thoughts and observations of a privacy, security and internet researcher, activist, and policy advisor

Saturday, February 28, 2015

White House releases draft Consumer Privacy Bill

The US "Administration Discussion Draft: Consumer Privacy Bill of Rights Act of 2015" was released yesterday. It follows up to the 2012 "Consumer Privacy Bill of Rights" from President Obama. 

The draft bill sets out some basic definitions and principles, such as "reasonable" collection of personal data, and consumer rights, such as access to their own data. For enforcement, it gives the Federal Trade Commission the powers to approve and enforce Codes of Conduct submitted by different industry sectors. So far, the FTC has enforced certain data protection rules under Title V of the FTC act, which prohibits "unfair and deceptive trade practices".

At first glance, the draft has a number of serious issues, especially if you look at it from an EU data protection perspective. A few points are worth mentioning:

1) The bill exempts "Cybersecurity data" from the scope:
The term “personal data” shall not include cyber threat indicators collected, processed, created, used, retained, or disclosed in order to investigate, mitigate, or otherwise respond to a cybersecurity threat or incident, when processed for those purposes."
This does not make any sense. It may be reasonable to allow the processing of personal data for IT security purposes (as certain drafts of the planned EU data protection regulation do), but with this approach, things such as IP addresses are removed from the scope of the privacy bill.

2) The bill is contradictory. It states in section 103:
"If a covered entity processes personal data in a manner that is reasonable in light of context, this section does not apply",
and then in section 104, it says
"Each covered entity may only collect, retain, and use personal data in a manner that is reasonable in light of context."
To me it is completely unclear when section 103 would apply at all...

3) Title III of the bill recycles the "Safe Harbor" term and the idea of self-certification which has consistently been criticised by the European Parliament and privacy experts from around the world since the EU Commission and the US Department of Commerce came up with the Safe Harbor approach in 2000:
"Safe Harbor Protection.—In any suit or action brought under Title II of this Act for alleged violations of Title I of this Act, the defendant shall have a complete defense to each alleged violation of Title I of this Act if it demonstrates with respect to such an alleged violation that it has maintained a public commitment to adhere to a Commission-approved code of conduct that covers the practices that underlie the suit or action and is in compliance with such code of conduct."
At least compliance is required, not just the mere committment, but the underlying problem is that the FTC would only be able to review submitted codes, not develop and issue their own ones.

4) The draft would preempt state laws, some of which, such as the Californian one, are stronger than the White House proposal.

5) The bill would exempt start-ups from data privacy requirements for the first 18 months. This will encourage an approach such as "grow quickly and ruthlessly while collecting as much data as you can, and sell to the highest bidder after 18 months". I don't think this is good for a sustainable long-term business strategy.

6) The penalties section (203) is quite interesting, however:
"(1) The civil penalty shall be calculated by multiplying the number of days that the covered entity violates the Act by an amount not to exceed $35,000; or
(2) If the Commission provides notice to a covered entity, stated with particularity, that identifies a violation of this Act, the civil penalty shall be calculated by multiplying the number of directly affected consumers by an amount not to exceed $5,000 (...)"
This could easily exceed the 5% annual global turnover which the European Parliament has set as the maximum penalty in its version of the coming Data Protection Regulation.

This Washington Post article gives a good summary of the reactions (in short: The FTC is not happy, the NGOs are not happy, industry is partially happy, except for the libertarians).

The White House apparently did not manage to find bipartisan congressional sponsors before releasing it, so this and the timing (Friday afternoon) has lead some observers to believe already that it's "dead in the water".

Senator Ed Markey, known as a strong privacy defender, has criticised the draft for not doing enough  for consumers here. As a result, he has announced that he will present his own draft next week (!).

There will be loads of things to discuss for the European Parliament delegation that will visit Washington mid-March. Among the MEPs taking part are Jan Philipp Albrecht, vice-chair of the Civil Liberties, Justice and Home Affairs Committee and rapporteur for the EU Data Protection Regulation and for the EU-US Data Protection Umbrella Agreement, and Claude Moraes, chair of the same committee and rapporteur for the NSA mass surveillance inquiry and its upcoming follow-up.

