley Sowerby, managing director at Chevin Fleet Solutions, said: “This is a fast-moving area but one where the potential benefits for fleets are substantial so it is important that, as an industry, we work to get things right.

    “There are many questions to resolve but probably the one that concerns us most is who controls the data generated by connected cars and who has access to it?

    “Manufacturers may want to act as gatekeepers to this information but it is doubtful that they can claim to have ownership of the data.

    “After all, it is generated by the fleets [or leasing companies] that own the vehicles in question.”

    Sowerby told Fleet News it was difficult to predict whether manufacturers would replace the current telematics sector. But he added: “Whatever the outcome, there will definitely be a need for ever-more sophisticated fleet management software to enable managers to make sense of the huge amount of information that will become available to them.”

    He is calling for key stakeholders in the fleet industry to “hammer out some basic standards”.

    Chevin holds operational data on more than 850,000 vehicles that are managed using its FleetWave software, so has some experience of the kind of issues that connected vehicle data bring.

    Sowerby said: “The data that we hold has a commercial value. We can access information on how thousands of different types of vehicles operate in real world conditions.

    “From time to time, we have been approached by organisations who would like access to that data and we have refused, but it shows that there is an appetite for the kind of information that the connected car and van will provide.”

    Sowerby wants the industry to have an open dialogue to raise concerns, “rather than stumbling into compromises”.

    “The data that we hold has a commercial value. We can access information on how thousands of different types of vehicles operate in real world conditions…From time to time, we have been approached by organisations who would like access to that data and we have refused, but it shows that there is an appetite for the kind of information that the connected car and van will provide.”

    Posted by Pterrafractyl | January 19, 2016, 10:44 am
  20. @Pterrafractyl

    Thanks for all you do to shed the light that you shed. When it comes to big data and car fleets and big data in general the internet of things definitely and who controls the data are huge issues. I think Dave is right and it is mostly going to be the milieu Paul Manning wrote about and they are mostly going to run the show.

    Sincere thanks,
    GK

    Posted by GK | January 22, 2016, 10:59 pm
  21. @GK: One of the things to keep in mind regarding who owns the data on car fleets is that the data privacy rights for the digital cars and the Internet of Things in general are almost certainly going to be weaker for devices that are rented/leased vs privately owned. In other words, Google or Volkswagen might both potentially gain access to some of the private data privately owned by an individual who uses the car’s various digital tools. But Google, Volkswagen, fleet operators, and all sorts of other third parties are potentially going to have access to a lot more car-derived private data if that digital car happens to be rented or leased.

    So with that public vs private duality in data privacy protections in mind, it’s worth noting that General Motors just announced a partnership with Lyft to create a fleet of self-driving cars, and the president of General Motors later stated that self-driving car technology will first get released to the public in the form of car-sharing services operated by companies like GM and Lyft, as opposed to privately owned self-driving cars. He also predicted that these car-sharing fleets of self-driving cars will know you personally and be customized to your digital tastes. So the self-driving car revolution, as envisioned by the current major stakeholders, is going to start off as a self-driving car-sharing rental service:

    Mashable
    Self-driving cars will come to car sharing before showrooms, GM says

    By Nick Jaynes
    January 13, 2016

    DETROIT — Turns out, the first self-driving car you will ride in won’t be one you own; it’ll be one you order up on your smartphone from Lyft.

    “The first mainstream deployment of autonomous vehicles won’t be to customers but to a ride-share platform,” General Motors President Dan Ammann told Mashable at the North American International Auto Show.

    “We’re going to have a car that operates only in downtown Austin that has a maximum speed of 30 mph and operates in controlled conditions”

    Ammann later clarified he was speaking hypothetically; although GM recently announced a partnership with Lyft, self-driving robo-taxis in Austin are not imminent.

    This revelation comes just days after GM announced it was investing $500 million in a strategic partnership with the ride-sharing company.

    The GM-powered Lyft cars could be more than just self-driving Chevy Volts or Malibu Hybrids; they will be digitally personalized to you — even before you open the door.

    With your Lyft profile, the car will know who you are and your preferences and will arrive preset with all the things you like — think Spotify playlists and ideal seat settings. All you’ll have to do is tell it where you’re going within downtown Austin and it’ll take you there autonomously.

    Though Ammann was unwilling to give a specific timeline for the rollout of this autonomous test fleet, he said it would be sooner than a self-driving car being offered for sale to customers. There are two strong reasons why. First, the average car today sits unused 95% of the time, which is hugely inefficient. An autonomous Bolt in a Lyft fleet would be in use around 60-70% of the time.

