FAQ: EU-US Privacy Shield

“There are a few improvements, the most obvious being on the purpose limitation and the duration of data retention by private companies. But even here, the EU standard that data can only be stored as long as this is “necessary” is watered down to “relevant”. Of course, any data can be relevant for the company, but that does not mean it meets the necessity test.”

“At the very least, it should get a sunset clause and expire in two years, when the new EU data protection rules have to be applied. The negotiations should in the meantime continue with the next US administration, which also should amend its laws in the next two years. I know this is difficult given the current situation on Capitol Hill in Washington, but we can’t give US companies such privileged access to EU data transfers market if they don’t follow our standards.”

“All I have seen is a funny attempt to define “bulk collection” as not being “mass surveillance”. The US government is still allowed to do bulk data collection in at least six cases, including gathering “foreign intelligence information”, which can be information on anything from illicit arms trade to legitimate trade agreement protests.”

German Green MEP Jan Philipp Albrecht on the EU-U.S. Privacy Shield.

Link: EU-US “Privacy Shield” – Background and Frequently Asked Questions (FAQ) »

EU-US Privacy Shield adopted by the EU despite privacy flaws

The much criticized EU-U.S. Privacy Shield agreement concerning data protection for personal data transferred from the EU to the U.S. has – as expected – been approved by EU member states.

• Statement by Vice-President Ansip and Commissioner Jourová on the occasion of the adoption by Member States of the EU-U.S. Privacy Shield »

• Privacy Shield data pact gets European approval »

• EU-U.S. commercial data transfer pact clears final hurdle »

• New Privacy Shield Could Face Legal Challenge in Europe, Experts Say »

• Official: Privacy Shield dragged across finish line »

Most likely this agreement will end up in the European Court of Justice – as it is suffering from many of the same shortcomings as its predecessor, the Safe Harbour agreement. The latter was invalidated by the court for violating citizens' rights to privacy.

EU to adopt EU-US Privacy Shield shortly

Privacy Shield—the much maligned replacement to the Safe Harbour deal between the European Union and the US—looks set to be approved by national representatives on Friday, Ars understands.

The scheme, which will allow the transfer of personal data from the EU to the US despite privacy and data protection concerns, has faced an uphill battle. Brussels officials who negotiated the deal on behalf of the EU have been desperate to push it through in the face of criticism from the European Data Protection Supervisor, national data protection authorities, and the European Parliament, in order to give some legal certainty to companies that rely on transatlantic data flows. (…)

The agreement is expected to be formally adopted by the European Commission next Monday, followed by the deal being inked by justice commissioner Vera Jourová and US secretary of commerce Penny Pritzker on Tuesday.

Jennifer Baker in Ars Technica: Privacy Shield to be dragged across finish line—sources »

Next up: EU e-Privacy Directive

The EU General Data Protection Regulation (GDPR) and the Data Protection Directive for Law Enforcement Agencies (LEDP) have now been approved — after being watered down as the result of an unprecedented lobbying campaign.

Next up is the EU e-Privacy Directive. EDRi explains…

The e-Privacy Directive contains specific rules on data protection in the area of telecommunication in public electronic networks. It is hugely important, as it is the only EU legislation that regulates confidentiality of communications. (…)

Specifically, the ePrivacy Directive regulates aspects related to the right to confidentiality of communications and the right to freedom of expression.

Once again, we can expect a massive lobby campaign to weaken citizens' rights.

To get up to date with what is at stake, read this blog post from EDRi:

• e-Privacy Directive revision: An analysis from the civil society »

/ HAX

Belgian court: Facebook can keep tracking non-users

A Belgian court has overturned a ruling that would have forced Facebook to stop tracking non-users who had visited its pages, The Wall Street Journal reported yesterday. A Brussels appeals court found that the Belgian Privacy Commission, which brought a case against Facebook last year, does not have jurisdiction over the company’s Ireland-based European headquarters. As The Guardian reports, it also rejected a claim that the case was urgent and needed to be expedited.

This reverses a decision made last year, when a court ordered Facebook to stop using cookies to keep tabs on the web browsing of people who were not logged into accounts or had otherwise opted out of tracking.

The Verge: Facebook wins Belgian privacy case over tracking logged-out users »

Ars Technica: Facebook wins privacy case, can track any Belgian it wants »

Data Protection: Is the EU just incompetent or… evil?

According to usually well-informed sources, the Council of the European Union (the member states' representatives) is ready to greenlight the so-called EU-US Privacy Shield.

The Privacy Shield is supposed to replace the previous Safe Harbour agreement on protection of personal data being transferred from the EU to the US. The latter was used in a sloppy way by US companies and it did not offer sufficient protection against US mass surveillance. The European Parliament has frequently called for the Safe Harbour agreement to be revoked – and finally the European Court of Justice (ECJ) invalidated it on grounds that it did not respect European citizens' right to privacy.

Since then, the EU and US have been working hard to secure a new agreement – the Privacy Shield.

The problem is that the Privacy Shield, roughly speaking, has the same problems as the Safe Harbour agreement. So much so that the ECJ has found that it ought to look into the matter once again. (The Max Schrems case, part 2.)

So, why is the EU so eager to give the Privacy Shield its approval? First of all, both the EU and the US are under pressure from Big Data to get this stumbling block out of the way. Second, some US government agencies are getting quite frustrated. Third, the EU screwed up in the negotiations, but hopes that no one will notice (!) if they hurry to adopt the agreement.

In other words, protection of European citizens' data and privacy has not been an EU priority. The Council (and the Commission) seems to be more interested in good relations with the NSA and Big Data.

Is the EU just incompetent or… evil?

/ HAX

Links:
• Previous blog post on the EU US Privacy Shield, with many useful links »
• The latest leaked EU documents (PDF) »
• Reuters: EU, United States agree on changes to strengthen data transfer pact »
• German IT Law: Data flows to the US: Why the EU Model Clauses may soon be no longer state of the art »
• The Irish Times: Data protection groups seek to join key High Court case »
• NSA Mass Surveillance: US Government wants to intervene in European Facebook-Case (PDF) »

Thanks to Amelia Andersdotter and Dataskydd.net for digging up relevant links and documents.

Silicon Valley on mass surveillance: Enough is enough

Washington Post:

Like many Silicon Valley start-ups, Larry Gadea’s company collects heaps of sensitive data from his customers.

Recently, he decided to do something with that data trove that was long considered unthinkable: He is getting rid of it.

The reason? Gadea fears that one day the FBI might do to him what it did to Apple in their recent legal battle: demand that he give the agency access to his encrypted data. Rather than make what he considers a Faustian bargain, he’s building a system that he hopes will avoid the situation entirely.

WP: What’s driving Silicon Valley to become ‘radicalized’ »

Big Brotherism – the next step

A British startup has created a system for offering landlords continuous surveillance of their tenants’ online activity to determine whether they are likely to be asset risks. The system, named Tenant Assured, connects to the tenants’ social media accounts and mines their status updates, photos and private messages, feeding them to an algorithmic model, which is claimed to find potential signs of financial stress (which include posts with keywords like “loan” or “staying in”) or crime. The landlord gets an online dashboard, showing the tenant’s social connections, and a histogram of their online activity times, as well as flagging up any potential danger signs, as well as a five-factor psychometric profile of the tenant, annotated with what a landlord should look for.

Via Metafilter: Renting in the panopticon »

Main article, Washington Post: Creepy startup will help landlords, employers and online dates strip-mine intimate data from your Facebook page »