Spitfire List Web site and blog of anti-fascist researcher and radio personality Dave Emory.

Too Much of a Good Thing? Part 2: A Secret Trilogue and Business as Usual

With last week’s bliz­zard of Snow­den leaks hit­ting the news, the EU par­lia­ment over­whelm­ing­ly passed a draft set of new EU data pri­va­cy rules with a fast-tracked time frame of imple­men­ta­tion by mid April 2014. But, in a sur­pris­ing twist, David Cameron just man­aged to do away with the fast track­ing, argu­ing that the pro­posed rules would be an oner­ous bur­den on busi­ness­es. So the new EU data pri­va­cy rules are still com­ing, but not for at least anoth­er year and pre­sum­ably with a lot of changes:

Bloomberg
EU Fails to Speed Up Pri­va­cy Rule in Spite of Merkel Spy Ten­sion
By Stephanie Bodoni & Ian Wishart — Oct 24, 2013 7:43 PM CT

Euro­pean Union lead­ers dropped a 2014 dead­line to com­plete an over­haul of the bloc’s data pri­va­cy laws even as they con­demned alle­ga­tions that the U.S. eaves­dropped on Ger­man Chan­cel­lor Angela Merkel.

Lead­ers called for a strength­ened data-pro­tec­tion law to be intro­duced in a “time­ly” fash­ion. A draft ver­sion of their sum­mit state­ment had lan­guage seek­ing its adop­tion next year. A U.K.-led group urged a slow­down to con­sid­er the effect of the leg­is­la­tion on busi­ness­es.

“We stressed that we have to speed up the work, but it is a com­plex task. It’s not only relat­ed to the already dif­fi­cult issues of pro­tect­ing pri­va­cy, but it is also an impact on busi­ness,” EU Pres­i­dent Her­man Van Rompuy said after the first day of a two-day sum­mit. “We have to study this care­ful­ly.”

The over­haul of the pri­va­cy law, which could result in U.S.-based com­pa­nies includ­ing Google Inc. (GOOG), Face­book Inc. (FB), and Apple Inc. (AAPL) fac­ing fines as high as 100 mil­lion euros ($138 mil­lion) for data-pro­tec­tion vio­la­tions, was endorsed by a pan­el of EU law­mak­ers this week. Nation­al gov­ern­ments have to agree to the pro­pos­als before they can become law. At the sum­mit, lead­ers called for adop­tion of the law as part of the intro­duc­tion of new tele­com rules in 2015.

“We think there’s too much red tape in the pro­pos­al,” Markus Beyr­er, direc­tor gen­er­al of Euro­pean busi­ness fed­er­a­tion Busi­nessEu­rope, told reporters before the sum­mit. “We think there are too many things which might hurt data flow, which might hin­der growth.”

...

Hmmm...so what information do we have yet on the proposed anti-business rules Cameron is referring to? It must be pretty severe to warrant a delay on a bill with so much momentum behind it. It certainly suggests there’s going to be a lot to discuss during the “secret trilogue”:

Infos­e­cu­ri­ty
Euro­pean Civ­il Lib­er­ties Com­mit­tee Approves Cur­rent Draft Data Pro­tec­tion Reg­u­la­tion

22 Octo­ber 2013
Edward Snow­den’s leaked infor­ma­tion on the char­ac­ter and extent of NSA sur­veil­lance brought new impe­tus to the Euro­pean Com­mis­sion’s pro­posed new Gen­er­al Data Pro­tec­tion Reg­u­la­tion, which had been floun­der­ing under the weight of exten­sive US gov­ern­ment and busi­ness lob­by­ing.

For exam­ple, under the pro­posed leg­is­la­tion the trans­fer of data to third-coun­try author­i­ties (by com­pa­nies such as Google, Face­book, Apple and Microsoft) can only occur under Euro­pean law or an agree­ment based on Euro­pean law. This would mean that regard­less of FISA rules, such com­pa­nies could not pass Euro­peans’ per­son­al data to the NSA with­out fac­ing Euro­pean sanc­tions (which in the­o­ry could be a fine of up to 5% of glob­al turnover).

This was part of the orig­i­nal pro­pos­al from the Euro­pean Com­mis­sion, but had been dropped in the face of exten­sive US gov­ern­ment lob­by­ing. Now, fol­low­ing Snow­den’s rev­e­la­tions it has been re-intro­duced into the draft leg­is­la­tion (and the poten­tial sanc­tion increased from an orig­i­nal 2% to 5% of turnover).

The cur­rent draft pro­pos­al has now been approved by the Euro­pean Par­lia­men­t’s Civ­il Lib­er­ties Com­mit­tee (LIBE). It was accept­ed by a vote of 51 in favor, 1 against, and 3 absten­tions, after sev­er­al post­pone­ments over the sum­mer months. The pro­pos­al’s draftsper­son and rap­por­teur, Jan Philipp Albrecht, called it “a break­through for data pro­tec­tion in Europe” that “would over­haul EU rules, ensur­ing they are up to the task of the chal­lenges in the dig­i­tal age.”

But the dev­il, as always, is in the detail – and much con­fu­sion remains. Ad Age reports, “ ‘It seems to pro­vide for a com­plete block of cross-bor­der data flows unless the US agrees to EU rules on NSA access to data,’ said Christo­pher Wolf, direc­tor of the Pri­va­cy and Infor­ma­tion Man­age­ment prac­tice group at law firm Hogan Lovells, call­ing the pro­pos­al ‘dra­con­ian.’ ” But the same report quotes Justin Brook­man, direc­tor of con­sumer pri­va­cy at the Cen­ter for Democ­ra­cy and Tech­nol­o­gy: “The reg­u­la­tion looks pret­ty robust, though there are some workarounds that will let com­pa­nies do a lot of what they already do.”

It is these ‘workarounds’ that are still heav­i­ly crit­i­cized by Euro­pean civ­il lib­er­ties groups. Pri­or to the vote, La Quad­ra­ture du Net (LQDN) wrote to the LIBE com­mit­tee, “we urge you to reject com­pro­mise amend­ments made on arti­cles 6 and 20.”

...

“If allowed to stand,” said Joe McNamee, Exec­u­tive Direc­tor of Euro­pean Dig­i­tal Rights, “this vote would launch an ‘open sea­son’ for online com­pa­nies to qui­et­ly col­lect our data, cre­ate pro­files and sell our per­son­al­i­ties to the high­est bid­der. This is all the more dis­ap­point­ing because it under­mines and negates much of the good work that has been done,” he added.

LQDN has a fur­ther crit­i­cism. The LIBE com­mit­tee also approved ‘tri­logue nego­ti­a­tions’ in the run up to the final Euro­pean vote. This means that fur­ther dis­cus­sion on the pro­posed legal frame­work between the EU and nation­al gov­ern­ments will now be held in secret. “That legal frame­work – geared to pro­tect the fun­da­men­tal right to pri­va­cy of the Euro­pean cit­i­zens – deserves an open and trans­par­ent debate that is equal to the chal­lenge rep­re­sent­ed by these issues,” LQDN said in its let­ter to the LIBE com­mit­tee, urg­ing “trans­paren­cy and a prop­er, in-depth pub­lic debate.”

So while some of the amend­ments vot­ed by the LIBE com­mit­tee yes­ter­day strength­en and bring for­ward the new Euro­pean Gen­er­al Data Pro­tec­tion Reg­u­la­tion, there are many who believe it still con­tains enough loop­holes – and poten­tial­ly new loop­holes intro­duced in secret – to mean busi­ness as usu­al in the col­lec­tion and move­ment of Euro­pean per­son­al data by the big inter­net com­pa­nies.
So there’s near­ly 4000 amend­ments still to be worked out in the secret tri­logue, but right now it’s sound­ing like the new rules poten­tial­ly “pro­vide for a com­plete block of cross-bor­der data flows unless the US agrees to EU rules on NSA access to data” while at the same time con­tain­ing loop­holes that “would launch an ‘open sea­son’ for online com­pa­nies to qui­et­ly col­lect our data, cre­ate pro­files and sell our per­son­al­i­ties to the high­est bid­der” and “mean busi­ness as usu­al in the col­lec­tion and move­ment of Euro­pean per­son­al data by the big inter­net com­pa­nies”. And pos­si­ble large fines if the rules are found to be bro­ken in a way that falls out­side the loop­hole. So hypo­thet­i­cal pro­tec­tion against spy­ing by for­eign gov­ern­ments but prob­a­bly no real threat to data col­lec­tion by pri­vate com­pa­nies. This was prob­a­bly to be expect­ed because it’s not like EU tech giants would­n’t like busi­ness as usu­al too.

With much left up to the secret trilogue it’s very unclear how beneficial the final legislation is going to be for average EU citizens. On the other hand, the new rules are also going to require that firms have a designated “data protection officer” and this is the closest to a jobs program we’ve seen from the EU in years, so at least there’s that.

What’s better than being one of the big fish in the ocean? Being an even bigger fish in a global sea of ponds
Still, it has to be said that the implementation of EU-wide data-privacy laws is a great example of the usefulness that the EU can provide and exactly why something like the EU has value. When it’s not implementing far-right economic theories across the union the EU can actually be useful! Because there are some things in the world that really benefit from a standardized set of rules, and data-privacy laws for cross-border exchanges are one of them. If it’s possible to have a common set of rules that close trading partners can agree upon, all the better.

The EU also helps to avoid sit­u­a­tions like each nation hav­ing its own domes­tic inter­net that requires all inter­net traf­fic be kept with­in the nation. An inter­nal inter­net for crit­i­cal infra­struc­ture cer­tain­ly makes sense. And a larg­er nation­al inter­net might work well for some ser­vices, like a nation­al email ser­vice. But it also might break the inter­net and do very lit­tle to deal with the glob­al threat of mass domes­tic sur­veil­lance or even exac­er­bate that threat if author­i­tar­i­an gov­ern­ments use the balka­niza­tion of the inter­net to impose con­trols to cen­sor access. So let’s hope nations with intranet ambi­tions pro­ceed with cau­tion:

Ger­many wants a Ger­man Inter­net as spy­ing scan­dal ran­kles

By Leila Abboud and Peter Mausha­gen

PARIS/FRANKFURT | Fri Oct 25, 2013 11:36am EDT

(Reuters) — As a diplo­mat­ic row rages between the Unit­ed States and Europe over spy­ing accu­sa­tions, state-backed Deutsche Telekom wants Ger­man com­mu­ni­ca­tions com­pa­nies to coop­er­ate to shield local inter­net traf­fic from for­eign intel­li­gence ser­vices.

Yet the nascent effort, which took on new urgency after Ger­many said on Wednes­day that it had evi­dence that Chan­cel­lor Angela Merkel’s mobile phone had been mon­i­tored, faces an uphill bat­tle if it is to be more than a mar­ket­ing gim­mick.

It would not work when Ger­mans surf on web­sites host­ed on servers abroad, such as social net­work Face­book or search engine Google, accord­ing to inter­views with six tele­com and inter­net experts. Deutsche Telekom could also have trou­ble get­ting rival broad­band groups on board because they are wary of shar­ing net­work infor­ma­tion.

More fun­da­men­tal­ly, the ini­tia­tive runs counter to how the Inter­net works today — glob­al traf­fic is passed from net­work to net­work under free or paid-for agree­ments with no thought for nation­al bor­ders.

If more coun­tries wall them­selves off, it could lead to a trou­bling “Balka­ni­sa­tion” of the Inter­net, crip­pling the open­ness and effi­cien­cy that have made the web a source of eco­nom­ic growth, said Dan Kamin­sky, a U.S. secu­ri­ty researcher.

Con­trols over inter­net traf­fic are more com­mon­ly seen in coun­tries such as Chi­na and Iran where gov­ern­ments seek to lim­it the con­tent their peo­ple can access by erect­ing fire­walls and block­ing Face­book and Twit­ter.

“It is inter­na­tion­al­ly with­out prece­dent that the inter­net traf­fic of a devel­oped coun­try bypass­es the servers of anoth­er coun­try,” said Torsten Ger­pott, a pro­fes­sor of busi­ness and tele­coms at the Uni­ver­si­ty of Duis­burg-Essen.

“The push of Deutsche Telekom is laud­able, but it’s also a pub­lic rela­tions move.”

Deutsche Telekom, which is 32 per­cent owned by the gov­ern­ment, has received back­ing for its project from the tele­coms reg­u­la­tor for poten­tial­ly giv­ing cus­tomers more options.

In August, the com­pa­ny also launched a ser­vice dubbed “E‑mail made in Ger­many” that encrypts email and sends traf­fic exclu­sive­ly through its domes­tic servers.

BUGGING

Gov­ern­ment snoop­ing is a sen­si­tive sub­ject in Ger­many, which has among the strictest pri­va­cy laws in the world, since it dredges up mem­o­ries of eaves­drop­ping by the Stasi secret police in the for­mer East Ger­many, where Merkel grew up.

The issue dom­i­nat­ed dis­cus­sions at a Euro­pean sum­mit on Thurs­day, prompt­ing Merkel to demand that the U.S. strike a “no-spy­ing” agree­ment with Berlin and Paris by the end of the year.

As the row fes­ters, tele­com and Inter­net experts said the rhetoric exceed­ed the prac­ti­cal changes that could be expect­ed from Deutsche Telekom’s project. More than 90 per­cent of Ger­many’s inter­net traf­fic already stays with­in its bor­ders, said Klaus Lan­de­feld, a board mem­ber of the non-prof­it orga­ni­za­tion that runs the DE-CIX Inter­net exchange point in Frank­furt.

...

Note that Deutsche Telekom’s “E-mail made in Germany” campaign recently ran into a snag when it was reported that the BND has been reading foreign email flowing through the giant DE-CIX data exchange center in Frankfurt, where the recently set up “E-mail made in Germany” service is run. German citizens’ traffic is reportedly safe from this snooping (uh huh) and now, presumably, foreign users of the service are supposed to favor the BND’s surveillance over the NSA’s. It’s a reminder of the strange reality that the internet has brought surveillance regime shopping to the masses. The marketing campaigns are going to be awesome.

Con­tin­u­ing...

...

Oth­ers point­ed out that Deutsche Telekom’s pref­er­ence for being paid by oth­er Inter­net net­works for car­ry­ing traf­fic to the end user, instead of “peer­ing” agree­ments at no cost, clashed with the goal to keep traf­fic with­in Ger­many. It can be cheap­er or free for Ger­man traf­fic to go through Lon­don or Ams­ter­dam, where it can be inter­cept­ed by for­eign spies.

Thomas Kre­mer, the exec­u­tive in charge of data pri­va­cy and legal affairs for the Ger­man oper­a­tor, said the group need­ed to sign con­nec­tion agree­ments with three addi­tion­al oper­a­tors to make a nation­al rout­ing pos­si­ble. “If this were not the case, one could think of a leg­isla­tive solu­tion,” he said.

“As long as sender and receiv­er are in the Schen­gen area or in Ger­many, traf­fic should no longer be rout­ed through oth­er coun­tries,” Kre­mer said, refer­ring to the 26-coun­try pass­port-free zone in Europe.

A spokesman for Tele­fon­i­ca Ger­many said it was in ear­ly dis­cus­sions on nation­al rout­ing with oth­er groups. A spokesman for Voda­fone said it was “eval­u­at­ing if and how” to imple­ment the Deutsche Telekom pro­pos­al.

Although Deutsche Telekom is positioning itself as a safe custodian of user data, its track record on privacy is mixed. In a 2008 affair dubbed Telekomgate, Klaus Trzeschan, a security manager at the group, was jailed for three and a half years for his role in monitoring phone calls of the firm’s own management and supervisory board members, as well as business reporters.

A spokesman for Deutsche Telekom said the affair was the rea­son why the group worked “so hard” on pri­va­cy and secu­ri­ty issues in recent years. “We are now the lead­ing com­pa­ny of our indus­try when it comes to cus­tomers’ trust,” he said.

DATA CENTRES

While the routers and switch­es that direct traf­fic can be pro­grammed so data trav­el cer­tain routes, the most pop­u­lar online ser­vices are not built to respect bor­ders.

Web com­pa­nies often rely on a few large data cen­ters to pow­er their entire oper­a­tion, and they don’t choose loca­tions based on the loca­tion of their cus­tomers but on fac­tors such as the avail­abil­i­ty of cheap pow­er, cool cli­mates, and high-speed broad­band net­works.

For exam­ple, if a Munich res­i­dent uses Face­book to chat with a friend sit­ting 500 kilo­me­ters (310 miles) away in Berlin, the traf­fic would go through one of the com­pa­ny’s three mas­sive data cen­ters 8,000 km away in Ore­gon or North Car­oli­na, or one near the Arc­tic Cir­cle in the Swedish town of Luleå. Euro­pean users’ pro­files are not nec­es­sar­i­ly stored in the Swedish cen­tre; instead the web­site’s dif­fer­ent func­tions such as games, mes­sag­ing, and wall posts are dis­trib­uted among the data cen­ters to improve effi­cien­cy.

Sim­i­lar­ly, emails sent by Google’s Gmail between two Ger­man res­i­dents would prob­a­bly be rout­ed through one of the com­pa­ny’s three data cen­ters in Fin­land, Bel­gium and Ire­land.

The only way to change this would be for Ger­many to require local host­ing of web­sites, a dras­tic move accord­ing to experts that has not yet been pushed by Ger­man lead­ers. Deutsche Telekom declined to say whether it would lob­by for such an approach.

Brazil’s Pres­i­dent Dil­ma Rouss­eff, angered by reports that the U.S. spied on her and oth­er Brazil­ians, is push­ing leg­is­la­tion that would force Google, Face­book and oth­er inter­net com­pa­nies to store local­ly gath­ered or user-gen­er­at­ed data inside the coun­try.

One solution would be for European leaders to beef up a new data-privacy law, which has been in the works for almost two years. A greatly toughened version of the law was backed by the European Parliament on Monday, but it still requires agreement by member states.

France and Ger­many may suc­ceed in get­ting mem­ber states to push ahead on talks to com­plete the new data rules by 2015.

...

While it’s possible that we could see a German-internet arise from all this, it seems much more likely that this will be used as a kind of diplomatic threat, much like the threat to revoke the data-privacy ‘safe-harbor’ agreements between the US and EU. If there’s one thing the large multinational corporations that dominate the governments across the world love it’s large, unified marketplaces. And balkanizing the internet isn’t exactly a great way to create large, unified global marketplaces. A balkanized internet requiring global firms to utilize a global network of domestic server farms and follow an ever-changing set of local data-exchange rules probably isn’t going to be a profit-maximizing scenario.

On the oth­er hand, a balka­nized inter­net does per­form one very valu­able ser­vice for the IT giants of the world: large multi­na­tion­al cor­po­ra­tions with very deep pock­ets and the abil­i­ty to build facil­i­ties any­where in the world are going to be the only enti­ties capa­ble of pro­vid­ing glob­al inter­net ser­vices, like cloud com­put­ing. In a world where mul­ti­ple inter­nets oper­ate on mul­ti­ple legal and pos­si­bly tech­ni­cal stan­dards, we could find our­selves in a world where the big multi­na­tion­als are the only enti­ties that can facil­i­tate the trans­ac­tions required for the glob­al e‑com­merce/­cloud-com­put­ing ser­vices of tomor­row. Avoid­ing for­eign-spy­ing isn’t just a busi­ness expense in the glob­al e‑commerce/cloud com­put­ing mar­ket­place of tomor­row: It’s also a big pro­tec­tive bar­ri­er to entry when balka­nized inter­nets are part of the solu­tion:

Computing.co.uk
SAP to cir­cum­vent NSA spy­ing in Brazil by build­ing data cen­tres in the coun­try
By Sooraj Shah
17 Sep 2013

SAP is to cir­cum­vent any spy­ing by the US Nation­al Secu­ri­ty Agency (NSA) in Brazil by build­ing data cen­tres in the South Amer­i­can coun­try.

In doc­u­ments aired by Brazil’s biggest tele­vi­sion net­work, Globo, the NSA had a pre­sen­ta­tion dat­ed May 2012 that was used to show new NSA employ­ees how to spy on pri­vate com­put­er net­works.

The slides had suggested the NSA had tapped into the network of Brazilian oil firm Petroleo Brasileiro SA.

The firm is a major cus­tomer of SAP’s and SAP’s man­ag­ing direc­tor of South­ern Latin Amer­i­ca, Diego Dzosan, sug­gest­ed that as a result of recent rev­e­la­tions about the NSA’s involve­ment in Brazil, SAP will ensure that it keeps all of its Brazil­ian cus­tomer data with­in Brazil­ian ter­ri­to­ry; it is cur­rent­ly housed in the US.

Dzosan was speak­ing at SAP’s Inno­va­tion Tour in Brazil, and believes that the Brazil­ian gov­ern­men­t’s stance on the pri­va­cy of data, even pri­or to the NSA rev­e­la­tions, has always been clear.

“Brazil has had a very strong pol­i­cy in recent years for both pri­vate and pub­lic com­pa­nies, in how they store and access data secure­ly. It has a long tra­di­tion of that, and our indus­try has been evolv­ing in line with a lot of those gov­ern­ment guide­lines,” he said.

He claimed that SAP, which is headquartered in Germany, can fall in line with the Brazilian government’s regulatory framework with a cloud solution but that the first step for the firm is to work with local partners.

“We don’t currently have our own data centres in Brazil, so our first step is to work with local partners to give us a short-term solution, building data centres takes some time, so you need immediate capacity, and we will eventually own our own data centres,” Dzosan stated.

...

A significant balkanization of the internet, like the creation of a German-only or Brazilian-only internet that requires a dramatic rewriting of web-service software, is probably more of a diplomatic threat than a real plan at this point in time. But the soft balkanization of the internet via a growing patchwork of different national and regional data-privacy rules seems like a near certainty since it’s currently happening. How this changing landscape is going to impact rapidly growing sectors of the global economy like global cloud computing and web-services will be something to watch. We can be sure the large web-service multinational giants will have a global web-service presence. How about the smaller and mid-sized companies? Because companies like Facebook might be currently complaining about new laws that require user data to be stored in Brazil, but after the existing giants invest in these local data-storage services you also have to wonder who on earth is going to be able to compete with them. Other global giants capable of making the same investments will be able to compete in the area of global services with local storage requirements. Anyone else? These are going to be increasingly important questions to ask as the debate (and secret negotiations) over the EU’s data-privacy rules continues because whatever the EU decides upon is a likely template for multinational data-privacy agreements globally going forward. The concerns over ‘business as usual’ expressed by civil libertarians could morph into concerns over ‘big business as usual, everywhere’ if these new rules are screwed up.

And then there’s the new ‘no spy­ing’ rules
Now that France and Ger­many are try­ing to pub­licly nego­ti­ate ‘no spy’ agree­ments with the US, we could also be look­ing at a sit­u­a­tion where more and more gov­ern­ments want no spy agree­ments too. How this new era of pub­lic ‘no spy­ing’ shapes the evo­lu­tion of the inter­net and Big Broth­er 2.0 giv­en how inter­twined the inter­net is with mod­ern spy­ing will be some­thing to watch:

Law­fare blog
I Spy, You Spy, We All Spy?

By Ash­ley Deeks
Fri­day, Sep­tem­ber 6, 2013 at 4:06 PM

Among the doc­u­ments that Edward Snow­den released are reports show­ing that the NSA had been pick­ing up email and phone con­ver­sa­tions by and among for­eign lead­ers. Among the alleged tar­gets were offi­cials from the EU, indi­vid­ual EU mem­ber coun­tries, Brazil, and Mex­i­co. While each sub­ject of this report­ed sur­veil­lance has expressed out­rage, per­haps no state has been more agi­tat­ed than Ger­many. Rev­e­la­tions about NSA activ­i­ty direct­ed at the EU have posed sig­nif­i­cant prob­lems for the Ger­man gov­ern­ment, giv­en East Germany’s his­to­ry of wide­spread sur­veil­lance of its own cit­i­zens by the Stasi. Chan­cel­lor Angela Merkel is under polit­i­cal pres­sure as she runs for re-elec­tion, and oppo­si­tion par­ties have threat­ened to delay US-EU trade talks unless and until they obtain greater clar­i­ty about these NSA alle­ga­tions.

One way the Unit­ed States has addressed Germany’s con­cern is by agree­ing to nego­ti­ate an arrange­ment pur­suant to which nei­ther state will spy on the oth­er for gov­ern­men­tal or indus­tri­al pur­pos­es. We might sus­pect that Ger­many pro­posed the idea and the Unit­ed States acced­ed to the request, although Germany’s Chan­cellery Min­is­ter Roland Pofal­la (in charge of Germany’s secret ser­vices and its intel­li­gence coop­er­a­tion with oth­er states) told the Ger­man par­lia­ment that the Unit­ed States had offered to enter into these talks. Nego­ti­a­tions are to begin in Sep­tem­ber. Merkel’s pri­ma­ry chal­lenger in the upcom­ing Ger­man elec­tions called on her to seek a “bind­ing pledge from the U.S. gov­ern­ment” not to spy on Ger­many, though the Unit­ed States does not seem to have indi­cat­ed pub­licly pre­cise­ly what kind of “agree­ment” it is pre­pared to nego­ti­ate.

In view of these pend­ing nego­ti­a­tions, it is worth con­sid­er­ing at least two things: (1) the poten­tial impact on inter­na­tion­al law of an arrange­ment intend­ed to reg­u­late espi­onage; and (2) the strate­gic and prac­ti­cal effects such an arrange­ment might have on U.S. intel­li­gence in the future.

(1) As to the first issue, there is some­thing inher­ent­ly odd—as Dun­can Hol­lis not­ed over at Opinio Juris—about the idea of an inter­na­tion­al agree­ment not to do some­thing that states large­ly decline to acknowl­edge that they do, and that many states already view as unlaw­ful (at least as a mat­ter of domes­tic law). But there are at least two ways to think about espi­onage and inter­na­tion­al law: you may believe that peace­time espi­onage vio­lates inter­na­tion­al law, or you may take the view that inter­na­tion­al law sim­ply does not pur­port to reg­u­late espi­onage, an activ­i­ty near­ly as old as time. If you take the for­mer view, you pre­sum­ably would invoke cus­tom­ary inter­na­tion­al law norms such as non-inter­ven­tion and respect for sov­er­eign­ty, which the use of secret lis­ten­ing posts and wire­taps by one state in anoth­er state would con­tra­vene. If you take the lat­ter view, you would argue that ideas such as non-inter­ven­tion and sov­er­eign­ty devel­oped against a back­ground under­stand­ing that states do and will spy on each oth­er, thus estab­lish­ing a carve-out with­in those very con­cepts that allows—or at least turns a blind eye to—espionage.

Because espi­onage fits uncom­fort­ably with inter­na­tion­al law, it is unsur­pris­ing that there are few (pub­lic) prece­dents of states agree­ing not to spy on each oth­er. The most com­mon­ly cit­ed exam­ple is the “Five Eyes” agree­ment among the Unit­ed States, UK, Cana­da, Aus­tralia, and New Zealand. In a paper sub­mit­ted by the Cana­di­an exec­u­tive branch to a Mem­ber of Par­lia­ment, Cana­da stat­ed, “Five Eyes allies, in their own nation­al inter­ests as sov­er­eign states, can law­ful­ly col­lect intel­li­gence in accor­dance with their own domes­tic laws while respect­ing the long-stand­ing con­ven­tion not to tar­get the com­mu­ni­ca­tions of one anoth­er.” Of course, this sounds like an “under­stand­ing” rather than a bind­ing legal arrange­ment, and there is no way to know the extent to which the Five Eyes states hon­or such stand­ing arrange­ments.

In 2010, then-DNI Director Dennis Blair sought a comparable arrangement with France. According to the Telegraph, “Mr Blair proposed an unprecedented written pledge even more binding than the post-war ‘gentlemen’s agreement’ between the US, Britain, Canada, Australia and New Zealand as trusted partners who do not spy on each other. The deal would also have given France access to a highly secure intelligence retrieval and exchange system.” President Obama ultimately scuttled the deal out of concern that the agreement might handcuff the United States if a less U.S.-friendly French government came into power in the future. (Note the underlying assumption that the United States would feel obliged to alter its behavior in the face of such an agreement, even if it were not in U.S. interests to do so.) In short, I am unaware of any publicly available bilateral “no spy” agreements involving the United States. However, if the United States and Germany do come to an arrangement, it would illustrate the idea that international law can regulate espionage, however unnatural it may seem.

(2) As to the sec­ond issue, what are the poten­tial impli­ca­tions for the Unit­ed States in enter­ing into such an agree­ment? In the first place, it depends what the “agree­ment” looks like. If it is a legal­ly bind­ing arrange­ment, the Unit­ed States may find itself torn in the future between vio­lat­ing an inter­na­tion­al legal com­mit­ment and con­duct­ing espi­onage in Ger­many to pur­sue, say, reports of an immi­nent armed attack. If—as seems more likely—it ends up being an arrange­ment that binds as a polit­i­cal mat­ter but not as a legal one, the Unit­ed States would retain more lee­way to act in ways that don’t strict­ly com­ply with what­ev­er the final lan­guage is. But even polit­i­cal agree­ments raise the stakes when vio­la­tions occur; if the Unit­ed States were caught spy­ing on Ger­many in vio­la­tion of a polit­i­cal arrange­ment, Ger­many undoubt­ed­ly would be exer­cised. The spe­cif­ic word­ing of any such agree­ment also will be impor­tant, of course: a lim­i­ta­tion on spy­ing on Ger­man offi­cials or indus­tries is dif­fer­ent from a lim­i­ta­tion on spy­ing in Ger­many at all (against known ter­ror­ist groups, for exam­ple).

One poten­tial down­side of con­clud­ing either a bind­ing or non-bind­ing agree­ment is that oth­er states (includ­ing Brazil and Mex­i­co, for instance) may clam­or for com­pa­ra­ble arrange­ments, and express out­rage and sus­pi­cion if the Unit­ed States proves unwill­ing to nego­ti­ate such deals with them. Anoth­er down­side is sim­ply the loss of intel­li­gence if the Unit­ed States agrees not to spy on Germany—or the loss of access to mat­ters or third par­ties to which the Ger­man gov­ern­ment might have unique access. The Unit­ed States con­ceiv­ably might be able to glean impor­tant intel­li­gence via third par­ties (such as oth­er Five Eyes states), how­ev­er. Yet anoth­er rea­son such an arrange­ment might be unde­sir­able is the rea­son giv­en by Pres­i­dent Oba­ma in the French con­text: a future Ger­man gov­ern­ment might prove less friend­ly to the Unit­ed States than the cur­rent one is. Final­ly, we might think that the Unit­ed States has more to lose in such a bilat­er­al arrange­ment because the Unit­ed States pre­sum­ably has a broad­er capac­i­ty to col­lect intel­li­gence on (and in) Ger­many than Ger­many does on the Unit­ed States. So the quid and quo in the arrange­ment won’t be equiv­a­lent.

...

Part of what makes this new public initiative by France and Germany to work out ‘no spy’ agreements with the US so strange is that it raises a question of how governments would have acted differently in the past if they knew rival governments weren’t spying on them. Would they have behaved differently? If so, how? That’s something worth asking on a government by government basis because, while mass-surveillance of random people is obviously something that has to be stopped everywhere, the surveillance of governments by other governments is a very different situation. We need to start asking ourselves if this ‘no spying between governments’ thing is actually a good idea because the ‘no spy’-agreement trend may not stop with France and Germany. The genie is officially out of the bottle and it would be incredibly tragic if a global drive to create a world safe from Big Brother became a world safe for Big Brother from the Other Big Brothers. Other Big Brother surveillance is pretty much the only surveillance a Big Brother is going to have in many cases. Big Brothers should spy on each other, it’s the spying on the rest of us that’s the problem. So are we sure these no spy agreements should apply to Merkel too? Do we want to be in a world where there are rules against trying to spy on the most powerful people in the world? Beyond the chilling rise of the far-right that we’re seeing across Europe, there’s one possibility that should be giving everyone pause regarding US/European ‘no spy’ agreements: President Ted Cruz. No spying on President Ted Cruz. Thems the rules.

And in the meantime, be sure to keep an eye on those EU data-privacy laws because the changes to the NSA’s policies over the next year might have an even bigger impact on the EU data-privacy rules than those 4000 amendments yet to be worked out, and not in a good way. A lot will have to do with the NSA’s actual role in EU intelligence gathering and how that role could change. By introducing ‘no spy’ agreements to the public discourse, the ability of the NSA to act as the unofficial global spy-monger, both for the US’s own interests (which includes general spy-mongering and very expensive Larping) and on behalf of the US’s larger NATO/global alliances and all of their possible foreign-intelligence gathering interests, might end up changing quite a bit. That also means we should expect a lot more foreign intelligence agencies to start gathering a lot more foreign intelligence themselves. And that includes the EU member nations, which could translate into the kind of future EU data-privacy rules that civil-libertarians may not enjoy. It’s somewhat counter-intuitive, but it’s very possible that the over-aggression of the NSA’s spying was simultaneously contributing to a temporary under-aggression by allied intelligence agencies around the world because, well, why bother developing global mass spy capabilities when your ally is already creating archive.org for everything and giving you access to it? As the NSA and “Five Eyes” get shut out of the data collection business (it could happen with the way the diplomacy is developing) someone else is presumably going to fill the mass-surveillance void and that someone else will probably be someone in the EU, perhaps France and/or Germany. All of that means the upcoming changes to the EU’s data-privacy rules might get a lot looser. It could be more ‘big business as usual’ and there might even be a few more little Big Brothers than before. Watch out.

Update 11/10/2013
Deutsche Telekom’s plans for a Ger­man-intranet appear to have expand­ed to poten­tial­ly include the entire 26-coun­try Schen­gen Area. All traf­fic would have to stay with­in the area. Bye bye glob­al inter­net?

Deutsche Welle
Tele­coms plan shield­ed Euro­pean Inter­net
10.11.2013

Deutsche Telekom says the scan­dal over US and British eaves­drop­ping has prompt­ed Ger­man providers to con­tem­plate an inner-Ger­man or inner-Euro­pean Inter­net. Data would no longer be rout­ed and stored via oth­er con­ti­nents.

Ger­many’s state-backed Telekom con­firmed on Sun­day that Ger­man providers were dis­cussing an Inter­net con­fined with­in Europe’s “Schen­gen” coun­tries. One project code-named “Clean Pipe” would help firms to fend off indus­tri­al spies and hack­ers.

Schen­gen is the Lux­em­bourg bor­der town where in 1985 EU nations ini­ti­at­ed a visa-free zone that now encom­pass­es 26 Euro­pean coun­tries but excludes Britain.

A Telekom spokesman told the Ger­man news agency DPA that talks were tak­ing place with “diverse, like­ly part­ners.” The project would be unveiled on Mon­day at an infor­ma­tion tech­nol­o­gy (IT) con­fer­ence in Bonn.

Accord­ing to the news mag­a­zine Der Spiegel, Telekom man­agers see few­er tech­ni­cal set­up prob­lems than IT experts had at first antic­i­pat­ed.

Ger­many already has a project enti­tled “E‑Mail made in Ger­many” in which Telekom, Unit­ed Inter­net and Freenet han­dle mes­sages inside the nation­al bor­der.

Infiltration via LinkedIn?

The mag­a­zine also claimed that the British agency GCHQ had used a method code-named “Quan­tum Insect” to manip­u­late the online ser­vice LinkedIn and then infil­trate offices, name­ly the Bel­gian con­cern Bel­ga­com and Mach, which han­dles mobile phone rout­ing.

Com­put­ers of nine per­son­nel at the Vien­na head­quar­ters of the Organ­i­sa­tion of Petro­le­um Export­ing Coun­tries (OPEC) had also been infil­trat­ed by GCHQ. The US Nation­al Secu­ri­ty Agency (NSA) had also used the method to access OPEC’s gen­er­al-sec­re­tari­at, Spiegel claimed.

LinkedIn told Spiegel it would “nev­er approve” such intru­sion. Starhome Mach, a suc­ces­sor of Mach, said it would launch a “com­pre­hen­sive secu­ri­ty check.”

Telekom con­firmed a report by the week­ly Wirtschaftswoche that it togeth­er with the elec­tron­ic secu­ri­ty firm Lan­com had begun test­ing “Clean Pipe” among pilot cus­tomers.

End in sight for glob­al Inter­net?

Last month, US secu­ri­ty researcher Dan Kamin­sky told Reuters that if coun­tries walled them­selves off this would crip­ple the glob­al, orig­i­nal­ly open struc­ture of the Inter­net.

Elec­tron­ic snoop­ing is a sen­si­tive sub­ject in Ger­many due to the heavy sur­veil­lance of cit­i­zens in the for­mer com­mu­nist East and under Hitler’s Nazis.

Rev­e­la­tions of snoop­ing by US and British secret ser­vices stem from doc­u­ments leaked by fugi­tive and for­mer NSA con­trac­tor Edward Snow­den. Rus­sia recent­ly grant­ed him one year’s asy­lum.

Der Spiegel report­ed in June that the US had tapped half a bil­lion phone calls, emails and text mes­sages in Ger­many in a typ­i­cal month.

‘Kryp­to-handys’ safe

On Sun­day, Spiegel said Ger­many’s Fed­er­al Office for IT secu­ri­ty had urged Chan­cel­lor Angela Merkel’s Berlin bureau and gov­ern­ment min­istries to use new, reput­ed­ly secure “kryp­to-handys” — mobile phones with encryp­tion.

...

The anti-hack­er fea­ture actu­al­ly sounds pret­ty neat, although it will be inter­est­ing to see how well the EU’s intel­li­gence agen­cies can avoid tak­ing on more of an NSA-like char­ac­ter in their attempts to elim­i­nate the hack­ing.

Also keep in mind that Ger­many’s inte­ri­or min­istry is look­ing into ways to ward off the EU’s inter­net from for­eign intel­li­gence ser­vices. So the main sell­ing point for the new Schen­gen intranet isn’t just going to be that the traf­fic will stay with­in the Schen­gen area with some sort of EU-anti-hack­er fea­ture, but oth­er spy­ing ser­vices will be kept out of the area as well. It’ll be an EU-only spy zone:

Deutsche Welle
Ger­many looks to erect IT bar­ri­er

Amid rev­e­la­tions con­cern­ing the NSA’s spy­ing on the Ger­man gov­ern­ment, Inte­ri­or Min­is­ter Hans-Peter Friedrich is look­ing to erect an IT bar­ri­er in Ger­many and Europe. DW takes a look.
Date 04.11.2013
Author Gabriel Bor­rud
Edi­tor Lori Her­ber

Ger­many’s Inte­ri­or Min­istry is look­ing to force Inter­net Ser­vice Providers to keep Euro­pean data out of the hands of third par­ties, includ­ing intel­li­gence agen­cies, in the wake of an espi­onage scan­dal that has cooled rela­tions between the US and Ger­many over wide­spread hack­ing.

Min­is­ter Friedrich told the week­ly Welt am Son­ntag that he want­ed to “incor­po­rate an IT-Secu­ri­ty law in the upcom­ing coali­tion agree­ment that would pro­vide a legal frame­work for hin­der­ing the inter­cep­tion of data exchanged [with­in Ger­many and Europe] by for­eign intel­li­gence.”

