Internet of Things and Security - The Challenges

I had the pleasure of speaking at an event organised by the European Data Protection Supervisor (EDPS) on the Internet of Things. While the EDPS is focused on data protection, I tried to widen the perspective and also address the more pressing issues around IoT security. My final words addressed some of the issues around the economic aspects of the IoT, including data ownership. I used a lot of recent examples from the real world, including car hacking, pacemaker snitching, and hotel door ramsomware.

The video of the whole event is now available, I speak at 55:55.

Edited to add: The other speakers before me were: Giovanni Butarelli (EDPS, @Butarelli_G), Wojtek Wiewiorowski (assistant EDPS, @W_Wiewiorowski), Joe McNamee (EDRi, @why0hy), Riccardo Masucci (Intel, @riccardomasucci, Irene Kamara (Universities of Brussels & Tilburg, @kamara_irene), in that order.

Minutes from EU Court of Justice on #DataRetention

On 19th July 2016, Advocate General Øe Saugmandsgaard will present the Court of Justice of the European Union (CJEU) his opinion in the joined cases C-203/15 and C-698/15,Tele2 Sverige and Davis and Others. They concern the validity of national laws in Sweden and the UK for the retention of telecommunications data under EU law and the EU Charter of Fundamental Rights. This is a very relevant question, since the Court invalidated the EU Data retention directive in 2014.

To see what is to be expected, it is helpful to know what happened at the oral hearing on 5th April 2016. Our legal trainee Antonia Latsch attended the hearing (which is public, but not streamed or recorded). She live-tweeted from there, and has allowed me to re-publish her tweets in chronological order here. I have done minor editing to clean up the language, correct typos, etc. So here we go:

Court is in session #dataretention #dripa

Judgement first, hearing about to start #dataretention #CJEU

Hearing started. Johansson addressing question of what constitutes electronic processing of personal data #dataretention

Tele2 Lawyer Johansson: Law needs to be proportional to what is strictly necessary for the concrete objectives #tele2 #CJEU

Tele2: legislation needs to limit access of data, only to fight serious crimes & subject to ex ante court control #dataretention

Tele2: Swedish data collection law is not limited to serious crimes, nor does it grant ex ante court control #tele2 #dataretention

Watson/Davis Lawyer: The United Kingdom does not provide sufficient safeguards for personal data collection #DRIPA #dataretention

Davis/Watson: Minimum safeguards need to be in place to protect personal data to prevent abuse #dataretention #DRIPA

Davis: Court should give guidance to what necessary safeguards are, UK does not meet the safeguards #dataretention

Davis: UK allows collection of data for purposes that are not in regards to suspected crimes, constitutes breach of Art. 51 #dataretention

Brice: authorization and purpose for what it is granted for are connected; intrusiveness needs to meet seriousness of crime #dataretention

Brice: Authorization to access to data must me be granted by structural independent body #dataretention

Brice: purpose of law is only in case of serious crimes. Domestic legislation goes way beyond, including tax purposes #dataretention

Open Rights Group: Case is of global significance, challenging the courts position on personal data protection #dataretention

ORG/Privacy International: states need to be able to prevent passing of data to states that don't comply with EU privacy law #dataretention

PI: Art. 15 e-privacy directive is lex specialis, it does not allow for the individual to be completely stripped of their privacy rights #dataretention

Law Society: Limitation by independent authorization for the kind of data that can be stored is missing #dataretention

Sweden: general obligation to keep data can be proportional for very important measures #dataretention

Sweden: not all access to general data needs to be directly related to a serious crime, but be strictly necessary #dataretention

Sweden: investigations have shown that it is impossible to limit retention of data prior for measurements to be effective #dataretention

Sweden: possibility of rapid decisions is necessary for effectiveness, therefore outside review is unpractical #dataretention

UK: Law requires commercial service providers to keep the data, not authorities #dataretention

UK: We cannot know in advance what data is necessary and valuable #dataretention

UK: in matters concerning national security, member states must make assessments of what is necessary and proportionate #dataretention

UK: objective requirements for necessity of the taken measurements are different from specific rules laid out by the court #dataretention

UK: it should be up to national courts to check that specific requirements and set standards are met #dataretention

Czech: important how domestic law allows access and safety of data, if safeguards are in place, it is not disproportionate #dataretention

