1
00:00:00,000 --> 00:00:09,520
<i>32C3 preroll music</i>

2
00:00:09,520 --> 00:00:13,210
Herald: Our next talk is
called “Safe Harbor”.

3
00:00:13,210 --> 00:00:18,019
Background is: back in October, in
the light of the Snowden revelations

4
00:00:18,019 --> 00:00:22,829
the Court of Justice of the European
Union – that’s the “EuGH” in German

5
00:00:22,829 --> 00:00:29,159
declared the Safe Harbor agreement
between the EU and the US invalid.

6
00:00:29,159 --> 00:00:32,500
This talk is about how we got there
as well as further implications

7
00:00:32,500 --> 00:00:37,470
of that decision. Please believe me when
I say our speaker is ideally suited

8
00:00:37,470 --> 00:00:42,730
to talk about that topic. Please give it
up for the man actually suing Facebook

9
00:00:42,730 --> 00:00:45,990
over Data Protection concerns:
Max Schrems!

10
00:00:45,990 --> 00:00:50,940
<i>applause and cheers</i>

11
00:00:50,940 --> 00:00:53,290
Max Schrems: Hallo! Hey!
<i>applause and cheers</i>

12
00:00:53,290 --> 00:01:01,770
<i>applause</i>

13
00:01:01,770 --> 00:01:05,420
It’s cheerful like some Facebook Annual
conference where the newest things

14
00:01:05,420 --> 00:01:09,920
are kind of presented. I’m doing a little
intro basically where I got there.

15
00:01:09,920 --> 00:01:13,330
This was my nice little university in
California. And I was studying there

16
00:01:13,330 --> 00:01:15,259
for half a year and there were a
couple of people from Facebook

17
00:01:15,259 --> 00:01:18,149
and other big companies and
they were talking about

18
00:01:18,149 --> 00:01:21,289
European Data Protection law. And
the basic thing they said – it was

19
00:01:21,289 --> 00:01:25,219
not an original quote but basically what
they said is: “Fuck the Europeans,

20
00:01:25,219 --> 00:01:28,050
you can fuck their law as much as you
want and nothing is going to happen.”

21
00:01:28,050 --> 00:01:31,919
And that was kind of the start of the
whole story because I thought: “Okay,

22
00:01:31,919 --> 00:01:35,639
let’s just make a couple of
complaints and see where it goes.”

23
00:01:35,639 --> 00:01:41,219
I originally got 1.300 pages Facebook data
back then, because you can exercise

24
00:01:41,219 --> 00:01:45,420
your right to access. And Facebook
actually sent me a CD with a PDF file

25
00:01:45,420 --> 00:01:49,069
on it with all my Facebook data.
It was by far not everything

26
00:01:49,069 --> 00:01:51,880
but it was the first time that someone
really got the data and I was asking

27
00:01:51,880 --> 00:01:54,889
someone from Facebook why they were so
stupid to send me all this information.

28
00:01:54,889 --> 00:01:59,100
Because a lot of it was obviously illegal.
And the answer was “We had internal

29
00:01:59,100 --> 00:02:04,090
communications problems.” So someone was
just stupid enough to burn it on a CD and

30
00:02:04,090 --> 00:02:09,158
send it on. One of the CDs actually was
first going to Sydney in Australia because

31
00:02:09,158 --> 00:02:12,819
they put “Australia” instead of “Austria”
on the label which was one of the things

32
00:02:12,819 --> 00:02:15,050
as well.
<i>applause</i>

33
00:02:15,050 --> 00:02:20,010
Anyway, this was basically how
my interest in Facebook started;

34
00:02:20,010 --> 00:02:23,450
and the media got crazy about it because
there is like a little guy that does

35
00:02:23,450 --> 00:02:27,280
something against the big guy. And this
is basically how the whole thing got

36
00:02:27,280 --> 00:02:30,980
this big. This is like a cartoon from my
Salzburg newspaper. This should be me,

37
00:02:30,980 --> 00:02:34,640
and it’s like basically the reason why
the story got that big because it’s

38
00:02:34,640 --> 00:02:37,790
a small guy doing something against
Facebook, not necessarily because

39
00:02:37,790 --> 00:02:41,770
what I was doing was so especially smart.
But the story was just good for the media,

40
00:02:41,770 --> 00:02:45,879
’cause data protection is generally a very
dry topic that they can’t report about

41
00:02:45,879 --> 00:02:50,019
and they’re they had like
the guy that did something.

42
00:02:50,019 --> 00:02:54,299
A couple of introductions. We actually
had 3 procedures. So if you heard about

43
00:02:54,299 --> 00:02:58,290
what I was doing… There was originally
a procedure at the Irish Data Protection

44
00:02:58,290 --> 00:03:02,310
Commission, on Facebook itself – so what
Facebook itself does with the data.