But what Friedrich did­n’t men­tion was whether Ger­many was look­ing to pro­tect data shared with servers out­side Europe — where the vast major­i­ty of Inter­net activ­i­ty in Ger­many takes place.

Set­ting up bar­ri­ers

“The infra­struc­ture need­ed to cre­ate an inner Euro­pean net­work exists,” said Dirk Engling, spokesman of the Chaos Com­put­er Club, Europe’s largest asso­ci­a­tion of hack­ers.

“But the problem is: This is extremely counterintuitive,” he told DW. “By ‘ensuring’ citizens that they are only safe if they restrict their internet usage to within Europe, what is the Internet there for?”

...

‘We don’t want to cut con­nec­tions’

Ger­many’s largest telecom­mu­ni­ca­tions com­pa­ny, Deutsche Telekom, has already begun plan­ning a rout­ing sys­tem that would restrict all Inter­net traf­fic with­in the coun­try to domes­tic net­works.

“This is just the first step,” said Philipp Blank, cor­po­rate blog­ger for Telekom, adding that even­tu­al­ly the com­pa­ny was look­ing to expand its rout­ing sys­tem to the coun­tries in the bor­der-free Schen­gen Area.

Blank empha­sized, how­ev­er, that “Telekom does not want to cut con­nec­tions or restrict users from nav­i­gat­ing to sites based out­side of Ger­many or the Schen­gen Area.”

“Why should email traffic be routed outside [the Schengen Area] if both the sender and receiver are located within its borders? If our system were realized, intelligence services from countries outside this area would find it much more difficult to access this data traffic.”

Safe haven Europe?

Telekom’s claims haven’t won over crit­ics like Dirk Engling of the Chaos Com­put­er Club, who point­ed out to DW that spy­ing also took place on data that was restrict­ed to Euro­pean net­works.

“We know now that data was inter­cept­ed here on a large scale. So lim­it­ing traf­fic to Ger­many and Europe does­n’t look as promis­ing as the gov­ern­ment and [Telekom] would like you to believe.”

Amelia Ander­s­dot­ter, who rep­re­sents the Pirate Par­ty in the Euro­pean Par­lia­ment, told DW that the issue goes far beyond Inter­net secu­ri­ty, dis­miss­ing Friedrich’s pro­pos­als as “trumped-up lip ser­vice.”

“Our politi­cians are mak­ing these claims now about IT secu­ri­ty to enhance their pop­u­lar­i­ty. It’s lip ser­vice, and it’s inef­fec­tive, and it’s hyp­o­crit­i­cal. Over the last decade gov­ern­ments have worked togeth­er with com­pa­nies to build up infra­struc­ture that cre­ates inse­cu­ri­ty, in effect pre­vent­ing the Inter­net from serv­ing its true pur­pose of com­mu­ni­ca­tion and self-empow­er­ment.”

And in the face of rev­e­la­tions of spy­ing in Europe — not only by the NSA — Ander­s­dot­ter called on the Ger­man gov­ern­ment to focus more on the pro­tec­tion of human rights in its cyber secu­ri­ty pledge:

“The spy­ing we’ve seen is an egre­gious vio­la­tion of human rights. Why should we believe that the lim­i­ta­tion of inter­net traf­fic to Ger­many and Europe means the prob­lem is solved? To me it seems very vague, if not sus­pect.”

A Schengen Area intranet would also imply that the GCHQ would be barred from spying on EU traffic (since the UK and Ireland aren’t members). This also means that the Schengen Area intelligence services are going to be primarily responsible for intelligence gathering (assuming the prohibition on foreign-intelligence gathering is truly feasible and isn’t just a farce for public consumption). Given this possibility of an EU spy-takeover of the Schengen Area, it’s good to see that the folks in the Pirate Party and Chaos Computer Club are skeptical of this proposal as a solution to mass-surveillance because whatever concerns they have regarding the proclivity of EU spy agencies to mass-spy now are about to get a lot worse once the EU takes sole ownership of the responsibility for Schengen Area spying (no GCHQ spyware allowed; that function will be in-housed). Even if the EU somehow finds a way to start out spying responsibly under this new system, it’s not too hard for a responsibility to spy responsibly to turn into a responsibility to spy irresponsibly when you’re the primary organization doing the spying partially on behalf of the entire global community. Mission creep can apply to continental intranets too. Especially when they start in-housing outsourced domestic spying responsibilities.

Discussion

23 comments for “Too Much of a Good Thing? Part 2: A Secret Trilogue and Business as Usual”

  1. Some­thing to con­sid­er regard­ing the poten­tial costs and incen­tives the large multi­na­tion­als might have to see a move like Ger­many or Brazil cre­at­ing their own inter­nal inter­net: Many of the changes that could be required if the inter­net starts frag­ment­ing along nation­al lines might be sim­i­lar to the changes that would hap­pen if net-neu­tral­i­ty is lost. In either case, the inter­net could break in very prof­itable ways:

    Wired
    We’re About to Lose Net Neu­tral­i­ty — And the Inter­net as We Know It

    By Mar­vin Ammori
    11.04.13
    9:30 AM

    Net neu­tral­i­ty is a dead man walk­ing. The exe­cu­tion date isn’t set, but it could be days, or months (at best). And since net neu­tral­i­ty is the prin­ci­ple for­bid­ding huge telecom­mu­ni­ca­tions com­pa­nies from treat­ing users, web­sites, or apps dif­fer­ent­ly — say, by let­ting some work bet­ter than oth­ers over their pipes — the dead man walk­ing isn’t some abstract or far-removed prin­ci­ple just for wonks: It affects the inter­net as we all know it.

    Once upon a time, com­pa­nies like AT&T, Com­cast, Ver­i­zon, and oth­ers declared a war on the internet’s foun­da­tion­al prin­ci­ple: that its net­works should be “neu­tral” and users don’t need anyone’s per­mis­sion to invent, cre­ate, com­mu­ni­cate, broad­cast, or share online. The neu­tral and lev­el play­ing field pro­vid­ed by per­mis­sion­less inno­va­tion has empow­ered all of us with the free­dom to express our­selves and inno­vate online with­out hav­ing to seek the per­mis­sion of a remote tele­com exec­u­tive.

    But today, that free­dom won’t sur­vive much longer if a fed­er­al court — the sec­ond most pow­er­ful court in the nation behind the Supreme Court, the DC Cir­cuit — is set to strike down the nation’s net neu­tral­i­ty law, a rule adopt­ed by the Fed­er­al Com­mu­ni­ca­tions Com­mis­sion in 2010. Some will claim the new solu­tion “splits the baby” in a way that some­how doesn’t kill net neu­tral­i­ty and so we should be grate­ful. But make no mis­take: Despite eight years of pub­lic and polit­i­cal activism by mul­ti­tudes fight­ing for free­dom on the inter­net, a court deci­sion may soon take it away.

    Game of Loop­holes and Rules

    How did we get here?

    The CEO of AT&T told an inter­view­er back in 2005 that he want­ed to intro­duce a new busi­ness mod­el to the inter­net: charg­ing com­pa­nies like Google and Yahoo! to reli­ably reach inter­net users on the AT&T net­work. Keep in mind that users already pay to access the inter­net and that Google and Yahoo! already pay oth­er tele­com com­pa­nies — often called back­bone providers — to con­nect to these inter­net users. [Dis­clo­sure: I have done legal work for sev­er­al com­pa­nies sup­port­ing net­work neu­tral­i­ty, includ­ing Google.]

    But AT&T want­ed to add an addi­tion­al toll, beyond what it already made from the inter­net. Short­ly after that, a Ver­i­zon exec­u­tive voiced agree­ment, hop­ing to end what he called tech com­pa­nies’ “free lunch”. It turns out that around the same time, Com­cast had begun secret­ly tri­al­ing ser­vices to block some of the web’s most pop­u­lar appli­ca­tions that could pose a com­pet­i­tive threat to Com­cast, such as Bit­Tor­rent.

    Yet the phone and cable com­pa­nies tried to dress up their plans as a false com­pro­mise. Coun­ter­in­tu­itive­ly, they sup­port­ed telecom­mu­ni­ca­tions leg­is­la­tion in 2006 that would autho­rize the FCC to stop phone and cable com­pa­nies from block­ing web­sites.

    There was a catch, how­ev­er. The bills includ­ed an excep­tion that swal­lowed the rule: the FCC would be unable to stop cable and phone com­pa­nies from tax­ing inno­va­tors or pro­vid­ing worse ser­vice to some sites and bet­ter ser­vice to oth­ers. Since we know inter­net users tend to quit using a web­site or appli­ca­tion if it loads even just a few sec­onds slow­er than a competitor’s ver­sion, this no-block­ing rule would essen­tial­ly have enabled the phone and cable com­pa­nies to dis­crim­i­nate by pick­ing website/app/platform win­ners and losers. (Con­gress would mere­ly enact the loop­hole. Think of it as a safe har­bor for dis­crim­i­nat­ing online.)

    Luck­i­ly, con­sumer groups, tech­nol­o­gy com­pa­nies, polit­i­cal lead­ers, and Amer­i­can cit­i­zens saw through the non­sense and ral­lied around a prin­ci­ple to pre­serve the internet’s open­ness. They advo­cat­ed for one sim­ple, nec­es­sary rule — a nondis­crim­i­na­tion prin­ci­ple that became known as “net­work neu­tral­i­ty”. This prin­ci­ple would for­bid phone and cable com­pa­nies not only from block­ing — but also from dis­crim­i­nat­ing between or enter­ing in spe­cial busi­ness deals to the ben­e­fit of — some sites over oth­ers.

    Both sides bat­tled out the issues before Con­gress, fed­er­al agen­cies, and in sev­er­al sen­ate and pres­i­den­tial cam­paigns over the next five years. These fights cul­mi­nat­ed in the 2010 FCC deci­sion that includ­ed the nondis­crim­i­na­tion rule.

    Unfor­tu­nate­ly, the rule still had major loop­holes — espe­cial­ly when it came to mobile net­works. It also was built, to some extent, on a shaky polit­i­cal foun­da­tion because the then-FCC chair­man repeat­ed­ly fold­ed when fac­ing pres­sure. Still, the adopt­ed rule was bet­ter than noth­ing, and it was a major advance over AT&T’s open­ing bid in 2005 of a no-block­ing rule.

    As a result, Ver­i­zon took the FCC to court to void the 2010 FCC rule. Ver­i­zon went to court to attack the part of the rule for­bid­ding them from dis­crim­i­nat­ing among web­sites and appli­ca­tions; from set­ting up — on what we once called the infor­ma­tion super­high­way — the equiv­a­lents of toll­booths, fast lanes, and dirt roads.

    There and Back Again

    So that’s where we are today — wait­ing for the most pow­er­ful court in the nation, the DC Cir­cuit, to rule in Verizon’s case. Dur­ing the case’s oral argu­ment, back in ear­ly Sep­tem­ber, cor­po­rate lob­by­ists, lawyers, finan­cial ana­lysts, and con­sumer advo­cates packed into the court­room: some sit­ting, some stand­ing, some rel­e­gat­ed to an over­flow room.

    Since then, every­one inter­est­ed in inter­net free­dom has been wait­ing for an opin­ion — includ­ing every­day folks who search the web or share their thoughts in 140 char­ac­ters; and includ­ing me, who argued the first (los­ing) net­work neu­tral­i­ty case before the DC Cir­cuit in 2010.

    But, in their ques­tions and state­ments dur­ing oral argu­ment, the judges have made clear how they planned to rule — for the phone and cable com­pa­nies, not for those who use the inter­net. While the FCC has the pow­er to impose the tooth­less “no-block­ing” rule (orig­i­nal­ly pro­posed by AT&T above), it does not (the court will say) have the pow­er to impose the essen­tial “nondis­crim­i­na­tion” rule.

    It looks like we’ll end up where AT&T ini­tial­ly began: a false com­pro­mise.

    ...

    In addi­tion to the impact that the DC Appeals court rul­ing could have on net-neu­tral­i­ty, keep in mind that the EU is putting into place new net-neu­tral­i­ty laws too. The pro­posed rules announced in Sep­tem­ber sound­ed like they would pro­tect net-neu­tral­i­ty, but that might be chang­ing. In secret:

    Com­put­er World UK
    Help: EU Net Neu­tral­i­ty Con­sul­ta­tion Clos­es Today
    Glyn Moody
    Pub­lished 08:15, 05 Novem­ber 13

    As you may recall, back in Sep­tem­ber the Euro­pean Com­mis­sion final­ly came out with its pro­pos­als for net neu­tral­i­ty, part of its larg­er “Con­nect­ed Con­ti­nent” pack­age designed to com­plete the tele­coms sin­gle mar­ket. I learned yes­ter­day that the Euro­pean com­mit­tee respon­si­ble for this area, ITRE (Indus­try, Research and Ener­gy), has launched some­thing of a stealth con­sul­ta­tion on these pro­pos­als. Stealth, because nei­ther I nor any­one else that I know cov­er­ing this area, was aware of them, which is pret­ty bizarre.

    Unfor­tu­nate­ly, that con­sul­ta­tion clos­es at the end of busi­ness today. That means we have very lit­tle time to com­ment, although speak­ing to the peo­ple run­ning the con­sul­ta­tion, I get the impres­sion that they won’t apply the dead­line too strict­ly if you let them know that some­thing will be com­ing through a lit­tle late. There is no for­mal doc­u­ment out­lin­ing the terms of the con­sul­ta­tion — just bring up the points you think impor­tant. Sub­mis­sions should be sent to elina.kaartinen@europarl.europa.eu and/or peter.traung@europarl.europa.eu. Here’s what I’ve writ­ten:

    Giv­en the very short time I have to con­tribute to this con­sul­ta­tion, I’d like to con­cen­trate on one key aspect, that of net neu­tral­i­ty. In par­tic­u­lar, I’d like to urge ITRE not to allow spe­cialised ser­vices to be offered, since this will in fact destroy the very net neu­tral­i­ty that the Euro­pean Com­mis­sion claims that it is pro­tect­ing in its reg­u­la­tions. In what fol­lows, I will try to explain why.

    Along­side things such as IPTV, more “seri­ous” uses like telemed­i­cine are fre­quent­ly invoked to jus­ti­fy per­mit­ting spe­cialised ser­vices with guar­an­teed qual­i­ty of ser­vice — for exam­ple speed, or laten­cy. But this is real­ly just a clever trick on the part of the tele­com com­pa­nies and their lob­by­ists, who are the main dri­vers of this attempt to kill net neu­tral­i­ty.

    After all, if an ISP is able to pro­vide a guar­an­teed qual­i­ty of ser­vice for such spe­cialised ser­vices, run­ning on the gen­er­al Inter­net, then there is no rea­son not to pro­vide that guar­an­teed qual­i­ty of ser­vice for every­thing on that con­nec­tion.

    When­ev­er the guar­an­teed speeds or laten­cy are required for telemed­i­cine (or IPTV), all the user has to do is close down all oth­er appli­ca­tions. In that case, the entire con­nec­tion is devot­ed to the “spe­cialised” ser­vice, which is able to make use of the qual­i­ty of ser­vice guar­an­tees. With all the oth­er ser­vices shut down, it is as if the spe­cialised ser­vice enjoys priv­i­leged treat­ment — it does, but only because there is noth­ing else run­ning. This allows qual­i­ty of ser­vice to be pro­vid­ed with­out dam­ag­ing net neu­tral­i­ty: all IP pack­ets are treat­ed equal­ly, but some­times the user choos­es to send only one kind of IP pack­et over the con­nec­tion.

    This shows that it is not nec­es­sary to kill net neu­tral­i­ty in order to pro­vide ser­vices that require par­tic­u­lar qual­i­ty of ser­vice guar­an­tees. But there is a very real dan­ger that the Euro­pean Com­mis­sion’s pro­pos­als to allow spe­cialised ser­vices will do just that. The “pro­tec­tion” for net neu­tral­i­ty miss­es the point.

    If a start­up is in com­pe­ti­tion with an estab­lished mar­ket leader, and the lat­ter is offer­ing a “spe­cialised ser­vice” with a guar­an­teed qual­i­ty of ser­vice, while the new­com­er is not (because it can’t afford to pay ISPs the req­ui­site fees for doing so), the incum­bent will have a huge advan­tage. That’s because by def­i­n­i­tion the new ser­vice will run bet­ter than those run­ning on the “ordi­nary” Inter­net, which are bound to be per­ceived as slow or unre­li­able com­pared to the one giv­en pref­er­en­tial treat­ment. It does­n’t mat­ter that the spe­cialised ser­vice does­n’t impair the stan­dard ser­vice “in a recur­ring or con­tin­u­ous man­ner”: it’s sim­ply human nature to pre­fer the ser­vice that runs bet­ter, and the spe­cialised ser­vice will, thanks to the qual­i­ty of ser­vice guar­an­tees. In this way, inno­va­tion will be dis­ad­van­taged and dis­cour­aged, and deep-pock­et­ed mar­ket lead­ers entrenched.

    The tragedy is that this dan­ger is entire­ly avoid­able. If ISPs were allowed to offer qual­i­ty of ser­vice guar­an­tees for addi­tion­al pay­ment, just as they can offer faster ser­vices, or greater month­ly band­width, but not tied to any one ser­vice, then end-users could use this con­nec­tion for both estab­lished play­ers and new­com­ers alike, enjoy­ing a supe­ri­or tech­ni­cal expe­ri­ence for both. They could then decide on the mer­its of the con­tent of the ser­vices which to adopt, rather than being pushed in the direc­tion of estab­lished com­pa­nies able to afford deals with ISPs to pro­vide supe­ri­or con­nec­tions com­pared to those avail­able to star­tups.

    ...

    Posted by Pterrafractyl | November 5, 2013, 1:33 pm
  2. See the 11/10/2013 update in the OP on the new Schen­gen-Area intranet plans.

    Posted by Pterrafractyl | November 10, 2013, 10:20 pm
  3. Heh, I had missed this: it turns out that David Cameron was­n’t the only EU leader that played a role in stalling the new EU data pri­va­cy rules over­haul:

    Der Spiegel
    Appear­ances and Real­i­ty: Merkel Balks at EU Pri­va­cy Push
    Octo­ber 28, 2013 – 06:08 PM
    By Gre­gor Peter Schmitz in Brus­sels

    Chan­cel­lor Merkel has put on a good show of being out­raged by Amer­i­can spy­ing. But, at the same time, she has imped­ed efforts to strength­en data secu­ri­ty. Does she real­ly want more pri­va­cy, or is she more inter­est­ed in being accept­ed into the exclu­sive group of info-shar­ing coun­tries known as the ‘Five Eyes’ club?

    One par­tic­u­lar point of clar­i­fi­ca­tion was espe­cial­ly impor­tant to Angela Merkel dur­ing the EU sum­mit in Brus­sels last week. When she com­plained about the NSA’s alleged tap­ping of her cell­phone, the Ger­man chan­cel­lor made clear that her con­cern was not for her­self, but for the “tele­phones of mil­lions of EU cit­i­zens,” whose pri­va­cy she said was com­pro­mised by US spy­ing.

    Yet at a work­ing din­ner with fel­low EU heads of state on Thurs­day, where the agen­da includ­ed a pro­posed law to bol­ster data pro­tec­tion, Merkel’s fight­ing spir­it on behalf of the EU’s cit­i­zens seemed to have dis­si­pat­ed.

    In fact, inter­nal doc­u­ments show that Ger­many applied the brakes when it came to speedy pas­sage of such a reform. Although a num­ber of EU mem­ber states — includ­ing France, Italy and Poland — were push­ing for the cre­ation of a Europe-wide mod­ern data pro­tec­tion frame­work before Euro­pean Par­lia­ment elec­tions take place in May 2014, the issue end­ed up tabled until 2015.

    Great Britain, itself sus­pect­ed of spy­ing on its EU part­ners, and Prime Min­is­ter David Cameron, who has for­mer Google CEO Eric Schmidt as one of his advi­sors, put up con­sid­er­able resis­tance. He pushed instead for the final sum­mit state­ment to call sim­ply for “rapid” progress on a sol­id EU data-pro­tec­tion frame­work.

    A Setback for ‘Europe’s Declaration of Independence’

    Merkel also joined those apply­ing the brakes. Over the week­end, SPIEGEL ONLINE gained access to inter­nal Ger­man For­eign Min­istry doc­u­ments con­cern­ing the EU lead­ers’ final sum­mit state­ment. The “track changes” fea­ture reflects a cru­cial pro­posed change to item No. 8 under the sub­ject head­ing “Dig­i­tal Econ­o­my” — the sug­ges­tion that the phrase “adop­tion next year” be replaced with “The nego­ti­a­tions have to be car­ried on inten­sive­ly.”

    Ulti­mate­ly, the offi­cial ver­sion of the final sum­mit state­ment sim­ply called for “rapid” progress on the issue — just as Great Britain was hop­ing for.

    This amounts to a set­back for pro­po­nents of the pro­posed data-pro­tec­tion law, which EU Jus­tice Com­mis­sion­er Viviane Red­ing has called “Europe’s dec­la­ra­tion of inde­pen­dence.”

    The Euro­pean Par­lia­ment recent­ly began draft­ing stricter reg­u­la­tions in this area, includ­ing poten­tial fines run­ning into the bil­lions of euros for any Inter­net com­pa­ny caught ille­gal­ly pass­ing pri­vate data to US intel­li­gence agen­cies. Such pro­posed leg­is­la­tion has the sup­port even of some of Merkel’s fel­low con­ser­v­a­tives in the Euro­pean Par­lia­ment, includ­ing Man­fred Weber of the Chris­t­ian Social Union (CSU), the Bavar­i­an sis­ter par­ty to Merkel’s Chris­t­ian Demo­c­ra­t­ic Union (CDU), who says: “We need to final­ly sum­mon the polit­i­cal will for more data pro­tec­tion.”

    Amer­i­can tech cor­po­ra­tions could hard­ly believe their luck at hav­ing Merkel’s sup­port. Now they’re hop­ing for more lee­way to water down the data-pro­tec­tion law as soon as the furor over the lat­est spy­ing scan­dal has sub­sided. One high-rank­ing Amer­i­can tech-com­pa­ny exec­u­tive told the Finan­cial Times: “When we saw the sto­ry about Merkel’s phone being tapped … we thought we were going to lose.” But, he added: “It looks like we won.”

    Indeed, the EU lead­ers’ anger was already start­ing to dis­si­pate dur­ing their ses­sions in Brus­sels. Sum­mit par­tic­i­pants say lead­ers point­ed out that Europe is not exact­ly on the side of the angels when it comes to gov­ern­ment spy­ing. Lux­em­bourg’s prime min­is­ter, Jean-Claude Junck­er, cau­tioned his fel­low lead­ers, ques­tion­ing whether they were cer­tain their own intel­li­gence agen­cies had nev­er vio­lat­ed data pri­va­cy them­selves.

    Code of Con­duct for Intel­li­gence Agen­cies

    The con­cerns of the tech indus­try, in par­tic­u­lar, received an atten­tive ear among Europe’s lead­ers. One sum­mit par­tic­i­pant relates that restruc­tur­ing data-pro­tec­tion laws was por­trayed as a “labo­ri­ous” task that would require more time to com­plete, and that Merkel did not push for speed on the mat­ter, to the sur­prise of some of her coun­ter­parts.

    Accord­ing to sum­mit par­tic­i­pants, the Ger­man chan­cel­lor seemed far more inter­est­ed in the “Five Eyes” alliance among the US, the UK, Aus­tralia, New Zealand and Cana­da. The top-lev­el allies with­in this exclu­sive group, which began in 1946 as a pact between Lon­don and Wash­ing­ton, have agreed not to spy on one anoth­er, but instead to share infor­ma­tion and resources. In Brus­sels, Cameron stressed to his fel­low lead­ers how many ter­ror­ist attacks had been pre­vent­ed by suc­cess­ful intel­li­gence work.

    Merkel, mean­while, stat­ed: “Unlike David, we are unfor­tu­nate­ly not part of this group.” Accord­ing to the New York Times, Ger­many has sought mem­ber­ship in the “Five Eyes” alliance for years, but has been turned down due to oppo­si­tion, includ­ing from the Oba­ma admin­is­tra­tion. But this could now change, the paper spec­u­lates.

    ...

    Posted by Pterrafractyl | December 19, 2013, 2:09 pm
  4. Should we say ‘so long’ to the US-EU safe har­bor data agree­ment? Maybe, because that’s what the EU pan­el inves­ti­gat­ing the NSA spy­ing scan­dal is expect­ed to rec­om­mend:

    Euro­pean Voice
    MEPs to ask for sus­pen­sion of EU-US data exchanges
    By Toby Vogel — 19.12.2013 / 05:59 CET
    Deci­sion deferred on tes­ti­mo­ny from Edward Snow­den.

    A pan­el of MEPs tasked with shed­ding light on alleged mass sur­veil­lance of Euro­pean Union cit­i­zens by US intel­li­gence ser­vices is expect­ed to rec­om­mend in Jan­u­ary that the EU should sus­pend two data-exchange agree­ments with the US.

    A report draft­ed by Claude Moraes, a cen­tre-left UK MEP, urges the Euro­pean Com­mis­sion to sus­pend the safe-har­bour agree­ment, which allows US com­pa­nies to use data relat­ing to EU cit­i­zens if they cer­ti­fy that they fol­low EU rules.

    He also wants an inter­rup­tion in the Ter­ror­ist Finance Track­ing Pro­gramme (TFTP), which gives US counter-ter­ror­ism author­i­ties access to data on bank­ing trans­fers made through the glob­al SWIFT mes­sag­ing sys­tem, head­quar­tered in Brus­sels.

    The Euro­pean Par­lia­ment called in Octo­ber for the sus­pen­sion of the TFTP, but Cecil­ia Malm­ström, the Euro­pean com­mis­sion­er for home affairs, sub­se­quent­ly said that exten­sive con­sul­ta­tions with the US had not uncov­ered any breach of the agree­ment.

    Moraes’s call is sup­port­ed by the cen­tre-left, Green and lib­er­al groups in the Par­lia­ment, while the cen­tre-right is split. Axel Voss, a cen­tre-right Ger­man MEP who is his group’s spokesman on the sub­ject, backs sus­pen­sion of the safe-har­bour agree­ment – seen by busi­ness­es as crit­i­cal for their abil­i­ty to process cus­tomer data on both sides of the Atlantic – but not the sus­pen­sion of the TFTP.

    Oth­er calls

    Oth­er rec­om­men­da­tions in the report are less con­tro­ver­sial – for exam­ple calls for a Com­mis­sion report on whistle­blow­er pro­tec­tion in the EU, or for the Coun­cil of Min­is­ters to move fast on reform of the EU’s data-pro­tec­tion regime.

    Moraes pre­sent­ed his draft rec­om­men­da­tions to MEPs on the civ­il-lib­er­ties com­mit­tee yes­ter­day (18 Decem­ber) fol­low­ing an exchange via video link with Glenn Green­wald, a jour­nal­ist who dis­closed the US oper­a­tion to col­lect glob­al com­mu­ni­ca­tions data, based on doc­u­ments pro­vid­ed by Edward Snow­den, a for­mer US intel­li­gence con­trac­tor. Green­wald called on EU gov­ern­ments to grant asy­lum to Snow­den, who is thought to be in Rus­sia.

    ...

    Posted by Pterrafractyl | December 20, 2013, 9:15 am
  5. The EU just unveiled its pro­posed changes to the gov­er­nance of the inter­net in response to the Snow­den affair. The pro­pos­als most­ly appear to focus on set­ting up a time­line for shift­ing con­trol of ICANN out of US juris­dic­tion. But the EU is also oppos­ing mov­ing ICANN under the UN’s domain. No inter­na­tion­al con­trol and no gov­ern­ment con­trol. Instead, it sounds like the plan is to con­tin­ue the “open mul­ti-stake­hold­er gov­er­nance” mod­el for ICANN, but under a new type of inter­na­tion­al “gov­er­nance net­work”. If that sounds sort of neb­u­lous it is because it is:

    intel­lec­tu­al prop­er­ty watch
    EU Com­mis­sion Push­es Inter­na­tion­al­i­sa­tion Of Core Inter­net Infra­struc­ture
    Pub­lished on 12 Feb­ru­ary 2014 @ 6:42 pm

    By Moni­ka Ermert for Intel­lec­tu­al Prop­er­ty Watch

    Over the rev­e­la­tions of mass sur­veil­lance of inter­net users and gov­ern­ment offi­cials, the top­ic of inter­net gov­er­nance has risen to the main­stream polit­i­cal agen­da. And a Com­mu­ni­ca­tion on “Europe’s role in shap­ing the future of Inter­net Gov­er­nance” passed by the Euro­pean Com­mis­sion today would put “Europe in the cen­ter of the debate,” EC Vice Pres­i­dent Neel­ie Kroes said in a press con­fer­ence in Brus­sels.

    The Com­mu­ni­ca­tion, which in part is sup­posed to fos­ter an EU con­sen­sus posi­tion for the upcom­ing Brazil and oth­er 2014 inter­net gov­er­nance meet­ings (IPW, Infor­ma­tion and Com­mu­ni­ca­tions Tech­nol­o­gy, 30 Jan­u­ary 2014), sup­ports the glob­al­i­sa­tion of the Inter­net Cor­po­ra­tion for Assigned Names and Num­bers (ICANN) and the Inter­net Assigned Num­bers Author­i­ty (IANA) func­tions, per­formed under con­tract with the US Depart­ment of Com­merce.

    Kroes and her pre­de­ces­sor Viviane Red­ing made sev­er­al attempts to push for a reform of the still uni­lat­er­al over­sight role of the US over the man­age­ment of the root zone, the heart of the inter­net domain name sys­tem. So far, those attempts failed due to oppo­si­tion from the US admin­is­tra­tion, though some steps to inter­na­tion­alise ICANN over­sight have been tak­en and were wel­comed today by the Com­mis­sion.

    In presenting the communication today, Kroes said the current debate is “happening at a time of broken trust, not the least because of surveillance scandals and at a time when many governments want more control over the internet.” The EU certainly did not support a UN or government takeover, she rushed to assure. The Commission rejected the notion that there is only a “binary choice” between “pretending there are no problems with governance” or “a revolutionary top down approach.”

    But in order “to avoid a split of the glob­al polit­i­cal com­mu­ni­ty” and an unrav­el­ling of the inter­net into “a series of region­al and nation­al net­works,” there is a need to act urgent­ly, she said. The Com­mis­sion, there­fore, is rec­om­mend­ing the estab­lish­ment of a clear time­line for the glob­al­i­sa­tion of the ICANN, a dia­logue over “how to glob­alise the IANA func­tions,” and a strength­en­ing of the mul­ti-stake­hold­er mod­el in gen­er­al and the Inter­net Gov­er­nance Forum as one of the plat­forms based on that mod­el.

    Com­pared to ear­li­er pro­pos­als, the EU Com­mis­sion this time seem­ing­ly wants to make sure to pre-empt any claims that it might help those ask­ing for more UN con­trol over the inter­net.

    Mul­ti-Stake­hold­er – Not a Mag­ic Wand

    The Com­mu­ni­ca­tion will be dis­cussed next week by the rep­re­sen­ta­tives of mem­ber states in the Coun­cil, accord­ing to the Com­mis­sion, and lat­er in the Euro­pean Par­lia­ment where Dutch MEP Mare­it­je Schaake today called for a debate.

    The Com­mu­ni­ca­tion includes a list of oth­er mea­sures, too. Pro­posed mea­sures of the Com­mu­ni­ca­tion include the start of a Glob­al Inter­net Pol­i­cy Obser­va­to­ry to ease access to infor­ma­tion on the com­pli­cat­ed inter­net gov­er­nance process­es.

    More­over, the “fact that a process is claimed to be mul­ti­stake­hold­er does not per se guar­an­tee out­comes that are wide­ly seen to be legit­i­mate,” the Com­mu­ni­ca­tion reads. A con­sul­ta­tion on how “ade­quate and trans­par­ent mul­ti-stake­hold­er involve­ment” can be ensured in the EU itself there­fore is also on the to-do list.

    One ques­tion raised with regard to mul­ti-stake­hold­er con­text in par­tic­u­lar is relat­ed to the role of pub­lic author­i­ties in these new process­es. There have been many ques­tions by non-gov­ern­men­tal par­tic­i­pants about the role of rep­re­sen­ta­tives in ICANN’s Gov­ern­men­tal Advi­so­ry Com­mit­tee for exam­ple.

    Also some of the tough topics of global internet governance are included in the Communication, such as how to deal with the clash of jurisdictions in one universal, borderless network. The concern is that even if ICANN moves from California to another jurisdiction, the problem would not go away, but would only change with regard to what jurisdiction might be the dominant one.

    “Stakeholders” Welcome Communication

    The EC’s proposals today were quickly welcomed by many of the so-called stakeholders. ICANN Vice President for Europe Nigel Hickson sent out a statement saying the organisation was “pleased that the European Commission in this important communication is emphasizing the need to sustain the multi-stakeholder approach to governing the Internet.” ICANN has joined Brazil in hosting and preparing the April Sao Paulo Conference, and ICANN CEO Fadi Chehadé has committed to internationalisation.

    The Euro­pean Tele­com and Net­work Oper­a­tor Asso­ci­a­tion (ETNO) in a press release said it agreed “that we need to move towards a coher­ent set of glob­al Inter­net prin­ci­ples and that the upcom­ing Glob­al Mul­ti-stake­hold­er Meet­ing on the Future of Inter­net Gov­er­nance, host­ed by the Brazil­ian Gov­ern­ment in co-oper­a­tion with oth­er Mem­ber States, is a good place to start that debate.” ETNO’s Chair­man Lui­gi Gam­bardel­la in the release said: “We need more Europe in Inter­net gov­er­nance, or we won’t be able to make an impact at glob­al lev­el.”

    Com­put­er & Com­mu­ni­ca­tions Indus­try Asso­ci­a­tion (CCIA) Vice Pres­i­dent James Water­worth said in a state­ment that he was pleased with the EC’s “sup­port for a tru­ly open, free and glob­al Inter­net and will take that posi­tion into the Brazil Sum­mit in April this year.”

    “It is vital that Europe leads lib­er­al democ­ra­cies in sup­port­ing a mul­ti­lat­er­al and mul­ti-stake­hold­er sys­tem of Inter­net gov­er­nance that does not hand con­trol over crit­i­cal Inter­net resources to an inter­gov­ern­men­tal insti­tu­tion or to gov­ern­ments,” he said.

    ...

    As EU Telecom Commissioner Neelie Kroes put it, in order “to avoid a split of the global political community” and an unravelling of the internet into “a series of regional and national networks,” there is a need to act urgently. So they’re acting urgently. Whether or not they’re acting appropriately too sort of depends on how the “open multi-stakeholder governance” model actually works. And that’s still an open question. The internet is currently operated under a multi-stakeholder model but it’s a model that still includes US jurisdiction for some aspects of how the internet’s core works. In the interview of ICANN’s CEO below, however, the multi-stakeholder governance model of the future “what you want instead is to create governance networks — a term I’m pushing. Not governance institutions, not governance regulations. What we need in the age of the Internet is governance networks. These are networks that are formed by multiple stakeholders to solve governance characteristics.” So the vision for the global internet governance is, like, government, but not government. That’s deep:

    CNET
    ICANN CEO sets off explo­sion of new Inter­net names (Q&A)

    Next week, ICANN opens the Inter­net up to new domains like .ski, .sexy, and .berlin — and Fadi Chehade has to han­dle peo­ple unhap­py with the change. Also: time for the US to let go of its Net over­sight?
    by Stephen Shank­land
    Jan­u­ary 28, 2014 4:42 AM PST

    Start­ing next week, the Inter­net is going to look very dif­fer­ent — and ICANN Chief Exec­u­tive Fadi Chehade is the one who’ll get both the cred­it and the blame.

    Today, Net address­es end with 22 famil­iar terms — .com, .net, and .edu — called gener­ic top-lev­el domains (GTLDs). But start­ing Feb. 4, the first of hun­dreds of new GTLDs will begin arriv­ing — .nin­ja, .farm, .shoes, .pho­tog­ra­phy, .bike, .pink, and even .wtf.

    The Inter­net Cor­po­ra­tion for Assigned Names and Num­bers (ICANN), a non-prof­it orga­ni­za­tion, over­sees the domain-name expan­sion and the core Inter­net tech­nol­o­gy called the Domain Name Sys­tem that makes it tick. Chehade took over ICANN lead­er­ship in 2012 and now is grap­pling not just with the GTLD expan­sion, but also the dwin­dling sup­ply of numer­ic Inter­net address­es and an attempt to wean the Inter­net from the US gov­ern­men­t’s dom­i­nant over­sight role.

    Why both­er with the domain-name expan­sion? For a com­pa­ny try­ing to get a new start on the Net, find­ing an unclaimed Web address can be tough. And for a com­pa­ny cater­ing to cus­tomers in coun­tries like Chi­na or Rus­sia, names are held back with char­ac­ters in the Roman alpha­bet. Oth­er com­pa­nies might want to use their own domain — actu­al exam­ples includ­ing .google, .canon, .apple, .sam­sung, and .ibm.

    That’s pleased those who see a busi­ness rea­son to embrace the new address­es. “Since Fadi has tak­en the helm at ICANN, the pro­gram has moved for­ward at a much faster pace,” said Shayan Ros­tam, pro­duc­tion man­ag­er at XYZ.com, which will oper­ate reg­istries for .xyz and .col­lege. “We have pushed up our glob­al .xyz launch date to this March, direct­ly due to Fadi’s lead­er­ship of the pro­gram.”

    The rea­son Chehade is also in the hot seat, though, is field­ing crit­i­cisms from those with a trade­mark to pro­tect. For them, the explo­sion of new GTLDs means new has­sles and expens­es.

    ICANN estab­lished a Trade­mark Clear­ing­house where orga­ni­za­tions can reg­is­ter their brand names and get alerts if some­body else wants to use them in some way. But even with that, orga­ni­za­tions still must decide whether to apply for the right to oper­ate a reg­istry with their name, to con­test or bid against oth­ers’ domain-name choic­es, and to reg­is­ter Net address­es on the hun­dreds of new domains oth­ers will oper­ate — ibm.xyz, for exam­ple. (Although the first round of appli­ca­tions to run gener­ic top-lev­el domains is closed, com­pa­nies still must decide what to do with approved new domains and what to do when they can apply again.)

    ...

    What exact­ly is the nature of your con­tract with the US Depart­ment of Com­merce? I don’t think a lot of peo­ple know.
    It’s a zero-dol­lar con­tract: there’s no mon­ey that pass­es between us and the Depart­ment of Com­merce. The ori­gins of ICANN start­ed when the US gov­ern­ment left this func­tion of updat­ing the root of the Inter­net Domain Name Sys­tem. Three things are cov­ered by this con­tract: the Domain Name Sys­tem, which are the names; the num­bers, which are the IP num­bers [Inter­net Pro­to­col num­bers are used to route data across the Net from one machine to anoth­er]; and the pro­to­col para­me­ters. That’s the extent of our rela­tion­ship with the US gov­ern­ment, oth­er than the US gov­ern­ment, like any oth­er gov­ern­ment, being a mem­ber of ICAN­N’s gov­ern­men­tal advi­so­ry com­mit­tee.