Czech: "We live in troubled times, do we really want to constrain the member states in this way?"#dataretention

Denmark: data retention must be general to be effective as a crime fighting tool #dataretention

Denmark: Rules on access to and retention of date go hand in hand and can not be separated #dataretention

Denmark: proportionality test strikes the right balance, provided it gives clear and precise rules/guarantees of protection #dataretention

Denmark: approach to data retention should be all or nothing #dataretention

Denmark: no reason to assess these national measures more stringent than other national measures #dataretention

Germany: active passing of data by private sector allows government access, this must be compatible with fundamental rights #dataretention

Germany: objective safeguard criteria can be sufficient, therefore concrete implementation determines if law is proportionate #dataretention

Antonia Latsch re-tweeted ‏@TetsuwanAstro:
Germany: Data protection guarantees should be assessed as a whole, access AND retention rules together #dataprotection

Estonia: We consider it necessary in the fight against terrorism to collect data of all people #dataretention

Estonia: Saving someone's life and effectively fighting crime is worth allowing government's intervention #dataretention

Ireland: access of data is not directly governed by EU law #dataretention

Ireland: court is providing guidance for interpretation of EU law to national courts #dataretention

Ireland: member states must be given discretion on how to provide proportional measures #dataretention

Ireland: access of data is not directly governed by EU law #dataretention

Antonia Latsch re-tweeted @JanAlbrecht

Jan Philipp Albrecht quoted Antonia Latsch:
Rubbish. The ePrivacy Directive regulates use of personal telecom data, therefore governed by EU law. #dataretention

Ireland: access of data is not directly governed by EU law #dataretention

Ireland: Diversity of different member states needs to be respected by the court #dataretention

Spain: The burden that data retention puts on the internal market and private actors should not be underestimate #dataretention

Spain: The upholding of fundamental rights must be the upper limit to granted discretion #dataretention

Spain: General data retention cannot be seen as an indispensable measure taken by all means #dataretention

France: Data can be used for prosecution as well for proof of innocence. It is impossible to know in advance what is needed. #dataretention

France: French government finds the retention period of 1 year for data absolutely necessary to combat crime and terrorism #dataretention

European Commission: Interference must be proportional as well as respect the essence of the interfered right #dataretention

Finland: Connection between retention and use means that retention can only be justified if the later use is also justified #dataretention

Finland: Practical reasons necessitate a system of universal retention of data that can be compensated by limitation #dataretention

European Commission: procedural safeguards in their entirety need to be assessed to their efficiency #dataretention

after questioned by Judge Rapporteur von Danwitz, Tele2: about 10.000 data request have been made to tele2. No overall statistic available #dataretention

von Danwitz to UK: Does DRIPA enable public authority to collect data from persons outside of the UK? #dataretention

UK: Scope of data retention of DRIPA applies to all data generated and processed in the UK #dataretention

v. Danwitz:"how far are we taking this logic that we don't know who will be a criminal tomorrow and therefore need all data?" #dataretention

v. Danwitz: "Isn't there always something more effective and also more intrusive? Where do we stop?" #dataretention

Advoc. General Saugmandsgaard to UK: can you be more precise to when general retention is indispensable? #dataretention

UK: retention of general data is vital to prevent terrorism and preventing crime but also for protecting people in general #dataretention

Advoc. General to Tele2: Are Swedish authority demanding you to secure data you would otherwise not acquire? #dataretention

Tele2: No, its data that is there, but would not be kept and deleted at once. #dataretention

Advoc. General to Sweden: Is there information about the misuse of this data retention? #dataretention

Germany: data retention is not useful if limited to specific geographical locations #dataretention

Sweden: The chancellor of the data protection agency must be informed of mistakes; here ex-post control is more efficient #dataretention

Tele2: All retention of data carries a risk of misuse, member states should look closely at what is stored and for how long #dataretention

Davis: Case regards the lack of safeguards. Access to data takes place in secret; high demands cannot be monitored adequately #dataretention

Davis: Although individuals can, it's unlikely they will bring a complaint if they don't know their information was accessed #dataretention

Sweden: if data retention is to be an effective measure in fighting crime it needs to be general by nature #dataretention

Session is closed. Advocate General opinion will be delivered on the 19th of July 2016. #dataretention

Minutes from EU Court of Justice on #CanadaPNR

On 5th April, I attended the oral hearing of the Court of Justice of the European Union (CJEU) on the draft agreement between the EU and Canada on the transfer, use, and retention of air passenger data (EU-Canada PNR agreement). The European Parliament has submitted this agreement to the Court in November 2014.