    Plainly, full autonomous technology is expensive — so is battery-electric technology as well as hydrogen fuel cells (Ammann tossed those three in together — not me). So right out the door, the economics are stacked against the likelihood of a customer choosing a self-driving car over a human-driven one. Lyft, however, could afford to pay such a price because it could run the car 16 hours a day while earning income for years on end. It makes much more sense.

    The second reason is that it is easier for GM to create a car that works in a known city within certain limits at or below 30 mph. Unlike a car you might drive to the mountain or past a parade or through a desert, the autonomous system has much less programming to handle.

    Importantly, expanding into car-sharing, General Motors isn’t sacrificing its current business model but rather expanding it. Ammann explained that the majority of the carmaker’s profits come from selling trucks and SUVs to people who live outside urban centers. Changing their business model inside cities doesn’t affect that but rather opens up a big new profit opportunity.

    That said, Ammann does see a business case for offering self-driving cars to retail customers some time down the road. In the short-term, however, GM is going to cut its autonomous teeth with Lyft.

    “With your Lyft profile, the car will know who you are and your preferences and will arrive preset with all the things you like — think Spotify playlists and ideal seat settings. All you’ll have to do is tell it where you’re going within downtown Austin and it’ll take you there autonomously.”
    For the car-sharers of the future, car-sharing services like what Lyft and GM are envisioning could become the more affordable version of owning a personal car. And if fewer cars are needed to transport people, that is a real increase in efficiency, which is exactly what a resource-constrained world needs. But it’s an efficiency that’s going to potentially turn companies like Lyft and GM into new personal data collectors of a similar vein to what Google or your cellphone company already do. The “Lyft Profile” sure does sound like a Google-ish digital profile, and it seems likely that GM has similar ambitions to the German auto manufacturers that made it clear they want to restrict access to the personal digital/internet information generated from the digital cars they manufacture to themselves.

    And that’s just internet-connected car-sharing at the very expensive end of consumer products. Offering customized digital services like internet access when you’re in the car (but then also quietly tracking the usage of that service) could be one of those things that gets incorporated into all sorts of shared internet-connected physical objects going forward, especially at the free-or-nearly-free end of the spectrum, because free devices offering internet usage services will eventually be able to pay for themselves by mining that usage. Sort of like what 21 Inc is doing with free bitcoin-mining devices, but instead of mining bitcoins, the devices could offer internet services in exchange for tracking your usage of those services. Who knows what’s going to be possible in that sector as wireless internet access becomes more and more available and the Internet of Things explodes. Mark Zuckerberg’s controversial Internet.org initiative to provide free access to poor Indians to a Facebook-selected subset of the Internet (Facebook also gets to track your usage on it) is a great example of the kind of “free” internet services that the internet content giants like Facebook are going to be interested in providing, but that’s just the content side of things. The Internet of Things is going to create opportunities to provide free (but spying) internet access, especially if it’s to a free (but spied on) internet walled garden like Zuckerberg’s.

    At the same time, even if the Internet of Things explodes with free spyware, the digital cars really are going to be uniquely powerful sources of personal information simply because they’re going to be bristling with more and more sophisticated environmental sensing devices as self-driving technology advances, devices that are going to be collecting data that goes far beyond your internet usage. Internet-connected cars with cameras and “deep learning” facial recognition software turn every digital car into something analogous to a Google Maps car, except they’ll potentially be mapping the outdoor movements of the random people in your town as they get picked up on the cameras of growing fleets of self-driving internet-connected cars covered with sensors and facial recognition technology.

    So in the future a number of us are probably going to be accessing the internet on our way to work as we ride in our shared autonomous car, with the internet device manufacturer, auto manufacturer, and car-sharing fleet operator like Lyft all potentially claiming access to that internet usage data. And your car will be constantly scanning and identifying people in your environment and potentially sending it back to a headquarters. The age of the smartphone data privacy nightmare is growing alarmingly quaint.