    This con­tract con­tin­ues to main­tain the US gov­ern­men­t’s stew­ard­ship over these three areas that we do. The US gov­ern­ment role is to ensure that we are doing these func­tions as the com­mu­ni­ty has asked us to do them. The US gov­ern­ment is essen­tial­ly in an over­sight role over ICANN. The US gov­ern­ment as well as the con­tract itself has always defined that at some point that stew­ard­ship will be replaced by the mul­ti­stake­hold­er stew­ard­ship of the ICANN com­mu­ni­ty. This was always envis­aged as com­ing, but the ques­tion was when and how.

    I have in the last few months pub­licly stat­ed that the time for that has come. This over­sight is not sus­tain­able any longer, and there­fore we should work with the US to hand over its superb stew­ard­ship. We should all be thank­ful for the stew­ard­ship of the US gov­ern­ment. It’s worked mar­velous­ly well. Now it is impor­tant for the US gov­ern­ment to appre­ci­ate it’s time to have that stew­ard­ship head­ed to the world com­mu­ni­ty through the ICAN­N’s mul­ti­stake­hold­er mod­el.

    What influ­ence have the Snow­den rev­e­la­tions had on your agen­da and the time­line you’re pur­su­ing it on?
    We’ve been wait­ing for the right moment to get there. The right moment is now, evi­denced by the progress at ICANN in the last two years, and before that under Rod Beck­strom, my pre­de­ces­sor. ICANN has become a more mature orga­ni­za­tion — not just in its num­ber of staff, but also in its glob­al account­abil­i­ty and its pres­ence around the world. Pres­i­dent [Toomas Hen­drik] Ilves of Esto­nia announced at the World Eco­nom­ic Forum that the ICANN mul­ti­stake­hold­er regime is prob­a­bly the most advanced in the world. These are state­ments that three or four years ago were not heard. There­fore it is impor­tant to appre­ci­ate the US gov­ern­ment now sees this moment is upon us.

    The question is how and when? We do it calmly, we do it wisely, with all the community involved, so the community can guide us. These discussions I need to start with our colleagues in the US government, and I will, but I first wanted to ensure we were aligned as a community.

    Clearly, there is no question that Edward Snowden’s revelations have stimulated the dialog. I attended a couple sessions at the World Economic Forum about security risks. I saw leader after leader of major companies like GE sincerely worried about the trust factor on the Internet. And we have the Target situation. The trust in the ecosystem has been punctured a little bit.

    I’m not naive. I don’t believe we should all hug each oth­er and trust each oth­er. The real­i­ty is that trust can only be restored through checks and bal­ances. Checks and bal­ances mean you do not have a sin­gle actor or insti­tu­tion that owns the respon­si­bil­i­ty in any one part of the Inter­net gov­er­nance ecosys­tem. What you want instead is to cre­ate gov­er­nance net­works — a term I’m push­ing. Not gov­er­nance insti­tu­tions, not gov­er­nance reg­u­la­tions. What we need in the age of the Inter­net is gov­er­nance net­works. These are net­works that are formed by mul­ti­ple stake­hold­ers to solve gov­er­nance char­ac­ter­is­tics. They must have three char­ac­ter­is­tics: they must be effec­tive, they must be dynam­ic, and they must be legit­i­mate. These are very com­plex char­ac­ter­is­tics. We need to evolve the US over­sight into some­thing that the world will embrace but also to not replace it with some­thing that will be either one actor or one type of actor — for exam­ple, all gov­ern­ments — but tar­get a gov­er­nance net­work that includes all the stake­hold­ers.

    How does that tie in with the power grab at the United Nations’ International Telecommunications Union (ITU)?
    They want to address some issues that are not being addressed well through the tech sec­tor or many gov­ern­ments around the world. They picked on things like spam and cyber­se­cu­ri­ty and said, “We could help there.” Where ICANN and the IETF play is the lay­er of gov­er­nance of what makes up the Inter­net — the log­i­cal lay­er. Where the dis­cus­sion is open is how do we gov­ern what is on the Inter­net.

    Rather than con­tin­u­ing to say not here, and con­tin­u­ing this polar­ized fight between the mul­ti­stake­hold­er and mul­ti­lat­er­al mod­el, I went to Brazil and met with Pres­i­dent [Dil­ma] Rouss­eff and asked her, why don’t we address all these issues on all sides. We need a more nuanced approach that ensures we have a home to start address­ing what is on the Inter­net, and at the same time to evolve the cur­rent gov­er­nance net­works like ICANN so they also are more legit­i­mate, accept­ed by the whole world, and more effec­tive at things like address­ing US over­sight.

    So you’re propos­ing what sort of orga­ni­za­tion to over­see what’s on the Inter­net?
    It is not an orga­ni­za­tion. What we’re going to do at a meet­ing on April 23 in Sao Paulo is pro­pose an inter­con­nect­ed gov­er­nance ecosys­tem. We’re cre­at­ing a high­ly dis­trib­uted but also struc­tured way to address the issues by estab­lish­ing new gov­er­nance net­works. We’ll make sure these are well coor­di­nat­ed at the glob­al, region­al, and nation­al lev­els. It’s like a 21st cen­tu­ry gov­er­nance sys­tem for the Inter­net. Hope­ful­ly at Brazil we’ll see the birth of some­thing that evolves what we have today but also allows it to expand.

    I’m a US-UK cit­i­zen who lives in France. You’re a cit­i­zen of Lebanon, Egypt, and the US. We both live what some peo­ple are call­ing a post-nation­al exis­tence. Will the Inter­net ulti­mate­ly make nation­al bor­ders look obso­lete?
    As measured in centuries, yes. The Internet operates in a transnational space. It is challenging our laws, our jurisdictions. It is challenging the world to create more international frameworks for legal and cultural matters.

    Today, we get cer­tain rights and cer­tain guar­an­tees, but it is the nation-state mod­el that pro­vides them. But the Inter­net is hum­bling the nation-state mod­el. It is stress­ing it and cre­at­ing new chal­lenges that did­n’t exist before. I tell lead­ers they have two choic­es. They can build walls and cre­ate fric­tion between their own Inter­net and the rest of the world, or they can engage in the world and par­tic­i­pate in these net­works.

    A Boston Consulting Group study introduced the idea of the e-friction index. It shows you that for a government that resorts to building friction that allows it to protect who it is, there is a cost to that. The study concludes there are up to 2.5 percentage points of GDP [gross domestic product, a measure of a country’s total economic activity] that are potentially lost. A frictionless Internet should be our goal.

    Are you worried that countries will wall off their own Internet services into their own “splinternets”?
    I’m real­ly wor­ried, because peo­ple do not under­stand the impact of a high-fric­tion Inter­net. If they will resort to nation­al­iza­tion of their Inter­net ecosys­tem, the cost of that will be tremen­dous, not just eco­nom­i­cal­ly, but social­ly. I talked to a pro­fes­sor who put online a senior col­lege course in advanced math­e­mat­ics. About 36,000 stu­dents used it, and the top stu­dents are in the age group of 14–15 years old. Imag­ine all these knowl­edge lines frac­tured by pol­i­cy fric­tion and con­tent fric­tion.

    The danger is there. Some people are predicting it is inevitable. If we thoughtfully move to new governance networks to address the issues, we may have a chance this year to start a less alarming path to solving that problem today.

    Once again: “what we’re going to do at a meet­ing on April 23 in Sao Paulo is pro­pose an inter­con­nect­ed gov­er­nance ecosys­tem. We’re cre­at­ing a high­ly dis­trib­uted but also struc­tured way to address the issues by estab­lish­ing new gov­er­nance net­works. We’ll make sure these are well coor­di­nat­ed at the glob­al, region­al, and nation­al lev­els. It’s like a 21st cen­tu­ry gov­er­nance sys­tem for the Inter­net.”

    So they’re propos­ing an “inter­con­nect­ed gov­er­nance ecosys­tem” that won’t be run by gov­ern­ments or the UN. Assum­ing this isn’t some pri­va­tized-glob­al-reg­u­la­tion tro­jan horse, this is poten­tial­ly a big devel­op­ment, for good or ill. The mul­ti-stake­hold­er mod­el has worked pret­ty well at gov­ern­ing the inter­net so far, but there’s no guar­an­tee of that going for­ward. In addi­tion, what­ev­er “inter­con­nect­ed gov­er­nance ecosys­tem” mod­el they agree upon could have appli­ca­tions beyond just shar­ing the gov­er­nance of the inter­net. What oth­er forms of glob­al com­merce might also lend them­selves to the new 21st cen­tu­ry “open mul­ti-stake­hold­er gov­er­nance” mod­el and will these nec­es­sar­i­ly be sit­u­a­tions where that mod­el makes sense? We’ll see!

    Posted by Pterrafractyl | February 12, 2014, 12:42 pm
  6. Following up on the EU’s proposed overhaul to how the internet is governed: Here’s an article from October that discusses a leaked document from the Seoul Conference on Cyberspace calling for the creation of a “Commission on the Future of Internet Cooperation” to “provide new ideas for transnational and multi-stakeholder proposals for Internet governance”. While the status of that proposal is a secret, the article points out that ICANN CEO, Fadi Chehade, gave a speech at the Bali Internet Governance Forum where he gave a hint of the structure of the upcoming summit in Brazil. According to the author below, the model Chehade has in mind for deciding the fate of the internet might have an eerie resemblance to another governance model: the corporatist governance model. And as the author also points out, the corporatist criticism of the summit in Brazil might also apply to the multi-stakeholder model itself:

    internetgovernance.org
    Octo­ber 20, 2013
    Are we re-boot­ing all Inter­net gov­er­nance? (Or just releas­ing a lot of hot air?)
    by Mil­ton Mueller

    It’s 2004 again. Ideas and pro­pos­als for the reform of Inter­net gov­er­nance are now fly­ing all over the place, just as they did at the out­set of the UN Work­ing Group on Inter­net Gov­er­nance.

    At the recent­ly con­clud­ed Seoul Con­fer­ence on Cyber­space, a memo was cir­cu­lat­ed call­ing for the cre­ation of a “Com­mis­sion on the Future of Inter­net Coop­er­a­tion.” The com­mis­sion, the con­fi­den­tial memo said, would con­sist of “civic lead­ers, min­is­ters, CEOs and tech­ni­cal pio­neers.” Its pur­pose will be to “pro­vide new ideas for transna­tion­al and mul­ti­stake­hold­er pro­pos­als for Inter­net gov­er­nance.” Accord­ing to the leaked doc­u­ment, the group is sup­posed to begin work in Octo­ber and con­clude its work with a pre­sen­ta­tion at the World Eco­nom­ic Forum in Jan­u­ary 2014.

    We do not know the cur­rent sta­tus of this pro­pos­al; it is not men­tioned as part of the offi­cial out­put of the Seoul Con­fer­ence. The idea may not even have been accept­ed by the assem­bled lead­ers. But if, as the doc­u­ment stat­ed, work was to begin in Octo­ber it would need to be cre­at­ed very soon. If efforts to cre­ate this com­mis­sion are indeed under­way, why doesn’t any­one know about it yet? Who will choose these “civic lead­ers,” etc.?

    While the for­ma­tion and fate of this com­mis­sion remain shad­owy there is lit­tle doubt about where the pro­pos­al came from. It is anoth­er brain­storm of Fadi Chehade, the Pres­i­dent and CEO of ICANN. In what has become a one-man cru­sade to re-shape Inter­net gov­er­nance from the top down, Chehade has already cre­at­ed 4 “Strat­e­gy Pan­els,” one of them devot­ed to “ICANN’s role in the Inter­net Gov­er­nance Ecosys­tem.” At the end of the page announc­ing these 4 pan­els on ICANN’s web site, it says “The 5th pan­el orig­i­nal­ly iden­ti­fied will be refo­cused and is expect­ed to be forth­com­ing lat­er this year.” My guess is that we now know what the 5th pan­el is. (NB: We should prob­a­bly not con­fuse the 5th pan­el with a 5th col­umn.)

    These are not real­ly expert pan­els – very few of those select­ed are experts in sub­jects relat­ed to insti­tu­tions and glob­al gov­er­nance. It would be more accu­rate to call them pan­els of the prox­i­mate (to ICANN staff), the promi­nent and the unob­jec­tion­able.

    While we have seri­ous qualms about this par­tic­u­lar style of reform, there are some good things to be said about Fadi’s lat­est ini­tia­tives. We are sym­pa­thet­ic to the ideas of fos­ter­ing Inter­net coop­er­a­tion — as opposed to Inter­net gov­er­nance — and we approve of its empha­sis on transna­tion­al — as opposed to inter­na­tion­al or inter­gov­ern­men­tal — approach­es. Fur­ther­more, the ener­gy and ini­tia­tive dis­played by Chehade makes for a use­ful con­trast with the paral­y­sis of the US gov­ern­ment and the slug­gish, pon­der­ous tone of oth­er gov­ern­ments.

    Speaking of the ponderous, at a Bali Internet Governance Forum pre-event, Chehade and representatives of the technical community began to provide more detail about what would happen at the planned Brazilian “Summit” meeting in April 2014. According to a description of the meeting sent out by Access’s Jochai Ben-Avie, Brazil and ICANN are proposing an oddly corporatist approach to representation at the meeting:

    To ensure mul­ti­stake­hold­er and glob­al par­tic­i­pa­tion, there is a pro­pos­al that each coun­try will have three rep­re­sen­ta­tives to the con­fer­ence (one each from gov­ern­ment, busi­ness, and civ­il soci­ety) — to “cre­ate a mini CGI in each coun­try.” It was not dis­cussed how these peo­ple will be select­ed. Addi­tion­al­ly, the heads of all the I* orga­ni­za­tions and inter­na­tion­al gov­ern­ment orga­ni­za­tions will be invit­ed. A ques­tion was raised about how the tech­ni­cal com­mu­ni­ty would be rep­re­sent­ed, and the response was not clear whether tech­ni­cal com­mu­ni­ty reps would be con­sid­ered for some of the nation­al civ­il soci­ety spots, or whether they would be rep­re­sent­ed by the heads-of-orga­ni­za­tions rep­re­sen­ta­tives. The plan is to have 800–900 peo­ple present in total, but there will be large screens set up to facil­i­tate remote par­tic­i­pa­tion from stake­hold­ers and users from around the world. These details will be announced in 2–3 weeks in Brasil­ia, but Paulo Bernar­do will also make some com­ments on Tues­day morn­ing at the IGF.

    There are two things dras­ti­cal­ly wrong with this approach to the meet­ing. First, why is rep­re­sen­ta­tion of civ­il soci­ety and pri­vate busi­ness, both of which are transna­tion­al, being orga­nized on a nation-state basis? Sec­ond, imag­ine this: One rep­re­sen­ta­tive of civ­il soci­ety and the pri­vate sec­tor for each coun­try! Civ­il soci­ety is con­ceived not as a plu­ral­is­tic are­na in which hun­dreds or even thou­sands of groups are free to artic­u­late and advance diverse pro­pos­als and inter­ests, but as a uni­tary stake­hold­er group with homo­ge­neous inter­ests. That’s wrong. Busi­ness, like­wise, is seen as a sin­gle cat­e­go­ry: there is no dif­fer­ence between Ama­zon and the local sec­ond-hand book­store; between IBM and a three-per­son IT con­sul­tan­cy. That’s insane.

    But this proposal reflects the inherent failings in the “stakeholderism” that underpins so much of our discussions of the so-called “multistakeholder model.” There has always been an unfortunate link between the concept of multistakeholderism and the corporatist mindset of the 1920s and ’30s. One academic defines corporatism as

    The basic idea … that the soci­ety and econ­o­my of a coun­try should be orga­nized into major inter­est groups (some­times called cor­po­ra­tions) and rep­re­sen­ta­tives of those inter­est groups set­tle any prob­lems through nego­ti­a­tion and joint agree­ment.

    These top-heavy sys­tems of col­lec­tive rep­re­sen­ta­tion are the oppo­site of the Internet’s spir­it of per­mis­sion­less inno­va­tion, open entry, diver­si­ty and com­pe­ti­tion.

    If you want a taste of what these for­mal­is­tic approach­es to rep­re­sen­ta­tion will pro­duce as out­put, one need look no far­ther than the Seoul Cyber­space Con­fer­ence with which we opened this arti­cle. The offi­cial out­put of the Seoul meet­ing is the large­ly mean­ing­less but harm­less “Seoul Frame­works and Com­mit­ments.” The Seoul frame­work called for such things as “enabl[ing] more peo­ple to have access to broad­band Inter­net so that the world econ­o­my will become more inte­grat­ed” (wow, bet they had an intense debate on that one); the 87 nations agreed “that they will come up with mea­sures to pro­mote cyber secu­ri­ty” (how impres­sive!); they rec­om­mend­ed crack­ing down on cyber­crime “with­out com­pro­mis­ing the pri­vate lives and free­dom of indi­vid­u­als” (easy to say, isn’t it?)

    ...

    So every country will get three representatives at the upcoming summit that might shape the future of the internet: One from government, one from business, and one representing civil society’s interests. China and India won’t be too enthusiastic about it but the EU probably shouldn’t mind. And the seasteaders had better hurry up! As that author points out, “there has always been an unfortunate link between the concept of multistakeholderism and the corporatist mindset of the 1920s and ’30s” and that’s a scene the seasteaders really don’t want to miss.

    Posted by Pterrafractyl | February 12, 2014, 2:49 pm
  7. While Angela Merkel has shown no sign of eas­ing up on her desire to man­date EU cit­i­zens’ inter­net data to be stored in the EU, it still does­n’t look like mean­ing­ful pro­tec­tions for that data once it’s inside the EU are real­ly on Merkel’s agen­da:

    Deutsche Welle
    ‘I expect Merkel’s actions to fol­low her words’

    Angela Merkel wants to set up a Euro­pean com­mu­ni­ca­tion net­work, for more inde­pen­dence from US providers. That’s not enough, says Green MEP Jan Philipp Albrecht: She needs to sup­port Euro­pean data law reform.
    Date 17.02.2014
    Author Inter­view: Nina Haase, Brus­sels
    Edi­tor Michael Law­ton

    Deutsche Welle: John Ker­ry said dur­ing his vis­it to Berlin, “Let’s turn a page and open a new chap­ter.” He has had enough of the NSA spy­ing scan­dal and the ensu­ing diplo­mat­ic dif­fi­cul­ties — with Ger­many in par­tic­u­lar. But Angela Merkel now said in her week­ly pod­cast that she wants to pro­mote a Euro­pean com­mu­ni­ca­tions net­work. That’s seen as a direct reac­tion to the NSA spy­ing alle­ga­tions. How use­ful is this pro­pos­al?

    Jan Philipp Albrecht: I think it’s a good sign that we see move­ment towards a Euro­pean ini­tia­tive to bet­ter pro­tect our data and the infor­ma­tion infra­struc­ture in Europe. Yes, we need that. But on the oth­er hand, it’s also clear that we can­not just build bor­ders which would give us some sort of a Ger­man or a Schen­gen zone inter­net. Instead, we need to have a legal frame­work which secures our fun­da­men­tal rights in the Euro­pean mar­ket. We need to imple­ment the Euro­pean data pro­tec­tion reform. Angela Merkel has called that a pri­or­i­ty. Now she should fol­low through with it. It’s not just about invest­ing in infra­struc­ture — even though that’s a good first step in giv­ing Euro­peans a choice, so they can choose a Euro­pean data process­er instead of a US firm.

    Even if we did have Euro­pean data processers — what would that change? Whistle­blow­er Edward Snow­den has said, “It does­n’t mat­ter where your servers are. The NSA will go where the data is.”

    That’s true. We can’t just cut the cables. Peo­ple do want to com­mu­ni­cate, and we don’t want to stop them. But that’s why we need bet­ter data pro­tec­tion in terms of ser­vices. It has to be made clear that if some­body offers ser­vices to Euro­pean cit­i­zens and con­sumers, these ser­vices need to com­ply with the rules of our mar­ket: data secu­ri­ty and pro­tec­tion, bet­ter encryp­tion, and more con­trol for users. That’s what Angela Merkel should safe­guard.

    Neel­ie Kroes, Vice-Pres­i­dent of the Euro­pean Com­mis­sion, has also tried to pro­mote some of these mea­sures. Why does it seem to take Angela Merkel before con­sid­er­able progress can be made?

    We, the Euro­pean Par­lia­ment, have already shown that we are react­ing to today’s chal­lenges by say­ing we want to have Euro­pean data pro­tec­tion rules. It’s now up to the mem­ber states. They must not fol­low the lob­by­ists from Sil­i­con Val­ley. They must oppose their idea that only prof­it counts. If Angela Merkel does so, that is a step for­ward. But we need action. We’ve had almost one year of only words by lead­ing politi­cians in the mem­ber states of the Euro­pean Union. That needs to be changed.

    Ger­many and France ini­tial­ly only react­ed to the NSA scan­dal with an attempt to sign so-called no-spy agree­ments with the US. But skep­tics said straight away that was a paper tiger. Are you more con­fi­dent about Angela Merkel’s lat­est pro­pos­als?

    So far they’re mere words. And she adopts the Ger­man per­spec­tive instead of tak­ing on respon­si­bil­i­ty with­in the EU. She is one of the most impor­tant Euro­pean lead­ers. It was a fatal sign — and I would say even dis­loy­al towards the rest of the EU — that she and Fran­cois Hol­lande nego­ti­at­ed no-spy agree­ments on their own. They did­n’t even get them in the end. But they sac­ri­ficed a Euro­pean per­spec­tive. They now need to come back to a Euro­pean approach.

    The Euro­pean data pro­tec­tion reform as well as the agree­ment on data pro­tec­tion between the EU and the US, which we have been nego­ti­at­ing for two years, should have absolute pri­or­i­ty. Or else we will get noth­ing in the end. We’ll only have ini­tia­tives by indi­vid­ual EU mem­ber states which will not pre­vail. Only if we act togeth­er as the Euro­pean Union can we get a solu­tion which is bet­ter for cit­i­zens.

    But again, the lat­est pro­pos­als of a Euro­pean com­mu­ni­ca­tions net­work are a Fran­co-Ger­man ini­tia­tive, which Angela Merkel plans to dis­cuss with French pres­i­dent Fran­cois Hol­lande this week. And accord­ing to Spiegel mag­a­zine, Merkel’s counter-spy­ing offen­sive could go even fur­ther: it could mean that Ger­man secret ser­vices could lift their no-spy­ing rule on West­ern part­ners, such as the US. The British ser­vice GCHQ was also in focus dur­ing the scan­dal. Will Ger­many spy on Britain now?

    I don’t think that it would be an appro­pri­ate reac­tion to the over­step­ping of red lines by intel­li­gence ser­vices across the EU and the US. We know through the rev­e­la­tions by Edward Snow­den that the scan­dals were not just about the US ser­vices. Euro­pean ser­vices also had their part. We still have to clar­i­fy to which extent Euro­pean ser­vices also exceed­ed their rights and infringed Euro­pean Union cit­i­zens’ rights in a dis­pro­por­tion­ate way.

    There­fore we need to strength­en cit­i­zens’ abil­i­ty to pro­tect their rights in a dig­i­tized envi­ron­ment and encrypt their emails, for exam­ple. What we don’t need is an ini­tia­tive which is obvi­ous­ly only a PR cam­paign. That’s like say­ing “we’re doing some­thing,” while on the oth­er hand, when you look at the Coun­cil of Min­is­ters’ work on data pro­tec­tion, Ger­many has been delay­ing the process of get­ting the legal frame­work done for months. That’s not very coher­ent. I expect Angela Merkel to let action fol­low her words.

    Why has Ger­many been drag­ging its feet in terms of imple­ment­ing the data pro­tec­tion reform?

    They have had no inter­est in get­ting a Euro­pean data pro­tec­tion frame­work so far — judg­ing by their behav­ior in the coun­cil of min­is­ters so far. That is in stark con­trast to what Merkel said half a year ago: as a reac­tion to Snow­den’s rev­e­la­tions, she made the data pro­tec­tion reform a pri­or­i­ty. I would expect the new Ger­man gov­ern­ment to now be the first to ask for its adop­tion. That’s a pre­con­di­tion if you want Euro­pean cit­i­zens to be able to decide whether they want to give their data to a US com­pa­ny or to a Ger­man or Euro­pean alter­na­tive on the mar­ket. At the moment they don’t have the choice because their data is just processed, and their rights are not enforced here in Europe.

    US-Ger­man rela­tions are at their low­est since the Iraq war. But do you feel that there real­ly is a sense of frus­tra­tion with­in the Ger­man gov­ern­ment about the fact that moves like the no-spy agree­ment have not worked out? Do you real­ly believe that the lat­est pro­pos­als are more than an attempt to deflect every­body’s atten­tion away from the pas­siv­i­ty in the months after this big scan­dal?

    Well, there is no action yet, and Merkel and her gov­ern­ment have made many announce­ments in the past. Whether she real­ly wants to do some­thing depends cru­cial­ly on how she behaves with respect to the data pro­tec­tion reform. It’s the only leg­isla­tive process that would move in the direc­tion of bet­ter pro­tec­tion for Euro­pean and Ger­man cit­i­zens when it comes to their per­son­al data. All the rest is talk. We can only speak of big change if Ger­many and France change their behav­ior in the coun­cil of min­is­ters.

    ...

    Posted by Pterrafractyl | March 1, 2014, 6:22 pm
  8. The EU par­lia­ment just over­whelm­ing­ly backed the new set of data pri­va­cy rules, includ­ing a res­o­lu­tion to sus­pend the “Safe Har­bor” agree­ment with the US and the Ter­ror­ist Finance Track­ing Pro­gram. The Euro­pean Com­mis­sion still needs to approve that res­o­lu­tion (which it has so far resist­ed), and nation­al par­lia­ments still need to approve the pack­age, but it sounds like the new EU data pri­va­cy rules are com­ing into force soon­er or lat­er:

    GigaOm
    Web firms face a strict new set of pri­va­cy rules in Europe — here’s what to expect
    By David Mey­er
    3/12/2014

    Sum­ma­ry:

    The Euro­pean Par­lia­ment has passed the EU’s first major over­haul of data pro­tec­tion leg­is­la­tion since 1995, tak­ing into account today’s online land­scape. Mean­while, par­lia­men­tar­i­ans also approved a res­o­lu­tion call­ing for the sus­pen­sion of a key deal affect­ing U.S. web firms.

    The Euro­pean Par­lia­ment has over­whelm­ing­ly passed a large pack­age of laws intend­ed to strength­en data pro­tec­tion – that’s “pri­va­cy” in non-legalese – across the Euro­pean Union. The next Par­lia­ment will need to take this over after the May elec­tion, and Europe’s gov­ern­ments still need to give their approval through the Euro­pean Coun­cil, but it looks like web firms oper­at­ing in the EU are about to face a very dif­fer­ent reg­u­la­to­ry land­scape.

    This would include much high­er fines for breach­es of data pro­tec­tion law in the EU, the lim­it­ed right for cit­i­zens to demand the era­sure of their per­son­al data, and strict lim­i­ta­tions on what can be done with EU cit­i­zens’ data out­side the union. A sep­a­rate res­o­lu­tion passed on Wednes­day could also lead to dif­fi­cul­ties for U.S. firms in han­dling the per­son­al data of Euro­peans.

    Read on for a com­pre­hen­sive break­down of the impact.

    Reg­u­la­tions, res­o­lu­tions and direc­tives

    The data pro­tec­tion reg­u­la­tion, passed by mem­bers of the Euro­pean Par­lia­ment (MEPs) on Wednes­day by 621 votes to 10 with 22 absten­tions, was pro­posed by Jus­tice Com­mis­sion­er Viviane Red­ing just over two years ago as a way of har­mo­niz­ing data pro­tec­tion law across the 28 mem­ber states. This has been a long road, and one fraught with secre­tive lob­by­ing by Euro­pean and U.S. indus­try, though much of this was unrav­elled in the wake of Edward Snowden’s NSA sur­veil­lance rev­e­la­tions.

    Here’s Reding’s reac­tion to today’s vote:

    “Data pro­tec­tion is made in Europe. Strong data pro­tec­tion rules must be Europe’s trade mark. Fol­low­ing the U.S. data spy­ing scan­dals, data pro­tec­tion is more than ever a com­pet­i­tive advantage…Today’s vote is the strongest sig­nal that it is time to deliv­er this reform for our cit­i­zens and our busi­ness­es.”

    In the same sit­ting, MEPs backed a res­o­lu­tion com­piled by the parliament’s civ­il lib­er­ties com­mit­tee, call­ing for the sus­pen­sion of the Safe Har­bor deal that lets U.S. firms self-cer­ti­fy as being in com­pli­ance with EU pri­va­cy law.

    The resolution, which follows a lengthy inquiry into mass surveillance, also calls for the suspension of the Terrorist Finance Tracking Program, which gives U.S. authorities access to Europeans’ financial records if they ask for them through official channels. MEPs have already voted to do this, as U.S. spies are accessing such data through unofficial channels, but the European Commission — which has the power to suspend TFTP — has so far refused to follow through.

    Here’s what Claude Moraes, who shep­herd­ed the civ­il lib­er­ties res­o­lu­tion, said in a state­ment:

    “The Snow­den rev­e­la­tions gave us a chance to react. I hope we will turn those reac­tions into some­thing pos­i­tive and last­ing into the next man­date of this Par­lia­ment, a data pro­tec­tion bill of rights that we can all be proud of. This is the only inter­na­tion­al inquiry into mass sur­veil­lance. Even Con­gress in the Unit­ed States has not had an inquiry.”

    Although the res­o­lu­tion was passed over­whelm­ing­ly, with 544 votes in favor (78 against, 60 absten­tions), it only rep­re­sents the will of MEPs, while the pow­er to sus­pend Safe Har­bor lies with the Euro­pean Com­mis­sion. How­ev­er, the reg­u­la­tion is a dif­fer­ent mat­ter — if it pass­es its final hur­dles, it will become law across the Euro­pean Union. A third report that was passed on Wednes­day, set­ting out rules for cross-bor­der law enforce­ment data-shar­ing, would cre­ate a direc­tive, mean­ing that mem­ber states can inter­pret it into nation­al law as they see fit.

    ...

    So member states are still going to have the latitude to interpret cross-border law enforcement data-sharing rules as they see fit. This sets the EU up for an interesting dynamic because the new rules also allow for anyone to complain to a data protection authority from any of the EU member states. The choice is up to the citizen so there’s potentially going to be a competitive market amongst EU member states for generous interpretations of data-privacy laws. Could that include a market for shielding data from law enforcement?

    Deutsche Welle
    EU Par­lia­ment approves pri­va­cy pack­age

    The Euro­pean Par­lia­ment has vot­ed on an action plan on the future of data pro­tec­tion in the EU on Wednes­day. After alle­ga­tions of mass sur­veil­lance, the pack­age was passed with a large mar­gin.

    Date 11.03.2014
    Author Nina Haase, Brus­sels
    Edi­tor Ben Knight

    When mem­bers of the Euro­pean Par­lia­ment (EP) click the but­tons of their vot­ing machines at noon local time on Wednes­day (12.03.2014) in Stras­bourg, there will be ten­sion in the air. With­in a few sec­onds, Claude Moraes will know whether the bulk of the last months’ work has been in vain or not. One of the three votes will be on the report which was put togeth­er after a recent par­lia­men­tary inquiry into mass sur­veil­lance, which Moraes was the rap­por­teur of.

    Moraes hopes the report will be approved as part of a pack­age deal togeth­er with a reg­u­la­tion, and a direc­tive on data pro­tec­tion. “The data reg­u­la­tion and the direc­tive are the sin­gle-biggest pieces of leg­is­la­tion the EP has ever passed,” the Labour MEP told Deutsche Welle, “there were 4,000 amend­ments and they deal with some­thing incred­i­bly unique: no inter­na­tion­al or nation­al par­lia­ment has ever tried to get the bal­ance between pri­va­cy and inter­net usage.”

    Reg­u­la­tion will prob­a­bly go through

    The first ele­ment of the pack­age, the reg­u­la­tion, looks set to be approved by MEPs in Stras­bourg. It con­tains cri­te­ria for data pro­cess­ing, such as the neces­si­ty for peo­ple to give their con­sent when their data is processed, as well as more trans­par­ent infor­ma­tion on com­pa­nies’ pri­va­cy terms. The reg­u­la­tion also includes a com­pro­mise on a so-called ‘one-stop-shop’: EU cit­i­zens will be able to seek help from the nation­al data pro­tec­tion author­i­ty of their choice, no mat­ter in which EU coun­try they believe their pri­va­cy rights are being vio­lat­ed. Fur­ther aspects include penal­ties — up to five per­cent of glob­al sales — for com­pa­nies in vio­la­tion of pri­va­cy rules, and strict rules for data exchange process­es with third coun­tries.

    While the like­ly ‘yes’ to the reg­u­la­tion means that MEPs can prob­a­bly soon start nego­ti­at­ing with nation­al gov­ern­ments, the direc­tive may not go through quite as smooth­ly. Con­ser­v­a­tive par­ties in the EP have indi­cat­ed they won’t approve of it. Tim­o­thy Kirk­hope from ECR (Euro­pean Con­ser­v­a­tives and Reformists) wrote in a state­ment that he “can­not sup­port this pro­pos­al as its over­ly pre­scrip­tive nature would pre­vent law enforce­ment offi­cers from car­ry­ing out legit­i­mate inves­ti­ga­tions.”

    The direc­tive sets out rules for data pro­tec­tion rights in the fields of police and the judi­cia­ry. The Euro­pean Coun­cil of min­is­ters has blocked the reform pack­age for more than two years, with Ger­many one of the major oppo­nents of more data pro­tec­tion rights in law enforce­ment.

    EU Par­lia­ment vs mem­ber states

    Moraes was con­cerned that con­ser­v­a­tive MEPs from the EPP, a polit­i­cal group in the EP that includes Angela Merkel’s CDU/CSU, may also abstain from or vote against his inquiry report — which he thinks would fur­ther weak­en the Par­lia­men­t’s nego­ti­at­ing posi­tion in talks with the oth­er big Euro­pean insti­tu­tion, the Coun­cil of nation­al min­is­ters.

    “We want­ed to say to the coun­cil: put this togeth­er quick­ly because you are the ones who are always slow and block­ing the leg­is­la­tion of the cit­i­zens,” he warned. “And then we are sab­o­tag­ing in our own par­lia­ment, and the biggest groups are the ones that are caus­ing the prob­lems.”

    “This com­mit­tee has not been inter­est­ed in find­ing out facts,” Tim­o­thy Kirk­hope from the ECR said in a state­ment. “It has just been the most expen­sive and painstak­ing exer­cise in col­lect­ing togeth­er press cut­tings and alle­ga­tions, and react­ing with lit­tle con­sid­er­a­tion towards the secu­ri­ty chal­lenges we face.”

    A few months ago, it would have been a lot more dif­fi­cult for polit­i­cal par­ties to get away with vot­ing no on a pack­age to improve EU cit­i­zens’ pri­va­cy rights, insid­ers are con­vinced. “The rea­son why we got cred­i­bil­i­ty with the inquiry was to do with tim­ing, many of Snow­den’s alle­ga­tions hap­pened at the same time,” Moraes told DW. “And we were the only insti­tu­tion who were actu­al­ly leg­is­lat­ing on data pro­tec­tion for cit­i­zens at the time of Snow­den’s alle­ga­tions. So we were antic­i­pat­ing the world as Snow­den was por­tray­ing it.”

    ...

    Prag­ma­tism and hypocrisy

    In Ger­many, Snow­den’s rev­e­la­tions have led to an intense pub­lic debate, with mem­bers of the Green par­ty call­ing for Ger­many to offer Snow­den asy­lum. But Luke Hard­ing does­n’t believe Snow­den will be invit­ed by the chan­cel­lor. “Real­is­ti­cal­ly — even though of course Merkel was out­raged by the fact that she was bugged for a decade and prob­a­bly Ger­hard Schröder before that — she is a supreme prag­ma­tist,” he said. “And offer­ing Snow­den asy­lum would cause major dam­age to the transat­lantic part­ner­ship. That’s a bill that she or no oth­er senior Ger­man politi­cian would be pre­pared to pay.”

    Snow­den’s lat­est rev­e­la­tions even sug­gest the NSA pres­sured the Ger­man gov­ern­ment to make cer­tain changes to their laws and to bulk col­lect their cit­i­zens’ data. “So there’s an ele­ment of hypocrisy run­ning through all of this,” said Hard­ing.

    While intel­li­gence ser­vices are the com­pe­tence of nation­al coun­tries, there are many gray areas where EU law is affect­ed. Still, only nation­al par­lia­ments can set the guide­lines for their ser­vices’ activ­i­ties. There­fore, the least the EP can do, said Moraes, is speak with one voice when nego­ti­at­ing with the mem­ber states.

    It sure sounds like the conservative MEPs tend to view the new law as allowing for the restriction of legitimate law enforcement activities which suggests that we should expect a looser interpretation of those data-sharing rules in some countries than others. But could we see the emergence of EU states that embrace extremely tough data-privacy regulations as a national competitive advantage? A sort of Swiss vault for the EU’s citizens and corporations (that can afford the services)? Because it sounds like that could be possible under this new framework. Might Cyprus or Luxembourg become the Switzerland of data-privacy? Or Sweden? It’s kind of a hot market right now:

    Bloomberg
    Switzer­land Shift­ing From Bankers to Bunkers in Data Push
    By Cor­nelius Rahn, Car­olyn Ban­del and Hans Nichols Feb­ru­ary 25, 2014

    The bunker deep in the Swiss Alps an hour’s dri­ve south of Zurich was designed to with­stand nuclear blasts and pro­tect sol­diers from a for­eign inva­sion that nev­er came. Today, it’s used to guard dig­i­tal data.

    As Switzer­land yields to pres­sure from the U.S. and the Euro­pean Union to relax its bank secre­cy rules, it’s repo­si­tion­ing itself as the glob­al vault for online iden­ti­ties. With con­sumers and com­pa­nies upload­ing ever more con­fi­den­tial infor­ma­tion to make online trans­ac­tions, there’s increas­ing demand for ser­vices that keep data out of reach of crim­i­nals and gov­ern­ment spies.

    “This is the future of this country: It’s not to store any more money, it’s actually to store data, which is the next currency,” said Carlos Moreira, founder and chief executive officer of WISeKey SA, which encrypts and stores information in the bunker. “The Swiss respect the privacy of people.”

    In the wake of reports about the extent of gov­ern­ment spy­ing, demand for WISeKey’s ser­vices is grow­ing 300 per­cent every month, he said in a cav­ernous bunker room with a vault­ed con­crete ceil­ing. Mor­eira said he plans to fill the room, the far side of which is bare­ly vis­i­ble in the gloomy dis­tance, with racks upon racks of com­put­ers that could hold the data of as many as 6 mil­lion peo­ple.