It was my first time at the Court, and the Grand Chamber is really impressive. However, I watched the hearing from the press room next door in order to be able to use the laptop and wifi.

Colleague Thomas van der Valk was also tweeting.

Here are my tweets in chronological order and with some typos corrected:

EU Court of Justice hearing on EU-Canada PNR agreement about to start. I'll tweet from there.

"The Court is in session". Two short judgements are announced first, then #CanadaPNR hearing in a few minutes. #CJEU
#CanadaPNR hearing started. First: legal service of @Europarl_EN, which submitted the agreement to the Court.
.@Europarl_EN: 2 questions: lack of data protection rights, wrong legal basis of the agreement. Candadian law only allows Canadians remedy.
 .@Europarl_EN questions compatibility with Art. 8 of the Charter of Fundamental Rights (data protection): independent oversight? #CanadaPNR

.@ThmsvdVlk is also live-tweeting from the #CanadaPNR hearing at the #CJEU. 

.@Europarl_EN: Article 47 of the Charter (judicial redress / legal remedies) not met with the PNR agreement?

.@Europarl_EN: Article 52 of the Charter (proportionality and necessity) not met either, see #dataretention judgement?
.@Europarl_EN lists the several typed of processing of PNR data: transfer, access, analysis, retention, onward transfer. #CanadaPNR
 .@Europarl_EN: systematic analysis of all passenger data (profiling) not yet covered by #CJEU case law such as #dataretention or #Schrems.
.@Europarl_EN: Canadian privacy Commissioner has been critical about large-scale PNR data analysis. "mega-data" not "meta-data" #CanadaPNR
.@Europarl_EN: PNR data will be transferred to US authorities under the "beyond the border" agreement, https://www.dhs.gov/beyond-border  #CanadaPNR
Now: Council legal service, defending the #CanadaPNR agreement. "@Europarl_EN also accepted PNR agreements with USA and Australia."
(Reason for @Europarl_EN to submit #CanadaPNR agreement was CJEU #dataretention judgement. It came after USA and Australia PNR agreements.)

Council now on legal arguments about opt-out options for Denmark, Ireland and UK, Court had asked about this as well. #CanadaPNR

Council: Canadian general law allows for legal remedies for anyone, not just people in Canada. #CanadaPNR 

Funny to see the @Europarl_EN agents sitting behind the Council agent who is speaking now. They shake their heads quite often. #CanadaPNR 

Council: Legal basis for #CanadaPNR agreement (Art. 82 TFEU, judicial cooperation) is correct, we maintain our position.

Council: @Europarl_EN did not contest same legal basis for EU-Australia PNR agreement. #CanadaPNR 

.@EUCouncil conclusion: All is fine with the #CanadaPNR agreement.

 .@EU_Commission quotes EU anti-terror coordinator: number of convictions based on PNR "irrelevant". Court had asked about those! #CanadaPNR

.@EU_Commission: The #PNR data is "anonymised" after 30 days. #dataretention judgement is not applicable here. #CanadaPNR

.@EU_Commission: #CanadaPNR agreement provides for legal remedies and independent oversight: Passengers can complain with EU DPAs.
.@EU_Commission: Dispute settlement mechanism in Art. 25 of #CanadaPNR agreement is sufficient. If no solution, EU DPAs can act, cf #Schrems
.@EU_Commission on legal basis: Art. 16 TFEU (#dataprotection) cannot ovver-rule all provisions on police / judicial cooperation. #CanadaPNR
.@EU_Commission: Existing data exchange agreements (Europol etc.) Can't out-rule this agreement, because we need data exchange #CanadaPNR
.@EU_Commission: Critical report by Canadian privacy commissioner shows that independent oversight works. #CanadaPNR

Some laughter in the press room on the last argument by @EU_Commission. (I am here, so I can use the laptop.) #CanadaPNR

Estonia starts their argument with an analogy of two piles of hay. Seems to boil down to "We can eat the cake and still have it". #CanadaPNR 

Estonia: #CanadaPNR data is limited. Helps police to determine criminal intent of travellers. #Schrems not comparable, based on 1995/46/EC.