45
00:03:02,310 --> 00:03:06,620
This procedure has ended after 3 years.
There’s a “Class Action” in Vienna

46
00:03:06,620 --> 00:03:09,930
right now that’s still ongoing. It’s in
front of the Supreme Court in Austria

47
00:03:09,930 --> 00:03:14,900
right now. And there is the procedure
that I’m talking about today which is

48
00:03:14,900 --> 00:03:19,920
the procedure on Safe Harbor at the
Irish Data Protection Commission.

49
00:03:19,920 --> 00:03:22,719
A couple of other background
informations: I personally don’t think

50
00:03:22,719 --> 00:03:25,159
Facebook is the issue. Facebook
is just a nice example for

51
00:03:25,159 --> 00:03:29,609
an overall bigger issue. So I was never
personally concerned with Facebook but

52
00:03:29,609 --> 00:03:32,969
for me the question is how we enforce
Data Protection or kind of stuff.

53
00:03:32,969 --> 00:03:35,909
<i>applause</i>
So it’s not a Facebook talk; Facebook is

54
00:03:35,909 --> 00:03:39,290
<i>applause</i>
the example. And of course the whole thing

55
00:03:39,290 --> 00:03:42,599
is just one puzzle piece. A lot of people
are saying: “This was one win but there

56
00:03:42,599 --> 00:03:46,279
are so many other issues!” – Yes, you’re
totally right! This was just one issue.

57
00:03:46,279 --> 00:03:49,439
But you got to start somewhere.
And the whole thing is also

58
00:03:49,439 --> 00:03:53,209
not an ultimate solution. So I can
not present you the final solution

59
00:03:53,209 --> 00:03:57,530
for everything, but probably a couple
of possibilities to do something.

60
00:03:57,530 --> 00:04:00,969
If you’re interested in the documents
– we pretty much publish everything

61
00:04:00,969 --> 00:04:05,469
on the web page. It’s a very old style web
page. But you can download the PDF files

62
00:04:05,469 --> 00:04:10,379
and everything if you’re interested
in the facts and (?) the details.

63
00:04:10,379 --> 00:04:15,779
Talking about facts, the whole thing
started with the Snowden case,

64
00:04:15,779 --> 00:04:19,019
where we kind of for the first time had
documents proving who is actually

65
00:04:19,019 --> 00:04:23,500
forwarding data to the NSA in this case.
And this is the interesting part, because

66
00:04:23,500 --> 00:04:26,530
we have a lot of rumours but if you’re in
a Court room you actually have to prove

67
00:04:26,530 --> 00:04:30,180
everything and you cannot just suspect
that very likely they’re doing it. But you

68
00:04:30,180 --> 00:04:35,199
need actual proof. And thanks to Snowden
we had at least a bunch of information

69
00:04:35,199 --> 00:04:40,550
that we could use. These are the slides,
you all know them. The first very

70
00:04:40,550 --> 00:04:46,880
interesting thing was the FISA act and we
mainly argued under 1881a as an example

71
00:04:46,880 --> 00:04:51,509
for the overall surveillance in the US. So
we took this law as an example but it was

72
00:04:51,509 --> 00:04:55,560
not the only thing we relied on. And I
think it’s interesting for Europeans to

73
00:04:55,560 --> 00:05:01,030
understand how the law actually works.
The law actually goes after data and not

74
00:05:01,030 --> 00:05:08,849
after people. We typically have laws in
criminal procedures that go after people.

75
00:05:08,849 --> 00:05:13,289
This law goes after data. So it totally
falls outside of our normal thinking of

76
00:05:13,289 --> 00:05:15,229
“we’re going after a suspect,
someone that

77
00:05:15,229 --> 00:05:17,810
may have committed a crime”. Basically the

78
00:05:17,810 --> 00:05:21,430
law says that there’s an electronic
communications service provider that holds

79
00:05:21,430 --> 00:05:25,270
foreign intelligence information. That’s
much more than just terrorist prevention,

80
00:05:25,270 --> 00:05:29,919
that’s also things that the US is
generally interested in.

81
00:05:29,919 --> 00:05:33,739
And this is the level that’s publicly
known and everything else is basically

82
00:05:33,739 --> 00:05:38,139
classified. So under the law the FISA
Court can do certification for one year

83
00:05:38,139 --> 00:05:43,669
that basically says “the NSA can access
data”. In this certifications there are

84
00:05:43,669 --> 00:05:46,240
these minimization and targeting
procedures that they have to describe.

85
00:05:46,240 --> 00:05:48,099
But they’re not public.
We don’t know how

86
00:05:48,099 --> 00:05:51,210
they look like. And basically they’re here

87
00:05:51,210 --> 00:05:56,370
to separate data from US people out of
the data set. So it doesn’t really help

88
00:05:56,370 --> 00:06:00,690
a European. And then there is a so called
Directive that goes to the individual

89
00:06:00,690 --> 00:06:04,210
service provider which basically says:
“Give us the data in some technical

90
00:06:04,210 --> 00:06:08,020
format.” So very likely it’s some kind
of API or some kind of possibility

91
00:06:08,020 --> 00:06:12,569
that they can retrieve the data. That’s
what the law says. We don’t know

92
00:06:12,569 --> 00:06:17,440
how it actually looks and we don't
have perfect proof of it. So there are

93
00:06:17,440 --> 00:06:20,530
a lot of things that are disputed and
still disputed by the US government.