    The bunker, near the town of Atting­hausen, was built to be self-sus­tain­ing, draw­ing on moun­tain water and pow­ered by near­by hydro­elec­tric plants. WISeKey has servers in four bunkers across Switzer­land, pro­vid­ing the ser­vice to 2,000 com­pa­nies and 2 mil­lion con­sumers.

    Rock­et­ing Demand

    “It’s a very sen­si­ble move” for Switzer­land, said Rik Turn­er, an ana­lyst at researcher Ovum Ltd. in Lon­don, “to rebrand them­selves as a safe haven for data.”

    Oth­er com­pa­nies are join­ing the effort. SIAG Secure Info­s­tore AG, based in Zug, runs two under­ground data cen­ters, brand­ed “Swiss Fort Knox,” in a joint ven­ture with the gov­ern­ment. Safe Host SA owns a 10,000 square meter data cen­ter near Gene­va and expects to start build­ing a sec­ond one near­by in March.

    A key advan­tage is that “the Swiss have strict data pri­va­cy laws” due to the country’s tra­di­tion as a pri­vate bank­ing cen­ter, said Safe Host CEO Ger­ard Sikias.

    Since for­mer U.S. Nation­al Secu­ri­ty Agency con­trac­tor Edward Snow­den began doc­u­ment­ing the extent of gov­ern­ment sur­veil­lance, WISeKey has seen increas­ing demand in the U.S., Mor­eira said.

    Dig­i­tal Keys

    With a large share of the close­ly-held company’s growth expect­ed to come from the U.S. this year, the CEO plans to list the com­pa­ny on Nas­daq in 2015. A $35 mil­lion financ­ing round in 2011 val­ued the com­pa­ny at $360 mil­lion.

    For the past three years, WISeKey has host­ed par­ties at the World Eco­nom­ic Forum’s annu­al Davos meet­ing to pro­mote the notion that Swiss trust­wor­thi­ness in bank­ing can be repli­cat­ed on the Inter­net.

    WISeKey, with about 180 employ­ees, offers appli­ca­tions that let cus­tomers secure their Web accounts with access codes called dig­i­tal keys that can be hun­dreds of char­ac­ters long. In online bank­ing, cus­tomers share a pub­lic key with banks that are used for autho­riza­tion. But with­out the client’s pri­vate key, stored on his mobile device or com­put­er, the data can­not be decrypt­ed.

    Bunker Maze

    “It’s like a safe in the bank,” Mor­eira said in the maze-like bunker, hun­dreds of meters below the moun­tain­top above. “You need your key and the bank’s to open the safe. We do the same, only dig­i­tal­ly.”

    Mor­eira acknowl­edges that even blast-proof doors can do lit­tle against an attack via the Web. A skilled dig­i­tal intrud­er could man­age to siphon data from the servers to his own com­put­er. And in today’s arms race between hack­ers and secu­ri­ty firms, ever more pow­er­ful com­put­ers will require increas­ing­ly strong encryp­tion, Mor­eira said.

    The keys at Atting­hausen are in turn locked by a so-called root key that sits on a com­put­er, uncon­nect­ed to the Inter­net, in anoth­er bunker near Bern. When­ev­er it needs to be changed to keep decrypters guess­ing, Mor­eira and oth­er exec­u­tives must all be present, bring­ing dif­fer­ent pieces of an authen­ti­ca­tion puz­zle with them.

    “From a pure data cen­ter per­spec­tive it is a bit gim­micky” to place the servers in a bunker, said Steve Wal­lage, man­ag­ing direc­tor of Broad­Group Con­sult­ing, which advis­es clients on data stor­age. But, he said, “some peo­ple might be impressed by that. It is like going to a Swiss bank.”

    ...

    The EU’s data privacy member state market might almost be open for business. What that market is going to look like and what impact it might have on the EU and larger global community is still an open question.

    Posted by Pterrafractyl | March 12, 2014, 9:01 am
  9. The EU parliament has been threatening to derail a US-EU free trade deal if the US doesn’t end mass data collection, but it looks like that threat has been extended to EU national governments too. If EU member states don’t also make steps to restrict surveillance the deal could be off:

    Euro­pean law­mak­ers threat­en US trade veto unless EU tack­les snoop­ing

    Wed Mar 12, 2014 11:08pm IST

    * Law­mak­ers warn could block trade deal unless Brus­sels acts

    * Vote stems from inves­ti­ga­tion into Snow­den spy alle­ga­tions

    * Data pro­tec­tion big issue going into Euro­pean elec­tions

    By John O’Don­nell

    BRUSSELS, March 12 (Reuters) — Euro­pean law­mak­ers put pres­sure on EU coun­tries on Wednes­day to shield cit­i­zens’ pri­va­cy, warn­ing that they could block a trade deal with the Unit­ed States if gov­ern­ments did not take a tougher stance on snoop­ing.

    Con­clud­ing its own inves­ti­ga­tion into leaks from for­mer U.S. data ana­lyst Edward Snow­den over gov­ern­ment spy­ing, an over­whelm­ing major­i­ty of law­mak­ers vot­ed in favour of a res­o­lu­tion warn­ing that the world’s biggest trade deal “could be endan­gered” unless EU coun­tries stopped such sur­veil­lance.

    While the snoop­ing vote was only a sym­bol­ic warn­ing shot, both the Euro­pean Par­lia­ment and U.S. Con­gress must sign off the U.S.-EU free trade deal for it to become law, mean­ing their threats car­ry some weight.

    “It’s not enough to point the fin­ger at the Unit­ed States. Euro­pean states were also involved,” Jan Philipp Albrecht, a Ger­man law­mak­er, told Reuters, refer­ring to the alleged involve­ment of British and oth­er intel­li­gence ser­vices in sur­veil­lance.

    “The mem­ber states must put into place laws that place lim­its on the sur­veil­lance by intel­li­gence agen­cies. We need rules on how they exchange infor­ma­tion.”

    Ten­sion over the issue has been build­ing after par­lia­men­tar­i­ans crit­i­cised Euro­pean lead­ers for what they said was a limp response to alle­ga­tions of U.S. spy­ing.

    Late last year, the Euro­pean Union backed down on threats to sus­pend agree­ments grant­i­ng the Unit­ed States access to Euro­pean data fol­low­ing leaks that Wash­ing­ton had spied on Euro­pean cit­i­zens and EU insti­tu­tions.

    DATA PROTECTION

    The tough stance of the par­lia­ment is unlike­ly to soft­en ahead of Euro­pean elec­tions in May, a vote set to bol­ster the num­ber of law­mak­ers with a more pop­ulist polit­i­cal agen­da.

    The par­lia­ment also vot­ed to back new pri­va­cy rules, anoth­er sym­bol­ic move, this time to renew pres­sure on EU gov­ern­ments to finalise the first revi­sion to Europe’s data laws since 1995.

    This reg­u­la­tion will estab­lish a sin­gle law for data pro­tec­tion across the 28 coun­tries in the Euro­pean Union, replac­ing the cur­rent patch­work of nation­al rules. It may still, how­ev­er, be changed by coun­tries before enter­ing law.

    ...

    Par­lia­ment, in line with the Com­mis­sion’s pro­pos­als, also wants to impose strict rules on how data is shared or trans­ferred to coun­tries out­side the Euro­pean Union.

    For exam­ple, if the Unit­ed States wants access to infor­ma­tion held by Google or Yahoo! about a Euro­pean cit­i­zen in Europe, the firm would have to seek autho­ri­sa­tion from a Euro­pean data author­i­ty first.

    Face­book, Google and oth­er Inter­net-based firms, the vast major­i­ty of them Amer­i­can, have lob­bied against the Com­mis­sion’s pro­pos­al, con­cerned it will lum­ber them with extra costs.

    “Strong data pro­tec­tion rules must be Europe’s trade­mark,” said Viviane Red­ing, the EU’s jus­tice com­mis­sion­er.

    “Fol­low­ing the U.S. data spy­ing scan­dals, data pro­tec­tion is more than ever a com­pet­i­tive advan­tage. Today’s vote is the strongest sig­nal that it is time to deliv­er.”

    Let the com­pe­ti­tion for com­pet­i­tive advan­tage in data-pri­va­cy rules begin! Indi­rect­ly!

    Tiny Lux­em­bourg blocks tax eva­sion law for EU
    By JUERGEN BAETZ, Asso­ci­at­ed Press
    Updat­ed 2:12 pm, Tues­day, March 11, 2014

    BRUSSELS (AP) — Euro­pean Union finance min­is­ters failed once again Tues­day to agree on a sweep­ing new pol­i­cy to fight tax eva­sion because of resis­tance from Lux­em­bourg, a tiny coun­try that long has pros­pered from a secre­tive bank­ing cul­ture.

    EU Tax­a­tion Com­mis­sion­er Algir­das Semeta said their fail­ure was dis­ap­point­ing because, if approved, the leg­is­la­tion propos­ing an EU-wide auto­mat­ic exchange of data on bank deposits would allow gov­ern­ments to “iden­ti­fy and chase up tax evaders.”

    Lux­em­bourg, a duchy of bare­ly 500,000 peo­ple, was able to shelve the leg­is­la­tion for the 28-nation bloc and its 500 mil­lion cit­i­zens because the deci­sion required unan­i­mous approval at Tues­day’s meet­ing in Brus­sels.

    Lux­em­bourg Finance Min­is­ter Pierre Grameg­na said he could not vote in favor and pushed the deci­sion to a sum­mit of EU gov­ern­ment lead­ers next week.

    Lux­em­bourg has insist­ed for years it would sup­port the pro­posed law only if non-EU bank­ing hubs with­in Europe, par­tic­u­lar­ly Switzer­land, also sign up.

    But as the EU’s nego­ti­a­tions with Switzer­land, Liecht­en­stein and three oth­er nations on sign­ing the agree­ment have made progress, Lux­em­bourg has respond­ed with new rea­sons for oppo­si­tion, chiefly the risk that banks out­side Europe would draw deposits away if the con­ti­nen­t’s bank­ing rules are tight­ened too much.

    Ger­man Finance Min­is­ter Wolf­gang Schaeu­ble said he was con­fi­dent that Lux­em­bourg would drop its oppo­si­tion at next week’s sum­mit.

    “We’ve been work­ing on this for such a long time, whether we agree today or in four weeks, that does­n’t kill me either,” he said.

    EU offi­cials say tax fraud and com­pa­nies’ aggres­sive cross-bor­der tax avoid­ance schemes cost the bloc’s gov­ern­ments an esti­mat­ed 1 tril­lion euros ($1.4 tril­lion) a year, mon­ey need­ed in an age of slug­gish growth and high debt across Europe.

    ...

    How might enhanced data-pri­va­cy rules (that will pre­sum­ably be most help­ful to those with the resources to ful­ly exploit them) enhance the attrac­tive­ness of an EU mem­ber for mon­ey-laun­der­ing pur­pos­es? Out with the old ‘Euro­pean Bazaar’, in with the new one?

    Posted by Pterrafractyl | March 13, 2014, 2:06 pm
  10. @Pterrafractyl–

    Good find. The whole web/phone-snooping dynamic very much involves monitoring of illicit money flows by the 1% and allied corporate interests, not to mention crooks.

    This has been large­ly eclipsed.

    Also: note the EU and Ger­many’s behav­ior in the con­text of Ser­pen­t’s Walk.

    If one is to tru­ly remake the past and con­trol “opin­ion-form­ing media”,
    one must gain con­trol of the inter­net.

    I sus­pect that Ger­many’s and Brazil’s ramp­ing up of their IT and inter­net sec­tors is ulti­mate­ly direct­ed at this.

    Best,

    Dave

    Posted by Dave Emory | March 13, 2014, 4:30 pm
  11. With the EU’s his­toric data-pri­va­cy nego­ti­a­tions on track to be final­ized this year the win­dow of oppor­tu­ni­ty to shape the new law is steadi­ly clos­ing, which means we should prob­a­bly expect a lot more reports like this:

    The Wall Street Jour­nal
    Ger­man Com­pa­nies Push for Tough New Data-Pro­tec­tion Rules in Europe
    Rules could check growth of U.S. data min­ing in Europe

    By Archibald Preuschat
    Feb­ru­ary 24, 2015

    BONN—As nego­ti­a­tions over new Euro­pean Union data-pro­tec­tion rules head into their final stretch, Ger­man telecom­mu­ni­ca­tions and Inter­net ser­vice providers are push­ing for tough rules that could roll back the dom­i­nance in Europe of U.S. tech­nol­o­gy com­pa­nies such as Google Inc. and Face­book Inc.

    Euro­pean Com­mis­sion offi­cials say they hope to wrap up talks—which have been con­tin­u­ing for sev­er­al years—by the end of 2015, part of a push to leg­is­late a sin­gle dig­i­tal mar­ket to replace the EU’s cur­rent mix of 28 sep­a­rate state laws on cru­cial issues includ­ing data pro­tec­tion and copy­right.

    But Ger­man com­pa­nies, who feel they have been twice bitten—once by rev­e­la­tions of wide­spread spy­ing by the U.S. Nation­al Secu­ri­ty Agency and again by the grow­ing dom­i­nance of Sil­i­con Val­ley firms—aren’t wait­ing. They are exert­ing heavy pres­sure, both pub­licly and behind-the-scenes, to speed up the talks and make sure the result­ing leg­is­la­tion is in Europe’s favor.

    Companies such as Deutsche Telekom AG, and German Internet service providers United Internet AG and Freenet AG, are taking technical steps on the ground to keep their users’ private communications—emails, phone calls and texts—inside the country. They are stamping their joint encrypted email service products with “Email Made in Germany.”

    Deutsche Telekom says it is talk­ing to Ger­man min­istries that are nego­ti­at­ing the planned reg­u­la­tion with oth­er EU mem­ber states. A spokesman for the Ger­man Fed­er­al Min­istry of Inte­ri­or said it was com­mon prac­tice for pri­vate com­pa­nies to talk to min­istries when the nature of leg­is­la­tion is being deter­mined. The min­istry, which coor­di­nates Germany’s posi­tion on nego­ti­a­tions with the oth­er EU mem­ber states, said final nego­ti­a­tions between the Euro­pean Coun­cil, the EU Par­lia­ment and the com­mis­sion can start by sum­mer, although the spokesman wouldn’t put a time frame on the talks.

    “We are strict­ly against attempts to weak­en the draft for the law,” Claus Ulmer, Deutsche Telekom AG’s head of data pri­va­cy, said in an inter­view. Mr. Ulmer said new data-pro­tec­tion rules are essen­tial to ease con­sumers’ con­cerns. “It is a big risk if peo­ple avoid cloud ser­vices because they are uncer­tain about their pri­va­cy,” he said.

    In Europe, companies that want to transfer people’s personal information abroad—such as customer names, addresses or billing information—have to satisfy a number of regulatory provisions, such as one that requires any subsidiaries or third parties to agree to protect the information from breaches or improper uses. Under new regulations being debated in Europe, companies that violate the data-protection rules could face fines of as much as €100 million ($113 million) or 5% of annual revenue. To answer these concerns, U.S. tech companies such as Apple Inc., Amazon.com Inc. and Salesforce.com Inc. are increasingly positioning their new data centers in Europe.

    That isn’t stop­ping the tough talk from Ger­man ISPs.

    “The data-monop­o­lists Face­book and Google must not expand in the absence of rules. It is unac­cept­able that U.S. firms do data min­ing in Europe while local firms are bound to strict Ger­man pri­va­cy rules,” said Unit­ed Internet’s founder and chief exec­u­tive, Ralph Dom­mer­muth.

    ...

    So it’s pretty clear that Germany’s ISPs are going to be lobbying hard for some sort of rules designed to reduce the European market dominance of US internet giants. And it’s also pretty clear that the implementation of a strict new EU-wide data privacy regime is central to that goal.

    Still, don’t assume that the EU is mere­ly deter­mined to push the US tech giants out of Europe. This is about the world:

    The Wall Street Jour­nal
    Europe Wants the World to Embrace Its Inter­net Rules
    A data-pri­va­cy regime offers toe­hold to advance local tech­nol­o­gy firms around the world

    By Tom Fairless and Stephen Fidler
    Feb. 24, 2015 6:44 p.m. ET

    BRUSSELS—European pol­i­cy mak­ers feel crowd­ed out by the rise of U.S. Inter­net com­pa­nies and are propos­ing a plan to give them­selves a larg­er role: write a new rule book for the Web.

    Now putting fin­ish­ing touch­es on its tough data-pri­va­cy regime, the Euro­pean Union aims to estab­lish a de fac­to stan­dard that com­pa­nies would have to embed to sell prod­ucts in the giant Euro­pean mar­ket.

    Their hope: As rules such as the right to remove Web links to per­son­al infor­ma­tion spread, Euro­pean com­pa­nies would get a leg up in the next era of Inter­net com­merce.

    There are plen­ty of hur­dles. U.S. tech­nol­o­gy firms wor­ry that oth­er regions won’t fol­low the tough EU mod­el, lead­ing to a Balka­nized Inter­net, and some have pushed back against facets. Chi­na, which has more Inter­net users than any oth­er coun­try, is left out of the EU’s lob­by­ing for its data-pri­va­cy rules.

    Still, said Jan Philipp Albrecht, chief nego­tia­tor for the Euro­pean Par­lia­ment on the EU’s new data pro­tec­tion law, “If you can achieve…a stan­dard [glob­al­ly] that is some­how near…your own, then this is an advan­tage.”

    He and oth­ers point to the EU’s suc­cess in export­ing its GSM tech­ni­cal stan­dard for mobile com­mu­ni­ca­tions in the 1990s. That tech­nol­o­gy now is wide­ly used by phone mak­ers in Europe, the U.S. and Chi­na. While there is no inter­na­tion­al orga­ni­za­tion to sub­mit a glob­al stan­dard, offi­cials here hope peo­ple would choose plat­forms that guar­an­tee more pri­va­cy pro­tec­tions.

    “We have a chance to be influ­en­tial around the world,” said Gio­van­ni Buttarel­li, who acts as the EU’s top data-pro­tec­tion watch­dog. A “grow­ing num­ber” of coun­tries includ­ing Japan, are “look­ing at us and are like­ly to fol­low the Euro­pean approach,” he said. EU lob­by­ists say U.S. firms are build­ing new prod­ucts and ser­vices with the rules in mind to avoid reg­u­la­to­ry uncer­tain­ty.

    EU officials are hitting the road to promote the regime. Mr. Buttarelli travels to Washington, D.C., New York and Boston next month to spread the message, and heads to Silicon Valley in the spring to explain the proposed rules to U.S. technology firms, which he said have shown a strong interest in the plans.

    A spokesman for U.S. Trade Rep­re­sen­ta­tive Mike Fro­man said dis­cus­sions between the U.S. and EU on dig­i­tal trade “have been pro­duc­tive. We are con­fi­dent that we will be able to find ways to deep­en respect for pri­va­cy pro­tec­tions on both sides of the Atlantic...”

    While details are being thrashed out in nego­ti­a­tions between indi­vid­ual gov­ern­ments and the Euro­pean Par­lia­ment, the rules could include “enor­mous­ly enhanced” require­ments around the pro­cess­ing of per­son­al data, which would “require re-engi­neer­ing of a lot of data-col­lec­tion process­es, apps [and] cus­tomer web­sites,” said Emi­ly Jones, a data pri­va­cy lawyer with U.K.-based law firm Osborne Clarke.

    They would require indi­vid­u­als to give their explic­it con­sent before com­pa­nies can use their per­son­al data, putting pres­sure on Inter­net busi­ness­es to build in data pro­tec­tion safe­guards from the start. They will also enshrine a con­tro­ver­sial “right to be for­got­ten” that allows indi­vid­u­als to ask for links to Web pages to be removed.

    The effort is part of a wider EU plan to cre­ate a dig­i­tal sin­gle mar­ket that knits togeth­er the region’s frag­ment­ed online data-pro­tec­tion sys­tems, cre­at­ing a sin­gle stan­dard for online pri­va­cy, copy­right and con­sumer rights. The details of that plan are due to be announced in May by the Euro­pean Com­mis­sion, the EU’s exec­u­tive arm that took office on Nov. 1.

    On Tues­day, Gün­ther Oet­tinger, Germany’s pow­er­ful rep­re­sen­ta­tive to the Euro­pean Com­mis­sion, argued Europe needs stronger safe­guards to counter Google Inc., Face­book Inc., Apple Inc. and oth­er U.S. com­pa­nies offer­ing Inter­net ser­vices and appli­ca­tions.

    “The Amer­i­cans are in the lead, they’ve got the data, the busi­ness mod­els and so the pow­er,” Mr. Oet­tinger said in a hard-hit­ting speech in Brus­sels to pol­i­cy mak­ers and Inter­net com­pa­ny rep­re­sen­ta­tives in which he advo­cat­ed for Euro­pean-wide data reg­u­la­tions.

    “If you use an iPhone, they know all about your cred­it­wor­thi­ness, your shop­ping habits,” he added. “Take car insur­ance. They know the last time you were involved in an acci­dent.”

    Apple declined to com­ment on the remarks.

    James Water­worth, a Brus­sels-based Vice Pres­i­dent for the Com­put­er & Com­mu­ni­ca­tions Indus­try Asso­ci­a­tion, a lob­by group for U.S. Inter­net com­pa­nies includ­ing Google and Face­book, said he was “con­fused” by the remarks. Mr. Oet­tinger, he said, is “a pes­simist who seems to believe the dig­i­tal sin­gle mar­ket should be used as a weapon against ‘for­eign­ers.’ ”

    U.S. tech­nol­o­gy firms broad­ly sup­port cre­at­ing a sin­gle stan­dard across the 28-mem­ber EU but have lob­bied fierce­ly against the new rules. Ear­li­er this month, an advi­so­ry group con­vened by Google backed the company’s deci­sion to apply Europe’s “right to be for­got­ten” rul­ing only in the EU, push­ing back against demands by EU reg­u­la­tors that it apply glob­al­ly.

    ...

    Is the EU’s new data pri­va­cy regime going to go glob­al? That’s the plan. And, yes, you read that right, the EU pushed to get its new “Right to be for­got­ten” law to apply to ALL domains for search engine com­pa­nies like Google and not just EU domains. It’s a reminder that the glob­al­iza­tion of the EU’s data-pri­va­cy rules might not exclu­sive­ly rely on per­sua­sion.

    Still, persuasion is going to be necessary and that means those new data-privacy rules are going to have to be the kind of thing that either voters outside the EU would like to see their governments adopt OR businesses outside the EU. Or both. It’s an interesting conundrum since so much of what consumers like about the proposed rules businesses hate and vice versa. It’s not obvious how to thread that needle.

    Ok, there’s one obvi­ous option: qui­et­ly gut the new data-pri­va­cy laws so that con­sumers think they gained all these new pro­tec­tions but busi­ness­es are still qui­et­ly allowed to pro­ceed with busi­ness (col­lect­ing and sell­ing your data) as usu­al. Maybe that’s what will hap­pen:

    PC World
    EU data pro­tec­tion reform ‘bad­ly bro­ken,’ civ­il lib­er­ty groups warn
    Loek Essers @loekessers

    Mar 3, 2015 6:10 AM

    Leaked doc­u­ments show that the Euro­pean Union’s data pro­tec­tion is on its way to become an emp­ty shell devoid of mean­ing, Euro­pean civ­il rights groups warned Tues­day.

    The EU is busy over­haul­ing its data pro­tec­tion rules, which date back to 1995. The Euro­pean Com­mis­sion and the Euro­pean Par­lia­ment have already agreed on a draft reg­u­la­tion that seeks to mod­ern­ize data pro­tec­tion rules to take new dig­i­tal tech­nolo­gies into account.

    How­ev­er, there is one more leg­isla­tive body that has to sign off on the new rules: the Coun­cil of the EU, which con­sists of nation­al min­is­ters of EU mem­ber states.

    Since the Par­lia­ment approved the draft with minor changes in March last year, the Coun­cil has been busy chang­ing the text. Min­is­ters are expect­ed to agree on how they want to reshape the text by Sum­mer.

    How­ev­er, new leaked doc­u­ments show that the Coun­cil is try­ing to destroy key ele­ments of the orig­i­nal pro­pos­al, Euro­pean dig­i­tal civ­il lib­er­ties group EDRi said. Work­ing with civ­il lib­er­ties groups Access, the Panop­tykon Foun­da­tion and Pri­va­cy Inter­na­tion­al, EDRi pub­lished leaked Coun­cil pro­pos­als to amend the pro­posed data pro­tec­tion reg­u­la­tion on Tues­day.

    Along with the doc­u­ments, the groups pub­lished a side-by-side com­par­i­son of the Parliament’s agreed text with the Council’s pro­posed changes, as well as an analy­sis of the pro­posed changes.

    The exis­tence of the doc­u­ments is no secret: They can be found in the Council’s online doc­u­ment reg­is­ter, but can­not be accessed by the gen­er­al pub­lic.

    Under the pro­pos­als, cru­cial pri­va­cy pro­tec­tions are being dras­ti­cal­ly under­mined by the Coun­cil, EDRi said in a blog post.

    The Coun­cil declined to com­ment on leaked doc­u­ments.

    One of the pro­posed rights affect­ed by the Council’s changes is the right not to be tracked by com­pa­nies online with­out con­sent. The Coun­cil for exam­ple sug­gests that fail­ing to change the default set­tings in a brows­er to pre­vent track­ing, or fail­ing to change the set­tings back, con­sti­tutes con­sent to being tracked and pro­filed online, the groups said.

    What’s more, the Council proposes that data can be processed under a “legitimate interest” exception. This means that consent is not needed if the company feels that they have a legitimate interest in processing personal data, and would allow data to be passed on to third parties. They could then use the same exception to start processing data for reasons that are completely unrelated and incompatible with the original purpose, the groups said.

    The Coun­cil also pro­posed delet­ing an arti­cle impos­ing con­crete oblig­a­tions on how peo­ple and espe­cial­ly chil­dren need to be informed in “con­cise, trans­par­ent, clear and eas­i­ly acces­si­ble poli­cies” about how their per­son­al data is being used, the groups said.

    More­over, coun­tries would be giv­en the right to pro­file cit­i­zens for nation­al secu­ri­ty, defence and pub­lic secu­ri­ty rea­sons as well as for “oth­er impor­tant objec­tives of gen­er­al pub­lic inter­est.” That part of the orig­i­nal text draft­ed by the Com­mis­sion was delet­ed by the Par­lia­ment but rein­tro­duced by the Coun­cil.

    “This is basi­cal­ly pro­vid­ing a blank cheque to gov­ern­ments which, under var­i­ous excus­es, may start to pro­file peo­ple based on their online polit­i­cal activ­i­ties and pre­pare, for exam­ple, black­lists who do not fit with the pro­file of ‘nor­mal’ cit­i­zens,” the groups said.

    Oth­er issues with the pro­pos­als include a plan to let a com­pa­ny deter­mine whether a data breach is of suf­fi­cient­ly high risk to war­rant noti­fy­ing its cus­tomers. This would under­mine people’s pri­va­cy and great­ly reduce incen­tives for com­pa­nies to improve data secu­ri­ty, accord­ing to the groups.

    Mean­while, they say, the Coun­cil is also still try­ing to under­mine the cre­ation of a one-stop data pro­tec­tion shop that could make it sim­pler to resolve transna­tion­al dis­putes involv­ing big com­pa­nies in the EU. The min­is­ters have been backpedal­ing on that pro­pos­al for a while though and have not changed their minds, the leaked docs showed.

    They still want to involve nation­al data pro­tec­tion author­i­ties in every transna­tion­al dis­pute that would have to reach con­sen­sus, adding more bureau­cra­cy and a time con­sum­ing step to a process that is meant to stream­line cur­rent frag­men­ta­tion, the groups said.

    “Unless some­thing is done urgent­ly, the Coun­cil will sim­ply com­plete its agree­ment,” EDRi warned, adding that if the Coun­cil has agreed, only the Par­lia­ment could save the EU’s data pro­tec­tion reform.

    ...

    “What’s more, the Council proposes that data can be processed under a “legitimate interest” exception. This means that consent is not needed if the company feels that they have a legitimate interest in processing personal data, and would allow data to be passed on to third parties.”

    It would be legit­i­mate­ly inter­est­ing to learn what con­sti­tutes a “legit­i­mate inter­est”, but per­haps even more legit­i­mate­ly inter­est­ing is what con­sti­tutes “oth­er impor­tant objec­tives of gen­er­al pub­lic inter­est”:

    More­over, coun­tries would be giv­en the right to pro­file cit­i­zens for nation­al secu­ri­ty, defence and pub­lic secu­ri­ty rea­sons as well as for “oth­er impor­tant objec­tives of gen­er­al pub­lic inter­est.” That part of the orig­i­nal text draft­ed by the Com­mis­sion was delet­ed by the Par­lia­ment but rein­tro­duced by the Coun­cil.

    “This is basi­cal­ly pro­vid­ing a blank cheque to gov­ern­ments which, under var­i­ous excus­es, may start to pro­file peo­ple based on their online polit­i­cal activ­i­ties and pre­pare, for exam­ple, black­lists who do not fit with the pro­file of ‘nor­mal’ cit­i­zens,” the groups said.

    So the “impor­tant objec­tives of gen­er­al pub­lic inter­est” can include some­thing oth­er than “nation­al secu­ri­ty, defense and pub­lic secu­ri­ty rea­sons”, which rais­es the ques­tion of what on earth could the “oth­er impor­tant objec­tives” be that don’t fall under the gen­er­al “nation­al secu­ri­ty, defense and pub­lic secu­ri­ty” umbrel­la? Is the EU about to make up a whole new cat­e­go­ry of jus­ti­fi­ca­tions for cit­i­zen pro­fil­ing? Iron­i­cal­ly, if so, the EU’s new data-pri­va­cy rules are prob­a­bly a lot more like­ly to go glob­al than you might expect.

    Posted by Pterrafractyl | March 5, 2015, 10:29 pm
  12. There was a pretty development in EU-US data privacy arrangement last week. It doesn’t guarantee that the “Safe Harbor” data transfer agreement that allows US firms like Facebook and Google to transfer the personal data of EU residents back to their US operations will be overturned, but it definitely increases the likelihood of exactly that happening:
    A top advis­er to the EU’s top con­sti­tu­tion­al court cit­ed NSA spy­ing as the pri­ma­ry rea­son for his rec­om­men­da­tion that the EU sus­pend “Safe Har­bor”. It’s a non-bind­ing res­o­lu­tion, but his advice is usu­al­ly fol­lowed, so it’s a pre­dic­tive non-bind­ing res­o­lu­tion:

    Bloomberg Busi­ness
    EU‑U.S. Data Shar­ing Deal Can’t Be Trust­ed, Top Court Aide Says

    Advocate General criticizes EU for not suspending EU‑U.S. pact
    U.S. com­pa­nies such as Face­book may face greater scruti­ny

    Stephanie Bodoni
    Sep­tem­ber 23, 2015 — 3:10 AM CDT
    Updat­ed on Sep­tem­ber 23, 2015 — 6:56 AM CDT

    Amer­i­can spies have almost unfet­tered access to infor­ma­tion about Euro­pean users of Face­book Inc. and oth­er social media thanks to an ille­gal trans-Atlantic pact on data-trans­fers, an advis­er to the EU’s top court warned on Wednes­day.

    Secret U.S. orders forc­ing tech­nol­o­gy com­pa­nies to hand over per­son­al data linked to EU cit­i­zens can’t con­tin­ue under an “invalid” data-trans­fer accord struck 15 years ago, Advo­cate Gen­er­al Yves Bot of the Lux­em­bourg-based tri­bunal said in a non-bind­ing opin­ion. The EU court fol­lows such advice in a major­i­ty of cas­es.

    EU cit­i­zens “who are Face­book users are not informed that their per­son­al data will be gen­er­al­ly acces­si­ble to the Unit­ed States secu­ri­ty agen­cies,” said Bot. Nation­al data pri­va­cy watch­dogs have the pow­er, “where appro­pri­ate,” to sus­pend the trans­fer of such data to servers locat­ed in the U.S., includ­ing in the case con­cern­ing the data of Euro­pean Face­book users, he said.

    Unwar­rant­ed Inter­fer­ence

    The EU Court of Jus­tice should scrap the 2000 Safe Har­bor deci­sion because it doesn’t pro­tect cit­i­zens from the 28-nation bloc enough from an “unwar­rant­ed inter­fer­ence” with their rights and a “large-scale col­lec­tion of per­son­al data,” he said.

    The EU‑U.S. data-shar­ing accord gives U.S. intel­li­gence ser­vices “wide-rang­ing” access to EU cit­i­zens’ data that “must be con­sid­ered to be par­tic­u­lar­ly seri­ous, giv­en the large num­ber of users con­cerned and the quan­ti­ties of data trans­ferred,” said Bot.

    Those fac­tors and “the secret nature” of the U.S. agen­cies’ access to such data via the servers of com­pa­nies based in the U.S. “make the inter­fer­ence extreme­ly seri­ous.”

    The EU’s top court has been weigh­ing the valid­i­ty of the data-shar­ing accord fol­low­ing rev­e­la­tions by for­mer Nation­al Secu­ri­ty Agency con­trac­tor Edward Snow­den about U.S. gov­ern­ment sur­veil­lance activ­i­ties and mass data col­lec­tion. An Irish judge last year called on the EU’s tri­bunal to decide whether the deal still pro­tects pri­va­cy and whether nation­al reg­u­la­tors have the pow­er to sus­pend ille­gal data flows from the EU to the U.S.

    Too Lax

    Bot crit­i­cized the Euro­pean Com­mis­sion for hav­ing nei­ther “sus­pend­ed nor adapt­ed” the deci­sion even though “it was aware of short­com­ings” all along. The com­mis­sion has been in nego­ti­a­tions with the U.S. for two years in a bid to address its con­cerns with the Safe Har­bor deci­sion of too lax shar­ing of people’s per­son­al data.

    The Brus­sels-based EU exec­u­tive arm said it “has been work­ing tire­less­ly with the U.S. on the final details of a deal in the last weeks and we are con­fi­dent that we can reach a pos­i­tive con­clu­sion soon,” accord­ing to an e‑mailed state­ment Wednes­day.

    Aus­tri­an pri­va­cy activist Max Schrems trig­gered the case with a com­plaint he filed against Face­book with the pri­va­cy watch­dog in Ire­land, where the U.S. social net­work com­pa­ny has its Euro­pean base. He alleged that Facebook’s Irish unit ille­gal­ly hand­ed over data to U.S. spies. Schrems had pre­vi­ous­ly filed 22 com­plaints against the Men­lo Park, Cal­i­for­nia-based com­pa­ny.

    ...

    NSA Sur­veil­lance

    If fol­lowed by the court, it would mean that Facebook’s Euro­pean branch in Ire­land “would be barred from pro­cess­ing its data in the U.S., but would have to process its data in a place where those data are not sub­ject to NSA mass-sur­veil­lance,” Her­wig Hof­mann, a lawyer rep­re­sent­ing Schrems, told reporters at the EU court today. All U.S. com­pa­nies would have to fol­low the same rules, he said.

    Face­book “oper­ates in com­pli­ance with EU Data Pro­tec­tion law. Like the thou­sands of oth­er com­pa­nies who oper­ate data trans­fers across the Atlantic we await the full judg­ment,” said spokes­woman Sal­ly Aldous.

    “We have repeat­ed­ly said that we do not pro­vide ‘back­door’ access to Face­book servers and data to intel­li­gence agen­cies or gov­ern­ments,” she said.

    All U.S. com­pa­nies that are cer­ti­fied under Safe Har­bor — there are more than 4,000 such com­pa­nies — will be affect­ed by the EU court’s deci­sion, which should fol­low in the next four to six months.

    DigitalEurope, a trade group that represents companies such as Apple Inc., Google Inc. and Microsoft Corp., said it is “concerned about the potential disruption to international data flows if the court follows today’s opinion,” according to a statement by John Higgins, its director general.

    “If the safe har­bor sys­tem is gone, it is very like­ly that the data pro­tec­tion author­i­ties in the 28 EU mem­ber states will not allow data trans­fers to U.S. com­pa­nies that are sub­ject to mass sur­veil­lance laws,” said Schrems in an e‑mailed state­ment. “This may have major com­mer­cial down­sides for the U.S. tech indus­try.”

    ...

    Note that this rec­om­men­da­tion appears to be com­ing at a time when the EU and US have been attempt­ing to final­ize a deal for over­haul­ing the exist­ing Safe Har­bor agree­ment:

    ...
    Bot crit­i­cized the Euro­pean Com­mis­sion for hav­ing nei­ther “sus­pend­ed nor adapt­ed” the deci­sion even though “it was aware of short­com­ings” all along. The com­mis­sion has been in nego­ti­a­tions with the U.S. for two years in a bid to address its con­cerns with the Safe Har­bor deci­sion of too lax shar­ing of people’s per­son­al data.

    The Brus­sels-based EU exec­u­tive arm said it “has been work­ing tire­less­ly with the U.S. on the final details of a deal in the last weeks and we are con­fi­dent that we can reach a pos­i­tive con­clu­sion soon,” accord­ing to an e‑mailed state­ment Wednes­day.
    ...

    But also note that the particular deal the US and EU were attempting to finalize in recent weeks wasn’t the deal over a new Safe Harbor agreement, although closely related. It was a security/terrorism data-sharing agreement that places new limits on US access to EU citizen data and opens US courts up to lawsuits by EU citizens if they feel their privacy rights have been violated and is predicated on Congress passing some additional data-privacy laws:

    The Wall Street Jour­nal
    EU‑U.S. Agree­ment on Per­son­al-Data Pro­tec­tions Reached
    Pact should pro­mote expand­ed data shar­ing in coun­tert­er­ror­ism probes
    By Julian E. Barnes
    Sept. 8, 2015 4:20 p.m. ET

    BRUSSELS—U.S. and Euro­pean Union offi­cials have reached agree­ment on a set of pro­tec­tions for per­son­al data, which should allow for expand­ed data shar­ing in coun­tert­er­ror­ism inves­ti­ga­tions.

    The deal is con­tin­gent on the U.S. Con­gress pass­ing a law to allow cit­i­zens of EU coun­tries to sue in U.S. courts if they feel their pri­va­cy rights have been vio­lat­ed.

    EU Jus­tice Com­mis­sion­er Vera Jourová said the agree­ment will guar­an­tee a “high lev­el of pro­tec­tion” for per­son­al data exchanged between Amer­i­can and Euro­pean inves­ti­ga­tors.

    “The final­iza­tion of the Umbrel­la Agree­ment nego­ti­a­tions is there­fore an impor­tant step to strength­en the fun­da­men­tal right to pri­va­cy effec­tive­ly and to rebuild trust in EU‑U.S. data flows,” she said in a state­ment.