Estonia: PRISM programme was covert, allowed unlimited data sharing. Completely different for #CanadaPNR: Protects against covert processing

Estonia: We can't limit (target) the amount of passengers, but the profiling limits the group of suspicious passengers anyway. #CanadaPNR 

Estonia: PNR data is broader than API (passport) data. But any border agent could ask you about your credit card number as well. #CanadaPNR 

Estonia: No reason to believe that Canada would process data without good faith. #CanadaPNR will pass #Schrems "eye of the needle" test.

Estonia: We cannot allow the risk of having potentially dangerous people board airplanes. #CanadaPNR is "unavoidably necessary".

Now Ireland on #CanadaPNR: International problems demand international responsed. Agreement is necessary.

Ireland: @Europarl_EN has agreed to PNR agreements with USA and Australia!

Ireland: Choice of legal basis important for us because of our opt-in choice for judicial cooperation. (We'll participate anyway) #CanadaPNR 

 Ireland: Data and number of people affected is much more limited than data in DRI and Schrems cases. #CanadaPNR 

Ireland: @Europarl_EN is endangering international cooperation by its challenge of #CanadaPNR.

Next in #CanadaPNR hearing is Spain: We must regard the specific circumstances of the #CanadaPNR case.

Spain: #dataretention period of 5 years is absolutely necessary for criminal investigations. #CanadaPNR 

Spain: Charter requirement of "independent" DPAs is different than "total independence" under 1995/46/EC. #CanadaPNR guarantees independence

(re last argument: #CanadaPNR is overseen in Canada by an ombudsperson, not by the Canadian DPA.)

After short break, now France on #CanadaPNR: Canada provides essentially equivalent data protection rights. PNR data not intrusive anyway.

France: Judicial approval of transfer of #CanadaPNR data would make the whole approach meaningless. Agreement necessary and proportionate.

Impression so far: Everybody refers to "necessary and proportionate", but hardly anyone except @Europarl_EN is giving criteria. #CanadaPNR 

France: Investigations into crimial networks take 4 to 5 years, therefore we need 5 years #dataretention. Useful. #CanadaPNR 

France: Terrorist groups exist some years before they actually become active. #CanadaPNR 

France insisting that recent CJEU and ECtHR case-law on mass surveillance was about communications, not PNR. #CanadaPNR 

Now UK, their agent in full "Queen's Counsel" style with a wig: We must check purpose, nature of data, safeguards. #CanadaPNR 

UK: There are things we know, and there are things we don't know. We need PNR data to find unknown terrorists and trafficers. #CanadaPNR 

RT @ThmsvdVlk:#CanadaPNR UK says it provided examples to Parliament. Anekdotal yes, not evidence. UK now again providing an example

UK: Use of term "profiling" by @Europarl_EN is wrong. PNR relates to travel pattern, not person's character. [well: "terrorist"?] #CanadaPNR 

UK: Vast majority of #CanadaPNR data will never be subject to human review, only sifted through by computers.

UK attacks @Europarl_EN legal service agent: "His assertions about Canadian law are just wrong".

UK repeats @EU_Commission: Critical report by Canadian DPA shows that independent oversight works. #CanadaPNR.

Last statement by @EU_EDPS, agent is @buchtan. Refers to PNR data demands by other countries, incl. Saudi-Arabia, Russia. #CanadaPNR 

.@EU_EDPS Art. 5 of #CanadaPNR agreement presumes adequacy for Canada without additional safgeguards. No judicial remedy for Europeans.

.@EU_EDPS argues that PNR data can as well be very intrusive, including revealing religious beliefs by means of food preferences. #CanadaPNR 

.@EU_EDPS: Use of #CanadaPNR data is about predictive policing, based on abstract definitions of what is "suspicious" & big data. Like US.

.@EU_EDPS Profiling of #CanadaPNR similar to "Rasterfahndung" (pattern searches) in DE after 9/11. Ruled out by consitutional court in 2006.

.@EU_EDPS dissects claims by Member States & Comission about oversight in #CanadaPNR. Not equivalent to independent authority, EU DPAs out.

Statements in #CJEU #CanadaPNR hearing are over. Thomas von Danwitz, judge rapporteur, now summarising for Q&A.

Danwitz: Passengers are not informed about collection & consequences when they book a flight. Therefore, #CanadaPNR implies purpose change.