    Posted by Pterrafractyl | January 24, 2016, 11:34 pm
  22. With the US and EU still trying to hammer out some sort of replacement for the Safe Harbor data sharing agreement, it’s worth noting that the Safe Harbor agreement with the EU wasn’t the only Safe Harbor agreement to dissolve in recent years following the Snowden affair. As the article below notes, the US-Swiss Safe Harbor agreement was also deemed invalid. And as a new US/Swiss data sharing agreement gets worked out, one thing is clear: once Swiss data leaves Switzerland and travels to the US, the Swiss would like the replacement for Safe Harbor to minimize access to that data by US law enforcement and national security services to the greatest extent possible. And don’t forget that Swiss law also views business data as personal data, and personal data has extremely high legal protections in Switzerland. So if you’re an extremely high-net-worth individual that doesn’t just have a lot of money to hide, but also a lot of personal or business data you’d really like to keep out of authorities’ hands, and you hadn’t already considered moving to Switzerland, it might be time to consider a life in Switzerland:

    The Daily Dot

    Can Switzerland become a safe haven for the world’s data?

    By Jonathan Keane
    Apr 19, 2016, 10:43am CT

    As United States and European Union regulators debate a sweeping new data-privacy agreement, Switzerland is presenting itself as a viable neutral location for storing the world’s data thanks to strict privacy laws and ideal infrastructure.

    The Swiss constitution guarantees data privacy under Article 13. The country’s laws protecting privacy are similar to those enacted by the E.U. Swiss data protections are also, in some cases, much stricter than those of the E.U., according to Nicola Benz, attorney at Swiss law firm Froriep. And since Switzerland is not part of the E.U., data stored there remains outside the reach of the union’s authorities.

    “Swiss law contains things that we call blocking statutes,” Benz said, “which mean that foreign authorities can’t conduct their authority’s functions on Swiss soil unless they follow the proper judicial channels.” The country’s tight privacy laws could make the small nation more attractive to privacy-focused start-ups. And it already has that momentum.

    After the former NSA contractor Edward Snowden’s 2013 revelations about the National Security Agency’s secret surveillance activities, Switzerland witnessed something of a boom in its data-center business. Phil Zimmermann, creator of the popular PGP encryption protocol and founder of Silent Circle, even left the U.S. for Switzerland last year, citing the overreach of American authorities.

    Andy Yen, CEO of Swiss-based encrypted email service Protonmail, said that the country has robust processes in how it carries out data requests from authorities.

    Data requests have to go through a court like in most countries, said Yen, but “the person that’s having their data requested needs to be notified eventually about the request happening and there’s an opportunity to fight it in an open court. This is quite different than the U.S., where things can go through a so-called FISA court.”

    Hoping to make the most of the opportunity, data center operators are trying to woo companies into storing data in the country.

    Vigiswiss, a trade group of Swiss data center companies, is promoting Switzerland as the “world’s safe haven for data” through its privacy laws and a charter for members to abide by, such as the types of data they store.

    “For company data, the level [of protection] is higher than in the E.U. because we consider company data as personal data, which is not the case in the E.U., so that’s why companies have an interest in putting their data in Switzerland,” said Florian Ducommun, a lawyer and member of Vigiswiss’ strategic board.

    “We do things properly, and we follow the rules, and we are committed to the security of your data.”

    But storing data in Switzerland is one thing. Transferring data to and from the U.S. is another issue, as we have seen with the collapse of Safe Harbor, which the E.U.’s top court struck down in October over concerns about U.S. surveillance, and the debate over its successor, a pact known as Privacy Shield.

    When Safe Harbor died last year, it left a lot of question marks around Switzerland’s own agreements with the U.S., known as the U.S.-Swiss Safe Harbor framework, which is also now invalid. The loss of Safe Harbor also caused consequential complications for U.S. technology firms, like Google and Facebook, which regularly transfer data to European countries and back to the U.S.

    A spokesperson for Switzerland’s Federal Data Protection and Information Commissioner (FDPIC) told the Daily Dot that it is currently recommending Swiss businesses and authorities “enter into additional contractual guarantees and arrangements to secure better protection for personal data” transferred to the U.S.

    In March, Switzerland appointed a new data protection commissioner, Adrian Lobsiger. The ongoing Privacy Shield discussions will likely inform the path that his office takes, according to law firm Prager Dreifuss in a paper published in January, but concerns still linger over surveillance once data leaves the country.

    “Certainly our recommendation to most clients is that even once this new Privacy Shield comes into play, they should probably keep their [contract] agreements in future,” said Benz. “We’re still not confident that the Privacy Shield will stand up to test.”

    For all its promises of data security within the country, Swiss data-center providers and the Swiss government cannot, at this time, prevent abuses once data leaves its borders.

    “Other governments, we’ve seen with the whole Snowden affair, may still be looking at the data, so it’s very much a question of what technical safeguards are in place. There’s nothing that Switzerland can do as a state, any more than any other state, to stop that,” said Benz.