Labels: , ,

Friday, October 03, 2014

The Ballad of Google Spain

The judgement of the European Court of Justice in the case Google Spain from May 2014 has caused a very diverse and intense debate that is not finished by far. Though the ruling does not contain this, it has become known as the "right to be forgotten"-ruling, or #R2BF.

The best summary by far has been provided by Paul Bernal. The analysis is very much to the point, but even better: For the national poetry day yesterday, he wrote it in the form of a poem!
The Ballad of Google Spain

There was a case, called ‘Google Spain’
That caused us all no end of pain
Do we have a right to be forgotten?
Are Google’s profits a touch ill-gotten?

read the full poem

Labels: , , , , , ,

TTIP and TiSA: big pressure to trade away privacy

I have been asked by Statewatch before the summer to contribute to their collection of essays and analyses on transatlantic relations. I wrote an analysis of the pressure on European data protection and privacy rules, including strategic discourses and lobbying around it. It is based on the documents that are available so far.

The paper has finally been published in September, very timely after the end of the Brussels and Washington summer break.
TTIP and TiSA: big pressure to trade away privacy, Statewatch Analysis 257, September 2014

Labels: , , , , , ,

Saturday, December 14, 2013

layers of the struggle privacy vs surveillance, in my picture of the year

This is the picture of the year for me, on so many different layers: 
Stewart Baker, ex-NSA general counsel, and Jacob Appelbaum, internet freedom activist/hacker/journalist (left, right).
Eingebetteter Bild-Link
  • They pretty much symbolise the two sides of the global scandal of the year.
  • They also symbolise the attitudes of both sides.
  • This struggle has defined a large part of my professional life in 2013.
  • I was involved in defining much of this struggle (at least on the EU Parliament side) as a large part of my professional life in 2013.
  • I was on a panel with both of them yesterday, which was one of the most unlikely things I ever imagined in my life.
  • This picture was one of the more unlikely pictures in my life of which I imagined to be there when they were taken. 
  • But hey, I was involved in pulling that panel together.
  • Most basic question that says it all: With whom of these guys would you prefer to hang out and collaborate and try to change the world? The answers to this one again can be on many layers, but they actually converge to the same answer.
  • [fill in your own layer in the comments / shares] 
(picture by Omer Tene, who also moderated the panel) 

Update, 6 April 2014: Jake and Stewart now finally got into the heated discussion they were supposed to have back in December. 

Labels: ,

Sunday, December 09, 2012

EU Commission: No new law enforcement databases needed

In a communication and a press release, somewhat hidden on a Saturday Friday for whatever reasons, European Union Home Affairs Commissioner Cecilia Malmström announced that her services had done an assessment of EU-wide law enforcement information exchange mechanisms. She concluded that
information exchange generally works well, and no new EU-level law enforcement databases are therefore needed at this stage.
This is the first time in a long while that a top-level home affairs official has said that they don't need more new databases. Emphasis is added in the quote for a reason!

This conclusion is based on an "Overview of information management in the area of freedom, security and justice" which the Commission had released in 2010 and which introduced a number of criteria for further policy development in this field:
  • Safeguarding fundamental rights, in particular the right to privacy and data protection
  • Necessity
  • Subsidiarity
  • Accurate risk management
  • Cost-effectiveness
  • Bottom-up policy design
  • Clear allocation of responsibilities
  • Review and sunset clauses
In the new communication, the Commission examines a number of EU-wide information exchange instruments among law enforcement agencies. Oddly enough, they mix existing EU stuff such as Europol and the Schengen Information System (SIS) with projects started by a number of member states which have not yet been Europeanised, such as the Püm Decision or the European Border Surveillance System EUROSUR.

The Commission does also not address a number of other initiatives and databases that are currently in the legislative pipeline:
  • Eurodac, the database of fingerprints of asylum seekers, where Parliament and Council are currently debating law enforcement access;
  • EU-PNR, the proposed system of EU-wide gathering, profiling, and retention of data on all air passengers entering or leaving Europe (and with an extension to inner-European flights under discussion);
  • Smart Borders, a legislative package probably coming in early 2013, which would collect data about everbody entering and leaving the EU, including fingerprints (Entry-Exit System) and which would allow easier entering of the EU if travellers were pre-checked and profiled.
The Commission is to be applauded for such a sober look at the state of play in information exchange. Members of the European Parliament as well as several stakeholders had repretedly asked "when is it enough?" after the Commission in alliance with the Member States had pushed through massive surveillance projects such as telecommunications data retention, bulk bank data transfers to U.S.  financial intelligence services through the SWIFT agreement or air passenger mass surveillance through the PNR-agreements with Australia and the U.S. Good to finally see a red line here.