.@EU_Commission: "As Article 11 of #CanadaPNR provides..." Danwitz: "We're still at the travel agency now, not in the agreement!"

.@EU_Commission: Well, that is far-fetched. Countries can demand anything from people entering their territory. #CanadaPNR 

Danwitz: DRI judgement requires clear guarantees for data subjects. Should #CanadaPNR data categories be clarified by law, not in annex?

Danwitz: What exactly does "frequent flyer information" mean? All my previous flights under a given loyalty programme? #CanadaPNR 

Danwitz: What does "etc." stand for in point 5 of #CanadaPNR agreement? Is that sufficiently precise?

.@Europarl_EN lawyers are cracking up in the background.

Danwitz now really grilling @EU_Commission on the #CanadaPNR annex. They already have two agents at the bar in order to deal with it.

.@EU_Commission: We were told that all the data can be used for finding terrorists or criminals. #CanadaPNR 

Danwitz: That's not my question. My question is about precision of the annex of #CanadaPNR, and "mandatory" vs "optional" data. Inequality?

Danwitz: Nothing in the #CanadaPNR agreement limits databases for cross-checking to Canadian databases. Is that correct?

.@EU_Commission: Data is used for profiling first, only suspicious data compared with other databases. Danwitz: It's not in the agreement!

Danwitz: The @EU_EDPS asked you to exclude sensitive data. No explicit exclusion in #CanadaPNR agreement, however. Reason (except "useful")?

.@EU_Commission: See Article 8. Danwitz: Hmh, ok.

Danwitz: Why do you not demand statistics in #CanadaPNR agreement, as in the EU directive? .@EU_Commission: Canadians still do statistics.

Danwitz: So you don't have any data on how many convicted passengers were, let's say, muslims? - No. #CanadaPNR 

Danwitz: Can all data be freely exchanged with other Canadian authorities, subject to Art. 18? - COM: Yes, but case-by-case only #CanadaPNR 

Danwitz: Should adequacy finding better be made by EU institutions (c.f. #Schrems), not negotiated with the third country? #CanadaPNR 

Danwitz: Art. 19 only limits 3rd country transfer for "Canadian Competent Authority". What about other Canadian authorities? #CanadaPNR 

Danwitz: The whole "a posteriori" approach of rights enforcement worries me. #CanadaPNR 

Danwitz: Could I object to the algorithm that sifted through my data? - COM: No. Danwitz: Why not? COM: "Prevention" #CanadaPNR 

Danwitz: Even when I leave Canada again, my data stays with their authorities for five years. Why? I have a difficulty with this. #CanadaPNR 

Danwitz: Are all 28 Mio passengers who go to Canada each year subject to such measures, even if completely unsuspicious? COM: yes #CanadaPNR 

#CanadaPNR hearing now into lunch break until 15:00. #CJEU

#CJEU #CanadaPNR hearing has started again. @EU_Commission to answer question from before lunch - "should we all be subject to surveilance"?

.@EU_Commission also now claims there is no "profiling". And then explains what kind of profiling is done with #CanadaPNR data. m(

.@EU_Commission to answer on lack of statistics on use of data, but merely makes false claims on "anonymous" and "deleted". #CanadaPNR 

Judge von Danwitz lectures COM that data are actually not "anonymised" after 30 days. "It bothers me when you're not precise" #CanadaPNR 

Danwitz: You could really anonymise data after 30 days. Or delete data of non-suspicious persons at after they leave Canada. #CanadaPNR 

Danwitz now lecturing on ECtHR case-law re possible discrimination of persons by data stored about them. #CanadaPNR 

Danwitz: Does the data "stigmatise" everyone or just some? That's the question. #CanadaPNR. Now questions from AG and other judges.

Now Paolo Mengozzi, advocate-general for this case, with questions on the legal basis of #CanadaPNR. "COM can rest, but just for a bit"

Council legal service on special carve-out protocols for UK, Ireland and Denmark on judicial cooperation. Q: Have they voted on #CanadaPNR?

AG Mengozzi with Q for COM: Why limitation on sensitive data only for "competent authority", not Canada as a whole? - COM: "..." #CanadaPNR 

Mengozzi: Why limitations for transfers to 3rd countries also only for "competent authority", and no limitations for recipients? #CanadaPNR 

.@EU_Commission: 3rd country authorities not really a concern for us, as they only receive already "filtered" data case-by-case. #CanadaPNR 

AG Mengozzi: "This seems absurd to me." Chance for survival of #CanadaPNR getting slimmer by the minute.