    Domestic surveillance is a concern, too. In September 2015, the government passed a new law to expand law enforcement’s surveillance capacities. However, given Switzerland’s model of direct democracy, anyone who gathers more than 50,000 signatures in opposition within 90 days will halt the law coming into effect, pushing it instead to a public ballot.

    Protonmail and several other opposition groups did just that earlier this year, and that referendum will take place later in 2016.

    “This is very powerful because outside pressure can be put on the Swiss government to introduce new laws, but these laws cannot actually come to power unless the population approves of it,” Yen said of the referendum.

    Even with these victories and the country’s commitment to privacy, Switzerland’s position as a future “data refuge” will be put to the test, according to former FDPIC chief Hanspeter Thür.

    “We all know the United States like to enforce their laws abroad,” he said, “the future will show if Swiss institutions will be able to resist them.”

    “We all know the United States like to enforce their laws abroad…the future will show if Swiss institutions will be able to resist them.”
    Those were the words of the former Federal Data Protection and Information Commissioner chief Hanspeter Thür. It’s quite a sales pitch. On top of all the other sales pitches. Time to start packing those bags.

    Posted by Pterrafractyl | April 21, 2016, 9:22 pm
  23. Now that the US and EU finally hammered out the “Privacy Shield” transatlantic data sharing agreement to replace the “Safe Harbor” agreement the EU cancelled in the wake of the Snowden affair, the next step is reviewing the implementation of “Privacy Shield”. Forever. Annually. And the first review is coming up in September. That should be fun. Especially since, as the article below points out, one of the main reservations the EU still has with Privacy Shield is the bulk US data collection for potential use by US intelligence and law enforcement (and also potentially shared with the US’s EU partners…EU governments don’t complain about that as much). And in a motion passed by the EU parliament’s Committee on Civil Liberties, Justice and Home Affairs a couple weeks ago, the EU is still officially concerned about US bulk data collection. And as the article below notes, that EU parliament motion also includes a call for all members of the review team to have “full and unrestricted access to all documents and premises necessary for the performance of their tasks, including elements allowing a proper evaluation of the necessity and proportionality of the collection and access to data transferred by public authorities, for either law enforcement or national security purposes”. Which sounds like a call to make the various facilities used by US and EU governments to collect data open for inspection by US and EU review teams, along with a review of the actual bulk data collection policies. And the reviewers will then get to talk about what they saw and didn’t like. That’s what the EU’s committee that covers things like data privacy for the public is calling for going into the first review in September.

    And this is going to keep happening annually, so if that EU committee motion doesn’t pass this year, there’s always next year. And one of Trump’s first moves was to lower the barriers to data sharing between US government agencies. So it’s not like the EU won’t have plenty of stuff to complain about if it decides to make review team inspections a sticking point going into the first review. Or the second. So that’s all going to be rather fascinating:

    Out-law.com

    First EU-US Privacy Shield annual review to take place in September 2017

    The inaugural annual review into the operation of the EU-US Privacy Shield is to take place in September this year.

    03 Apr 2017

    EU justice commissioner Vera Jourová confirmed the timing of the review in a speech in Washington late last week.

    The Privacy Shield facilitates the transfer of personal data between the EU and US businesses signed-up to the scheme. The framework was put in place last year to replace a previous system which was effectively invalidated by the EU’s highest court in 2015.

    The European Commission has deemed that data transfers handled in accordance with the Privacy Shield principles will adhere to EU data protection law requirements. The Commission negotiated amendments with US counterparts to an earlier draft of the framework following criticisms raised by EU data protection authorities. However, the framework has continued to draw criticism from privacy campaigners and is the subject of two separate legal challenges.

    A recent motion put forward by MEPs cited concerns with the Privacy Shield, including how the scheme addresses US bulk surveillance powers and accounts for judicial redress for EU citizens in the US. It also highlighted concerns about limitations on the rights of data subjects and inconsistencies in wording compared with EU data protection law.

    The motion also referred to the forthcoming annual review of the framework, which will be conducted jointly by EU and US officials. It said the review should consist of “a thorough and in-depth examination of all the shortcomings and weaknesses” it and others, such as EU data protection authorities, have identified with the Privacy Shield, and that reviewers should “demonstrate” how those issues have been addressed to ensure the framework is compliant with fundamental EU rights and laws.

    In addition, the motion called for all members of the review team to have “full and unrestricted access to all documents and premises necessary for the performance of their tasks, including elements allowing a proper evaluation of the necessity and proportionality of the collection and access to data transferred by public authorities, for either law enforcement or national security purposes”. The reviewers should also each be given the freedom to “express their own dissenting opinions in the final report”.