94
00:06:20,530 --> 00:06:24,809
So the exact technical implementations,
the amount of data that’s actually pulled,

95
00:06:24,809 --> 00:06:28,830
all the review mechanisms they have
internally. That’s all stuff that was

96
00:06:28,830 --> 00:06:34,110
not 100% sure, and not sure enough
to present it to a Court. Which was

97
00:06:34,110 --> 00:06:38,940
the basic problem we had. First of
all after the Snowden thing broke

98
00:06:38,940 --> 00:06:44,460
we had different reactions. And that was
kind of how I started the procedure.

99
00:06:44,460 --> 00:06:48,020
The first reaction was demonstrations.
We were all walking in the streets.

100
00:06:48,020 --> 00:06:51,080
Which is good and which is important,
but we all know that this is something

101
00:06:51,080 --> 00:06:55,710
we have to do but not something that’s
gonna change the world. Second thing:

102
00:06:55,710 --> 00:06:58,849
we had parliaments like the European
Parliament doing resolutions saying

103
00:06:58,849 --> 00:07:03,110
that we should strike down the Safe Harbor
and this is all bad and evil. We had

104
00:07:03,110 --> 00:07:07,030
the Commission pretty much saying the
same thing. We had national politicians

105
00:07:07,030 --> 00:07:11,569
saying the same thing. And we all knew
that basically this means that they all

106
00:07:11,569 --> 00:07:16,580
send an angry letter to the US. Then they
can walk in front of the media and say:

107
00:07:16,580 --> 00:07:19,879
“Yes, we’ve done something, we sent
an angry letter to the US”, and the US

108
00:07:19,879 --> 00:07:25,229
is just thrown basically in some trash bin
of crazy Europeans wanting strange things

109
00:07:25,229 --> 00:07:31,960
and that was it. So I was actually called
by a journalist and asked if there’s

110
00:07:31,960 --> 00:07:36,610
some other option. And I was then
starting to think about it and there’s

111
00:07:36,610 --> 00:07:42,300
the so called Safe Harbor agreement. To
explain the “Safe Harbor”: In Europe

112
00:07:42,300 --> 00:07:46,490
we have Data Protection law that is on
the papers but factually not enforced.

113
00:07:46,490 --> 00:07:50,569
But at least, in theory, we have it. And
we have a couple of other countries

114
00:07:50,569 --> 00:07:54,819
that have the same level of protection
or similar laws. And generally

115
00:07:54,819 --> 00:07:58,460
Data Protection only works if you keep
the data within the protected sphere so

116
00:07:58,460 --> 00:08:01,150
you’re not allowed to send personal
data to a third country that

117
00:08:01,150 --> 00:08:04,819
doesn’t have adequate protection. There
are a couple of other countries that do;

118
00:08:04,819 --> 00:08:09,740
and therefore you can transfer data e.g.
to Switzerland. This is what the law says.

119
00:08:09,740 --> 00:08:13,460
And there are certain servers that
are outside these countries where

120
00:08:13,460 --> 00:08:17,009
we can have contractual relationships. So
basically if you have a server in India,

121
00:08:17,009 --> 00:08:20,090
you have a contract with your
Indian hosting provider saying:

122
00:08:20,090 --> 00:08:24,199
“You apply proper Data Protection to it”.
So you can transfer data there, too.

123
00:08:24,199 --> 00:08:27,740
All of this is approved by the European
Commission. This is how data

124
00:08:27,740 --> 00:08:33,299
flows legally outside of the EU – personal
data. This all doesn’t apply

125
00:08:33,299 --> 00:08:38,539
to any other kind of data, only personal
data. And we had a basic problem

126
00:08:38,539 --> 00:08:42,469
with the US because there was this
Directive saying you can forward data

127
00:08:42,469 --> 00:08:46,850
to other countries but there is no Data
Protection Law in the US. So basically

128
00:08:46,850 --> 00:08:48,810
you wouldn’t be allowed to send
data there unless you have

129
00:08:48,810 --> 00:08:52,870
some contractual relationship which
is always kind of complicated.

130
00:08:52,870 --> 00:08:58,110
So the solution was to have a self
certification to EU principles

131
00:08:58,110 --> 00:09:01,839
and this was put into an Executive
Decision by the European Commission.

132
00:09:01,839 --> 00:09:06,940
So basically how Safe Harbor is working
is that e.g. Google can walk up and say:

133
00:09:06,940 --> 00:09:12,540
“Hereby I pledge that I follow European
Data Protection Law. I solemnly swear!”.

134
00:09:12,540 --> 00:09:15,110
And then they do whatever they
want to do. And basically

135
00:09:15,110 --> 00:09:17,750
that’s the Safe Harbor system and the
Europeans can walk around saying:

136
00:09:17,750 --> 00:09:22,250
“Yeah, there is some seal saying
that everything is fine, so don’t worry.”