    Coun­tert­er­ror­ism coop­er­a­tion and data shar­ing between the U.S. and Europe came under intense scruti­ny in the wake of the release of Nation­al Secu­ri­ty Agency doc­u­ments by for­mer NSA con­trac­tor Edward Snow­den.

    EU offi­cials said that the agree­ment will lim­it data for the pur­pose of pre­vent­ing, inves­ti­gat­ing or pros­e­cut­ing crim­i­nal offens­es. It will also put lim­its on the abil­i­ty of the U.S., or a Euro­pean coun­try, from pass­ing the shared data to a third coun­try.

    U.S. offi­cials didn’t imme­di­ate­ly com­ment.

    Under the agree­ment, the U.S. will have to pub­lish how long it will con­fi­den­tial­ly hold per­son­al data. It pro­hibits them from being retained indef­i­nite­ly. The agree­ment says that EU and U.S. will need to cre­ate a mech­a­nism if a data breach expos­es per­son­al data.

    Rep. Jim Sensen­bren­ner (R., Wis.), one of the archi­tects of the orig­i­nal Patri­ot Act, intro­duced in March a mea­sure called the Judi­cial Redress Bill giv­ing cit­i­zens of U.S. allies the right to sue in Amer­i­can courts over pri­va­cy breach­es, the key demand of Euro­pean nego­tia­tors.

    Mr. Sensen­bren­ner said the agree­ment was a step for­ward for “inter­na­tion­al safe­ty and pros­per­i­ty.” He said he was opti­mistic that his bill, which has received bipar­ti­san sup­port, would be brought to a vote in Con­gress.

    Pass­ing the law, he said, “remains a crit­i­cal piece in our part­ner­ship with the Euro­pean Union and is crit­i­cal to ensure con­tin­ued shar­ing of law-enforce­ment intel­li­gence.”

    The agree­ment is sep­a­rate from oth­er ongo­ing talks between the U.S. and the EU to update a pact used by Google and oth­er U.S. com­pa­nies that allows them to trans­fer per­son­al data to U.S.-based servers.

    The nego­ti­a­tions over the so-called Safe Har­bor agree­ment have hit road blocks over data-col­lec­tion prac­tices by U.S. secu­ri­ty ser­vices, but Ms. Jourová on Tues­day reit­er­at­ed that a deal was impend­ing.

    So the US and EU agree to expand gov­ern­ment-to-gov­ern­ment data shar­ing on cit­i­zens, but in exchange for greater inter­nal and legal safe­guards. This seems like the kind of devel­op­ment that should be a rather big deal in the post-Snow­den era. Then again, it’s all con­tin­gent on the US Con­gress pass­ing Mr. Sensen­bren­ner’s bill that allows EU cit­i­zens to sue in US courts if they feel their pri­va­cy rights have been vio­lat­ed, so maybe this deal is assumed to be most­ly sym­bol­ic:

    ...

    The deal is con­tin­gent on the U.S. Con­gress pass­ing a law to allow cit­i­zens of EU coun­tries to sue in U.S. courts if they feel their pri­va­cy rights have been vio­lat­ed.

    ...

    Rep. Jim Sensen­bren­ner (R., Wis.), one of the archi­tects of the orig­i­nal Patri­ot Act, intro­duced in March a mea­sure called the Judi­cial Redress Bill giv­ing cit­i­zens of U.S. allies the right to sue in Amer­i­can courts over pri­va­cy breach­es, the key demand of Euro­pean nego­tia­tors.

    Mr. Sensen­bren­ner said the agree­ment was a step for­ward for “inter­na­tion­al safe­ty and pros­per­i­ty.” He said he was opti­mistic that his bill, which has received bipar­ti­san sup­port, would be brought to a vote in Con­gress.

    Pass­ing the law, he said, “remains a crit­i­cal piece in our part­ner­ship with the Euro­pean Union and is crit­i­cal to ensure con­tin­ued shar­ing of law-enforce­ment intel­li­gence.”

    The agree­ment is sep­a­rate from oth­er ongo­ing talks between the U.S. and the EU to update a pact used by Google and oth­er U.S. com­pa­nies that allows them to trans­fer per­son­al data to U.S.-based servers.

    The nego­ti­a­tions over the so-called Safe Har­bor agree­ment have hit road blocks over data-col­lec­tion prac­tices by U.S. secu­ri­ty ser­vices, but Ms. Jourová on Tues­day reit­er­at­ed that a deal was impend­ing.
    ...

    Keep in mind that this agree­ment was worked out before John Boehn­er resigned as Speak­er of the US House and poten­tial­ly hand­ed the keys to the Con­gres­sion­al car to the extra crazy wing of the extra crazy par­ty. So it’s not real­ly clear what to expect in terms of the pas­sage of the bill by Con­gress as required by the deal going into an elec­tion year.

    But if that bill isn’t passed, Safe Harbor might actually get repealed, which could create a massive headache for at least parts of the US tech sector operating in Europe. The large companies like Facebook and Google may not care very much since the giants already have EU-based data warehouses and operations. But for the tiny US firms with limited resources operating in the EU, the repeal of Safe Harbor may not be very fun. And the passage, or refusal to pass, by a GOP-controlled Congress of the Judicial Redress Bill could be about exactly one of those factors that determines whether or not Safe Harbor gets repealed.

    So it’s very that the repeal of Safe Har­bor is up to the yet to be deter­mined GOP House lead­er­ship to shep­herd the pas­sage of the Judi­cial Redress Bill. The yet to be deter­mined GOP House lead­er­ship.

    But it’s also worth keeping in mind that the EU parliament has to pass the agreement too. And there is no shortage of questions about what the “Umbrella agreement” actually means, in part because it’s still not known if the EU’s future data privacy laws that have yet to be worked out (the “future data protection directives” referred to below) will take precedence over the “Umbrella agreement”. So even when you ignore the institutionalized madness that has gripped the US congress, there’s going to be no shortage of questions from the EU too:

    The Reg­is­ter
    In EU-US data shar­ing we trust – but can we have that in writ­ing, say MEPs
    Signs of split between EU appa­ratchiks and elect­ed reps

    16 Sep 2015 at 14:33, Jen­nifer Bak­er

    Euro­pean law­mak­ers won’t blind­ly accept an EU-US agree­ment on new data shar­ing laws with­out impor­tant legal ques­tions being answered and fine print being read, accord­ing to sev­er­al promi­nent MEPs.

    After four years of talks, the EU and the US reached a “gentleman’s agree­ment” on data shar­ing for law enforce­ment last week.

    On Tues­day evening, the so-called Umbrel­la Agree­ment was pre­sent­ed to the Euro­pean Parliament’s civ­il lib­er­ties com­mit­tee by Paraske­vi Michou, act­ing direc­tor gen­er­al of the EU Commission’s jus­tice depart­ment, which led nego­ti­a­tions from the east of the Atlantic.

    ...

    Despite the com­mis­sion pre­sent­ing the agree­ment as a done deal, it will not take effect until it is approved by the Euro­pean Par­lia­ment and a Judi­cial Redress Bill has been signed by the US Con­gress.

    This bill would put Euro­peans on a lev­el foot­ing with Amer­i­cans in the US; US cit­i­zens already have data pro­tec­tion rights in Europe.

    Although the deal would give EU cit­i­zens the same rights as Amer­i­cans to seek judi­cial redress before US courts if US author­i­ties deny access to, or rec­ti­fi­ca­tion of, their per­son­al data, those rights are not absolute. Cer­tain types of data are exempt.

    Michou was nonethe­less buoy­ant, say­ing that the agree­ment goes even fur­ther than the antic­i­pat­ed EU Data Pro­tec­tion Direc­tive.

    “This is a step for­ward so safe­guards do not have to be rene­go­ti­at­ed from scratch every time,” she said, urg­ing MEPs to “use your con­tacts in Con­gress to insist on the pass­ing of the judi­cial redress bill, as it is essen­tial to improve law enforce­ment coop­er­a­tion.”

    How­ev­er, although wel­com­ing the move towards greater data pro­tec­tion, Green MEP Jan Philipp Albrecht said he would like the text of the agree­ment to be exam­ined by the parliament’s own legal depart­ment.

    “Judi­cial address is a huge step for­ward. Most of our demands in the text of this agree­ment are met, but with two pre­con­di­tions,” he said.

    The first is the judi­cial redress bill. The sec­ond, in Albrecht’s view, is that the agree­ment “should not com­pro­mise the exist­ing leg­is­la­tion on data pro­tec­tion that we have in the EU. The commission’s view is that it would not, but I think as par­lia­men­tar­i­ans we should ask our own legal ser­vice to assess this”.

    Dutch MEP Sophie in ’t Veld (ALDE) was also in favour of hav­ing the lawyers look at the small print, as she appeared to dis­agree with Michou’s asser­tion that the deal would go fur­ther than the EU’s own data pro­tec­tion pro­pos­als.

    “I think we need a lit­tle more time to look at the text in detail,” she said. “It is not just me; it is also the cit­i­zens of Europe who are enti­tled to know the sta­tus of this doc­u­ment. The pro­tec­tions are low­er than the EU rules that we hope to adopt.”

    “But if it’s true that this only fills the gaps between the data pro­tec­tion direc­tive and Mutu­al Legal Assis­tance Treaties, then that is good,” she added.

    “I want to be sure before we vote on this, that this agree­ment will nev­er over­ride the future data pro­tec­tion direc­tive. As a cit­i­zen if I have a com­plaint, I want to know which agree­ment takes prece­dence?” added in ’t Veld.

    German EPP MEP Axel Voss, not normally on exactly the same page as Albrecht and in ’t Veld, also wants the agreement subjected to scrutiny. “I have nothing against the legal services, but it might be useful to get ideas from the court ahead of time,” he said.

    Final­ly, Ger­man MEP Cor­nelia Ernst (Nordic Green Left) want­ed to know: “What hap­pens in the case of a non-US or non-EU cit­i­zen who lives here in Europe?”
    The timetable for the agree­ment is still hazy and depen­dent on a lot of bill­able hours for the lawyers. Offi­cial­ly, nego­tia­tors are say­ing it has been agreed, but not yet “inked”. The commission’s “break­through” may turn out to be noth­ing of the sort.

    “This bill would put Euro­peans on a lev­el foot­ing with Amer­i­cans in the US; US cit­i­zens already have data pro­tec­tion rights in Europe.”
    That’s something worth keeping in mind: US citizens already enjoy the protections the EU citizens will receive if the “Umbrella agreement” is implemented.
    And then there’s the additional question of whether or not the yet to be finalized EU data privacy directives will take precedence:

    ...
    “I want to be sure before we vote on this, that this agree­ment will nev­er over­ride the future data pro­tec­tion direc­tive. As a cit­i­zen if I have a com­plaint, I want to know which agree­ment takes prece­dence?” added in ’t Veld.
    ...

    So there could be some significant legal barriers to US spying on EU citizens coming up, which is especially notable since the “Five Eyes” is presumably doing much of the domestic spying, as a proxy, for the “Nine Eyes” and “Fourteen Eyes”, which include a lot of the EU.

    So the in-housing of EU domestic spying operations could be something to keep an eye on if there’s a shakeup in how the US and EU divide up their spying labor and share the results. We’ll see what happens but it’s looking like a number of new data centers are probably about to be built in Europe. Filled with domestic data. Delicious domestic data.

    In oth­er news...

    Posted by Pterrafractyl | September 29, 2015, 10:49 pm
  13. It looks like it’s time to say “so long” to Safe Har­bour

    Reuters
    Europe‑U.S. data trans­fer deal used by thou­sands of firms is ruled invalid
    BRUSSELS | By Julia Fioret­ti

    Tue Oct 6, 2015 11:37am EDT

    The EU’s high­est court struck down a deal that allows thou­sands of com­pa­nies to eas­i­ly trans­fer data from Europe to the Unit­ed States, in a land­mark rul­ing on Tues­day that fol­lows rev­e­la­tions of mass U.S. gov­ern­ment snoop­ing.

    Many com­pa­nies, par­tic­u­lar­ly tech firms, use the Safe Har­bour sys­tem to help them get round cum­ber­some checks to trans­fer data between offices on both sides of the Atlantic, includ­ing pay­roll and human resources infor­ma­tion as well as lucra­tive data used for online adver­tis­ing.

    But the deci­sion by the Court of Jus­tice of the Euro­pean Union (ECJ) sounds the death knell for the sys­tem, set up by the Euro­pean Com­mis­sion 15 years ago and used by over 4,000 firms includ­ing IBM (IBM.N), Google (GOOGL.O) and Eric­s­son (ERICb.ST).

    The court said Safe Har­bour did not suf­fi­cient­ly pro­tect EU cit­i­zens’ per­son­al data as Amer­i­can com­pa­nies were “bound to dis­re­gard, with­out lim­i­ta­tion” the pri­va­cy safe­guards where they come into con­flict with the nation­al secu­ri­ty, pub­lic inter­est and law enforce­ment require­ments of the Unit­ed States.

    In addi­tion, EU cit­i­zens have no means of legal recourse against the stor­age or mis­use of their data in the Unit­ed States, the court said. A bill is cur­rent­ly wind­ing its way through the U.S. Con­gress to give Euro­peans the right to legal redress.

    The ECJ cit­ed U.S. sur­veil­lance and author­i­ties’ access to data as a rea­son behind its rul­ing. In its sum­ma­ry of the case it referred to rev­e­la­tions from for­mer Nation­al Secu­ri­ty Agency con­trac­tor Edward Snow­den, which includ­ed that the Prism pro­gramme allowed U.S. author­i­ties to har­vest pri­vate infor­ma­tion direct­ly from big tech com­pa­nies such as Apple (AAPL.O), Face­book (FB.O) and Google.

    The Euro­pean Com­mis­sion said it would con­tin­ue to work with the Unit­ed States on a revamped data trans­fer deal that could fill the void left by the rul­ing on Safe Har­bour, which came into effect imme­di­ate­ly.

    “In the light of the rul­ing, we will con­tin­ue this work towards a new and safe frame­work for the trans­fer of per­son­al data across the Atlantic,” Com­mis­sion Vice Pres­i­dent Frans Tim­mer­mans told a news con­fer­ence.

    With­out Safe Har­bour, com­pa­nies will be forced to draw up con­tracts estab­lish­ing pri­va­cy pro­tec­tions between groups or seek approval from data pro­tec­tion author­i­ties for infor­ma­tion trans­fers to coun­tries the EU deems to have low­er pri­va­cy stan­dards, includ­ing the Unit­ed States.

    “The EU’s high­est court has pulled the rug under the feet of thou­sands of com­pa­nies that have been rely­ing on Safe Har­bour,” said Moni­ka Kuschewsky, spe­cial coun­sel at law firm Cov­ing­ton. “All these com­pa­nies are now forced to find an alter­na­tive mech­a­nism for their data trans­fers to the U.S.”

    The Com­mis­sion said it would issue guid­ance to nation­al data pro­tec­tion author­i­ties to ensure a coor­di­nat­ed approach in deal­ing with data trans­fer requests to the Unit­ed States.

    The group of EU data pro­tec­tion author­i­ties, known as the Arti­cle 29 Work­ing Par­ty, said it would hold dis­cus­sions this week to “deter­mine the con­se­quences on trans­fers” of data and sched­ule an extra­or­di­nary meet­ing short­ly.

    How­ev­er, lawyers said most multi­na­tion­als would prob­a­bly be able to con­tin­ue with busi­ness as usu­al as they already had alter­na­tive legal chan­nels for trans­fer­ring data to the Unit­ed States.

    ‘UNCERTAINTY FOR FIRMS’

    The court case stemmed from a com­plaint by Aus­tri­an law stu­dent Max Schrems, who chal­lenged Face­book’s trans­fers of Euro­pean users’ data to its Amer­i­can servers because of the risk of U.S. snoop­ing, in light of Snow­den’s rev­e­la­tions in 2013.

    The Euro­pean Com­mis­sion sep­a­rate­ly demand­ed a review of Safe Har­bour to ensure that U.S. author­i­ties’ access to Euro­peans’ data would be pro­por­tion­ate and lim­it­ed to what is absolute­ly nec­es­sary.

    Wash­ing­ton and Brus­sels have been in talks for two years to strength­en Safe Har­bour in a way that could allay Europe’s pri­va­cy con­cerns, and Tues­day’s judge­ment heaps pres­sure on the Com­mis­sion to accel­er­ate the talks.

    “The Court put pret­ty high stan­dards on a new Safe Har­bour,” Kuschewsky said.

    Chris­t­ian Borggreen, direc­tor at the Com­put­er & Com­mu­ni­ca­tions Indus­try Asso­ci­a­tion, whose mem­bers include Google, Face­book and Ama­zon (AMZN.O), said the rul­ing would hit small and medi­um-sized busi­ness­es most.

    Schrems filed his com­plaint to the Irish Data Pro­tec­tion Com­mis­sion­er, as Face­book has its Euro­pean head­quar­ters in Ire­land. The case even­tu­al­ly wound its way up to the Lux­em­bourg-based ECJ, which was asked to rule on whether nation­al data pri­va­cy watch­dogs could uni­lat­er­al­ly sus­pend the Safe Har­bour frame­work if they had con­cerns about U.S. pri­va­cy safe­guards.

    “The judg­ment makes it clear that U.S. busi­ness­es can­not sim­ply aid U.S. espi­onage efforts in vio­la­tion of Euro­pean fun­da­men­tal rights,” said 28-year-old Schrems.

    ...

    Well that should teach US tech giants that are actu­al­ly col­lect­ing the bulk of EU cit­i­zen pri­vate data a les­son:

    ...
    The group of EU data pro­tec­tion author­i­ties, known as the Arti­cle 29 Work­ing Par­ty, said it would hold dis­cus­sions this week to “deter­mine the con­se­quences on trans­fers” of data and sched­ule an extra­or­di­nary meet­ing short­ly.

    How­ev­er, lawyers said most multi­na­tion­als would prob­a­bly be able to con­tin­ue with busi­ness as usu­al as they already had alter­na­tive legal chan­nels for trans­fer­ring data to the Unit­ed States.
    ...

    So now we get to not only find out what, if any, agreement replaces Safe Harbour but also what individual EU governments that were outsourcing their domestic spying to the NSA are going to do now, which may not be obvious because new methods used by governments for domestic surveillance aren’t necessarily discussed in the daily news. Although sometimes they are:

    Truth-Out
    France’s Gov­ern­ment Aims to Give Itself — and the NSA — Carte Blanche to Spy on the World

    Sun­day, 04 Octo­ber 2015 00:00 By Dan­ny O’Brien, Elec­tron­ic Fron­tier Foun­da­tion | Op-Ed

    The Unit­ed States makes an improp­er divi­sion between sur­veil­lance con­duct­ed on res­i­dents of the Unit­ed States and the sur­veil­lance that is con­duct­ed with almost no restraint upon the rest of the world. This dou­ble stan­dard has proved poi­so­nous to the rights of Amer­i­cans and non-Amer­i­cans alike. In the­o­ry, Amer­i­cans enjoy bet­ter pro­tec­tions. In prac­tice there are no mag­i­cal sets of servers and Inter­net con­nec­tions that car­ry only Amer­i­can con­ver­sa­tions. To vio­late the pri­va­cy of every­one else in the world, the U.S. inevitably scoops up its own cit­i­zens’ data. Estab­lish­ing nation­al­i­ty as a basis for dis­crim­i­na­tion also encour­ages intel­li­gence agen­cies to make the obvi­ous end-run: spy­ing on each oth­er’s cit­i­zens, and then shar­ing that data. Treat­ing two sets of inno­cent tar­gets dif­fer­ent­ly is already a vio­la­tion of inter­na­tion­al human rights law. In real­i­ty, it reduces every­one to the same, low­er stan­dard.

    Now France’s government is about to make the same error as US practice with its new “Surveillance des communications électroniques internationales” bill, currently being rushed through the French Parliament. As an open letter led by France’s La Quadrature du Net and signed by over thirty civil society groups including EFF, states, France’s legislators must reject this bill to protect the rights of individuals everywhere, including those in France.

    By legal­iz­ing France’s own plans to spy on the rest of the world, France would take a step to estab­lish­ing the NSA mod­el as an accept­able glob­al norm. Pass­ing the law would under­mine France’s already weak sur­veil­lance pro­tec­tions for its own cit­i­zens, includ­ing lawyers, jour­nal­ists and judges. And it would make chal­leng­ing the NSA’s prac­tices far more dif­fi­cult for France and oth­er states.

    The new bill comes as a result of France’s Con­sti­tu­tion­al Coun­cil review of the coun­try’s last mass sur­veil­lance bill, which passed with lit­tle par­lia­men­tary oppo­si­tion in July. The Coun­cil passed most of that bill on the basis of its minor con­ces­sions to over­sight and pro­por­tion­al­i­ty, but reject­ed the sec­tions on inter­na­tion­al sur­veil­lance, which con­tained no lim­its to what France might do.

    France already spies on the world. In July, the French news magazine L’Obs revealed a secret decree dating from at least 2008, which funded a French intelligence service project to intercept and analyze international data traffic passing through submarine cable intercepts. The decree authorized the interception of cable traffic from 40 countries including Algeria, Morocco, Tunisia, Iraq, Syria, Sub-Saharan Africa, Russia, China, India and the United States. The report states that France’s intelligence agency, the General Directorate for External Security (DGCE), spent $775 million on the project.

    Giv­en that the Con­sti­tu­tion­al Coun­cil implied that such prac­tices are almost cer­tain­ly unlaw­ful as is, the French gov­ern­ment has now scram­bled to cre­ate a frame­work that could excuse it.

    Under the new pro­posed law, France’s intel­li­gence agen­cies still have an incred­i­bly broad remit. The law con­cen­trates the pow­er to grant wide-rang­ing sur­veil­lance per­mis­sion in the office of the Prime Min­is­ter, who can sign off on mass sur­veil­lance of com­mu­ni­ca­tions sent or received from over­seas. Such sur­veil­lance can be con­duct­ed when in the “essen­tial inter­ests of for­eign pol­i­cy” or “[the] essen­tial eco­nom­ic and sci­en­tif­ic inter­ests of France”, giv­ing the exec­u­tive the widest pos­si­ble scope to con­duct sur­veil­lance.

    The orig­i­nal sur­veil­lance law includ­ed lim­its on data reten­tion when spy­ing on French nation­als (30 days for the con­tent of com­mu­ni­ca­tions, four years for meta­da­ta, six years for encrypt­ed data). The new inter­na­tion­al lim­its are much longer — one year, six years, and eight years respec­tive­ly. The law’s authors do not jus­ti­fy this longer peri­od, nor do they explain how the intel­li­gence agen­cies will be able to sep­a­rate data from each class of tar­get with­out col­lect­ing, ana­lyz­ing and fil­ter­ing them all.

    The col­laps­ing divide between the law­ful, war­rant­ed sur­veil­lance of ordi­nary cit­i­zens, and the wide-rang­ing capa­bil­i­ties of the intel­li­gence ser­vices to col­lect sig­nals intel­li­gence on for­eign pow­ers and agents, has end­ed up cor­rod­ing both domes­tic and glob­al pri­va­cy rights. The U.S. has tak­en advan­tage of the less­er pro­tec­tions for non‑U.S. per­sons to intro­duce the drag­net sur­veil­lance of every­one who uses the Inter­net out­side the U.S. Because unpro­tect­ed for­eign­ers’ data is mixed up with some­what more pro­tect­ed com­mu­ni­ca­tions of Amer­i­cans, the U.S. gov­ern­ment believes that it can “inci­den­tal­ly” scoop up its own cit­i­zens’ data, and sort it out lat­er under nobody’s over­sight but its own.

    If the French Par­lia­ment pass­es this bill, it will mean that France has decid­ed to embody and excuse the same prac­tices as the NSA in its own law. It is a short-sight­ed attempt to cov­er France’s exist­ing secret prac­tices, but the con­se­quences are far-reach­ing. The lim­it­ed pro­tec­tions that were includ­ed in the orig­i­nal sur­veil­lance bill — includ­ing assur­ances that French jour­nal­ists, judges and lawyers would be pro­tect­ed from drag­net sur­veil­lance — will be under­mined by their inevitable inclu­sion in the vac­u­um­ing up of all inter­na­tion­al traf­fic.

    Any attempt by the EU coun­tries to rein back the NSA’s sur­veil­lance plan by calls for the Unit­ed States to respect data pro­tec­tion prin­ci­ples, and data pro­tec­tion prin­ci­ples, will pro­voke the response that the U.S. is sim­ply exer­cis­ing the pow­ers that an EU mem­ber has already grant­ed itself.

    ...

    So if you’ve been a web ser­vice based in France it was prob­a­bly spied on already, but now that spy­ing should have more legal pro­tec­tions:

    ...

    France already spies on the world. In July, the French news magazine L’Obs revealed a secret decree dating from at least 2008, which funded a French intelligence service project to intercept and analyze international data traffic passing through submarine cable intercepts. The decree authorized the interception of cable traffic from 40 countries including Algeria, Morocco, Tunisia, Iraq, Syria, Sub-Saharan Africa, Russia, China, India and the United States. The report states that France’s intelligence agency, the General Directorate for External Security (DGCE), spent $775 million on the project.

    Giv­en that the Con­sti­tu­tion­al Coun­cil implied that such prac­tices are almost cer­tain­ly unlaw­ful as is, the French gov­ern­ment has now scram­bled to cre­ate a frame­work that could excuse it.

    ...

    The col­laps­ing divide between the law­ful, war­rant­ed sur­veil­lance of ordi­nary cit­i­zens, and the wide-rang­ing capa­bil­i­ties of the intel­li­gence ser­vices to col­lect sig­nals intel­li­gence on for­eign pow­ers and agents, has end­ed up cor­rod­ing both domes­tic and glob­al pri­va­cy rights. The U.S. has tak­en advan­tage of the less­er pro­tec­tions for non‑U.S. per­sons to intro­duce the drag­net sur­veil­lance of every­one who uses the Inter­net out­side the U.S. Because unpro­tect­ed for­eign­ers’ data is mixed up with some­what more pro­tect­ed com­mu­ni­ca­tions of Amer­i­cans, the U.S. gov­ern­ment believes that it can “inci­den­tal­ly” scoop up its own cit­i­zens’ data, and sort it out lat­er under nobody’s over­sight but its own.

    If the French Par­lia­ment pass­es this bill, it will mean that France has decid­ed to embody and excuse the same prac­tices as the NSA in its own law. It is a short-sight­ed attempt to cov­er France’s exist­ing secret prac­tices, but the con­se­quences are far-reach­ing. The lim­it­ed pro­tec­tions that were includ­ed in the orig­i­nal sur­veil­lance bill — includ­ing assur­ances that French jour­nal­ists, judges and lawyers would be pro­tect­ed from drag­net sur­veil­lance — will be under­mined by their inevitable inclu­sion in the vac­u­um­ing up of all inter­na­tion­al traf­fic.

    ...

    “If the French Par­lia­ment pass­es this bill, it will mean that France has decid­ed to embody and excuse the same prac­tices as the NSA in its own law”

    Posted by Pterrafractyl | October 6, 2015, 11:03 am
  14. With Safe Harbor no longer valid, the scramble is underway among US tech firms to figure out how to adapt. And as the article below points out, if firms are assuming that they’re going to now have to move their servers over to an EU nation they might be disappointed because based on the new ruling, each EU nation could decide to set up its own local storage requirement:

    The Wall Street Jour­nal
    Small Firms Wor­ry, as Big-Data Pact Dies
    High­er costs loom amid needs to rene­go­ti­ate con­tracts and relo­cate servers

    By Elizabeth Dwoskin and Robert McMillan
    Updat­ed Oct. 8, 2015 10:36 a.m. ET

    Tech­nol­o­gy giants hard­ly flinched when news broke on Tues­day that the Euro­pean Union’s high­est court had struck down the 15-year-old agree­ment that allowed U.S. busi­ness­es to trans­fer Euro­peans’ per­son­al infor­ma­tion to the U.S. But many small­er com­pa­nies were caught flat-foot­ed.

    The­Mo­bi­leYo­gi, which offers a col­lec­tion of apps for yoga afi­ciona­dos, wasn’t pre­pared. The Ohio-based soft­ware devel­op­er has about 200,000 users, and Chief Exec­u­tive Sebas­t­ian Holst sus­pects that one-third of them might be in Europe. He says he thinks so because the com­pa­ny col­lects a mobile-device iden­ti­fi­er that is gen­er­al­ly asso­ci­at­ed with a region or coun­try and the rough loca­tion of the device when it signs in. But this infor­ma­tion isn’t pre­cise, so he can’t be sure.

    The rul­ing left him flum­moxed. “Two days ago, my appli­ca­tion on a Ger­man phone was total­ly cov­ered [by the pact]. Now it’s not,” he said. “With a swipe of a pen, they’ve made [the abil­i­ty to col­lect data on Euro­pean users] invalid. Now I need to know: Am I in jeop­ardy?”

    Amazon.com Inc., Airbnb Inc., Facebook Inc. and Fair Isaac Corp., the data collector referred to as FICO, are among the many large companies that said lawyers had been working on their behalf for some time to find technical workarounds and legal alternatives to the now-defunct accord, known as Safe Harbor. Many have been racing to build sprawling European data-storage facilities. Last year, Amazon’s cloud-computing service AWS opened a data center in Frankfurt, its first large data center in continental Europe, in part to show it complied with strict German data-privacy laws.

    How­ev­er, small­er com­pa­nies such as the­Mo­bi­leYo­gi face uncer­tain prospects after the rul­ing by the Euro­pean Court of Jus­tice. Some exec­u­tives fear they must rene­go­ti­ate con­tracts with their clients or relo­cate data­base servers. Oth­ers, such as Mr. Holst, are strug­gling to parse whether they even have data on Euro­pean cit­i­zens, who aren’t required to spec­i­fy their cit­i­zen­ship when they sign up for many apps.

    Set­ting up servers in Europe or buy­ing cloud stor­age there could dou­ble the oper­a­tional costs of small busi­ness­es, said Chris Babel, chief exec­u­tive of Truste, which advis­es com­pa­nies about data-pri­va­cy laws.

    Among the 4,400 com­pa­nies cer­ti­fied by the U.S. Com­merce Depart­ment to take advan­tage of Safe Har­bor, some 60% are small or mid­size busi­ness­es, accord­ing to the gov­ern­ment agency.

    ...

    Com­pa­nies seek­ing to com­ply with the rul­ing have options, but they are large­ly unex­plored by small busi­ness­es and thus rep­re­sent sig­nif­i­cant risk. Some com­pa­nies are tak­ing advan­tage of an alter­na­tive known as a mod­el con­tract. This option involves updat­ing con­tracts with ven­dors and cus­tomers, as well as their pri­va­cy poli­cies, with legal lan­guage pub­lished by Euro­pean offi­cials, said Har­ri­et Pear­son, a part­ner at the law firm Hogan Lovells who has rep­re­sent­ed Uber Tech­nolo­gies Inc. and Bloomberg LP.

    Tak­ing advan­tage of mod­el con­tracts can entail sub­stan­tial work and costs. “We’re poten­tial­ly going to see a mas­sive num­ber of con­tracts be rene­go­ti­at­ed,” said Michael Over­ly, a lawyer with Foley & Lard­ner LLP who advis­es com­pa­nies on legal issues relat­ed to cloud com­put­ing.

    Cor­po­ra­tions need to not only ensure that they them­selves com­ply with Euro­pean law but also that their ser­vice providers com­ply, Mr. Over­ly said. That includes cloud-com­put­ing providers that oper­ate flu­id­ly across nation­al bor­ders over the Inter­net.

    The chal­lenge of shar­ing data between Europe and the U.S. might become more com­plex. Tuesday’s rul­ing gives more pow­er to local reg­u­la­tors to chal­lenge the Euro­pean Com­mis­sion, the EU’s exec­u­tive arm, on data-pro­tec­tion issues. Indi­vid­ual Euro­pean coun­tries could require local stor­age, said Mr. Babel of Truste.

    Mor­gan Reed, direc­tor of the App Asso­ci­a­tion, which rep­re­sents 5,000 app devel­op­ers and is spon­sored by Apple Inc., AT&T Inc., Black­Ber­ry Ltd., Microsoft Corp. and Face­book, said the Euro­pean deci­sion pushed the Inter­net fur­ther toward becom­ing a two-tiered sys­tem in which small busi­ness­es faced a high­er bar­ri­er to entry than large ones. “Our small busi­ness­es are the col­lat­er­al dam­age of this case,” he said.

    “The challenge of sharing data between Europe and the U.S. might become more complex. Tuesday’s ruling gives more power to local regulators to challenge the European Commission, the EU’s executive arm, on data-protection issues. Individual European countries could require local storage, said Mr. Babel of Truste.”
    Keep in mind we don’t actu­al­ly know if any EU mem­bers are going to spec­i­fy that you have to store their cit­i­zen data in that spe­cif­ic coun­try, but it sounds like that could be an option to nation­al leg­is­la­tors going for­ward. And either way, a lot more of the data gen­er­at­ed by EU cit­i­zens on US-owned inter­net ser­vices is going to end up being stored some­where in the EU. All safe and sound.

    Posted by Pterrafractyl | October 8, 2015, 10:50 am
  15. US inter­net com­pa­nies cur­rent­ly fret­ting over the col­lapse of the US/EU Safe Har­bor data shar­ing agree­ment can fret a bit less. The EU recent­ly announced an agree­ment in prin­ci­ple with the US on Safe Har­bor 2.0:

    The Wall Street Jour­nal
    EU, U.S. Agree in Prin­ci­ple on New Data-Trans­fer Pact
    Euro­pean court had struck down pre­vi­ous trans-Atlantic deal dubbed Safe Har­bor

    By Natalia Droz­di­ak
    Updat­ed Oct. 26, 2015 6:32 p.m. ET

    BRUSSELS—The Euro­pean Union on Mon­day said it had agreed in prin­ci­ple with the U.S. on a new trans-Atlantic data-trans­fer pact, as both sides race to com­plete the deal after the bloc’s high­est court junked a pre­vi­ous frame­work used by thou­sands of firms.

    The Euro­pean Court of Jus­tice this month inval­i­dat­ed a 15-year old agree­ment, known as Safe Har­bor, which allowed busi­ness­es to move Euro­peans’ data, such as pay­roll infor­ma­tion, to servers in the U.S. The court ruled that Euro­peans’ data was insuf­fi­cient­ly pro­tect­ed when trans­ferred to the U.S., where it could fall prey to nation­al intel­li­gence ser­vices.

    Wash­ing­ton and Brus­sels have been nego­ti­at­ing for around two years to update the Safe Har­bor frame­work after EU offi­cials demand­ed changes to the agree­ment in 2013 fol­low­ing Nation­al Secu­ri­ty Agency con­trac­tor Edward Snowden’s dis­clo­sures of wide­spread U.S. spy­ing.

    “There is agree­ment on these mat­ters in prin­ci­ple, but we are still dis­cussing how to ensure that these com­mit­ments are bind­ing enough to ful­ly meet the require­ments of the court,” Jus­tice Com­mis­sion­er Vera Jouro­va told Euro­pean law­mak­ers Mon­day.

    The nego­ti­a­tions between the EU and U.S. became more urgent after the court’s rul­ing, which rais­es ques­tions about how much legal cer­tain­ty a new ver­sion could bring busi­ness­es because it enshrines the pow­er for nation­al data pro­tec­tion author­i­ties to inde­pen­dent­ly review, and poten­tial­ly sus­pend, data trans­fers to the U.S.

    Ms. Jouro­va didn’t set a hard dead­line for a com­plet­ed deal, but she said she expect­ed both sides to make sig­nif­i­cant progress on the remain­ing tech­ni­cal points of dis­cus­sion by the time she vis­its the U.S. in mid-Novem­ber. The com­mis­sion wants to ensure the new agree­ment com­plies “a hun­dred per­cent” with the court’s rul­ing, she said.

    Among the issues that still need to be addressed, the com­mis­sion­er said the EU was still look­ing for clear con­di­tions and lim­its to the extent to which U.S. intel­li­gence ser­vices have access to Euro­peans’ per­son­al data.

    Fol­low­ing the court rul­ing, nation­al data pri­va­cy reg­u­la­tors set an end-Jan­u­ary dead­line for the EU and U.S. to replace the frame­work and said they would also look into impli­ca­tions the court’s rul­ing has on oth­er arrange­ments for trans­fer­ring per­son­al data, which are more cum­ber­some for busi­ness­es to use but are cur­rent­ly the only options avail­able.

    On Mon­day, Ms. Jouro­va said the new frame­work would include stronger over­sight by the U.S. Depart­ment of Com­merce to ensure that com­pa­nies com­ply with rules to pro­tect Euro­peans’ data as well as greater coop­er­a­tion between nation­al data pro­tec­tion reg­u­la­tors and Amer­i­can author­i­ties.

    The new deal would also bring con­sumers more trans­paren­cy about the way com­pa­nies han­dle their data and would estab­lish free of charge redress mech­a­nisms as well as strict rules for com­pa­nies about the onward trans­fer of data to addi­tion­al par­ties, she said.

    Ms. Jouro­va also said the new deal would estab­lish an annu­al review mech­a­nism run by author­i­ties on both sides of the Atlantic that would mon­i­tor whether law enforce­ment and nation­al secu­ri­ty ser­vices com­plied with lim­its on access to Euro­peans’ data.

    “This will trans­form the sys­tem from a pure­ly self-reg­u­lat­ing one to an over­sight sys­tem that is more respon­sive as well as proac­tive and backed up by sig­nif­i­cant enforce­ment, includ­ing sanc­tions,” she said.

    Aus­tri­an pri­va­cy activist Max Schrems, whose com­plaint to the Irish data pro­tec­tion author­i­ty helped tor­pe­do the orig­i­nal Safe Har­bor agree­ment, was still skep­ti­cal of the new plans.

    “Over­all, Vera Jourova’s state­ments showed will­ing­ness, but inabil­i­ty [of the com­mis­sion] to come up with a sol­id mas­ter plan after Safe Har­bor,” Mr. Schrems said on Twit­ter.

    ...

    Ms. Jouro­va said the com­mis­sion would soon issue a state­ment explain­ing the con­se­quences of the so-called Schrems rul­ing and would set guid­ance for inter­na­tion­al data trans­fers, with­out over­rid­ing the author­i­ty of nation­al data pri­va­cy reg­u­la­tors.

    “Ms. Jouro­va also said the new deal would estab­lish an annu­al review mech­a­nism run by author­i­ties on both sides of the Atlantic that would mon­i­tor whether law enforce­ment and nation­al secu­ri­ty ser­vices com­plied with lim­its on access to Euro­peans’ data.”
    So it sounds like an annu­al review mech­a­nism might be a key part of the new Safe Har­bor agree­ment. But it also sounds like Max Schrems, the Aus­tri­an law stu­dent and plain­tiff in the case against Face­book that actu­al­ly result­ed in the Euro­pean con­sti­tu­tion­al court rul­ing that killed Safe Har­bor, remains skep­ti­cal that an agree­ment that meets the court’s stan­dards will actu­al­ly be achiev­able because that would require the end of US mass sur­veil­lance poli­cies:

    The Wall Street Jour­nal
    Real Time Brus­sels
    Max Schrems, Who Tor­pe­doed Safe Har­bor 1, Sees No Safe Har­bor 2

    By Natalia Droz­di­ak
    10:16 am ET
    Oct 22, 2015

    He’s just helped bring down a long­stand­ing trans-Atlantic data-trans­fer pact used by thou­sands of busi­ness­es and Aus­tri­an pri­va­cy activist Max Schrems is already pour­ing cold water on the framework’s impend­ing replace­ment now being ham­mered out by Euro­pean Union and U.S. offi­cials.