Mengozzi now with question to @Europarl_EN on #CanadaPNR: Legal basis: data protection or judicial cooperation? Could it be both? #CanadaPNR 

.@Europarl_EN: We think it's data protection (Art. 16 TFEU), but could be both. One reason we submitted #CanadaPNR to you.

Mengozzi: Article 4(1) of #CanadaPNR: "EU shall ensure air carriers are not prevented from transferring PNR data" But there are limits!

Mengozzi: Where does the /obligation/ for transfers come from then?#CanadaPNR 

.@Europarl_EU: Our problem is that we don't know Canada's or even the EU's interpretation of this. Canadian law not referenced. #CanadaPNR 

.@Europarl_EN: We also don't know who will be the supervisory authority / body in Canada either. Should be specified! #CanadaPNR 

.@Europarl_EN: Art. 4(1) would neutralise any EU data protection legislation with regards to data transfers. #CanadaPNR 

Judge Rosas to Council with question on legal basis: Should certain Member States vote on instruments that do not bind them? #CanadaPNR 

Council: Well, on the new #EUdataP directive for law enforcement, Denmark will vote, but still unclear if and how it is bound. #CanadaPNR 

Q: Has a link to the Schengen acquis been considered, including to cover Norway, Switzerland, Iceland? #CanadaPNR 

Council (other lawyer): Schengen link was not considered. Re DK, IE, UK: They are bound to a certain extent, therefore can vote. #CanadaPNR 

Judge Regan to @Europarl_EU: How do you reconcile your dataprotection arguments with your declared comittment to fight terrorism? #CanadaPNR 

.@Europarl_EU: You can have general #EUdataP rules, but you can also have special DP rules for anti-terror instruments. #CanadaPNR 

.@Europarl_EN: Look at Art. 5 #CanadaPNR: Canadian authoriy "is deemed to provide an adequate level of protection" - problematic!

Judge Rosa to COM: Which PNR data in the annex are sensitive? Art. 2(e) (sensitive data) doesn't refer to specific data types. #CanadaPNR 

.@EU_Commission: Only point 17, Special Service Request Information etc. Judge: How can we be sure none of the others? Unclear. #CanadaPNR 

Judge Rosas grilling COM now: Why is Art. 2(e) then not directly referencing point 17 of annex? #CanadaPNR 

Judge von Danwitz: What about point 18 annex? "API data collected for reservation purposes"? COM: No. Judge: How can we be sure? #CanadaPNR 

Closing statements now. .@EU_Commission, pretty deperate: Data protection must not turn into an area of fear! #CanadaPNR 

UK lawyer by far with strongest and most well-informed arguments in favour of #CanadaPNR. Must be the wig.

UK: WHole purpose of #CanadaPNR is to ensure that Canada has equivalent protections. Not to install EU DPA oversight over Candian DPA.

Advocate-General Paolo Mengozzi will present his opinion on #CanadaPNR on 30th June. Session is closed.

The @Europarl_EN inofficial twitter team says thanks for RTs and favs! #CanadaPNR @ThmsvdVlk

Trade Agreements and the Internet - and the Zombies

I had the pleasure of speaking about what trade agreements such as TTIP or TiSA may do to the internet at re:publica, the greatest European conference about the digital society. The talk was together with Estelle Massé, Gaelle Krikorian, and Sanya Reid Smith.

Here are the slides, and here is the video recording. They may contain Plants and Zombies.

White House releases draft Consumer Privacy Bill

The US "Administration Discussion Draft: Consumer Privacy Bill of Rights Act of 2015" was released yesterday. It follows up to the 2012 "Consumer Privacy Bill of Rights" from President Obama. 

The draft bill sets out some basic definitions and principles, such as "reasonable" collection of personal data, and consumer rights, such as access to their own data. For enforcement, it gives the Federal Trade Commission the powers to approve and enforce Codes of Conduct submitted by different industry sectors. So far, the FTC has enforced certain data protection rules under Title V of the FTC act, which prohibits "unfair and deceptive trade practices".