137
00:09:22,250 --> 00:09:25,380
Everybody knew that this is a fucked-up
system but for years and years

138
00:09:25,380 --> 00:09:29,399
everyone was looking away because politics
is there and economics is there and

139
00:09:29,399 --> 00:09:33,560
they just needed it. So basically Safe
Harbor works that way that a US company

140
00:09:33,560 --> 00:09:38,360
can follow the Safe Harbor principles
and say: “We follow them”, then

141
00:09:38,360 --> 00:09:41,519
the Federal Trade Commission and private
arbitrators are overlooking them

142
00:09:41,519 --> 00:09:46,700
– in theory, in practice they never do –
and this whole thing was packaged

143
00:09:46,700 --> 00:09:50,160
into decision by the European
Commission. And this is the so called

144
00:09:50,160 --> 00:09:55,600
Safe Harbor system. So from a European
legal point of view it’s not an agreement

145
00:09:55,600 --> 00:10:01,010
with the US, it’s a system that the US has
set up that we approved as adequate. So

146
00:10:01,010 --> 00:10:04,300
there’s no binding thing between the US
and Europe, we can kind of trash it

147
00:10:04,300 --> 00:10:10,790
any time. They’ve just never done that.
Which brings me to the legal argument.

148
00:10:10,790 --> 00:10:14,930
Basically if I’m this little Smiley down
there, I’m sitting in Austria and

149
00:10:14,930 --> 00:10:20,920
transfer my data to Facebook Ireland,
because worldwide – 82% of all users

150
00:10:20,920 --> 00:10:23,890
have a contract with Facebook Ireland.
Anyone that lives outside the US

151
00:10:23,890 --> 00:10:28,600
and Canada. So anyone from China,
South America, Africa has a contract

152
00:10:28,600 --> 00:10:33,670
with Facebook in Ireland. And legally they
forward the data to Facebook in the US;

153
00:10:33,670 --> 00:10:37,170
technically the data is directly
forwarded. So the data is actually flowing

154
00:10:37,170 --> 00:10:41,529
right to the servers in the US. However
legally it goes through Ireland. And

155
00:10:41,529 --> 00:10:46,029
my contract partner is an Irish company.
And under the law they can only transfer

156
00:10:46,029 --> 00:10:49,839
data to the US if there is adequate
protection. At the same time we know

157
00:10:49,839 --> 00:10:53,550
that the PRISM system is hooked up in
the end. So I was basically walking up

158
00:10:53,550 --> 00:10:56,720
to the Court and saying: “Mass
Surveillance is very likely not

159
00:10:56,720 --> 00:11:01,669
adequate protection, he?” And
that was basically the argument.

160
00:11:01,669 --> 00:11:08,980
<i>applause</i>

161
00:11:08,980 --> 00:11:12,250
The interesting thing in this situation
was actually the strategic approach.

162
00:11:12,250 --> 00:11:17,899
So, we have the NSA and other surveillance
organizations that use private companies.

163
00:11:17,899 --> 00:11:21,880
So we have kind of a public-private
surveillance partnership. It’s PPP in

164
00:11:21,880 --> 00:11:28,540
a kind of surveillance way. Facebook is
subject to US law, so under US law they

165
00:11:28,540 --> 00:11:32,110
have to forward all the data. At the same
time Facebook Ireland is subject to

166
00:11:32,110 --> 00:11:35,040
European law so they’re not
allowed to forward all this data.

167
00:11:35,040 --> 00:11:41,550
Which is interesting because
they’re split. The EU law regulates

168
00:11:41,550 --> 00:11:45,570
how these third cwountry transfers work.
And all of this has to be interpreted

169
00:11:45,570 --> 00:11:49,959
under Fundamental Rights. So this was
basically the system were looking at.

170
00:11:49,959 --> 00:11:53,459
And the really crucial thing is that we
have this public-private surveillance.

171
00:11:53,459 --> 00:11:56,930
Because we do have jurisdiction over
private company. We don’t have

172
00:11:56,930 --> 00:12:00,680
jurisdication over the NSA. We can
send angry letters to the NSA. But

173
00:12:00,680 --> 00:12:04,070
we do have jurisdiction over Facebook,
Google etc. because they’re basically

174
00:12:04,070 --> 00:12:08,769
based here. Mainly for tax reasons.
And this was the interesting thing that

175
00:12:08,769 --> 00:12:11,720
in difference to the national surveillance
where we can pretty much just send

176
00:12:11,720 --> 00:12:15,240
the angry letters we can do something
about the private companies. And

177
00:12:15,240 --> 00:12:19,230
without the private companies there is
almost no mass surveillance in this scale

178
00:12:19,230 --> 00:12:22,810
because the NSA is not in our phones,
it’s the Googles and Apples and whatever.

179
00:12:22,810 --> 00:12:29,000
And without them you’re not really
able to get this mass surveillance.