    In a case stem­ming from a com­plaint sent to Irish pri­va­cy reg­u­la­tors by the 28-year old Mr. Schrems, the Euro­pean Court of Jus­tice ear­li­er this month junked a 15-year old agree­ment, known as Safe Har­bor, which allowed busi­ness­es to move Euro­peans’ data, such as pay­roll infor­ma­tion, to servers in the U.S. The court ruled that Euro­peans’ data was insuf­fi­cient­ly pro­tect­ed when trans­ferred to the U.S., where it could fall prey to nation­al intel­li­gence ser­vices.

    EU and U.S. officials are now racing to replace the deal but the court’s ruling raises questions about how much legal certainty even a new version would bring businesses.

    “I don’t think we’re going to see a second Safe Harbor,” Mr. Schrems said at an event in Brussels. “If we find an agreement, it’s very likely that it will be challenged in the court again and if it’s not totally solid, it will be invalidated again and then companies will be in the same situation again.”

    Euro­pean Union pri­va­cy reg­u­la­tors are giv­ing nego­tia­tors until the end of Jan­u­ary to reach a deal before poten­tial­ly sus­pend­ing data trans­fers. EU offi­cials after the court rul­ing had said more time was need­ed to com­plete the new agree­ment in order to address con­cerns about data-col­lec­tion by U.S. nation­al secu­ri­ty ser­vices.

    “The inter­est of a new Safe Har­bor may be lim­it­ed in the U.S. when they real­ize what they have to meet in a new Safe Har­bor,” Mr. Schrems said. “If you look at the [court’s] judgment…it would basi­cal­ly require the end of U.S. mass sur­veil­lance.”

    Vis­it­ing from Wash­ing­ton, the Fed­er­al Trade Commission’s direc­tor for con­sumer pro­tec­tion told jour­nal­ists in Brus­sels that U.S. offi­cials were aware busi­ness­es want­ed more cer­tain­ty than they have at the moment and were work­ing with Euro­pean coun­ter­parts to address the court’s con­cerns in the new Safe Har­bor agree­ment.

    “There’s a lot of speculation as to what’s going to happen and what will satisfy the court and what won’t – I’m not sure we’re going to know right now, the answers to that,” the FTC’s Jessica Rich said. “The best thing for us to do right now is to try to negotiate a new agreement… and take it from there.”

    ...

    “The inter­est of a new Safe Har­bor may be lim­it­ed in the U.S. when they real­ize what they have to meet in a new Safe Harbor,...If you look at the [court’s] judgment…it would basi­cal­ly require the end of U.S. mass sur­veil­lance.”
    That’s the view from Schrems, and if Germany’s data-protection authorities are any indication of the likelihood of this tentative Safe Harbor 2.0 framework, Schrems’s skepticism might be warranted:

    The Wall Street Jour­nal
    Real Time Brus­sels
    Germany’s Tough Line on Data Trans­fers to U.S. Is Crit­i­cized

    By Natalia Droz­di­ak
    6:24 am ET Oct 29, 2015

    Germany’s fed­er­al and region­al data-pro­tec­tion author­i­ties this week said they wouldn’t approve any new trans­fers of data to the U.S. — even for trans­fers based on arrange­ments dif­fer­ent from the trans-Atlantic data-trans­fer pact knocked down by the Euro­pean Union’s high­est court.

    The Euro­pean Court of Jus­tice this month inval­i­dat­ed a 15-year old agree­ment, known as Safe Har­bor, which allowed busi­ness­es to move Euro­peans’ data, such as employ­ee infor­ma­tion, to servers in the U.S. The court ruled that Euro­peans’ data was insuf­fi­cient­ly pro­tect­ed when trans­ferred to the U.S., where it could be accessed by nation­al intel­li­gence ser­vices.

    Busi­ness­es can still trans­fer that data using more time-con­sum­ing and bureau­crat­ic meth­ods, but the court’s rul­ing calls into ques­tion the legal foot­ing for those arrange­ments as well because it bless­es the EU’s nation­al data pro­tec­tion author­i­ties – even those with harsh­er views of U.S. data pri­va­cy rules – with the pow­er to review and chal­lenge those trans­fers.

    After the court’s deci­sion, the EU’s 28 nation­al data-pri­va­cy reg­u­la­tors set an end-Jan­u­ary dead­line to replace the Safe Har­bor agree­ment with a new ver­sion that respects EU cit­i­zens’ pri­va­cy rights. The reg­u­la­tors said they would look into the impli­ca­tions the rul­ing had on oth­er arrange­ments for trans­fer­ring per­son­al data, but until the Jan­u­ary dead­line, those meth­ods would still be legit­i­mate to use.

    But in this week’s posi­tion paper stat­ing they wouldn’t approve new data trans­fers, Ger­man reg­u­la­tors went beyond what was agreed by the bloc’s data pro­tec­tion author­i­ties, draw­ing the ire of some busi­ness asso­ci­a­tions.

    “The state­ment of the Ger­many data pro­tec­tion author­i­ties goes in direct con­tra­dic­tion to the coor­di­nat­ed approach between mem­ber state author­i­ties,” said John Hig­gins, Direc­tor Gen­er­al of Dig­i­tal Europe, a busi­ness asso­ci­a­tion rep­re­sent­ing dig­i­tal com­pa­nies.

    Mr. Hig­gins said their deci­sion would lead to unnec­es­sary mar­ket volatil­i­ty. In addi­tion to with­hold­ing con­sent for new data trans­fers, at least one Ger­man reg­u­la­tor encour­aged com­pa­nies to think twice about send­ing data to the U.S. at all and con­sid­er stor­ing it on Europe-based servers instead.

    “Who­ev­er wants to remain unaf­fect­ed by the legal and polit­i­cal con­se­quences of the judg­ment, should con­sid­er stor­ing per­son­al data only on EU-based servers in the future,” said Johannes Cas­par, super­vi­sor at the Ham­burg data pro­tec­tion author­i­ty, which claims juris­dic­tion in Ger­many for U.S. tech com­pa­nies like Alphabet’s Google and Face­book.

    ...

    Yes, Ger­many’s data-pro­tec­tion author­i­ties “said they wouldn’t approve any new trans­fers of data to the U.S. — even for trans­fers based on arrange­ments dif­fer­ent from the trans-Atlantic data-trans­fer pact knocked down by the Euro­pean Union’s high­est court.” And that’s some­thing that could hap­pen for years to come giv­en the court’s rul­ing since nation­al data-pro­tec­tion author­i­ties are free to pro­tect their cit­i­zens’ data as they see fit...

    ...

    Busi­ness­es can still trans­fer that data using more time-con­sum­ing and bureau­crat­ic meth­ods, but the court’s rul­ing calls into ques­tion the legal foot­ing for those arrange­ments as well because it bless­es the EU’s nation­al data pro­tec­tion author­i­ties – even those with harsh­er views of U.S. data pri­va­cy rules – with the pow­er to review and chal­lenge those trans­fers.

    ...

    And how do Germany’s data-protection authorities recommend businesses deal with all the legal and regulatory uncertainty? Just store the data on EU servers in the future:

    ...
    “Who­ev­er wants to remain unaf­fect­ed by the legal and polit­i­cal con­se­quences of the judg­ment, should con­sid­er stor­ing per­son­al data only on EU-based servers in the future,” said Johannes Cas­par, super­vi­sor at the Ham­burg data pro­tec­tion author­i­ty, which claims juris­dic­tion in Ger­many for U.S. tech com­pa­nies like Alphabet’s Google and Face­book.
    ...

    Well, the EU data storage industry is probably ok with that suggestion. And if a new Safe Harbor agreement can’t be reached in the next few months it may not be just a suggestion. Shutting down EU operations or setting up data storage in the EU might be the only two remaining options for internet businesses operating in the EU.

    Of course, this still leaves the question of which EU nation you should store your business’s data in since the data protection rules are going to vary from nation to nation. You have a number of options, although thanks to the array of new domestic surveillance laws that have been passed by nations across the EU that curiously don’t seem to be a part of the Safe Harbor debate, your many European options may not be great options:

    The New York Times
    The Opin­ion Pages
    Europe Is Spy­ing on You

    By NILS MUIZNIEKS
    OCT. 27, 2015

    STRASBOURG, France — When Edward Snow­den dis­closed details of America’s huge sur­veil­lance pro­gram two years ago, many in Europe thought that the response would be increased trans­paren­cy and stronger over­sight of secu­ri­ty ser­vices. Euro­pean coun­tries, how­ev­er, are mov­ing in the oppo­site direc­tion. Instead of more pub­lic scruti­ny, we are get­ting more snoop­ing.

    Pushed to respond to the atro­cious attacks in Paris and Copen­hagen and by the threats posed by the Islam­ic State to Europe’s inter­nal secu­ri­ty, sev­er­al coun­tries are amend­ing their coun­tert­er­ror­ism leg­is­la­tion to grant more intru­sive pow­ers to secu­ri­ty ser­vices, espe­cial­ly in terms of mass elec­tron­ic sur­veil­lance.

    France recent­ly adopt­ed a con­tro­ver­sial law on sur­veil­lance that per­mits major intru­sions, with­out pri­or judi­cial autho­riza­tion, into the pri­vate lives of sus­pects and those who com­mu­ni­cate with them, live or work in the same place or even just hap­pen to be near them.

    The Ger­man Par­lia­ment adopt­ed a new data reten­tion law on Oct. 16 that requires telecom­mu­ni­ca­tions oper­a­tors and Inter­net ser­vice providers to retain con­nec­tion data for up to 10 weeks. And the British gov­ern­ment intends to increase the author­i­ties’ pow­ers to car­ry out mass sur­veil­lance and bulk col­lec­tion of inter­cept­ed data.

    Mean­while, Aus­tria is set to dis­cuss a draft law that would allow a new secu­ri­ty agency to oper­ate with reduced exter­nal con­trol and to col­lect and store com­mu­ni­ca­tion data for up to six years. The Nether­lands is con­sid­er­ing leg­is­la­tion allow­ing drag­net sur­veil­lance of all telecom­mu­ni­ca­tions, indis­crim­i­nate gath­er­ing of meta­da­ta, decryp­tion and intru­sion into the com­put­ers of non-sus­pects. And in Fin­land, the gov­ern­ment is even con­sid­er­ing chang­ing the Con­sti­tu­tion to weak­en pri­va­cy pro­tec­tions in order to ease the adop­tion of a bill grant­i­ng the mil­i­tary and intel­li­gence ser­vices the pow­er to con­duct elec­tron­ic mass sur­veil­lance with lit­tle over­sight.

    Gov­ern­ments now argue that to guar­an­tee our secu­ri­ty we have to sac­ri­fice some rights. This is a spe­cious argu­ment. By shift­ing from tar­get­ed to mass sur­veil­lance, gov­ern­ments risk under­min­ing democ­ra­cy while pre­tend­ing to pro­tect it.

    They are also betray­ing a long polit­i­cal and judi­cial tra­di­tion afford­ing broad pro­tec­tion to pri­va­cy in Europe, where demo­c­ra­t­ic legal sys­tems have evolved to pro­tect indi­vid­u­als from arbi­trary inter­fer­ence by the state in their pri­vate and fam­i­ly life. The Euro­pean Court of Human Rights has long upheld the prin­ci­ple that sur­veil­lance inter­feres with the right to pri­va­cy. Although the court accepts that the use of con­fi­den­tial infor­ma­tion is essen­tial in com­bat­ing ter­ror­ist threats, it has held that the col­lec­tion, use and stor­age of such infor­ma­tion should be autho­rized only under excep­tion­al and pre­cise con­di­tions, and must be accom­pa­nied by ade­quate legal safe­guards and inde­pen­dent super­vi­sion. The court has con­sis­tent­ly applied this prin­ci­ple for decades when it was called to judge the con­duct of sev­er­al Euro­pean coun­tries, which were com­bat­ing domes­tic ter­ror­ist groups.

    More recent­ly, as new tech­nolo­gies have offered more avenues to increase sur­veil­lance and data col­lec­tion, the court has reit­er­at­ed its posi­tion in a num­ber of lead­ing cas­es against sev­er­al coun­tries, includ­ing France, Roma­nia, Rus­sia and Britain, con­demned for hav­ing infringed the right to pri­vate and fam­i­ly life that in the inter­pre­ta­tion of the court cov­ers also “the phys­i­cal and psy­cho­log­i­cal integri­ty of a per­son.”

    Last year, the Euro­pean Court of Jus­tice set lim­its on telecom­mu­ni­ca­tion data reten­tion. By inval­i­dat­ing a Euro­pean Union direc­tive for its unnec­es­sary “wide-rang­ing and par­tic­u­lar­ly seri­ous inter­fer­ence with the fun­da­men­tal right to respect for pri­vate life” and per­son­al data, this court reaf­firmed the out­stand­ing place pri­va­cy holds in Europe. This judg­ment echoed a 2006 Ger­man Con­sti­tu­tion­al Court rul­ing that the Ger­man police had breached the indi­vid­ual right to self-deter­mi­na­tion and human dig­ni­ty after they con­duct­ed a com­put­er­ized search of sus­pect­ed ter­ror­ists.

    Regret­tably, these judg­ments are often ignored by key deci­sion-mak­ers. Many of the sur­veil­lance poli­cies that have recent­ly been adopt­ed in Europe fail to abide by these legal stan­dards. Worse, many of the new intru­sive mea­sures would be applied with­out any pri­or judi­cial review estab­lish­ing their legal­i­ty, pro­por­tion­al­i­ty or neces­si­ty. This gives exces­sive pow­er to gov­ern­ments and cre­ates a clear risk of arbi­trary appli­ca­tion and abuse.

    ...

    Nils Muiznieks is the Coun­cil of Europe Com­mis­sion­er for Human Rights.

    So that’s where we are: the US and EU have a couple months left to work out Safe Harbor 2.0 or else all EU-to-US data transfers become illegal. And even if a new agreement is worked out, it looks like Germany’s data protection authorities are going to continue to ban Germany-to-US transfers unless the US basically adopts exactly the same surveillance laws as the EU and applies them equally to EU citizens.

    But as the article above points out, this entire debate is happening within the context of growing domestic surveillance powers in one EU country after another that don’t meet the EU standards either:

    ....
    Last year, the Euro­pean Court of Jus­tice set lim­its on telecom­mu­ni­ca­tion data reten­tion. By inval­i­dat­ing a Euro­pean Union direc­tive for its unnec­es­sary “wide-rang­ing and par­tic­u­lar­ly seri­ous inter­fer­ence with the fun­da­men­tal right to respect for pri­vate life” and per­son­al data, this court reaf­firmed the out­stand­ing place pri­va­cy holds in Europe. This judg­ment echoed a 2006 Ger­man Con­sti­tu­tion­al Court rul­ing that the Ger­man police had breached the indi­vid­ual right to self-deter­mi­na­tion and human dig­ni­ty after they con­duct­ed a com­put­er­ized search of sus­pect­ed ter­ror­ists.

    Regret­tably, these judg­ments are often ignored by key deci­sion-mak­ers. Many of the sur­veil­lance poli­cies that have recent­ly been adopt­ed in Europe fail to abide by these legal stan­dards. Worse, many of the new intru­sive mea­sures would be applied with­out any pri­or judi­cial review estab­lish­ing their legal­i­ty, pro­por­tion­al­i­ty or neces­si­ty. This gives exces­sive pow­er to gov­ern­ments and cre­ates a clear risk of arbi­trary appli­ca­tion and abuse.

    ...

    And that all may point us towards a like­ly long-term res­o­lu­tion to the “Safe Har­bor” debate: the EU con­sti­tu­tion­al court ruled that US’s laws must meet EU pri­va­cy stan­dards while, at the same time, EU mem­bers are pass­ing laws that don’t meet those stan­dards either. So there’s clear­ly a fight com­ing up between the EU’s con­sti­tu­tion­al court and EU mem­ber states, and there’s no guar­an­tee that the con­sti­tu­tion­al court won’t rule in favor of allow­ing greater sur­veil­lance. After all, those future fights could very well be tak­ing place in a very dif­fer­ent secu­ri­ty envi­ron­ment where the US has already dra­mat­i­cal­ly scaled back its sur­veil­lance of EU cit­i­zens. And since the NSA has basi­cal­ly been act­ing as a proxy domes­tic sur­veil­lance agency for EU nations for decades, those future fights with­in the EU could be tak­ing place when the choice real­ly is between hav­ing domes­tic sur­veil­lance capa­bil­i­ties or not.

    All indications right now are that EU members want to end their long-standing use of the NSA as Europe’s proxy-spy agency, but all indications are also that these same EU members want to simultaneously and dramatically ramp up their own domestic spying capabilities. So while it’s widely assumed that the US has to cut back on spying to get a new “Safe Harbor” agreement, which might be the case in the short-run, the long-run implications of the EU court’s rulings may not be that significant on US surveillance laws if the EU is simultaneously increasing its own domestic spying.

    So we prob­a­bly should­n’t be super sur­prised if a large num­ber of US firms start trans­fer­ring and keep­ing their EU data on EU servers next year. Whether or not that data is forced to stay there due to a lack of har­mo­niza­tion between US and EU pri­va­cy laws, how­ev­er, seems like more of an open ques­tion.

    Posted by Pterrafractyl | November 3, 2015, 7:45 pm
  16. If you manage a US-based IT company with a significant market in the EU and your company didn’t rely on the now-invalid US/EU Safe Harbor agreement for data-sharing but instead used one of the alternate mechanisms like Binding Corporate Rules or Model Clauses, you’re probably giving thanks for relying on those mechanisms instead of Safe Harbor during your Thanksgiving Day feast. And if you’re one of those thankful individuals and you need a little adrenaline to knock you out of that Tofurkey-coma, this should do the trick:

    The Wall Street Jour­nal

    EU Data Trans­fer Mech­a­nisms May Keep Tum­bling

    By Stephen Dock­ery
    4:54 pm ET, Nov 23, 2015

    Data trans­fer sys­tems that com­pa­nies have been rely­ing on in the wake of the end of the U.S.-EU Safe Har­bor agree­ment are like­ly to be picked apart by the Euro­pean Court of Jus­tice for the same rea­sons the broad pri­va­cy agree­ment was tossed out, data pri­va­cy experts said Mon­day.

    The recent EU data pri­va­cy court rul­ing inval­i­dat­ing the Safe Har­bor agree­ment with the U.S. has sent rip­ples through con­sumer ser­vice busi­ness­es, leav­ing many com­pa­nies scram­bling to find a replace­ment sys­tem to gov­ern their data trans­fers. The pri­va­cy rul­ing found that the U.S. was fun­da­men­tal­ly com­pro­mised in pro­tect­ing indi­vid­u­als’ per­son­al data because of its mass sur­veil­lance sys­tems.

    Bind­ing Cor­po­rate Rules, Mod­el Claus­es and use of White List coun­tries have all been tout­ed by law and tech firms in the wake of the Safe Har­bor rul­ing as the best ways to stay on the right side of the law while diplo­mats ham­mer out a new inter­na­tion­al agree­ment to gov­ern data. Those rules and claus­es gov­ern a group of com­pa­nies’ pri­va­cy poli­cies and are laid out to noti­fy reg­u­la­tors about how the busi­ness­es han­dle infor­ma­tion.

    But advo­cat­ing those solu­tions miss­es the fun­da­men­tal issues that led the EU Court of Jus­tice to get rid of safe har­bor, said Stew­art Room, head of cyber secu­ri­ty and data pro­tec­tion at PwC.

    “Right now these oth­er solu­tions are still legal­ly valid…the prob­lem is they have the same par­ent and the same archi­tec­ture and the same legal vul­ner­a­bil­i­ty” as Safe Har­bor, Mr. Room said in a web­cast Mon­day.

    Mr. Room said the EU working party on the issue had already signaled that it was encouraging challenges to those mechanisms and it was likely those solutions would be invalidated as well.

    Because mass sur­veil­lance, a sta­ple of the U.S.’s nation­al secu­ri­ty pro­gram, is at the heart of the case, that means a new agree­ment will be unlike­ly to offer a solu­tion for future data trans­fers, said Jay Cline, a data pro­tec­tion expert at PwC.

    “Safe Harbor 2 is not going to fix our problems,” he said, adding that “After [the attacks in] Paris, it’s hard to see anybody rolling back their surveillance.”

    Instead of look­ing for oth­er paper com­pli­ance sys­tems to take the place of Safe Har­bor, such as con­sent-based pro­grams that can be dif­fi­cult to imple­ment, com­pa­nies would be bet­ter off adopt­ing a data-shar­ing plan that looks at the issue of pri­va­cy in a dif­fer­ent way alto­geth­er, Mr. Room and Mr. Cline said.

    Europe’s extend­ing reg­u­la­to­ry arm in the pri­va­cy realm means com­pa­nies should adopt a “vision” of data shar­ing that can with­stand tests over the notion of pri­va­cy that the Euro­pean court has sup­port­ed in its rul­ing, Mr. Room said.

    He said the court picked apart sce­nar­ios where com­pa­nies can be legal­ly in the clear but not pro­tect­ing people’s data. Mr. Room endorsed an approach that includes fre­quent pri­va­cy tests, prov­ing the sys­tem is meet­ing EU require­ments.

    ...

    Have fun digest­ing this one:

    ...

    Because mass sur­veil­lance, a sta­ple of the U.S.’s nation­al secu­ri­ty pro­gram, is at the heart of the case, that means a new agree­ment will be unlike­ly to offer a solu­tion for future data trans­fers, said Jay Cline, a data pro­tec­tion expert at PwC.

    “Safe Harbor 2 is not going to fix our problems,” he said, adding that “After [the attacks in] Paris, it’s hard to see anybody rolling back their surveillance.”
    ...

    Yes, it is indeed hard to see any­body rolling back their sur­veil­lance fol­low­ing the Paris attacks. Maybe they’re even going to increase those efforts. *burp*

    In oth­er news...

    Posted by Pterrafractyl | November 26, 2015, 7:40 pm
  17. Well, after almost three years of nego­ti­a­tions (a time frame that includ­ed the Snow­den Affair and the fol­low­ing implo­sion of the US/EU “Safe Har­bor” treaty) the EU’s new data pri­va­cy reg­u­la­tions are ready. This is fol­low­ing a four and a half month secret ‘tri­logue’ nego­ti­a­tion that start­ed in July 2015 and end­ed in Decem­ber with the final nego­ti­at­ed text. But it’s here. The EU’s data pri­va­cy rules are final­ly final­ized:

    The Nation­al Law Review
    EU Final­izes Text of New Gen­er­al Data Pro­tec­tion Reg­u­la­tion

    Joseph D. McClen­don
    Polsinel­li PC

    Tues­day, Jan­u­ary 5, 2016

    Three years after Lux­em­bourg politi­cian Viviane Red­ing orig­i­nal­ly pro­posed over­haul­ing the EU Data Pro­tec­tion Direc­tive (“Direc­tive”), Euro­pean Union offi­cials final­ly reached an agree­ment to replace the Direc­tive with new com­pre­hen­sive pri­va­cy leg­is­la­tion called the Gen­er­al Data Pro­tec­tion Reg­u­la­tion (“GDPR”). The GDPR is not yet EU law; how­ev­er, the EU Par­lia­ment is expect­ed to approve the GDPR when it next meets in Jan­u­ary 2016. When approved, the GDPR will become law in 2018 across all 28 EU Mem­ber States and will super­sede the incon­sis­tent laws the EU Mem­ber States imple­ment­ed in order to com­ply with the min­i­mum data pro­tec­tion require­ments set out in the Direc­tive.

    Enact­ed in 1995, the Direc­tive was in severe need of updat­ing to keep up with the near con­stant change in the tech­nol­o­gy sec­tor. The EU gov­ern­ment intends to syn­chro­nize pri­va­cy laws across the Euro zone using the GDPR, with heavy fines for a company’s fail­ure to imple­ment the new pri­va­cy require­ments.

    The GDPR in its cur­rent form con­tains pro­vi­sions that will change how data is col­lect­ed, stored and trans­mit­ted in and out of the EU, includ­ing:

    * Mak­ing the require­ments for obtain­ing an individual’s con­sent for col­lect­ing that individual’s infor­ma­tion more rig­or­ous;

    * Rais­ing the age of con­sent for col­lect­ing an individual’s infor­ma­tion from 13 years old to 16 years old;

    * Memo­ri­al­iz­ing the “right to be for­got­ten”, mean­ing that a com­pa­ny must delete an individual’s data if the com­pa­ny is no longer using the data for the pur­pose it was col­lect­ed or if the indi­vid­ual revokes his or her con­sent for the com­pa­ny to hold the data;

    * Requir­ing com­pa­nies to noti­fy the EU gov­ern­ment of data breach­es with­in 72 hours of learn­ing about the breach;

    * Estab­lish­ing a sin­gle nation­al office for mon­i­tor­ing and han­dling com­plaints brought under the GDPR; and

    * Fines up to 4% of a company’s glob­al rev­enue for its non-com­pli­ance with the rules set out in the GDPR.

    The most crit­i­cal change brought about by the GDPR is that juris­dic­tion is not a phys­i­cal or geo­graph­i­cal bar­ri­er – juris­dic­tion will be mea­sured dig­i­tal­ly, mean­ing that com­pa­nies out­side of the EU will be affect­ed by these new reg­u­la­tions by virtue of col­lect­ing data that belongs to an EU cit­i­zen. With fines for non-com­pli­ance being set at 4% of a company’s glob­al rev­enue, the finan­cial impact to com­pa­nies like Google, Face­book, Apple, and Microsoft for non-com­pli­ance can poten­tial­ly result in bil­lions of dol­lars in fines alone. How strict­ly the EU gov­ern­ment will enforce and mon­i­tor com­pli­ance with the GDPR remains to be seen; how­ev­er, com­pa­nies should begin plan­ning and imple­ment­ing new busi­ness prac­tices into their work­flows with the expec­ta­tion that EU reg­u­la­tors will be aggres­sive with their enforce­ment when the 2018 dead­line hits.

    Final­ly, the GDPR does rec­og­nize stan­dard con­trac­tu­al claus­es and bind­ing cor­po­rate rules as autho­rized frame­works for trans­fer­ring EU cit­i­zen data out of the EU. With Safe Har­bor inval­i­dat­ed in 2015 in the wake of Edward Snowden’s dis­clo­sure of the U.S.’s com­pre­hen­sive sur­veil­lance pro­grams, recog­ni­tion of stan­dard con­trac­tu­al claus­es and bind­ing cor­po­rate rules should pro­vide some relief to busi­ness own­ers who chose to rely on self-cer­ti­fy­ing their company’s com­pli­ance with the Safe Har­bor prin­ci­ples rather than using stan­dard con­trac­tu­al claus­es or bind­ing cor­po­rate rules to trans­fer data out of the EU. The EU is cur­rent­ly in nego­ti­a­tions with the U.S. gov­ern­ment to estab­lish “Safe Har­bor 2.0”, with both par­ties push­ing to final­ize the frame­work by the end of Jan­u­ary 2016, there­by pro­vid­ing anoth­er avenue for data trans­fer to the rough­ly 4,000 com­pa­nies that pre­vi­ous­ly relied on Safe Har­bor to col­lect and trans­fer data out of the EU.

    ...

    While inter­net firms every­where that do busi­ness in the EU are prob­a­bly at least some­what pleased to see a final set of rules they can plan for, it’s going to be very inter­est­ing to see how much fear we see in the busi­ness com­mu­ni­ty over poten­tial fines of 4 per­cent of glob­al rev­enues for non-com­pli­ance:

    ...
    With fines for non-com­pli­ance being set at 4% of a company’s glob­al rev­enue, the finan­cial impact to com­pa­nies like Google, Face­book, Apple, and Microsoft for non-com­pli­ance can poten­tial­ly result in bil­lions of dol­lars in fines alone.
    ...

    Yeah, Google, Face­book, Apple, and Microsoft prob­a­bly weren’t super-enthu­si­as­tic about that part.

    But something worth keeping in mind is that the internet giants of today aren’t necessarily going to be the personal data giants of tomorrow. The “Internet of Things” (IoT) is going to provide an opportunity for a large chunk of the personal digital data we generate in the future to get splintered off into a variety of different businesses beyond the Silicon Valley giants of today.

    Sure, Googles of tomorrow will probably play a role in sharing and processing data with the IoT manufacturers and might be the main holders of personal data as the IoT continues to get more and more inserted into the meat space. Or maybe there will be a radical change in how people handle their personal digital data and the internet giants of today lose their grip on the data streams of our lives. Either way, the IoT is only going to get more and more incorporated into our lives, and if Germany’s auto industry gives us a hint of what to expect, the new EU data privacy laws are about to become a giant IoT turf war over who gets to own the data collected by their products. Not surprisingly, Google is seen as the industry’s mortal threat that must be stopped before the data services giant gains too strong of a grip on the personal data collected via our future smart cars. And as the article below makes clear, Germany’s auto manufacturers want to use the EU’s data privacy laws to keep Google out of Germany’s (and presumably Europe’s) cars. And Merkel’s government is receptive. And that’s just one sector, albeit a big one, of the coming “Internet of Things”.

    So with the new EU data pri­va­cy laws com­ing into effect in 2018 there’s no doubt going to be a grow­ing num­ber of ques­tions that arise, espe­cial­ly as the IoT evolves. But one thing is clear: EU data pri­va­cy lawyers like the fel­low that wrote the above arti­cle are going to be real­ly busy for the next few decades:

    PC Mag­a­zine
    Why Ger­man Automak­ers Are Uneasy Over Google’s Growth

    By Doug New­comb
    June 12, 2015

    Audi’s CEO is con­cerned about Google’s incur­sion into Ger­many’s auto indus­try.

    As con­nect­ed car tech­nol­o­gy goes, Google got in ear­ly with Ger­man lux­u­ry automak­ers. The tech giant’s Local Search first appeared in BMW vehi­cles way back in 2007, while Audi intro­duced Google Earth map­ping to give own­ers a more real­is­tic pic­ture of nav­i­ga­tion in 2009. In 2013, Mer­cedes-Benz added Google Street View to help graph­i­cal­ly guide dri­vers to a des­ti­na­tion.

    But recent­ly the same automak­ers, along with the Ger­man gov­ern­ment, have expressed cau­tion over Google’s incur­sion into the car busi­ness on two fronts. As Google pre­pares to begin test­ing its pro­to­type self-dri­ving cars on pub­lic roads this sum­mer, and is set to roll out the Android Auto info­tain­ment plat­form that takes over a vehi­cle’s in-dash dis­play and con­trols, Ger­man car­mak­ers and law­mak­ers have become increas­ing­ly vocal about keep­ing the com­pa­ny’s auto­mo­tive ambi­tions in check, espe­cial­ly as it relates to data min­ing.

    Audi CEO Rupert Stadler voiced con­cerns about Google this week dur­ing a Berlin con­fer­ence also attend­ed by Google exec Eric Schmidt. “A car today is a sec­ond liv­ing room—and that’s pri­vate,” Stadler said. He added that the automak­er’s “cus­tomers want to be at the cen­ter” of the ben­e­fits that come from con­nec­tiv­i­ty “and not exploit­ed for it.”

    “They want to be in con­trol of their data,” he added, “and not sub­ject to mon­i­tor­ing.”

    While a group of automak­ers here in the U.S. recent­ly devel­oped a set of Pri­va­cy Prin­ci­ples to pro­pose what data should be col­lect­ed from vehi­cles and how it should and should not be used, the focus of the Ger­man com­pa­nies is more on who con­trols the data gen­er­at­ed by con­nect­ed cars. “The data that we col­lect is our data and not Google’s data,” Stadler said late last year. “When it gets close to our oper­at­ing sys­tem, it’s hands off.”

    VW Group CEO Mar­tin Win­terko­rn also said at the time that the Ger­man automak­ers “seek con­nec­tion to Google’s data sys­tems, but we still want to be the mas­ters of our own cars.” Dieter Zetsche, CEO of Mer­cedes Ben­z’s par­ent com­pa­ny Daim­ler, added that the auto indus­try needs to devel­op ways to process and store vehi­cle data so it does­n’t have to rely on third par­ties. “That’ll boost our posi­tion when work­ing with Google,” he said.

    Source of Nation­al Pride and Rev­enue
    For Germany, the auto industry and its technology is not only a source of national pride but also the largest source of tax revenue in the country’s manufacturing sector. The German auto industry has lobbied regulators to take a restrictive line on data privacy, making it more difficult for a company like Google to establish a data-driven foothold in the car business.

    The Ger­man gov­ern­ment is sym­pa­thet­ic to the automak­ers’ con­cerns. A posi­tion paper that Ger­man Chan­cel­lor Angela Merkel’s Chris­t­ian Democ­rats par­ty pre­sent­ed at its annu­al con­fer­ence late last year not­ed that “soon the per­for­mance of car dig­i­tal sys­tems will play at least as big a role in con­sumers’ pur­chas­ing deci­sions as the com­pa­ny that builds the car.”

    Chan­cel­lor Merkel’s gov­ern­ment has also made it a pri­or­i­ty to pre­vent Google and oth­ers from build­ing a monop­oly posi­tion in self-dri­ving cars. “We must­n’t under any cir­cum­stances let our devel­op­ment become depen­dent on com­pa­nies like Google,” com­ment­ed Joachim Pfeif­fer, spokesman for Merkel’s par­lia­men­tary bloc on eco­nom­ic and ener­gy pol­i­cy.

    ...

    Giv­en the slug­gish pace at which the auto­mo­tive indus­try moves—and that Google is already entrenched in Ger­man lux­u­ry cars—this could be a slow war of attri­tion that will play out over the course of sev­er­al years. In the mean­time, Google’s Eric Schmidt struck a con­cil­ia­to­ry tone at the con­fer­ence where Stadler made his com­ments this week.

    Google wants “to empha­size we’re doing this with part­ners. In our case, we’re work­ing with a whole infra­struc­ture here in Ger­many,” Schmidt said. But Google has to con­vince the Ger­man automak­ers and gov­ern­ment that it can work with them with­out com­pet­ing for dri­ver data and help them “make mon­ey with­out doing evil

    “Google tries to accompany people throughout their day, to generate data and then use that data for economic gain,” said Daimler’s Zetsche. “It’s at that point where a conflict with Google seems pre-programmed.” And inevitable.

    “A car today is a sec­ond liv­ing room—and that’s private...customers want to be at the cen­ter [of the ben­e­fits that come from con­nec­tiv­i­ty] and not exploit­ed for it...They want to be in con­trol of their data and not sub­ject to mon­i­tor­ing.”
    That was how Audi CEO Rupert Stadler put it last July when he spoke about the potential damage the all-seeing eye of Google could do to the digital car experience. And not surprisingly, the German government is on board with the idea:

    ...
    Chan­cel­lor Merkel’s gov­ern­ment has also made it a pri­or­i­ty to pre­vent Google and oth­ers from build­ing a monop­oly posi­tion in self-dri­ving cars. “We must­n’t under any cir­cum­stances let our devel­op­ment become depen­dent on com­pa­nies like Google,” com­ment­ed Joachim Pfeif­fer, spokesman for Merkel’s par­lia­men­tary bloc on eco­nom­ic and ener­gy pol­i­cy.
    ...

    As far as nation­al brand­ing goes, that’s not a bad move. At least assum­ing these auto man­u­fac­tur­ers don’t get caught com­mer­cial­iz­ing or oth­er­wise abus­ing that data for their own ends. It’s some­thing VW CEO Mar­tin Win­terko­rn no doubt rec­og­nizes these days:

    ...
    VW Group CEO Mar­tin Win­terko­rn also said at the time that the Ger­man automak­ers “seek con­nec­tion to Google’s data sys­tems, but we still want to be the mas­ters of our own cars.” Dieter Zetsche, CEO of Mer­cedes Ben­z’s par­ent com­pa­ny Daim­ler, added that the auto indus­try needs to devel­op ways to process and store vehi­cle data so it does­n’t have to rely on third par­ties. “That’ll boost our posi­tion when work­ing with Google,” he said.
    ...

    And when we consider VW’s ongoing fraud scandal, it highlights part of what’s going to make the new EU data privacy rules so fascinating to watch unfold: There’s clearly a push to make the EU the global personal data warehouse of choice under the premise that users will get greater personal data protections when it’s under EU jurisdiction. And who knows, maybe there’s going to be really vigilant enforcement of all the new EU data privacy laws, which would be amazing and great.

    If that EU personal data haven does come to fruition we would expect a much larger share of the global personal data to fall under EU jurisdiction. But, of course, the more personal data EU businesses collect, the more tempted those businesses are going to be to find ways to make some money off that data. And if you listen to just the fretting on the part of German auto manufacturers over the prospect of Google getting its hands on that data it might seem like the plan is to create internet-connected cars that are effectively personal data havens and use that “branding” as a way to sell more cars. But when you listen to all the other plans the industry has for the future it’s becoming increasingly clear that the auto manufacturers want to keep Google’s (and Apple’s) hands off that data mostly so the automakers are the only ones to profit on it:

    Bloomberg Business
    Google Auto Faces Ger­man Resis­tance as Audi Guards Data

    Cor­nelius Rahn, Bri­an Parkin and Elis­a­beth Behrmann
    Decem­ber 18, 2014 — 5:01 PM CST
    Updat­ed on Decem­ber 19, 2014 — 6:21 AM CST

    Google Inc.’s push into cars is meet­ing grow­ing oppo­si­tion in Ger­many, where law­mak­ers are back­ing the likes of Audi and Mer­cedes-Benz as they seek to lim­it the soft­ware company’s access under the hood.

    Like in a smart­phone, Google’s Android Auto will let dri­vers inter­act with their cars’ music and nav­i­ga­tion sys­tems. What car­mak­ers don’t want, though, is for Android to con­trol cars just as it does phones and tablets.

    That also wor­ries Ger­man politi­cians. They don’t want the country’s flag­ship indus­try to have its impor­tance dilut­ed if Google gains access to data on the behav­ior and where­abouts of cars and their pas­sen­gers. And if the Ger­man man­u­fac­tur­ers who dom­i­nate the tech­no­log­i­cal­ly inno­v­a­tive lux­u­ry seg­ment aren’t ready to play along, Google may find it more dif­fi­cult to pen­e­trate the indus­try as a whole.

    “The data that we col­lect is our data and not Google’s data,” Audi Chief Exec­u­tive Offi­cer Rupert Stadler said, echo­ing com­ments from Volk­swa­gen AG CEO Mar­tin Win­terko­rn and Daim­ler AG CEO Dieter Zetsche. “When it gets close to our oper­at­ing sys­tem, it’s hands off.”