    “In addition, the motion called for all members of the review team to have “full and unrestricted access to all documents and premises necessary for the performance of their tasks, including elements allowing a proper evaluation of the necessity and proportionality of the collection and access to data transferred by public authorities, for either law enforcement or national security purposes”. The reviewers should also each be given the freedom to “express their own dissenting opinions in the final report”.”

    Yep, this new annual review team thing is going to be interesting. Annually. Even when the review isn’t interesting, that’s sort of interesting.

    And, again, who knows what more Trump will do to piss off the EU between now and September? Oh wait, we do know. Trump and the GOP repealed the FCC regulation that would have prevented internet service providers in the US from selling the personal data they collect on their customers. That should do wonders for the September Privacy Shield review:

    Lexology

    Growing concern in Europe that privacy safeguards in the US are being undermined

    De Berti Jacchia Franchini Forlani Studio Legale
    European Union, Italy, USA
    April 7 2017

    On April 6, 2017, MEPs passed a resolution calling on the Commission to conduct a proper assessment to ensure that the Privacy Shield provides enough personal data protection for European citizens to comply with the EU Charter of Fundamental Rights and new EU rules on data protection. The Privacy Shield was laboriously negotiated and agreed in 2016 between the United States and the European Union to cover personal data transfers between these two markets crucial to world trade, in replacement of the previous Safe Harbor rules, which had been found by the European Court of Justice not to provide an adequate level of data protection.

    The European MPs’ concern regards a number of issues including:

    * new rules which entered into force in January 2017 allowing the US National Security Agency to share vast amounts of private data, gathered without court oversight, with a number of other agencies, including the FBI
    * insufficient independence of the Ombudsperson mechanism, added to the fact that the Trump administration has not yet appointed a new Ombudsperson
    * the fact that neither the Privacy Shield Principles nor letters from the US administration demonstrate the existence of effective judicial redress rights for EU individuals whose data are transferred to the US
    * the vote of the US Congress to repeal rules adopted by the Federal Communications Commission during the Obama administration, which were due to come into force later this year, and would have obliged internet service providers to give users an information notice and obtain their consent before collecting and selling their personal data.

    The Italian Data Protection Commissioner a few days earlier also expressed concern in relation to the repeal of the FCC rules. He pointed out that this is a regressive move, going against the increasingly prevailing trend worldwide in the direction of a greater protection of consumers’ data, since it allows providers to freely sell not only user profiles and purchase preferences, but even data revealing political and religious opinions and health data, classed in European law as sensitive data deserving a high level of protection. He said that this could have serious repercussions putting the Privacy Shield at risk.

    The bill repealing the FCC rules was signed by President Trump only days after a speech to the Center for Strategic and International Studies in Washington by Vera Jourová, EU Commissioner for Justice, Consumers and Gender Equality, in which she emphasized the potential of the Privacy Shield to strengthen the transatlantic economy while reaffirming shared values, but stressed at the same time the importance of ensuring that its key foundations remain in place. The repeal of the FCC rules and the removal of the privacy protection they entailed does indeed raise doubts as to whether some of the key principles of the Privacy Shield, including the Notice Principle, the Choice Principle and the Data Limitation and Purpose Limitation Principle, can be upheld.

    The Justice Commissioner in her speech also particularly mentioned that “there would be no Privacy Shield without Presidential Policy Directive no. 28 and the Ombudsperson. Both are central elements of the representations and commitments on which the [Privacy Shield] framework is built”. The reference to Presidential Policy Directive no. 28 (which sets out policies and procedures governing the safeguarding by US intelligence operators of personal information collected from signals intelligence activities, and extends to non-US citizens safeguards that require that surveillance of US citizens be limited to defined and legitimate purposes) may not have been casual, since the European MPs’ resolution also expresses concern in relation to recent revelations about surveillance activities conducted at the request of the NSA and FBI in 2015, a year after Presidential Policy Directive no. 28.

    Just a few days after the EU Commissioner for Justice, Consumers and Gender Equality gives a speech in Washington about concerns over ensuring the foundations of the new Privacy Shield agreement remain in place, Trump and the GOP unleash the ISPs.

    So it looks like we’re headed towards a ‘nobody knew how complicated international data privacy protection agreements were’ moment for Trump (and his fellow GOP enablers) in September. Your ISP definitely knew it was coming.

    Posted by Pterrafractyl | April 14, 2017, 9:26 pm