However, this raises urgent questions about the need for the above-mentioned measures still in the pipeline. The European Parliament is about to vote on the negotiation mandate for EU-PNR and Eurosur, and on the final agreements for law enforcement access to Eurodac. And one can wonder how the Commission will justify its "smart borders" package next year.

It seems the EU institutions should stop current initiatives and have a more general debate on further databases and information exchange in the field of justice and home affairs. It would make sense to align this with the debates on the work programme of the upcoming Irish Council presidency as well as the legislative reports from the Parliament on the EU data protection reform, which both will be debated in the Civil Liberties, Justice and Home Affairs Committee on 10th January 2013. 

Saturday, July 07, 2012

Post-ACTA: declassified negotiation documents on criminal provisions

Immediately after the defeat of the notorious Anti-Counterfeiting Trade Agreement (ACTA) in the European Parliament on 4th of July, it seems the institutions are quickly wrapping it up. Right on the next day, the Council of the European Union has declassfied the different (and still secret) negotiation versions of the ACTA criminal sanctions chapter (these fall under Council competence, whereas the Commission was in charge of the general trade provisions). A list in chronological order is provided below. Let's see if the Commission will also declassify the other chapters.

21 November 2008
http://register.consilium.europa.eu/pdf/en/08/st15/st15588-re02.en08.pdf

3 December 2008
http://register.consilium.europa.eu/pdf/en/08/st15/st15588-re03.en08.pdf

25 March 2009
http://register.consilium.europa.eu/pdf/en/09/st08/st08031-re01.en09.pdf

9 October 2009
http://register.consilium.europa.eu/pdf/en/09/st13/st13867-re01.en09.pdf

19 October 2009
http://register.consilium.europa.eu/pdf/en/09/st14/st14696-re01.en09.pdf

29 October 2009
http://register.consilium.europa.eu/pdf/en/09/st15/st15044-re01.en09.pdf

22 December 2009
http://register.consilium.europa.eu/pdf/en/09/st17/st17779-re01.en09.pdf

Labels: , ,

Wednesday, July 04, 2012

EU Commission will link data retention reform to e-privacy reform in 2013

EU home affairs commissioner Cecila Malmström has announced in an interview with German newspaper Frankfurter Allgemeine Zeitung that she will not propose a revision of the notorious data retention directive this year. Instead, she will work with information society commissioner Neelie Kroes to review the e-privacy directive and the data retention directive together in 2013.

This is big news. Malmström and her services have been struggling with the data retention reform for almost two years. Now she and Kroes want to reform it together with the e-privacy directive in a package, both closing loopholes for further data use in the latter and reducing retention periods and police access in the former.

My reading is this: The liberal Malmström does not know how to get out of this data retention mess in one piece, with activists and "the internet" (c.f. ACTA) on one side, and home affairs ministers in Council on the other side. So she is now siding with Kroes in a hope to get anything agreed under the stewartship of an experienced telco regulator. They will try to ease industry opposition and in return get an okay for a limited version of data retention.

The big question is: How will this interact with the data protection reform package proposed by justice commissioner Viviane Reding in January? It was supposed to also amend and have an impact on the e-privacy directive with the data protection regulation for the internal market, and the proposed directive on data protection in the law enforcement field would need some rules on access of police investigators to corporate databases about their customers.

Time for some interesting coalition-building of institutional players, activists and lobbyists all across the field.

Competing schools in political science would suggest:
  1. Whoever gets the major conflict lines and narratives set up first and firmly, will win (constructivism);
  2. Whoever controls the institutional agenda, will win (institutionalism);
  3. Whoever is in better understanding of economic and political interests, will win (realism).
And this finally reminds me of my academic years and also shows how unpredictable all of this is in theory. Think ACTA, again.

Labels: , , ,