    Already con­cerned about Google’s mar­ket pow­er, Ger­man Chan­cel­lor Angela Merkel’s gov­ern­ment wants to pre­vent the Moun­tain View, Cal­i­for­nia-based com­pa­ny from build­ing a monop­oly posi­tion as a part­ner for devel­op­ing cars that will ulti­mate­ly dri­ve them­selves. The auto­mo­tive indus­try account­ed for 6.5 per­cent of all tax­able rev­enue in Ger­many in 2012, accord­ing to the Fed­er­al Sta­tis­ti­cal Office, mak­ing it the country’s biggest man­u­fac­tur­ing sec­tor.

    Google-Depen­dent

    “We mustn’t under any cir­cum­stances let our devel­op­ment become depen­dent on com­pa­nies like Google,” said Joachim Pfeif­fer, spokesman for Merkel’s par­lia­men­tary bloc on eco­nom­ic and ener­gy pol­i­cy.

    The mar­ket for assist­ed-dri­ving soft­ware may reach 20 bil­lion euros ($25 bil­lion) by 2030, con­sult­ing firm Roland Berg­er said this month.

    Google spokesman Klaas Flech­sig declined to com­ment on polit­i­cal oppo­si­tion to the soft­ware maker’s plans.

    The com­pa­ny no longer has a tar­get for the first Android Auto cars to be on the streets by the end of this year, Flech­sig said. He declined to com­ment fur­ther on tim­ing.

    When Econ­o­my and Ener­gy Min­is­ter Sig­mar Gabriel met Google Chair­man Eric Schmidt in Berlin on Oct. 14, he told the Amer­i­can exec­u­tive that he “admires Google — but I also admire the skills of an engi­neer who can build a car.” The Euro­pean Union wants to estab­lish its own “data archi­tec­ture” to sup­port eco­nom­ic growth, Gabriel said.

    Indus­try Lessons

    Lessons from the mobile-phone indus­try are fresh on exec­u­tives’ and reg­u­la­tors’ minds. As more con­sumers relied on mobile appli­ca­tions and ser­vices, Android forced hand­set mak­ers such as Sam­sung Elec­tron­ics Co. and HTC Corp. to com­ply with its stan­dards, large­ly strip­ping them of their indi­vid­ual strengths. With­in five years of the oper­at­ing system’s intro­duc­tion, Euro­pean play­ers Nokia Oyj and Eric­s­son AB quit mak­ing phones entire­ly.

    The more Google and oth­er soft­ware mak­ers man­age to embed them­selves in the ecosys­tem of a car, the more con­sumer mon­ey will go to tech­nol­o­gy com­pa­nies instead of car­mak­ers, said Juer­gen Rein­er, a part­ner at con­sult­ing com­pa­ny Oliv­er Wyman.

    “There’s one point where car­mak­ers can pro­tect them­selves from some­one wedg­ing them­selves in between the pro­duc­ers and the cus­tomers,” Rein­er said. “It’s about the data that’s cre­at­ed in and around the car.”

    ...

    “The more Google and other software makers manage to embed themselves in the ecosystem of a car, the more consumer money will go to technology companies instead of carmakers, said Juergen Reiner, a partner at consulting company Oliver Wyman.”
    And with all that poten­tial mon­ey at risk, it’s no sur­prise that the politi­cians of a coun­try like Ger­many, where 1 in 7 jobs are auto-relat­ed, are keen on see­ing an EU-made data-archi­tec­ture become the indus­try stan­dard:

    ...
    When Econ­o­my and Ener­gy Min­is­ter Sig­mar Gabriel met Google Chair­man Eric Schmidt in Berlin on Oct. 14, he told the Amer­i­can exec­u­tive that he “admires Google — but I also admire the skills of an engi­neer who can build a car.” The Euro­pean Union wants to estab­lish its own “data archi­tec­ture” to sup­port eco­nom­ic growth, Gabriel said.
    ...

    And while it would be great to assume an EU-made “data archi­tec­ture” for the future of inter­net-con­nect­ed cars would be one where per­son­al pri­va­cy is made a pre­mi­um and all that poten­tial mon­ey that could be made from exploit­ing that data is inten­tion­al­ly not made, it’s also pret­ty hard to believe that’s how it’s going to be. Espe­cial­ly when you read about stud­ies like this:

    IDG News Ser­vice

    Con­nect­ed cars gath­er too much data about their dri­vers, say motorists asso­ci­a­tions
    Cars report on how hard you dri­ve and brake, but also on where you’re going and who you know

    Peter Say­er

    Nov 26, 2015 8:21 AM

    Car dri­vers may imag­ine they have greater pri­va­cy than pub­lic trans­port users, but that isn’t nec­es­sar­i­ly the case in mod­ern, con­nect­ed cars, Euro­pean motor­ing orga­ni­za­tions warned this week.

    To help iden­ti­fy faults or plan main­te­nance, man­u­fac­tur­ers are able to gath­er per­for­mance data from con­nect­ed cars such as the total dis­tance trav­elled, or the length and num­ber of trips made.

    But dri­vers may be unaware of just how much oth­er infor­ma­tion such cars allow man­u­fac­tur­ers to gath­er about them.

    A study con­duct­ed by Ger­man motorists orga­ni­za­tion ADAC for Euro­pean lob­by group FIA Region 1 found that in addi­tion to trip and dis­tance data, one recent mod­el report­ed max­i­mum engine rev­o­lu­tions, the sta­tus of vehi­cle lights — and far more besides.

    The car, a BMW 320d, also record­ed the length of time the dri­ver used dif­fer­ent dri­ving modes, and record­ed when the seat­belt tight­ened due to sud­den brak­ing. More sin­is­ter­ly, it also trans­mit­ted the lat­est des­ti­na­tions entered into the car’s nav­i­ga­tion sys­tem, and per­son­al infor­ma­tion such as con­tacts syn­chro­nized from mobile phones.

    ADAC only exam­ined one car, and wants to extend the study to see how oth­er brands behave, a spokes­woman said.

    But FIA wants car man­u­fac­tur­ers to come clean them­selves, with­out wait­ing to be unmasked: It asked them to pub­lish an eas­i­ly under­stand­able list for each mod­el of all the data col­lect­ed, processed, stored and trans­mit­ted exter­nal­ly.

    With the risk that the data might be inter­cept­ed or the car hacked and the data tak­en, FIA wants car­mak­ers to secure the data, and to make it pos­si­ble for dri­vers to block the pro­cess­ing or trans­mis­sion of non-essen­tial data.

    It will soon be impos­si­ble for car buy­ers to pur­chase non-con­nect­ed vehi­cles in Europe, as from April 2018 all new vehi­cles must include sup­port for eCall, a sys­tem that in case of acci­dent auto­mat­i­cal­ly com­mu­ni­cates its exact loca­tion to emer­gency ser­vices, with the time of inci­dent and the direc­tion of trav­el (most impor­tant on motor­ways). To do that, it will need to be con­tin­u­ous­ly mon­i­tor­ing its posi­tion and have a mobile data con­nec­tion to report back in case of inci­dent.

    Once auto­mo­tive man­u­fac­tur­ers have gone to the trou­ble of installing such hard­ware, it’s unlike­ly they will pass up the oppor­tu­ni­ty to link in poten­tial­ly rev­enue-gen­er­at­ing ser­vices such as music stream­ing, traf­fic infor­ma­tion or loca­tion-based rec­om­men­da­tions.

    Should they take that step, though, FIA wants them to give car own­ers the oppor­tu­ni­ty to switch providers for such ser­vices, as it believes that that way they will get the low­est prices and the most inno­v­a­tive prod­ucts.

    ...

    “The car, a BMW 320d, also recorded the length of time the driver used different driving modes, and recorded when the seatbelt tightened due to sudden braking. More sinisterly, it also transmitted the latest destinations entered into the car’s navigation system, and personal information such as contacts synchronized from mobile phones.”
    Wow, so the FIA decides to study what consumer information is getting sent back to manufacturers, they choose a single model to start their study, the BMW 320d, and it turns out the car sends personal information like contacts synchronized from mobile phones back to BMW. And what’s FIA’s recommendation? That internet-connected cars should offer owners the opportunity to switch service providers, which is basically the opposite of the “it’s our data!” attitude expressed by the manufacturers. And starting in 2018, the EU is mandating that ALL new cars be internet-connected and constantly streaming data:

    ...
    It will soon be impos­si­ble for car buy­ers to pur­chase non-con­nect­ed vehi­cles in Europe, as from April 2018 all new vehi­cles must include sup­port for eCall, a sys­tem that in case of acci­dent auto­mat­i­cal­ly com­mu­ni­cates its exact loca­tion to emer­gency ser­vices, with the time of inci­dent and the direc­tion of trav­el (most impor­tant on motor­ways). To do that, it will need to be con­tin­u­ous­ly mon­i­tor­ing its posi­tion and have a mobile data con­nec­tion to report back in case of inci­dent.
    ...

    So there’s a pretty massive conflict of interests emerging in the auto industry and it’s not just a conflict between consumers and a manufacturer. It’s a conflict between consumers and ALL the different manufacturers whose technology might have access to the personal data generated by the vehicle. And also a conflict between all those manufacturers who all have an economic incentive to be the sole collectors of that data.

    But there’s another interesting potential conflict on the horizon and that involves each nation’s data privacy regulators. The way the new laws work, each nation is going to be in charge of enforcing the data privacy rules according to its own interpretations of those rules and a company only needs to follow the rules of the EU country it’s headquartered in. This was seen as one of the biggest benefits from the new EU data privacy rules for companies operating in the EU.

    But there’s a catch: since EU member states have the flexibility to interpret and enforce rules somewhat differently, a compromise was made where the data privacy authorities of other EU member states can “object” to a particular member’s data privacy rulings. And if they can’t come to an agreement the whole dispute is arbitrated by the European Data Protection Board (EDPB). And as we saw with the German auto manufacturers and Google, there’s going to be A LOT of potential commercial disputes as various industries try to use data privacy rules to influence which firms can compete in different digital markets, whether it’s the traditional internet or the “Internet of Things”.

    So while internet companies can be pleased to see the final EU data privacy rules finally take shape, questions of how the conflicts get worked out between EU members over the inevitably differing interpretation of those rules (that might involve conflicting commercial interests and digital turf wars) and which members’ desires end up getting favored by the EDPB that resolves those conflicts is going to be something data privacy advocates (and everyone else) really need to watch:

    Reuters
    EU data pro­tec­tion reform may promise more than it deliv­ers

    Tue Jan 5, 2016 7:44am EST

    (This December 21 story has been corrected to read Sidley Austin in paragraph 18)

    By Julia Fioret­ti

    Imple­ment­ing the biggest shake-up to Europe’s frag­ment­ed data pro­tec­tion laws in two decades may fail to pro­vide com­pa­nies with the con­sis­ten­cy and sim­plic­i­ty that had been promised across the 28-nation bloc.

    A patch­work of pri­va­cy laws in the Euro­pean Union, dat­ing back to 1995 when the inter­net was in its infan­cy, was crit­i­cized for lack­ing teeth and being inter­pret­ed dif­fer­ent­ly across the EU.

    To tack­le those fail­ings, the EU last week agreed a sweep­ing over­haul of data pro­tec­tion rules which would intro­duce a sin­gle rule book, fines of up to 4 per­cent of a com­pa­ny’s glob­al turnover and sim­pler sys­tem of enforce­ment.

    ...

    The expo­nen­tial growth in data — from peo­ple’s cred­it card habits, social media post­ings and wear­able fit­ness devices track­ing their sleep and move­ments — have fueled con­cerns that indi­vid­u­als do not have enough con­trol over such infor­ma­tion.

    The new rules should be a boon for web com­pa­nies such as Google, Face­book and Ama­zon which do busi­ness across Europe and who cur­rent­ly have to deal with a series of nation­al reg­u­la­tors.

    EU Jus­tice Com­mis­sion­er Vera Jouro­va said on Mon­day that a sin­gle data pro­tec­tion law would save busi­ness­es around 2.3 bil­lion euros ($2.5 bil­lion) a year.

    How­ev­er, crit­ics of the new mea­sures ques­tion whether reg­u­la­tors will be able to cope with an increased work­load and whether the reg­u­la­to­ry over­lap has gen­uine­ly been removed.

    “We are con­cerned that investors will be scared off from invest­ing in Europe and will look out­side the con­ti­nent to finance the next big thing in tech­nol­o­gy,” said the Indus­try Coali­tion for Data Pro­tec­tion, whose mem­bers include Google, Face­book, Ama­zon and IBM.

    NATIONAL CONCERNS

    The rules are tougher in some obvi­ous ways.

    Not all pri­va­cy reg­u­la­tors cur­rent­ly have the pow­er to levy fines. When they do, the amounts are often pal­try com­pared to the bil­lions of dol­lars of rev­enues of the busi­ness­es involved.

    One of the most sig­nif­i­cant changes that com­pa­nies were look­ing for­ward to was the “one-stop-shop”.

    Under the new law, which will come into force in two years, com­pa­nies oper­at­ing across the EU should only have to deal with the reg­u­la­tor in the coun­try where they have their Euro­pean head­quar­ters.

    But it was watered down by mem­ber states who were eager to pro­tect the pow­er of their nation­al reg­u­la­tors to inves­ti­gate U.S. tech com­pa­nies — which hold swathes of Euro­peans’ data — and ensure cit­i­zens could still com­plain to their local author­i­ty about a com­pa­ny locat­ed else­where.

    That means any “con­cerned” author­i­ty will have the pow­er to object to the deci­sion made by the “lead” author­i­ty — the one where the com­pa­ny has its EU head­quar­ters.

    Lawyers say that the def­i­n­i­tion of a con­cerned author­i­ty is too broad and for some com­pa­nies it will not be clear where their main Euro­pean base is.

    “There is con­cern that the trig­ger for oth­er data pro­tec­tion author­i­ties to get involved is too low,” said William Long, Part­ner at law firm Sid­ley Austin LLP.

    But con­sumer groups say ensur­ing that cit­i­zens can still com­plain to their local reg­u­la­tor is impor­tant for pro­tect­ing their pri­va­cy.

    “If that prox­im­i­ty to the cit­i­zen is assured in a way that I, as a con­sumer, can eas­i­ly com­plain to my nation­al super­vi­so­ry authority...that is a vic­to­ry for cit­i­zens,” said David Mar­tin, senior legal offi­cer at BEUC, the Euro­pean Con­sumer Organ­i­sa­tion.

    Lawyers also point out that the new EU rules leave many issues to the discretion of individual countries and there is still a risk that regulators could interpret them differently.

    “It would be bad if an Ital­ian com­pa­ny were sanc­tioned more than a French one for the same thing,” Jouro­va said in an inter­view.

    If there is dis­agree­ment between reg­u­la­tors the case will be referred to a Euro­pean Data Pro­tec­tion Board (EDPB), yet to be cre­at­ed, to take bind­ing deci­sions.

    “The mech­a­nism laid down in the data pro­tec­tion reg­u­la­tion estab­lish­es a hyper bureau­crat­ic pro­ce­dure that will lead to more com­plex­i­ty and longer pro­ce­dures of law enforce­ment,” said Johannes Cas­par, head of Ham­burg’s data pro­tec­tion author­i­ty in Ger­many, which has juris­dic­tion over com­pa­nies includ­ing Google and Face­book.

    “If there is dis­agree­ment between reg­u­la­tors the case will be referred to a Euro­pean Data Pro­tec­tion Board (EDPB), yet to be cre­at­ed, to take bind­ing deci­sions.”
    Yep, regulatory disagreements are going to get sent to the yet to be created EDPB. So it’s going to be pretty critical to see how the EDPB finally takes shape. Especially since its rulings will presumably impact the rulings like the new fines that could reach 4 percent of global revenues for corporations. And note how the creation of the EDPB was apparently done to assuage concerns that member states wouldn’t be able to adequately investigate US tech firms for privacy violations of their citizens:

    ...

    Under the new law, which will come into force in two years, com­pa­nies oper­at­ing across the EU should only have to deal with the reg­u­la­tor in the coun­try where they have their Euro­pean head­quar­ters.

    But it was watered down by mem­ber states who were eager to pro­tect the pow­er of their nation­al reg­u­la­tors to inves­ti­gate U.S. tech com­pa­nies — which hold swathes of Euro­peans’ data — and ensure cit­i­zens could still com­plain to their local author­i­ty about a com­pa­ny locat­ed else­where.
    ...

    Yep, the whole system involving “objections” between member states and the creation of the EDPB was set up because some national data regulators were keen on ensuring companies like Google and Apple couldn’t find an EU member that’s more lenient on privacy violations (like Ireland), and shield themselves from, say, German data privacy regulators while still operating across the EU.

    But with the EDPB system set up to allow for fights between EU member states on data privacy issues that could have huge potential impacts on critical national industries, why would, for instance, German automakers be ONLY interested in keeping US or other foreign firms out of its internet-connected car markets? What about other potential EU competitors in the “digital cars” software that might be headquartered in, say, France? And don’t forget the mass surveillance policies of most EU member states have become much more mass surveillance friendly in recent years despite the post-Snowden freak out (and despite the passage of big new data privacy regulations). So if compliance with US mass surveillance policies is viewed as a viable reason for fining or blocking companies like Google or Apple out of the EU markets, what opportunities will the mass surveillance policies of individual EU states create for waging intra-EU commercial turf wars?

    And keep in mind that this is just the auto industry we’re talking about. Now imagine the rest of the “Internet of Things” that pops up going forward, all these digital things talking to each other, sharing data, and creating fun new data privacy headaches but also fun new opportunities for manufacturers to become the sole software provider (and sole data collector). Aren’t the manufacturers across the whole IoT going to have an interest in ensuring that they, and they alone, collect and profit from the personal data their devices collect? It’s hard to see why that wouldn’t be the case.

    So there’s no short­age of major ques­tions about how the EU’s new data pri­va­cy regime will unfold and reshape the dig­i­tal econ­o­my of the future. But one thing is very clear: Google is going to get sued. A lot. And Apple and prob­a­bly the rest of the Sil­i­con Val­ley per­son­al data giants oper­at­ing in the EU are total­ly get­ting sued too. Repeat­ed­ly. That’s basi­cal­ly a giv­en at this point. The EDPB was set up for that pur­pose.

    Posted by Pterrafractyl | January 6, 2016, 8:19 pm
  18. Here’s a peek at all the fun new features currently under development by Audi for the next generation of internet-connected cars that will likely also be self-driving cars that allow the passengers to basically treat the car as a living room on the road (as Audi’s CEO once put it), with internet browsing and all sorts of other options. Also included is a system for measuring the passengers’ physical vital signs, like heart rate and skin temperature, and then using that information to make assessments about the passengers’ state of mind and modify the internal environment accordingly to make it as relaxing and rejuvenating a trip as possible. And then there’s the feature that turns each car into one part of a larger “swarm” that’s constantly feeding information to the cloud for the purpose of updating everyone about changing road conditions. All pretty neat! It’s also a whole new data privacy nightmare:

    The Auto Chan­nel
    Pilot­ed, Elec­tri­fied and Ful­ly Con­nect­ed — Audi at the 2016 CES

    Inte­ri­or mod­el with new oper­at­ing and dis­play con­cept

    Audi e‑tron quat­tro con­cept study with full-elec­tric dri­ve

    Evo­lu­tion of the Audi con­nect port­fo­lio to include Car-to‑X com­mu­ni­ca­tion and remote vehi­cle ser­vices

    Livestream and sub­se­quent down­load of the Audi Press Con­fer­ence at CES on Wednes­day, Jan­u­ary 6 at 7pm GMT avail­able on Audi TV and Audi Media Cen­ter

    INGOLSTADT/LAS VEGAS –Jan­u­ary 6, 2016: – At the 2016 Con­sumer Elec­tron­ics Show (CES), Audi is pre­sent­ing its lat­est tech­nolo­gies in the form of attrac­tive solu­tions for today and vision­ary ideas for tomor­row. The world’s most impor­tant elec­tron­ics show takes place Jan­u­ary 6–9, 2016, in Las Vegas, Neva­da (USA) and the focus for the brand with the four rings is on the three future auto­mo­tive trends of elec­tri­fi­ca­tion, dig­i­tal­i­sa­tion and pilot­ed dri­ving.

    The Audi e‑tron quattro concept combines all of these innovations which build upon technologies that are used in its production cars today. Visitors will be able to experience the new control and display concept that has been implemented in an interior mock-up of the Audi e‑tron quattro concept. Advanced development of Audi connect as well as new developments in lighting technology will also be showcased.

    New approach­es: con­trols and dis­plays

    User-friend­ly oper­a­tion is an Audi strength, and now the brand with the four rings is expand­ing its oper­at­ing and dis­play con­cept (HMI, human-machine inter­face) with new solu­tions. The con­cept is being pre­sent­ed in an inte­ri­or mock-up of the Audi e‑tron quat­tro con­cept car. The curved OLED (OLED: Organ­ic Light Emit­ting Diodes) of the new Audi vir­tu­al cock­pit lies in the driver’s imme­di­ate visu­al field.

    The AMOLED (AMOLED: Active Matrix Organ­ic Light Emit­ting Diodes) tech­nol­o­gy that is used offers new cre­ative free­doms in design­ing dis­play shapes. The two dis­plays of the Audi MMI on the cen­tre con­sole offer an out­look on the dig­i­tal future. Key func­tions can also be con­trolled con­ve­nient­ly by voice. Both dis­plays exploit the advan­tages of a new type of touch recog­ni­tion – what is known as Audi MMI touch response. Here, the select­ed func­tions are acti­vat­ed by gen­tle yet defined pres­sure on the dis­play. This makes it pos­si­ble to oper­ate the sys­tem safe­ly and with few dis­trac­tions while dri­ving.

    Behind the new oper­at­ing and dis­play con­cept is the lat­est exten­sion stage of the Audi Mod­u­lar Info­tain­ment Plat­form, MIB2+. Its fur­ther boost­ed com­put­ing pow­er makes it pos­si­ble to dri­ve sev­er­al high-res­o­lu­tion dis­plays.

    MIB2+ has been pre­pared for the lat­est mobile com­mu­ni­ca­tions stan­dard: LTE Advanced. It can down­load data into the car at a max­i­mum speed of 300 Mbit/s. LTE Advanced also enables mobile tele­pho­ny using the VoLTE (VoLTE = Voice over LTE) method, which short­ens the time need­ed to make a phone con­nec­tion and increas­es voice qual­i­ty. Voice con­trol has also become more pow­er­ful – it utilis­es both the on-board address book and a serv­er in the cloud.

    The con­trol and dis­play con­cepts from Audi are already vision­ary today. The Audi vir­tu­al cock­pit – a ful­ly dig­i­tal instru­ment clus­ter with a 12.3‑inch TFT dis­play – pro­vides all infor­ma­tion in intri­cate­ly cal­cu­lat­ed and bril­liant 3D graph­ics, in which dri­vers can choose between dif­fer­ent views. The lat­est Audi mod­els have MMI ter­mi­nals on board that fol­low a new oper­at­ing log­ic. This resem­bles the con­cept that is famil­iar from mod­ern smart­phones – flat hier­ar­chies instead of com­plex menu trees. Voice con­trol is avail­able as an alter­na­tive.

    Audi con­nect

    The term Audi con­nect cov­ers all appli­ca­tions and devel­op­ments that net­work an Audi with its own­er, the Inter­net, infra­struc­ture and oth­er vehi­cles. Audi con­tin­ues to extend its lead in this tech­nol­o­gy field. An LTE/UMTS mod­ule of Audi con­nect con­nects to the Inter­net with down­load speeds of up to 100 MBit/s.

    The inte­grat­ed Wi-Fi hotspot lets pas­sen­gers freely surf the web, stream and text/e‑mail with up to eight mobile devices. Cus­tomised ser­vices from the Audi con­nect port­fo­lio are deliv­ered to the car for the dri­ver. They include traf­fic infor­ma­tion online, Google Earth and Google Street View, park­ing infor­ma­tion, fuel prices and flight, train and gate infor­ma­tion. The Audi con­nect line­up is round­ed out by City Events, indi­vid­u­al­ly con­fig­urable news, trav­el and weath­er infor­ma­tion and oth­er ser­vices.

    Audi will also be offer­ing addi­tion­al new ser­vices in Europe, and soon in the USA.

    They include emer­gency call that alerts the Audi Emer­gency Call Cen­tre after an acci­dent, online road­side assis­tance that calls the Audi Ser­vice Cen­tre and Audi ser­vice request with which cus­tomers can sched­ule a ser­vice appoint­ment.

    The free Audi MMI con­nect app brings more ser­vices into the car such as Online Media Stream­ing, which offers access to the ser­vices of the sub­scrip­tion music por­tals Nap­ster and Rhap­sody and the Aupeo! radio ser­vice. For own­ers of the new A4 and Q7 mod­els, the Audi MMI con­nect app also offers remote vehi­cle ser­vices. From a smart­phone, they can lock or unlock the doors or view the lat­est car sta­tus report. They can also have the park­ing loca­tion and park­ing time dis­played. Oth­er func­tions have been added for the Audi e‑tron mod­els – remote con­trol of bat­tery charg­ing and cli­mate con­trol and access to dri­ving data. The app’s remote func­tions can also be acti­vat­ed by a smart­watch, and effec­tive at the begin­ning of 2016 by a fourth-gen­er­a­tion Apple TV.

    In just a few months, the Audi con­nect SIM will be avail­able for the new A4 and Q7 mod­els in Euro­pean mar­kets. It is a per­ma­nent­ly installed embed­ded SIM (e‑SIM) that auto­mat­i­cal­ly brings Audi con­nect ser­vices into the car across Europe and does not require that the dri­ver per­form an acti­va­tion pro­ce­dure.

    It per­mits EU-wide roam­ing, because the SIM card can be auto­mat­i­cal­ly set to spe­cif­ic coun­try providers as nec­es­sary. This elim­i­nates coun­try-spe­cif­ic roam­ing fees and annoy­ing roam­ing con­fir­ma­tions.

    Regard­less of which con­nect ser­vices are inte­grat­ed, Audi own­ers can choose addi­tion­al data pack­ages for the Audi con­nect SIM at eco­nom­i­cal rates to oper­ate the Wi-Fi hotspot. Here too, the data trans­fer auto­mat­i­cal­ly con­tin­ues at the fixed price when cross­ing a bor­der, i.e. when switch­ing providers.

    In 2016, Audi is expand­ing its con­nect line­up to include the first Car-to‑X tech­nolo­gies. The ser­vices traf­fic sign infor­ma­tion and haz­ard infor­ma­tion make the new Audi mod­els part of a swarm. They report detect­ed speed lim­its and haz­ardous loca­tions, e.g. at points where a vehi­cle has bro­ken down or the road ser­vice is slip­pery, to a serv­er in the cloud via the mobile phone net­work. The serv­er col­lects the data, process­es it, and pro­vides it to oth­er Audi dri­vers who have suit­able equip­ment. The updat­ed infor­ma­tion also flows into reg­u­lar map updates for the MMI nav­i­ga­tion plus sys­tem, mak­ing it avail­able to the entire Audi fleet.

    The traf­fic light infor­ma­tion ser­vice con­nects the new mod­els in the USA via the mobile phone net­work to the cen­tral traf­fic com­put­er that con­trols traf­fic lights in the city. Based on the infor­ma­tion from this sys­tem, the Audi vir­tu­al cock­pit rec­om­mends a speed to the dri­ver for reach­ing the next traf­fic light while it is green.

    Audi elec­tri­fi­ca­tion strat­e­gy

    The Audi e‑tron quat­tro con­cept, the brand’s con­cep­tu­al study at CES, is an all elec­tri­cal­ly pow­ered sport SUV. Three elec­tric motors with a total out­put of up to 370 kW enable a quat­tro dri­ve sys­tem and elec­tric torque vec­tor­ing for max­i­mum dynam­ic per­for­mance and sta­bil­i­ty. The 95 kWh bat­tery, locat­ed between the axles and there­fore in an ide­al posi­tion in terms of the cen­tre of grav­i­ty, enables a range of over 310 miles. The Audi e‑tron quat­tro con­cept car is a pre­view of a future pro­duc­tion mod­el that will arrive on the mar­ket in 2018.

    Pilot­ed dri­ving

    The Audi e‑tron quat­tro con­cept has pilot­ed dri­ving tech­nolo­gies on board, which Audi will be launch­ing into pro­duc­tion in the near future. They include pilot­ed dri­ving in traf­fic jams and pilot­ed park­ing. These ser­vices rep­re­sent greater safe­ty, time sav­ings, effi­cien­cy, com­fort and con­ve­nience. The sys­tems can make a valu­able con­tri­bu­tion toward safe­ty, espe­cial­ly in sit­u­a­tions in which the dri­ver is either over­whelmed or under­whelmed by dri­ving tasks. The core com­po­nent of future sys­tems will be the cen­tral dri­ver assis­tance con­troller, known as the zFAS. Infor­ma­tion is con­tin­u­al­ly acquired from all of the car’s sen­sors and processed in this com­pact mod­ule. They include sig­nals from the 3D cam­eras, the laser scan­ner and radar and ultra­son­ic sen­sors. The high com­put­ing pow­er of the zFAS gives it the abil­i­ty to con­tin­u­al­ly com­pare the data of vehi­cle sen­sors to the envi­ron­men­tal mod­el of the road.

    Espe­cial­ly in this area, Audi will ben­e­fit from the high­ly up-to-date HERE maps data­base, which AUDI AG acquired togeth­er with the BMW Group and Daim­ler AG in Decem­ber 2015. In the future, self-dri­ving vehi­cles will need to be based on a new data source with cen­time­tre accu­ra­cy. The live data approach of HERE makes it pos­si­ble to eval­u­ate all sorts of changes and move­ments and recog­nise poten­tial haz­ards in an extreme­ly short time. In addi­tion, vehi­cle sen­sors will send anonymised feed­back to the cloud in real time – not only about the cur­rent traf­fic sit­u­a­tion, but also about changes, e.g. relat­ed to the road con­di­tion, detours or oth­er dis­tur­bances. In addi­tion, HERE serves as a data­base with infor­ma­tion on hotels and busi­ness­es, park­ing places and events. This is an exam­ple of how Audi is gen­er­at­ing swarm intel­li­gence with a high lev­el of rel­e­vance.

    ...

    The Audi VR expe­ri­ence

    Audi is the world’s first car­mak­er to devel­op its own soft­ware and hard­ware solu­tion for vir­tu­al real­i­ty appli­ca­tions by intro­duc­ing the Audi VR expe­ri­ence in 2016. Cus­tomers can use vir­tu­al real­i­ty glass­es to expe­ri­ence the car of their choice at a deal­er­ship with unprece­dent­ed real­ism – in 3D, with a 360-degree panoram­ic view, sound effects and all avail­able fea­tures.

    Audi Fit Dri­ver

    The Audi Fit Dri­ver project is focus­ing on the well-being of the dri­ver. Audi has a vision of dri­vers who step out of their cars at their des­ti­na­tions feel­ing more relaxed than when they stepped into them. A wear­able – a fit­ness wrist­band or watch – mon­i­tors impor­tant vital para­me­ters such as heart rate and skin tem­per­a­ture. The car’s sen­sors sup­ple­ment them with infor­ma­tion on dri­ving style, breath­ing rate and rel­e­vant envi­ron­men­tal data such as the weath­er or traf­fic sit­u­a­tion. By analysing the com­bi­na­tion of this data, the car can deduce the cur­rent state of the dri­ver, e.g. whether the dri­ver is stressed or over­ly tired. The vehi­cle sys­tems then adjust their modes of oper­a­tion to relax, vitalise, or even pro­tect the dri­ver.

    In a lat­er exten­sion phase, Audi Fit Dri­ver will also incor­po­rate dri­ver assis­tance and safe­ty sys­tems as well as sys­tems for pilot­ed dri­ving – with func­tions that extend all the way to pilot­ed emer­gency stops with emer­gency call­ing. When it comes to data pro­tec­tion, the usu­al strict reg­u­la­tions by Audi apply.

    ...

    “The Audi Fit Dri­ver project is focus­ing on the well-being of the dri­ver. Audi has a vision of dri­vers who step out of their cars at their des­ti­na­tions feel­ing more relaxed than when they stepped into them. A wear­able – a fit­ness wrist­band or watch – mon­i­tors impor­tant vital para­me­ters such as heart rate and skin tem­per­a­ture. The car’s sen­sors sup­ple­ment them with infor­ma­tion on dri­ving style, breath­ing rate and rel­e­vant envi­ron­men­tal data such as the weath­er or traf­fic sit­u­a­tion. By analysing the com­bi­na­tion of this data, the car can deduce the cur­rent state of the dri­ver, e.g. whether the dri­ver is stressed or over­ly tired. The vehi­cle sys­tems then adjust their modes of oper­a­tion to relax, vitalise, or even pro­tect the dri­ver.”

    That’s quite a car. And while such features are cutting edge today, they’re probably going to be standardized over the next decade. And while passengers can presumably just not wear the wristband/watch if they aren’t super comfortable with a car that can “deduce the current state of the driver”, it would be interesting to learn if this internal passenger-focused sensor data is part of the rest of the vehicular sensor data that’s getting streamed back to Audi:

    ...

    The Audi e‑tron quat­tro con­cept has pilot­ed dri­ving tech­nolo­gies on board, which Audi will be launch­ing into pro­duc­tion in the near future. They include pilot­ed dri­ving in traf­fic jams and pilot­ed park­ing. These ser­vices rep­re­sent greater safe­ty, time sav­ings, effi­cien­cy, com­fort and con­ve­nience. The sys­tems can make a valu­able con­tri­bu­tion toward safe­ty, espe­cial­ly in sit­u­a­tions in which the dri­ver is either over­whelmed or under­whelmed by dri­ving tasks. The core com­po­nent of future sys­tems will be the cen­tral dri­ver assis­tance con­troller, known as the zFAS. Infor­ma­tion is con­tin­u­al­ly acquired from all of the car’s sen­sors and processed in this com­pact mod­ule. They include sig­nals from the 3D cam­eras, the laser scan­ner and radar and ultra­son­ic sen­sors. The high com­put­ing pow­er of the zFAS gives it the abil­i­ty to con­tin­u­al­ly com­pare the data of vehi­cle sen­sors to the envi­ron­men­tal mod­el of the road.

    Espe­cial­ly in this area, Audi will ben­e­fit from the high­ly up-to-date HERE maps data­base, which AUDI AG acquired togeth­er with the BMW Group and Daim­ler AG in Decem­ber 2015. In the future, self-dri­ving vehi­cles will need to be based on a new data source with cen­time­tre accu­ra­cy. The live data approach of HERE makes it pos­si­ble to eval­u­ate all sorts of changes and move­ments and recog­nise poten­tial haz­ards in an extreme­ly short time. In addi­tion, vehi­cle sen­sors will send anonymised feed­back to the cloud in real time – not only about the cur­rent traf­fic sit­u­a­tion, but also about changes, e.g. relat­ed to the road con­di­tion, detours or oth­er dis­tur­bances. In addi­tion, HERE serves as a data­base with infor­ma­tion on hotels and busi­ness­es, park­ing places and events. This is an exam­ple of how Audi is gen­er­at­ing swarm intel­li­gence with a high lev­el of rel­e­vance.

    ...

    Could the “Audi Fit Dri­ver” data get sent back to Audi too? We’ll have to wait for more prod­uct infor­ma­tion to find out but it’s an exam­ple of the kind of data that cars are going to be gen­er­at­ing in the future and it’s hard to see how access­ing and com­mer­cial­iz­ing that data isn’t going to be increas­ing­ly tempt­ing. Let’s hope those data pri­va­cy reg­u­la­tors keep an eye on this.

    Also keep in mind that the kind of personal data generated by these next generation cars isn’t just useful for potentially selling to third parties or more effectively marketing to your own customers. It’s also incredibly valuable to developing the next-generation of that same technology. Especially when it comes to the artificial intelligence systems that use “deep learning” to intelligently navigate the car’s environment:

    Audiusa.com
    Deep learn­ing is at the core of Audi pilot­ed dri­ving

    June 04, 2015 | HERNDON, Vir­ginia

    Work­ing with part­ners such as NVIDIA, Audi uses machine learn­ing to advance pilot­ed dri­ving
    Arti­fi­cial intel­li­gence in pilot­ed Audi cars sim­u­lates human learn­ing
    Deep learn­ing was key to the 550-mile pilot­ed dri­ving run of Jack the A7 in Jan­u­ary

    As Audi per­fects its approach to pilot­ed dri­ving, its engi­neers are rely­ing on an advance­ment that devel­op­ers call “deep learn­ing” to train com­put­ers to imi­tate the human brain.

    Progress in this form of machine learn­ing was cru­cial for the pilot­ed-dri­ving run of “Jack,” the Audi A7 Sedan that trans­port­ed a group of auto­mo­tive jour­nal­ists some 550 miles from Sil­i­con Val­ley to the Inter­na­tion­al Con­sumer Elec­tron­ics Show in Las Vegas in Jan­u­ary.

    And deep learn­ing is at the cen­ter of the fast evo­lu­tion of pilot­ed dri­ving toward a com­mer­cial­ly avail­able vehi­cle that can get itself to any des­ti­na­tion with lit­tle human help.

    Work­ing with key sup­pli­ers such as NVIDIA, the dig­i­tal-tech com­pa­ny based in San­ta Clara, Cal­i­for­nia, we are cre­at­ing an auto­mo­bile-com­put­er mod­el that sim­u­lates the way the brain process­es new infor­ma­tion.

    Think of the car’s way of learn­ing as sim­i­lar to a child’s. Care­givers teach a baby to iden­ti­fy things she per­ceives with her sens­es: a cir­cle, a square, col­ors. Object edges are very impor­tant in this process. The edges form mean­ing­ful, dis­tinct shapes, which the brain starts to rec­og­nize. A fire truck is red, has a cer­tain shape and wheels, but at first, the baby might think all trucks are fire engines. Then the child learns to dif­fer­en­ti­ate between dif­fer­ent kinds of trucks.

    That’s how the nexus of our pilot­ed dri­ving tech­nol­o­gy – the zFAS cen­tral dri­ver-assis­tance con­troller – works. Pix­els are gen­er­at­ed by cam­era images, sim­i­lar to how the human eye­ball trans­fers images to the brain. The Audi proces­sor, about the size of a tablet PC and pow­ered by NVIDIA’s Tegra proces­sor, ana­lyzes every frame of video that comes in, and it sens­es edges which it groups into shapes. It learns that the shapes are objects, then learns to dif­fer­en­ti­ate those objects.

    This arti­fi­cial intel­li­gence enables the Audi proces­sor to detect, for instance, fea­tures such as eyes, a nose and mouth, and it fig­ures out that they all fit into a face. It also allows Audi vehi­cles to detect and iden­ti­fy oth­er vehi­cles. All of this infor­ma­tion goes into a data­base to fos­ter future advances in such recog­ni­tion. The sys­tem serves as one of the impor­tant bases of intel­li­gence for pilot­ed dri­ving.