At first glance, the draft has a number of serious issues, especially if you look at it from an EU data protection perspective. A few points are worth mentioning:

1) The bill exempts "Cybersecurity data" from the scope:

The term “personal data” shall not include cyber threat indicators collected, processed, created, used, retained, or disclosed in order to investigate, mitigate, or otherwise respond to a cybersecurity threat or incident, when processed for those purposes."

This does not make any sense. It may be reasonable to allow the processing of personal data for IT security purposes (as certain drafts of the planned EU data protection regulation do), but with this approach, things such as IP addresses are removed from the scope of the privacy bill.

2) The bill is contradictory. It states in section 103:

"If a covered entity processes personal data in a manner that is reasonable in light of context, this section does not apply",

and then in section 104, it says

"Each covered entity may only collect, retain, and use personal data in a manner that is reasonable in light of context."

To me it is completely unclear when section 103 would apply at all...

3) Title III of the bill recycles the "Safe Harbor" term and the idea of self-certification which has consistently been criticised by the European Parliament and privacy experts from around the world since the EU Commission and the US Department of Commerce came up with the Safe Harbor approach in 2000:

"Safe Harbor Protection.—In any suit or action brought under Title II of this Act for alleged violations of Title I of this Act, the defendant shall have a complete defense to each alleged violation of Title I of this Act if it demonstrates with respect to such an alleged violation that it has maintained a public commitment to adhere to a Commission-approved code of conduct that covers the practices that underlie the suit or action and is in compliance with such code of conduct."

At least compliance is required, not just the mere committment, but the underlying problem is that the FTC would only be able to review submitted codes, not develop and issue their own ones.

4) The draft would preempt state laws, some of which, such as the Californian one, are stronger than the White House proposal.

5) The bill would exempt start-ups from data privacy requirements for the first 18 months. This will encourage an approach such as "grow quickly and ruthlessly while collecting as much data as you can, and sell to the highest bidder after 18 months". I don't think this is good for a sustainable long-term business strategy.

6) The penalties section (203) is quite interesting, however:

"(1) The civil penalty shall be calculated by multiplying the number of days that the covered entity violates the Act by an amount not to exceed $35,000; or
(2) If the Commission provides notice to a covered entity, stated with particularity, that identifies a violation of this Act, the civil penalty shall be calculated by multiplying the number of directly affected consumers by an amount not to exceed $5,000 (...)"

This could easily exceed the 5% annual global turnover which the European Parliament has set as the maximum penalty in its version of the coming Data Protection Regulation.

This Washington Post article gives a good summary of the reactions (in short: The FTC is not happy, the NGOs are not happy, industry is partially happy, except for the libertarians).

The White House apparently did not manage to find bipartisan congressional sponsors before releasing it, so this and the timing (Friday afternoon) has lead some observers to believe already that it's "dead in the water".

Senator Ed Markey, known as a strong privacy defender, has criticised the draft for not doing enough  for consumers here. As a result, he has announced that he will present his own draft next week (!).

There will be loads of things to discuss for the European Parliament delegation that will visit Washington mid-March. Among the MEPs taking part are Jan Philipp Albrecht, vice-chair of the Civil Liberties, Justice and Home Affairs Committee and rapporteur for the EU Data Protection Regulation and for the EU-US Data Protection Umbrella Agreement, and Claude Moraes, chair of the same committee and rapporteur for the NSA mass surveillance inquiry and its upcoming follow-up.

The Ballad of Google Spain

The judgement of the European Court of Justice in the case Google Spain from May 2014 has caused a very diverse and intense debate that is not finished by far. Though the ruling does not contain this, it has become known as the "right to be forgotten"-ruling, or #R2BF.

The best summary by far has been provided by Paul Bernal. The analysis is very much to the point, but even better: For the national poetry day yesterday, he wrote it in the form of a poem!

The Ballad of Google Spain

There was a case, called ‘Google Spain’
That caused us all no end of pain
Do we have a right to be forgotten?
Are Google’s profits a touch ill-gotten?

read the full poem

TTIP and TiSA: big pressure to trade away privacy

I have been asked by Statewatch before the summer to contribute to their collection of essays and analyses on transatlantic relations. I wrote an analysis of the pressure on European data protection and privacy rules, including strategic discourses and lobbying around it. It is based on the documents that are available so far.

The paper has finally been published in September, very timely after the end of the Brussels and Washington summer break.
TTIP and TiSA: big pressure to trade away privacy, Statewatch Analysis 257, September 2014