180
00:12:29,000 --> 00:12:32,579
This is like the legal chart. Basically
what we argued is: there’s 7 and 8

181
00:12:32,579 --> 00:12:35,490
of the Charta of Fundamental Rights.
That’s your right to Privacy and

182
00:12:35,490 --> 00:12:39,420
your right to Data Protection. There
is an article in the Directive that

183
00:12:39,420 --> 00:12:44,149
has to be interpreted in light of it. Then
there’s the Executive Decision of the EU.

184
00:12:44,149 --> 00:12:48,750
This is basically the Safe Harbor
decision which refers to Paragraph 4

185
00:12:48,750 --> 00:12:52,990
of the Safe Harbor principles. And the
Safe Harbor principles basically say

186
00:12:52,990 --> 00:12:56,540
that the FISA Act is okay. So
you have kind of this circle

187
00:12:56,540 --> 00:13:01,579
of different legal layers which is getting
really crazy. I’ll try to break it down

188
00:13:01,579 --> 00:13:05,339
a little bit. Basically 7 and 8 of the
Charta we basically compared

189
00:13:05,339 --> 00:13:08,690
to Data Retention, so the
“Vorratsdatenspeicherung”.

190
00:13:08,690 --> 00:13:13,820
We basically said PRISM is much worse. If
“Vorratsdatenspeicherung” (Data Retention)

191
00:13:13,820 --> 00:13:18,300
was invalid then PRISM has to be 10 times
as bad. That was basically the argument.

192
00:13:18,300 --> 00:13:22,240
Very simple. We just compared: the
one was content data – the other one

193
00:13:22,240 --> 00:13:25,779
was meta data. The one is storage
– the other one is making available.

194
00:13:25,779 --> 00:13:29,519
And the one is endless – the other
one is 24 months. So basically

195
00:13:29,519 --> 00:13:33,540
in all these categories PRISM was much
worse. And if the one has to be illegal

196
00:13:33,540 --> 00:13:37,639
the other one has to be as well. And
what’s interesting – and that’s something

197
00:13:37,639 --> 00:13:42,740
that the US side is typically not getting
– is that Article 8 is already covering

198
00:13:42,740 --> 00:13:47,459
“making available of data”. So the
fun thing is I only had to prove

199
00:13:47,459 --> 00:13:51,190
that Facebook makes data available,
so basically it’s possible

200
00:13:51,190 --> 00:13:55,420
the NSA is pulling it. I didn’t even have
to prove that the NSA is factually pulling

201
00:13:55,420 --> 00:14:00,190
my personal data. And this was like the
relevant point because under US law

202
00:14:00,190 --> 00:14:04,220
basically your Fundamental Rights only
kick in when they factually look at your

203
00:14:04,220 --> 00:14:07,850
data and actually surveil you. So I was
only: “They’re making it available

204
00:14:07,850 --> 00:14:11,740
– that’s good enough for me!” which
was making all these factual evidence

205
00:14:11,740 --> 00:14:16,789
much easier. So basically I only had
to say: “Look at the XKeyscore slides

206
00:14:16,789 --> 00:14:22,180
where they say ‘user name Facebook’
they can get somehow the data out of it.

207
00:14:22,180 --> 00:14:26,860
It’s at least made available; that’s
all I need to prove”. And this is

208
00:14:26,860 --> 00:14:30,360
the big difference between the US
– it’s very simplified, but basically

209
00:14:30,360 --> 00:14:34,649
between the US approach and the European
approach; is that in the US you have to

210
00:14:34,649 --> 00:14:38,639
prove that your data is actually pulled.
I only had to prove that my data is made

211
00:14:38,639 --> 00:14:44,399
available. So I had to… I was able to
get out of all the factual questions.

212
00:14:44,399 --> 00:14:48,100
This is a comparison – you basically…
in the US we have very strict laws

213
00:14:48,100 --> 00:14:53,149
for certain types of surveillance while in
Europe we have a more flexible system

214
00:14:53,149 --> 00:14:56,730
that covers much more. So it’s a
different approach that we just have

215
00:14:56,730 --> 00:15:00,279
in the two legal spheres. We’re both
talking about your Fundamental

216
00:15:00,279 --> 00:15:03,750
Right to Privacy, but in details it’s
very different. And that’s kind of

217
00:15:03,750 --> 00:15:07,909
the differences what we used. The fun
thing is if you’re European you don’t have

218
00:15:07,909 --> 00:15:11,509
any rights in the US anyways because
the Bill Of Rights only applies to people

219
00:15:11,509 --> 00:15:15,829
that live in the US and US citizens so
you’re out of luck anyways. So you’re

220
00:15:15,829 --> 00:15:20,209
only left with the European things.
Basically the law which is

221
00:15:20,209 --> 00:15:23,550
the second level after the Fundamental
Rights is saying that there has to be

222
00:15:23,550 --> 00:15:28,250
an adequate level of protection as I said
and this third country has to ensure it

223
00:15:28,250 --> 00:15:33,279
by domestic law or international
commitments. And I was saying: “You know