    With every mile, the car gets smarter. But it takes more than ter­abytes of such data to make for suc­cess­ful autonomous dri­ving. The data also must be processed very quick­ly: 30 video frames a sec­ond. The infor­ma­tion must be trans­mit­ted, rec­og­nized, processed, ana­lyzed – and pro­vide a reac­tion – almost instan­ta­neous­ly, in case an Audi dri­ver is encoun­ter­ing tricky con­di­tions.

    That’s why one of the most impor­tant objec­tives of deep learn­ing is to ensure that every bit of object recog­ni­tion is embed­ded in the proces­sor in the Audi vehi­cle, not depen­dent on the inter­net cloud.

    ...

    Move over KITT!

    ...
    That’s how the nexus of our pilot­ed dri­ving tech­nol­o­gy – the zFAS cen­tral dri­ver-assis­tance con­troller – works. Pix­els are gen­er­at­ed by cam­era images, sim­i­lar to how the human eye­ball trans­fers images to the brain. The Audi proces­sor, about the size of a tablet PC and pow­ered by NVIDIA’s Tegra proces­sor, ana­lyzes every frame of video that comes in, and it sens­es edges which it groups into shapes. It learns that the shapes are objects, then learns to dif­fer­en­ti­ate those objects.

    This arti­fi­cial intel­li­gence enables the Audi proces­sor to detect, for instance, fea­tures such as eyes, a nose and mouth, and it fig­ures out that they all fit into a face. It also allows Audi vehi­cles to detect and iden­ti­fy oth­er vehi­cles. All of this infor­ma­tion goes into a data­base to fos­ter future advances in such recog­ni­tion. The sys­tem serves as one of the impor­tant bases of intel­li­gence for pilot­ed dri­ving.
    ...

    Now your car is going to develop facial/auto recognition technology that gets “smarter” the more you let it observe the world. And this “deep learning” is intended to take place in the car itself and not rely on a constant internet connection and remote servers to process the data, which makes sense for something like a moving vehicle. But as Audi also points out, part of the improvement in artificial intelligence will come from using the data gathered in the early models and throwing it into “a database to foster future advances in such recognition.” That sure sounds like all that data is getting sent back to Audi.

    So in the not too distant future our cars could be equipped for “deep learning” technology that includes facial and vehicular recognition technology that’s constantly monitoring your car’s surroundings and sending that info back to your auto manufacturer for the purpose of developing the next generation of the technology. At least, let’s hope that’s all they use it for. As Audi points out above, “When it comes to data protection, the usual strict regulations by Audi apply.” And technology like the “Audi Fit Driver” system that monitors the passenger’s mood is only available in Audi’s German models for the time being, and Germany, at least officially, has some of the strongest data privacy laws in the world. But at some point technology like that is going to be exported to countries with different data privacy standards which is going to make it very interesting to see just how much data our future cars start sweeping up as cars fitted with an array of sensors and “deep learning” artificial intelligence become the norm and what the laws are regarding who “owns” that data and how it can be used.

    Also don’t for­get that Audi is owned by VW. So while there are indeed laws that will deter­mine how that per­son­al data is used, whether or not those laws are respect­ed is a very open ques­tion.

    Posted by Pterrafractyl | January 8, 2016, 12:03 pm
  19. Here’s anoth­er look at how the issue of own­er­ship over the data gath­ered by the vehi­cles we dri­ve (or ride in while they dri­ve them­selves) is poised to become an increas­ing­ly com­plex ques­tion. Data own­er­ship is going to be enough of a headache when you have car man­u­fac­tur­ers fight­ing with dig­i­tal ser­vice providers like Google over who owns what. But how about the cars you rent or lease? That’s a big­ger headache:

    Fleet News

    Fleets call for clar­i­ty on data access of con­nect­ed cars

    Author: Tom Sey­mour
    11/01/2016 in Fleet Indus­try News

    The fleet indus­try is grow­ing increas­ing­ly con­cerned at the lack of clar­i­ty around how man­u­fac­tur­ers are col­lect­ing data on vehi­cles and dri­vers, as more con­nect­ed car fea­tures are intro­duced to the new car mar­ket.

    Fleet rep­re­sen­ta­tive body ACFO and the British Vehi­cle Rental and Leas­ing Asso­ci­a­tion (BVRLA) are seek­ing clar­i­fi­ca­tion on who owns the data col­lect­ed, used and pro­tect­ed by fleets and man­u­fac­tur­ers.

    John Pry­or, ACFO chair­man, believes that while some larg­er fleets may be aware of the lev­el at which brands are col­lect­ing data on vehi­cles, gen­er­al­ly aware­ness is low.

    He said: “The big trou­ble is with who owns this data. Is it the man­u­fac­tur­er? Is it the fleet? Is it the leas­ing com­pa­ny? Who has the right to know and is it pos­si­ble to switch off that data col­lec­tion when cars are being used away from work for per­son­al use?

    “There are still big ques­tions that need address­ing and there is so much to look at with this.”

    With an esti­mat­ed 80% of cars expect­ed to be con­nect­ed by 2016, the indus­try is expe­ri­enc­ing an explo­sion in the amount of data that is gen­er­at­ed and processed.

    An increas­ing num­ber of fleets are hav­ing telem­at­ics devices installed into their vehi­cles, and man­u­fac­tur­ers are keen to gain mar­ket share.

    Mer­cedes-Benz has its own telem­at­ics divi­sion, Fleet­board, and is look­ing to take a more cen­tral role in pro­vid­ing telem­at­ics and fleet soft­ware ser­vices direct­ly to fleets.

    “The telem­at­ics sup­pli­ers have been first to mar­ket,” Pierre Lussier, Fleet­board man­ag­er at Mer­cedes-Benz France said. “But who is bet­ter to sup­ply ser­vices for vehi­cles than the man­u­fac­tur­ers them­selves?”

    How­ev­er, he said the big chal­lenge is not only whether man­u­fac­tur­ers have the abil­i­ty to tech­ni­cal­ly han­dle and inter­pret the mass­es of data col­lect­ed from vehi­cles, but the legal impli­ca­tions that come with that.

    New EU data pro­tec­tion laws are due to be intro­duced in 2016 as reg­u­la­tors seek to catch-up with the increased shar­ing and use of data via the inter­net.

    Rather than being leg­is­la­tion that can be inter­pret­ed, new data pro­tec­tion reg­u­la­tions will be bind­ing across all 28 mem­ber states.

    Car­los Ghosn, Renault Nis­san Alliance chair­man and CEO and pres­i­dent of ACEA, the body which rep­re­sents vehi­cle man­u­fac­tur­ers in Europe, said man­u­fac­tur­ers across Europe have set out five prin­ci­ples of data pro­tec­tion which the indus­try will adhere to.

    These prin­ci­ples include trans­paren­cy, cus­tomer choice, ‘pri­va­cy by design’, data secu­ri­ty and pro­por­tion­ate use of data.

    Ghosn said: “Data pro­tec­tion is an issue car­mak­ers take very seri­ous­ly, as we are com­mit­ted to pro­vid­ing our cus­tomers with a high lev­el of pro­tec­tion and main­tain­ing their trust.”

    Mod­els like the new Vol­vo XC90 do not have an OBD port for exter­nal par­ties to access diag­nos­tic infor­ma­tion and man­u­fac­tur­ers are wide­ly expect­ed to move to a cloud-based sys­tem in the future where all diag­nos­tic infor­ma­tion gained from mod­ern vehi­cles’ sophis­ti­cat­ed sen­sors are shared to the inter­net through an online por­tal.

    Lussier, who was speak­ing at the recent TU-Auto­mo­tive ‘mon­e­tise con­nect­ed fleet data’ webi­nar, said man­u­fac­tur­ers will be look­ing to track data on engines, emis­sions, dri­ver behav­iour, fuel effi­cien­cy and wear and tear as well as advanced real-time map­ping and traf­fic infor­ma­tion.

    That data could then be passed on to fleets and leas­ing com­pa­nies to improve oper­at­ing effi­cien­cies, plus fran­chised deal­er­ships, tax­a­tion ser­vices, insur­ers, emer­gency ser­vices and road author­i­ties.

    Lussier said: “The sen­sors in vehi­cles can now pick up a lot of infor­ma­tion and the cam­eras built into mod­ern cars make what we can col­lect extreme­ly accu­rate.”

    He sees a future in which every car could be like a ‘Google Maps’ car, analysing every road they are on, updat­ing routes and traf­fic prob­lems in real time for every oth­er car to access.

    “At the moment, we’re at the fron­tier and the sit­u­a­tion with vehi­cle data is a bit like the wild west, from a legal per­spec­tive,” he said.

    The BVRLA is cam­paign­ing for vehi­cle own­ers and dri­vers to be in charge of how their data is used and wants the Gov­ern­ment to sup­port the intro­duc­tion of open, stan­dard­ised and secure plat­forms to enable this to hap­pen.

    Gerry Keaney, BVRLA chief executive, said: “The arrival of the connected car means that the dashboard is now a point of sale for all kinds of products and services, while vehicles themselves have become telematics devices, capable of delivering gigabytes of valuable real-time data.

    “Reg­u­la­tors and leg­is­la­tors are try­ing to ensure they keep pace with this new envi­ron­ment, but the fact is that cur­rent data pro­tec­tion, type approval and block exemp­tion reg­u­la­tions are well out of date.”

    Keaney recog­nis­es it will take time to put a new reg­u­la­to­ry envi­ron­ment in place, but he wants to make sure vehi­cle own­ers have the right to opt out of any con­nect­ed offer­ings that might con­flict with the ser­vices BVRLA mem­bers offer, for exam­ple break­down or road­side assis­tance, acci­dent ser­vices and the arrange­ment of any ser­vic­ing and repairs.

    He said: “We are also seek­ing clar­i­fi­ca­tion around which dri­ver data is col­lect­ed by man­u­fac­tur­ers and who is respon­si­ble for meet­ing data pro­tec­tion rules.”

    How­ev­er, as more and more con­nect­ed data becomes avail­able, Chevin Fleet Solu­tions says that basic ques­tions remain unan­swered.

    Ash­ley Sower­by, man­ag­ing direc­tor at Chevin Fleet Solu­tions, said: “This is a fast-mov­ing area but one where the poten­tial ben­e­fits for fleets are sub­stan­tial so it is impor­tant that, as an indus­try, we work to get things right.

    “There are many ques­tions to resolve but prob­a­bly the one that con­cerns us most is who con­trols the data gen­er­at­ed by con­nect­ed cars and who has access to it?

    “Man­u­fac­tur­ers may want to act as gate­keep­ers to this infor­ma­tion but it is doubt­ful that they can claim to have own­er­ship of the data.

    “After all, it is gen­er­at­ed by the fleets [or leas­ing com­pa­nies] that own the vehi­cles in ques­tion.”

    Sower­by told Fleet News it was dif­fi­cult to pre­dict whether man­u­fac­tur­ers would replace the cur­rent telem­at­ics sec­tor. But he added: “What­ev­er the out­come, there will def­i­nite­ly be a need for ever-more sophis­ti­cat­ed fleet man­age­ment soft­ware to enable man­agers to make sense of the huge amount of infor­ma­tion that will become avail­able to them.”

    He is call­ing for key stake­hold­ers in the fleet indus­try to “ham­mer out some basic stan­dards”.

    Chevin holds oper­a­tional data on more than 850,000 vehi­cles that are man­aged using its Fleet­Wave soft­ware, so has some expe­ri­ence of the kind of issues that con­nect­ed vehi­cle data bring.

    Sower­by said: “The data that we hold has a com­mer­cial val­ue. We can access infor­ma­tion on how thou­sands of dif­fer­ent types of vehi­cles oper­ate in real world con­di­tions.

    “From time to time, we have been approached by organ­i­sa­tions who would like access to that data and we have refused, but it shows that there is an appetite for the kind of infor­ma­tion that the con­nect­ed car and van will pro­vide.”

    Sower­by wants the indus­try to have an open dia­logue to raise con­cerns, “rather than stum­bling into com­pro­mis­es”.

    ...

    “The data that we hold has a com­mer­cial val­ue. We can access infor­ma­tion on how thou­sands of dif­fer­ent types of vehi­cles oper­ate in real world conditions...From time to time, we have been approached by organ­i­sa­tions who would like access to that data and we have refused, but it shows that there is an appetite for the kind of infor­ma­tion that the con­nect­ed car and van will pro­vide.”

    Posted by Pterrafractyl | January 19, 2016, 10:44 am
  20. @Pterrafractyl

    Thanks for all you do to shed the light that you shed. When it comes to big data and car fleets and big data in gen­er­al the inter­net of things def­i­nite­ly and who con­trols the data are huge issues. I think Dave is right and it is most­ly going to be the milieu Paul Man­ning wrote about and they are most­ly going to run the show.

    Sin­cere thanks,
    GK

    Posted by GK | January 22, 2016, 10:59 pm
  21. @GK: One of the things to keep in mind regarding who owns the data on car fleets is that the data privacy rights for the digital cars and the Internet of Things in general are almost certainly going to be weaker for devices that are rented/leased vs privately owned. In other words, Google or Volkswagen might both potentially gain access to some of the private data privately owned by an individual who uses the car’s various digital tools. But Google, Volkswagen, fleet operators, and all sorts of other third-parties are potentially going to have access to a lot more car-derived private data if that digital car happens to be rented or leased.

    So with that public vs private duality in data privacy protections in mind, it’s worth noting that General Motors just announced a partnership with Lyft to create a fleet of self-driving cars, and the president of General Motors later stated that self-driving car technology will first get released to the public in the form of car-sharing services operated by companies like GM and Lyft, as opposed to privately owned self-driving cars. He also predicted that these car-sharing fleets of self-driving cars will know you personally and be customized to your digital tastes. So the self-driving car revolution, as envisioned by the current major stakeholders, is going to start off as a self-driving car-sharing rental service:

    Mash­able
    Self-dri­ving cars will come to car shar­ing before show­rooms, GM says

    By Nick Jaynes
    Jan­u­ary 13, 2016

    DETROIT — Turns out, the first self-dri­ving car you will ride in won’t be one you own; it’ll be one you order up on your smart­phone from Lyft.

    “The first main­stream deploy­ment of autonomous vehi­cles won’t be to cus­tomers but to a ride-share plat­form,” Gen­er­al Motors Pres­i­dent Dan Ammann told Mash­able at the North Amer­i­can Inter­na­tion­al Auto Show.

    “We’re going to have a car that oper­ates only in down­town Austin that has a max­i­mum speed of 30 mph and oper­ates in con­trolled con­di­tions”

    Ammann lat­er clar­i­fied he was speak­ing hypo­thet­i­cal­ly; Although GM recent­ly announced a part­ner­ship with Lyft, self-dri­ving robo-taxis in Austin are not immi­nent.

    This rev­e­la­tion comes just days after GM announced it was invest­ing $500 mil­lion in a strate­gic part­ner­ship with the ride-shar­ing com­pa­ny.

    The GM-pow­ered Lyft cars could be more than just self-dri­ving Chevy Volts or Mal­ibu Hybrids, they will be dig­i­tal­ly per­son­al­ized to you — even before you open the door.

    With your Lyft pro­file, the car will know who you are and your pref­er­ences and will arrive pre­set with all the things you like — think Spo­ti­fy playlists and ide­al seat set­tings. All you’ll have to do is tell it where you’re going with­in down­town Austin and it’ll take you there autonomous­ly.

    Though Ammann was unwill­ing to give a spe­cif­ic time­line for the roll­out of this autonomous test fleet, he said it would be soon­er than a self-dri­ving car being offered for sale to cus­tomers. There are two strong rea­sons why. First, the aver­age car today sits unused 95% of the time, which is huge­ly inef­fi­cient. An autonomous Bolt in a Lyft fleet would be in use around 60–70% of the time.

    Plain­ly, full autonomous tech­nol­o­gy is expen­sive — so is bat­tery-elec­tric tech­nol­o­gy as well as hydro­gen fuel cells (Ammann tossed those three in togeth­er — not me). So right out the door, the eco­nom­ics are stacked against the like­li­hood of a cus­tomer choos­ing a self-dri­ving car over a human-dri­ven one. Lyft, how­ev­er, could afford to pay such a price because it could run the car 16 hours a day while earn­ing income for years on end. It makes much more sense.

    The sec­ond rea­son is that it is eas­i­er for GM to cre­ate a car that works in a known city with­in cer­tain lim­its at or below 30 mph. Unlike a car you might dri­ve to the moun­tain or past a parade or through a desert, the autonomous sys­tem has much less pro­gram­ming to han­dle.

    Impor­tant­ly, expand­ing into car-shar­ing, Gen­er­al Motors isn’t sac­ri­fic­ing its cur­rent busi­ness mod­el but rather expand­ing it. Ammann explained that the major­i­ty of the car­mak­er’s prof­its come from sell­ing trucks and SUVs to peo­ple who live out­side urban cen­ters. Chang­ing their busi­ness mod­el inside cities does­n’t affect that but rather opens up a big new prof­it oppor­tu­ni­ty.

    That said, Ammann does see a busi­ness case for offer­ing self-dri­ving cars to retail cus­tomers some time down the road. In the short-term, how­ev­er, GM is going to cut its autonomous teeth with Lyft.

    ...

    “With your Lyft pro­file, the car will know who you are and your pref­er­ences and will arrive pre­set with all the things you like — think Spo­ti­fy playlists and ide­al seat set­tings. All you’ll have to do is tell it where you’re going with­in down­town Austin and it’ll take you there autonomous­ly.”
    For the car-sharers of the future, car-sharing services like what Lyft and GM are envisioning could become the more affordable version of owning a personal car. And if fewer cars are needed to transport people that is a real increase in efficiency that’s exactly what a resource-constrained world needs. But it’s an efficiency that’s going to potentially turn companies like Lyft and GM into new personal data collectors of a similar vein to what Google or your cellphone company already do. The “Lyft Profile” sure does sound like a Google-ish digital profile and it seems likely that GM has similar ambitions to the German auto manufacturers that made it clear they want to restrict access to the personal digital/internet information generated from the digital cars they manufacture to themselves.

    And that’s just internet-connected car-sharing at the very expensive end of consumer products. Offering customized digital services like internet access when you’re in the car (but then also quietly tracking the usage of that service) could be one of those things that gets incorporated into all sorts of shared internet-connected physical objects going forward, especially at the free-or-nearly-free end of the spectrum because free devices offering internet usage services will eventually be able to pay for themselves by mining that usage. Sort of like what 21 Inc is doing with free bitcoin-mining devices, but instead of mining bitcoins, the devices could offer internet services in exchange for tracking your usage of those services. Who knows what’s going to be possible in that sector as wireless internet access becomes more and more available and the Internet of Things explodes. Mark Zuckerberg’s controversial Internet.org initiative to provide free access to poor Indians to a Facebook-selected subset of the Internet (Facebook also gets to track your usage on it) is a great example of the kind of “free” internet services that the internet content giants like Facebook are going to be interested in providing, but that’s just the content side of things. The Internet of Things is going to create opportunities to provide free (but spying) internet access, especially if it’s to a free (but spied on) internet walled-garden like Zuckerberg’s.

    At the same time, even if the Internet of Things explodes with free spyware, the digital cars really are going to be uniquely powerful sources of personal information simply because they’re going to be bristling with more and more sophisticated environmental sensing devices as self-driving technology advances that are going to be collecting data that goes far beyond your internet usage. Internet connected cars with cameras and “deep learning” facial recognition software turn every digital car into something analogous to a Google-Maps car, except they’ll potentially be mapping the outdoor movements of the random people in your town as they get picked up on the cameras of growing fleets of self-driving internet-connected cars covered with sensors and facial recognition technology.

    So in the future a number of us are probably going to be accessing the internet on our way to work as we ride in our shared autonomous car, with the internet device manufacturer, auto manufacturer, and car-sharing fleet operator like Lyft all potentially claiming access to that internet usage data. And your car will be constantly scanning and identifying people in your environment and potentially sending it back to a headquarters. The age of the smartphone data privacy nightmare is growing alarmingly quaint.

    Posted by Pterrafractyl | January 24, 2016, 11:34 pm
  22. With the US and EU still trying to hammer out some sort of replacement for the Safe Harbor data sharing agreement, it’s worth noting that the Safe Harbor agreement with the EU wasn't the only Safe Harbor agreement to dissolve in recent years following the Snowden affair. As the article below notes, the US-Swiss Safe Harbor agreement was also deemed invalid. And as a new US/Swiss data sharing agreement gets worked out, one thing is clear: once Swiss data leaves Switzerland and travels to the US, the Swiss would like the replacement for Safe Harbor to minimize access to that data by US law enforcement and national security services to the greatest extent possible. And don’t forget that Swiss law also views business data as personal data, and personal data has extremely high legal protections in Switzerland. So if you’re an extremely high-net worth individual that doesn't just have a lot of money to hide, but also a lot of personal or business data you’d really like to keep out of authorities’ hands, and you hadn't already considered moving to Switzerland, it might be time to consider a life in Switzerland:

    The Dai­ly Dot

    Can Switzer­land become a safe haven for the world’s data?

    By Jonathan Keane
    Apr 19, 2016, 10:43am CT

    As Unit­ed States and Euro­pean Union reg­u­la­tors debate a sweep­ing new data-pri­va­cy agree­ment, Switzer­land is pre­sent­ing itself as a viable neu­tral loca­tion for stor­ing the world’s data thanks to strict pri­va­cy laws and ide­al infra­struc­ture.

    The Swiss con­sti­tu­tion guar­an­tees data pri­va­cy under Arti­cle 13. The country’s laws pro­tect­ing pri­va­cy are sim­i­lar to those enact­ed by the E.U. Swiss data pro­tec­tions are also, in some cas­es, much stricter than those of the E.U., accord­ing to Nico­la Benz, attor­ney at Swiss law firm Fror­iep. And since Switzer­land is not part of the E.U., data stored there remains out­side the reach of the union’s author­i­ties.

    “Swiss law con­tains things that we call block­ing statutes,” Benz said, “which mean that for­eign author­i­ties can’t con­duct their authority’s func­tions on Swiss soil unless they fol­low the prop­er judi­cial chan­nels.” The country’s tight pri­va­cy laws could make the small nation more attrac­tive to pri­va­cy-focused start-ups. And it already has that momen­tum.

    After the former NSA contractor Edward Snowden’s 2013 revelations about the National Security Agency’s secret surveillance activities, Switzerland witnessed something of a boom in its data-center business. Phil Zimmermann, creator of the popular PGP encryption protocol and founder of Silent Circle, even left the U.S. for Switzerland last year, citing the overreach of American authorities.

    Andy Yen, CEO of Swiss-based encrypt­ed email ser­vice Pro­ton­mail, said that the coun­try has robust process­es in how it car­ries out data requests from author­i­ties.

    Data requests have to go through a court like in most coun­tries, said Yen, but “the per­son that’s hav­ing their data request­ed needs to be noti­fied even­tu­al­ly about the request hap­pen­ing and there’s an oppor­tu­ni­ty to fight it in an open court. This is quite dif­fer­ent than the U.S., where things can go through a so-called FISA court.”

    Hop­ing to make the most of the oppor­tu­ni­ty, data cen­ter oper­a­tors are try­ing to woo com­pa­nies into stor­ing data in the coun­try.

    Vigiswiss, a trade group of Swiss data cen­ter com­pa­nies, is pro­mot­ing Switzer­land as the “world’s safe haven for data” through its pri­va­cy laws and a char­ter for mem­bers to abide by, such as the types of data they store.

    “For com­pa­ny data, the lev­el [of pro­tec­tion] is high­er than in the E.U. because we con­sid­er com­pa­ny data as per­son­al data, which is not the case in the E.U., so that’s why com­pa­nies have an inter­est in putting their data in Switzer­land,” said Flo­ri­an Ducom­mun, a lawyer and mem­ber of Vigiswiss’ strate­gic board.

    “We do things prop­er­ly, and we fol­low the rules, and we are com­mit­ted to the secu­ri­ty of your data.”

    ...

    But storing data in Switzerland is one thing. Transferring data to and from the U.S. is another issue, as we have seen with the collapse of Safe Harbor, which the E.U.’s top court struck down in October over concerns about U.S. surveillance, and the debate over its successor, a pact known as Privacy Shield.

    When Safe Har­bor died last year, it left a lot of ques­tion marks around Switzerland’s own agree­ments with the U.S., known as the U.S.-Swiss Safe Har­bor frame­work, which is also now invalid. The loss of Safe Har­bor also caused con­se­quen­tial com­pli­ca­tions for U.S. tech­nol­o­gy firms, like Google and Face­book, which reg­u­lar­ly trans­fer data to Euro­pean coun­tries and back to the U.S.

    A spokesper­son for Switzerland’s Fed­er­al Data Pro­tec­tion and Infor­ma­tion Com­mis­sion­er (FDPIC) told the Dai­ly Dot that it is cur­rent­ly rec­om­mend­ing Swiss busi­ness­es and author­i­ties “enter into addi­tion­al con­trac­tu­al guar­an­tees and arrange­ments to secure bet­ter pro­tec­tion for per­son­al data” trans­ferred to the U.S.

    In March, Switzer­land appoint­ed a new data pro­tec­tion com­mis­sion­er, Adri­an Lob­siger. The ongo­ing Pri­va­cy Shield dis­cus­sions will like­ly inform the path that his office takes, accord­ing to law firm Prager Drei­fuss in a paper pub­lished in Jan­u­ary, but con­cerns still linger over sur­veil­lance once data leaves the coun­try.

    “Cer­tain­ly our rec­om­men­da­tion to most clients is that even once this new Pri­va­cy Shield comes into play, they should prob­a­bly keep their [con­tract] agree­ments in future,” said Benz. “We’re still not con­fi­dent that the Pri­va­cy Shield will stand up to test.”

    For all its promis­es of data secu­ri­ty with­in the coun­try, Swiss data-cen­ter providers and the Swiss gov­ern­ment can­not, at this time, pre­vent abus­es once data leaves its bor­ders.

    “Oth­er gov­ern­ments, we’ve seen with the whole Snow­den affair, may still be look­ing at the data, so it’s very much a ques­tion of what tech­ni­cal safe­guards are in place. There’s noth­ing that Switzer­land can do as a state, any more than any oth­er state, to stop that,” said Benz.

    Domes­tic sur­veil­lance is a con­cern, too. In Sep­tem­ber 2015, the gov­ern­ment passed a new law to expand law enforcement’s sur­veil­lance capac­i­ties. How­ev­er, giv­en Switzerland’s mod­el of direct democ­ra­cy, any­one who gath­ers more than 50,000 sig­na­tures in oppo­si­tion with­in 90 days will halt the law com­ing into effect, push­ing it instead to a pub­lic bal­lot.

    Pro­ton­mail and sev­er­al oth­er oppo­si­tion groups did just that ear­li­er this year, and that ref­er­en­dum will take place lat­er in 2016.

    “This is very pow­er­ful because out­side pres­sure can be put on the Swiss gov­ern­ment to intro­duce new laws, but these laws can­not actu­al­ly come to pow­er unless the pop­u­la­tion approves of it,” Yen said of the ref­er­en­dum.

    Even with these vic­to­ries and the country’s com­mit­ment to pri­va­cy, Switzerland’s posi­tion as a future “data refuge” will be put to the test, accord­ing to for­mer FDPIC chief Hanspeter Thür.

    “We all know the Unit­ed States like to enforce their laws abroad,” he said, “the future will show if Swiss insti­tu­tions will be able to resist them.”

    “We all know the Unit­ed States like to enforce their laws abroad...the future will show if Swiss insti­tu­tions will be able to resist them.”
    Those were the words of the for­mer Fed­er­al Data Pro­tec­tion and Infor­ma­tion Com­mis­sion­er chief Hanspeter Thür. It’s quite a sales pitch. On top of all the oth­er sales pitch­es. Time to start pack­ing those bags.

    Posted by Pterrafractyl | April 21, 2016, 9:22 pm
  23. Now that the US and EU finally hammered out the “Privacy Shield” transatlantic data sharing agreement to replace the “Safe Harbor” agreement the EU cancelled in the wake of the Snowden affair, the next step is reviewing the implementation of “Privacy Shield”. Forever. Annually. And the first review is coming up in September. That should be fun. Especially since, as the article below points out, one of the main reservations the EU still has with Privacy Shield is the bulk US data collection for potential use by US intelligence and law enforcement (and also potentially shared with the US’s EU partners...EU governments don’t complain about that as much). And in a motion passed by the EU parliament's Committee on Civil Liberties, Justice and Home Affairs a couple weeks ago, the EU is still officially concerned about US bulk data collection. And as the article below notes, that EU parliament motion also includes a call for all members of the review team to have “full and unrestricted access to all documents and premises necessary for the performance of their tasks, including elements allowing a proper evaluation of the necessity and proportionality of the collection and access to data transferred by public authorities, for either law enforcement or national security purposes”. Which sounds like a call to make the various facilities used by US and EU governments to collect data open for inspection by US and EU review teams, along with a review of the actual bulk data collection policies. And the reviewers will then get to talk about what they saw and didn't like. That’s what the EU’s committee that covers things like data privacy for the public is calling for going into the first review in September.

    And this is going to keep happening annually, so if that EU committee motion doesn't pass this year, there’s always next year. And one of Trump’s first moves was to lower the barriers between data sharing between US government agencies. So it’s not like the EU won’t have plenty of stuff to complain about if it decides to make review team inspections a sticking point going into the first review. Or the second. So that’s all going to be rather fascinating:

    Out-law.com

    First EU-US Pri­va­cy Shield annu­al review to take place in Sep­tem­ber 2017

    The inau­gur­al annu­al review into the oper­a­tion of the EU-US Pri­va­cy Shield is to take place in Sep­tem­ber this year.

    03 Apr 2017

    EU jus­tice com­mis­sion­er Vera Jourová con­firmed the tim­ing of the review in a speech in Wash­ing­ton late last week.

    ...

    The Pri­va­cy Shield facil­i­tates the trans­fer of per­son­al data between the EU and US busi­ness­es signed-up to the scheme. The frame­work was put in place last year to replace a pre­vi­ous sys­tem which was effec­tive­ly inval­i­dat­ed by the EU’s high­est court in 2015.

    The Euro­pean Com­mis­sion has deemed that data trans­fers han­dled in accor­dance with the Pri­va­cy Shield prin­ci­ples will adhere to EU data pro­tec­tion law require­ments. The Com­mis­sion nego­ti­at­ed amend­ments with US coun­ter­parts to an ear­li­er draft of the frame­work fol­low­ing crit­i­cisms raised by EU data pro­tec­tion author­i­ties. How­ev­er, the frame­work has con­tin­ued to draw crit­i­cism from pri­va­cy cam­paign­ers and is the sub­ject of two sep­a­rate legal chal­lenges.

    A recent motion put for­ward by MEPs cit­ed con­cerns with the Pri­va­cy Shield, includ­ing how the scheme address­es US bulk sur­veil­lance pow­ers and accounts for judi­cial redress for EU cit­i­zens in the US. It also high­light­ed con­cerns about lim­i­ta­tions on the rights of data sub­jects and incon­sis­ten­cies in word­ing com­pared with EU data pro­tec­tion law.

    The motion also referred to the forth­com­ing annu­al review of the frame­work, which will be con­duct­ed joint­ly by EU and US offi­cials. It said the review should con­sist of “a thor­ough and in-depth exam­i­na­tion of all the short­com­ings and weak­ness­es” it and oth­ers, such as EU data pro­tec­tion author­i­ties, have iden­ti­fied with the Pri­va­cy Shield, and that review­ers should “demon­strate” how those issues have been addressed to ensure the frame­work is com­pli­ant with fun­da­men­tal EU rights and laws.

    In addi­tion, the motion called for all mem­bers of the review team to have “full and unre­strict­ed access to all doc­u­ments and premis­es nec­es­sary for the per­for­mance of their tasks, includ­ing ele­ments allow­ing a prop­er eval­u­a­tion of the neces­si­ty and pro­por­tion­al­i­ty of the col­lec­tion and access to data trans­ferred by pub­lic author­i­ties, for either law enforce­ment or nation­al secu­ri­ty pur­pos­es”. The review­ers should also each be giv­en the free­dom to “express their own dis­sent­ing opin­ions in the final report”.

    “In addition, the motion called for all members of the review team to have “full and unrestricted access to all documents and premises necessary for the performance of their tasks, including elements allowing a proper evaluation of the necessity and proportionality of the collection and access to data transferred by public authorities, for either law enforcement or national security purposes”. The reviewers should also each be given the freedom to “express their own dissenting opinions in the final report”.”

    Yep, this new annu­al review team thing is going to be inter­est­ing. Annu­al­ly. Even when the review isn’t inter­est­ing, that’s sort of inter­est­ing.

    And, again, who knows what more Trump will do to piss off the EU between now and September? Oh wait, we do know. Trump and the GOP will repeal the FCC regulation that would have prevented internet service providers in the US from selling the personal data they collect on their customers. That should do wonders for the September Privacy Shield review:

    Lex­ol­o­gy

    Grow­ing con­cern in Europe that pri­va­cy safe­guards in the US are being under­mined

    De Berti Jac­chia Fran­chi­ni For­lani Stu­dio Legale
    Euro­pean Union, Italy, USA
    April 7 2017

    On April 6, 2017, MEPs passed a res­o­lu­tion call­ing on the Com­mis­sion to con­duct a prop­er assess­ment to ensure that the Pri­va­cy Shield pro­vides enough per­son­al data pro­tec­tion for Euro­pean cit­i­zens to com­ply with the EU Char­ter of Fun­da­men­tal Rights and new EU rules on data pro­tec­tion. The Pri­va­cy Shield was labo­ri­ous­ly nego­ti­at­ed and agreed in 2016 between the Unit­ed States and the Euro­pean Union to cov­er per­son­al data trans­fers between these two mar­kets cru­cial to world trade, in replace­ment of the pre­vi­ous Safe Har­bor rules, which had been found by the Euro­pean Court of Jus­tice not to pro­vide an ade­quate lev­el of data pro­tec­tion.

    The European MPs’ concern regards a number of issues including:

    * new rules which entered into force in Jan­u­ary 2017 allow­ing the US Nation­al Secu­ri­ty Agency to share vast amounts of pri­vate data, gath­ered with­out court over­sight, with a num­ber of oth­er agen­cies, includ­ing the FBI
    * insuf­fi­cient inde­pen­dence of the Ombudsper­son mech­a­nism, added to the fact that the Trump admin­is­tra­tion has not yet appoint­ed a new Ombudsper­son
    * the fact that nei­ther the Pri­va­cy Shield Prin­ci­ples nor let­ters from the US admin­is­tra­tion demon­strate the exis­tence of effec­tive judi­cial redress rights for EU indi­vid­u­als whose data are trans­ferred to the US
    * the vote of the US Con­gress to repeal rules adopt­ed by the Fed­er­al Com­mu­ni­ca­tions Com­mis­sion dur­ing the Oba­ma admin­is­tra­tion, which were due to come into force lat­er this year, and would have oblig­ed inter­net ser­vice providers to give users an infor­ma­tion notice and obtain their con­sent before col­lect­ing and sell­ing their per­son­al data.

    The Ital­ian Data Pro­tec­tion Com­mis­sion­er a few days ear­li­er also expressed con­cern in rela­tion to the repeal of the FCC rules. He point­ed out that this is a regres­sive move, going against the increas­ing­ly pre­vail­ing trend world­wide in the direc­tion of a greater pro­tec­tion of con­sumers’ data, since it allows providers to freely sell not only user pro­files and pur­chase pref­er­ences, but even data reveal­ing polit­i­cal and reli­gious opin­ions and health data, classed in Euro­pean law as sen­si­tive data deserv­ing a high lev­el of pro­tec­tion. He said that this could have seri­ous reper­cus­sions putting the Pri­va­cy Shield at risk.

    The bill repeal­ing the FCC rules was signed by Pres­i­dent Trump only days after a speech to the Cen­ter for Strate­gic and Inter­na­tion­al Stud­ies in Wash­ing­ton by Vera Jourovà, EU Com­mis­sion­er for Jus­tice, Con­sumers and Gen­der Equal­i­ty in which she empha­sized the poten­tial of the Pri­va­cy Shield to strength­en the transat­lantic econ­o­my while reaf­firm­ing shared val­ues, but stressed at the same time the impor­tance of ensur­ing that its key foun­da­tions remain in place. The repeal of the FCC rules and the removal of the pri­va­cy pro­tec­tion they entailed does indeed raise doubts as to whether some of the key prin­ci­ples of the Pri­va­cy Shield, includ­ing the Notice Prin­ci­ple, the Choice Prin­ci­ple and the Data Lim­i­ta­tion and Pur­pose Lim­i­ta­tion Prin­ci­ple can be upheld.

    The Justice Commissioner in her speech also particularly mentioned that “there would be no Privacy Shield without Presidential Policy Directive no. 28 and the Ombudsperson. Both are central elements of the representations and commitments on which the [Privacy Shield] framework is built”. The reference to Presidential Policy no. 28 (which sets out policies and procedures governing the safeguarding by US intelligence operators of personal information collected from signals intelligence activities, and extends to non-US citizens safeguards that require that surveillance of US citizens be limited to defined and legitimate purposes) may not have been casual, since the European MPs’ resolution also expresses concern in relation to recent revelations about surveillance activities conducted at the request of the NSA and FBI in 2015, a year after Presidential Policy Directive no. 28.

    ...

    The bill repeal­ing the FCC rules was signed by Pres­i­dent Trump only days after a speech to the Cen­ter for Strate­gic and Inter­na­tion­al Stud­ies in Wash­ing­ton by Vera Jourovà, EU Com­mis­sion­er for Jus­tice, Con­sumers and Gen­der Equal­i­ty in which she empha­sized the poten­tial of the Pri­va­cy Shield to strength­en the transat­lantic econ­o­my while reaf­firm­ing shared val­ues, but stressed at the same time the impor­tance of ensur­ing that its key foun­da­tions remain in place. The repeal of the FCC rules and the removal of the pri­va­cy pro­tec­tion they entailed does indeed raise doubts as to whether some of the key prin­ci­ples of the Pri­va­cy Shield, includ­ing the Notice Prin­ci­ple, the Choice Prin­ci­ple and the Data Lim­i­ta­tion and Pur­pose Lim­i­ta­tion Prin­ci­ple can be upheld.

    Just a few days after the EU Com­mis­sion­er for Jus­tice, Con­sumers and Gen­der Equal­i­ty gives a speech in Wash­ing­ton about con­cerns over ensur­ing the foun­da­tions of the new Pri­va­cy Shield agree­ment remain in place, Trump and the GOP unleash the ISPs.

    So it looks like we’re head­ed towards a ‘nobody knew how com­pli­cat­ed inter­na­tion­al data pri­va­cy pro­tec­tion agree­ments were’ moment for Trump (and his fel­low GOP enablers) in Sep­tem­ber. Your ISP def­i­nite­ly knew it was com­ing.

    Posted by Pterrafractyl | April 14, 2017, 9:26 pm
