The CJEU agreed.The EC has also been negotiating a new EU-US data transfer deal to replace Safe Harbor — although it is not clear whether that agreement, called Privacy Shield, will pass muster with the CJEU either.Meanwhile Europe s article WP29 group, the body made up of the heads of EU Member State DPAs, has signaled it is not satisfied with Privacy Shield in its current form.However given individual DPA action, such as the referral by the Irish authority today, those alternatives are looking on increasingly shaky ground.The Irish DPA has been investigating model clauses following another complaint filed by Schrems, who is clearly not about to pack up his law books and give up campaigning for European data rights.All data protection lawyers knew that model contracts were a shaky thing, but it was so far the easiest and quickest solution they came up with.
The CJEU ruling against Safe Harbor mainly related to mass surveillance conducted by the US NSA, whose PRISM snooping programme allowed them access to EU citizens' personal data collected by US corporations.While governments, under EU regulations, are required to provide a means of redress to citizens who believe their rights have been infringed by the spooks, such applications cannot be submitted to anyone in the United States.As The Register reported, despite the CJEU's declaration of the incompatibility of the EU and US data protection regimes, the American corporations, who do so love shipping bytes across the Atlantic, simply shrugged.He continued:I see no way that the CJEU can say that model contracts are valid if they killed Safe Harbor based on the existence of these US surveillance laws.All data protection lawyers knew that model contracts were a shaky thing, but it was so far the easiest and quickest solution they came up with."While there is no immediate impact for people or businesses who use our services, we of course will continue to cooperate with the Irish Data Protection Commission in its investigation.
The UK government has agreed to an independent review of so called bulk collection — aka mass surveillance — powers in proposed new surveillance legislation, one of the most controversial elements of the Investigatory Powers bill which is currently before parliament.A further provision relating to state hacking capabilities set out in a Code of Practice associated with the draft bill notes that communications service providers may be required to maintain a technical capability to enable their users data to be intercepted — including having user data harvested in bulk — a scenario that human rights group Privacy International described to TechCrunch as the worst form of backdoor .Burnham said substantial changes were needed before the party would consider supporting the bill.Liberty for example, which is challenging the legality of bulk collection/mass interception in the European Court of Human Rights, criticized the earlier report for offering only six Agency case studies as justification for bulk collection — arguing that this vague and limited information was not substantial enough to assess security outcomes had other more targeted surveillance methods been used.Since his prior report, multiple parliamentary committees have scrutinized the draft bill and been critical of its overly broad powers, a lack of clarity and not enough privacy safeguards.Update: Burnham s spokesman has now confirmed the review will not include ISCs but only focus on capabilities badged as bulk in the bill.
"When you're dealing with fundamental human rights, it's probably worth taking a bit of time to make sure you've got the right protections in place," says Tamzin Evershed, Legal Director at Veritas, who insists that the global data processing arena is a new and complex place."Safe Harbour was created in a different era – pre-9/11, pre-cloud and pre-Snowden – and wasn't intended for the massive volumes of cross-border data traffic we see today," says Willy Leichter, global director of CipherCloud."In terms of their legal and regulatory obligations, these companies should host EU citizens' data exclusively within the EU borders and suspend transfer of data to the US," says James Henry, UK Southern Region Manager, Auriga Consulting."In France, US companies will have to consider 'blocking statutes', and in Switzerland the Swiss Blocking Statute and Bank Secrecy laws, before transferring data out of the country," adds Duthie.The UK's Data Protection Act and Italy's Data Protection Code also make data transfers difficult.The Palais de la Cour de Justice, Luxembourg, is where the GDPR will be judged Image Credit: Wikimedia Crimes and punishments"The German Data Protection Authority has already taken legal action against three companies still relying on Safe Harbour, and we expect more to follow," says Nicky Stewart, Commercial Director at Skyscape Cloud Services, who points out that Google, Facebook and Fitbit are all still relying on Safe Harbour regulations.
Snowden appeared via satellite link in the Australian city of Melbourne last night, live from Russia where he resides under temporary asylum after leaking classified documents that revealed the extent of the modern global western government intelligence apparatus.The AFP Friday raided the office of Labor power-broker and former comms minister Stephen Conroy and the home of a staffer of shadow communications minister Jason Clare."Snowden cites the nation's "drag net" data retention and anti-whistleblower laws in which citizen metadata is retained for two years, and those who leak national security documents may be imprisoned.Former Pentagon investigator John Crane has today told The Guardian how the agency became a trap for whistleblowers, including forerunner NSA leaker Thomas Drake."If someone is saying I don't care about the right to privacy because I've got nothing to hide' that's no different to saying 'I don't care about freedom of speech because I have nothing to say'," Snowden says.Snowden also spoke of the power of metadata, suggesting it is more valuable than content because it provides the investigator with similar intelligence while often foregoing the need to acquire warrants.
European officials sitting on the Article 31 committee, which contains representatives from member states and is chaired by a European Commission official, reportedly concluded they need more time to consider the agreement, otherwise known now as the Privacy Shield.The WP29 said the proposed Privacy Shield was inadequate in a number of key areas, and that exceptions to allow the US to carry out mass surveillance of EU citizens were not acceptable.And now after that watchdog rejection, the proposed deal has been hit with another setback after the Article 31 committee concluded that more time was needed to consider the implications of the proposal.It is understood that the Article 31 group is seeking to incorporate a number of recommendations by the data protection authorities WP29 into the proposed agreement.Ongoing UncertaintyThe proposed transatlantic Privacy Shield was finally agreed in early February to replace the previous Safe Harbour legislation.The proposed replacement is designed to help firms on both sides of the Atlantic to move the personal data of European citizens to the United States without breaking strict EU data transfer rules.
Regulatory captureCanada's internet is regulated by the Canadian Radio-television and Telecommunications Commission CRTC .Only when heavily funded, well-coordinated campaigns by civil liberties organizations are put together does the CRTC even seem to consider regulating against the interests of the incumbent providers.This concept of regulatory capture is important.Even when the people win a victory, it is often pyrrhic, or at least very limited in scope.Also, we have laws that make the WiFi owner responsible for all traffic on their network, and the algorithms for the passwords are provider units and well known and discoverable remotely.Incumbent providers are thus unable to charge the "heavy users" more than a few hundred dollars a month.