224
00:15:33,279 --> 00:15:36,180
there’s the FISA Act, you can read
it, it definitely doesn’t ensure

225
00:15:36,180 --> 00:15:38,630
your fundamental rights and an
adequate protection. So we're

226
00:15:38,630 --> 00:15:45,110
kind of out of Article 25”. And there is
paragraph 4 of the Safe Harbor principles

227
00:15:45,110 --> 00:15:50,829
which say that all these wonderful privacy
principles that US companies sign up to

228
00:15:50,829 --> 00:15:56,579
do not apply whenever a national law
in the US is overruling it. So there are

229
00:15:56,579 --> 00:16:01,690
principles that companies say: “We
follow!” but if there is a city in Texas

230
00:16:01,690 --> 00:16:05,649
saying: “We have a local ordinance
saying: ‘You have to do differently!’”

231
00:16:05,649 --> 00:16:09,029
all these Safe Harbor principles
don’t apply anymore. And this is

232
00:16:09,029 --> 00:16:12,699
the fundamental flaw of the self
certification system that it only works

233
00:16:12,699 --> 00:16:17,240
if there is no law around that conflicts
with it. And as there are tons of laws

234
00:16:17,240 --> 00:16:22,519
that conflict with it you’re hardly
able to hold up a system like that.

235
00:16:22,519 --> 00:16:26,220
So basically if you go through all these
different legal layers you end up with

236
00:16:26,220 --> 00:16:29,730
a conflict between the US FISA Act
and the European Fundamental Rights.

237
00:16:29,730 --> 00:16:33,069
So you’re going through different layers
of the system but you’re basically making

238
00:16:33,069 --> 00:16:41,009
a circle. This is what we did which was
a little bit complicated but worked.

239
00:16:41,009 --> 00:16:53,719
<i>applause</i>

240
00:16:53,719 --> 00:16:57,430
Basically now to the procedure,
so how the whole thing happened.

241
00:16:57,430 --> 00:17:01,639
First I went through the Safe Harbor. Safe
Harbor allows you to go to TRUSTe or

242
00:17:01,639 --> 00:17:06,630
the Federal Trade Commission and there’s
an online form to make your complaint. And

243
00:17:06,630 --> 00:17:10,270
I was making a complaint and I think you
were only allowed to put in 60 characters

244
00:17:10,270 --> 00:17:13,650
to explain what your complaint is. Which
is a little bit complicated if you’re

245
00:17:13,650 --> 00:17:17,779
trying to explain NSA mass surveillance.
So I only wrote: “Stop Facebook, Inc.’s

246
00:17:17,779 --> 00:17:20,410
involvement in PRISM!”. That
was everything I could actually

247
00:17:20,410 --> 00:17:24,280
put in the text box; that was
the absolute maximum.

248
00:17:24,280 --> 00:17:27,690
And the answer I got back was: “TRUSTe
does not have the authority to address

249
00:17:27,690 --> 00:17:31,280
the matter you raise.” Which is obvious,
it’s a private arbitration company

250
00:17:31,280 --> 00:17:35,370
that can hardly tell Facebook to not
follow the NSA’s guidelines. So

251
00:17:35,370 --> 00:17:39,310
this was the arbitration mechanism under
Safe Harbor. You can also go to the

252
00:17:39,310 --> 00:17:43,390
Federal Trade Commission and have your
complaint filed there. But they basically

253
00:17:43,390 --> 00:17:50,290
just ignore them. This was the letter I
got back, that they received it. But

254
00:17:50,290 --> 00:17:53,760
I was talking to the people at the FTC and
they say: “Yeah, we get these complaints

255
00:17:53,760 --> 00:17:59,130
but they’re ending up in a huge storage
system where they stay for ever after”.

256
00:17:59,130 --> 00:18:02,530
So this was enforcement done by
Safe Harbor. And we knew that

257
00:18:02,530 --> 00:18:05,640
in the private field already; but in this
case it was especially interesting.

258
00:18:05,640 --> 00:18:08,720
To be fair, both of these institutions
have no power to do anything

259
00:18:08,720 --> 00:18:11,260
about mass surveillance. So
there was really a reason why

260
00:18:11,260 --> 00:18:14,330
they didn’t do anything.
The next step you have is

261
00:18:14,330 --> 00:18:17,330
the national Data Protection Commissioner.
So we have 28 countries

262
00:18:17,330 --> 00:18:21,640
with 28 [Commissioners]; plus Germany has
– I think – a Data Protection Commissioner

263
00:18:21,640 --> 00:18:26,940
in every province. And you end up at
this. And this is my most favourite slide.

264
00:18:26,940 --> 00:18:30,500
This is the Irish Data
Protection Commissioner.

265
00:18:30,500 --> 00:18:33,910
<i>applause</i>

266
00:18:33,910 --> 00:18:36,450
To be super precise
– I don’t know if you

267
00:18:36,450 --> 00:18:38,100
can see the laser pointer. But this is a

268
00:18:38,100 --> 00:18:41,570
super market. And this is the Irish Data
Protection Commissioner back there.

269
00:18:41,570 --> 00:18:45,040
<i>laughter, applause</i>

270
00:18:45,040 --> 00:18:48,370
To be a little more fair, actually they’re
up here and they’re like 20 people

271
00:18:48,370 --> 00:18:51,720
when we filed it originally. The fun thing
is back at the times they didn’t have

272
00:18:51,720 --> 00:18:54,730
a single lawyer and not a single
technician. So they were 20

273
00:18:54,730 --> 00:18:58,470
public employees that were dealing
with Data Protection and no one

274
00:18:58,470 --> 00:19:02,960
had any clue of the technical
or the legal things about it.

275
00:19:02,960 --> 00:19:06,140
The fun thing is: this is Billy Hawkes,
the Data Protection Commissioner

276
00:19:06,140 --> 00:19:09,720
at the time. He went on the
national radio in the morning.

277
00:19:09,720 --> 00:19:12,960
And in Ireland radio is a really big
thing. So it was a morning show.

278
00:19:12,960 --> 00:19:16,540
And he was asked about these complaints.
And he actually said on the radio:

279
00:19:16,540 --> 00:19:21,170
“I don’t think it will come
as much of a surprise

280
00:19:21,170 --> 00:19:24,880
that the US services have access
to all the US companies”.

281
00:19:24,880 --> 00:19:28,510
And this was the craziest thing!
I was sitting in front of the radio

282
00:19:28,510 --> 00:19:34,560
and was like: “Strike! He just
acknowledged that all this is true!”.

283
00:19:34,560 --> 00:19:38,040
And the second thing, he said: “This US
surveillance operation is not an issue

284
00:19:38,040 --> 00:19:42,500
of Data Protection”. Interesting.

285
00:19:42,500 --> 00:19:47,570
It’s actually online and you can listen
to it. But the fun thing was really that

286
00:19:47,570 --> 00:19:52,180
the factual level is so hard to prove that
I was afraid that they would dispute:

287
00:19:52,180 --> 00:19:55,380
“Hah, who knows if all this is true?
We don’t have any evidence!

288
00:19:55,380 --> 00:19:58,710
The companies say we are
not engaging in all of this.”

289
00:19:58,710 --> 00:20:02,770
So having the Data Protection Commissioner
saying: “Sure they surveil you!

290
00:20:02,770 --> 00:20:06,330
Are you surprised?” was great
because we were kind of out of

291
00:20:06,330 --> 00:20:10,180
the whole factual debate.

292
00:20:10,180 --> 00:20:13,070
I actually got a letter back from them
saying that they’re not investigating

293
00:20:13,070 --> 00:20:17,850
any of it. And I was asking them why. And
they were naming 2 sections of the law,

294
00:20:17,850 --> 00:20:21,600
a combination thereof. So there was one
thing where it says they shall investigate

295
00:20:21,600 --> 00:20:25,130
– which means they have to – or
they may investigate. And they say

296
00:20:25,130 --> 00:20:28,060
they only “may” investigate complaints
and they just don’t feel like

297
00:20:28,060 --> 00:20:32,710
investigating PRISM and Facebook
and all of this. Secondly they say

298
00:20:32,710 --> 00:20:36,920
that a complaint could be “frivolous
and vexatious” – I love the word!

299
00:20:36,920 --> 00:20:41,130
And therefor they’re not investigating
it. “A combination thereof or indeed

300
00:20:41,130 --> 00:20:47,980
any other relevant matter.” So we
transferred this letter into a picture

301
00:20:47,980 --> 00:20:51,630
which is basically what they said: “So
why did you not investigate PRISM?”

302
00:20:51,630 --> 00:20:54,140
– “‘Shall’ means ‘may’, frivolous
or

303
00:20:54,140 --> 00:20:55,700
vexatious, a combination of A and B

304
00:20:55,700 --> 00:20:58,820
or any other reason.”
So this was the answer

305
00:20:58,820 --> 00:21:01,450
by the Irish Data Protection Commissioner
why they wouldn’t want to investigate

306
00:21:01,450 --> 00:21:05,710
the complaint. Just to give
you background information:

307
00:21:05,710 --> 00:21:08,350
these are the complaints that the Irish
Data Protection Commissioner is receiving

308
00:21:08,350 --> 00:21:10,510
– the blue line – and the red line is
all

309
00:21:10,510 --> 00:21:13,380
of the complaints they’re not deciding.

310
00:21:13,380 --> 00:21:17,420
Which is 96..98% of the complaints

311
00:21:17,420 --> 00:21:20,680
they receive on an average year.
Which is interesting because you have

312
00:21:20,680 --> 00:21:24,130
a right to get a decision but they don’t.

313
00:21:24,130 --> 00:21:27,180
To give you the bigger picture: we
also made complaints on Apple

314
00:21:27,180 --> 00:21:30,510
and all the other PRISM companies.
And Ireland basically said

315
00:21:30,510 --> 00:21:35,310
what I just told you. Luxembourg, where
Skype and Microsoft are situated, said

316
00:21:35,310 --> 00:21:38,760
that they do not have enough evidence for
the participation of Microsoft and Skype

317
00:21:38,760 --> 00:21:43,070
[in PRISM]. And the funniest thing
about the answer was that they said

318
00:21:43,070 --> 00:21:46,030
that they’re restricted by their
investigations to the territory

319
00:21:46,030 --> 00:21:50,220
of Luxembourg. And since all of this is
happening in the US they have no way

320
00:21:50,220 --> 00:21:54,050
of ever finding out what was going on.
So I was telling them: “You know,

321
00:21:54,050 --> 00:21:57,890
most of this is online and if you’re not
able to download it I can print it out

322
00:21:57,890 --> 00:22:02,890
for you and ship it to Luxembourg.” But
the problem is why we didn’t go down

323
00:22:02,890 --> 00:22:06,460
in Luxembourg is because they went down
this factual kind of argument. They said:

324
00:22:06,460 --> 00:22:10,010
“It’s all illegal but factually we
don’t believe it’s true”. And

325
00:22:10,010 --> 00:22:15,280
then there was Germany that are
still investigating until today.

326
00:22:15,280 --> 00:22:18,300
This was Yahoo. Actually that was
Yahoo in Munich but they now

327
00:22:18,300 --> 00:22:21,140
moved to Ireland as well. So I don’t
know what happened to this complaint.

328
00:22:21,140 --> 00:22:23,800
We never heard back. But whenever we sent
an email they were like: “Yeah, we’re

329
00:22:23,800 --> 00:22:29,820
still investigating.” So what happened now
is that I went to the Irish High Court.

330
00:22:29,820 --> 00:22:34,150
To jeopardize the non-decision of the
Irish Data Protection Commissioner.

331
00:22:34,150 --> 00:22:37,350
This is the case that then went down as
“Schrems vs. the Data Protection

332
00:22:37,350 --> 00:22:40,790
Commissioner” which is so strange because
I never wanted to have my name

333
00:22:40,790 --> 00:22:43,690
on any of this and now the decision is
actually called after my second name

334
00:22:43,690 --> 00:22:46,990
which is always freaking me out in a way.
Because you’re fighting for Privacy and

335
00:22:46,990 --> 00:22:51,480
suddenly your name is all over the place.
<i>applause and laughter</i>

336
00:22:51,480 --> 00:22:56,010
<i>applause</i>

337
00:22:56,010 --> 00:23:00,160
And this is the Irish High Court. So you…

338
00:23:00,160 --> 00:23:04,130
It’s very complicated to
get a procedure like that.

339
00:23:04,130 --> 00:23:07,610
The biggest issue is that you need money.
If you’re in front of an Irish Court

340
00:23:07,610 --> 00:23:10,100
and you lose a case you
end up with a legal bill of

341
00:23:10,100 --> 00:23:13,280
a couple of hundred thousand
Euros. Which is the reason why

342
00:23:13,280 --> 00:23:17,600
never anybody ever challenged the
Irish Data Protection Commissioner.

343
00:23:17,600 --> 00:23:21,510
Because you just gonna
lose your house over it!

344
00:23:21,510 --> 00:23:25,900
So what I did is: we did a little
bit of crowd-funding! And

345
00:23:25,900 --> 00:23:29,420
we actually got about 70.000 Euros out
of it. This was a crowd-funding platform

346
00:23:29,420 --> 00:23:32,180
that basically worked in a way
that people could donate

347
00:23:32,180 --> 00:23:35,950
and if we don’t need the money we either
donate it to another Privacy cause

348
00:23:35,950 --> 00:23:39,710
or we actually give people the money
back. Which we got to have to do

349
00:23:39,710 --> 00:23:43,490
because we won the case. And all
our costs are paid by the other side.

350
00:23:43,490 --> 00:23:49,960
<i>applause</i>

351
00:23:49,960 --> 00:23:55,660
So the fun thing is you then have to
walk into this wonderful old Court here

352
00:23:55,660 --> 00:23:59,710
on Mondays at 11:30. And
there’s a room where you can

353
00:23:59,710 --> 00:24:03,990
make your application. And about 100 other
people making their application as well.

354
00:24:03,990 --> 00:24:06,850
And there is no number. So there
are 100 lawyers sitting in a room,

355
00:24:06,850 --> 00:24:11,240
waiting for the judge to call out your
case. So we were sitting there until 4 PM

356
00:24:11,240 --> 00:24:15,430
or something until suddenly our case was
called up. And we actually got kind of

357
00:24:15,430 --> 00:24:19,260
the possibility to bring our case and then
it’s postponed to another date and

358
00:24:19,260 --> 00:24:24,400
blablablablabla. In the end you
end up with something like this.

359
00:24:24,400 --> 00:24:28,380
Which is all the paperwork
because in Ireland the Courts

360
00:24:28,380 --> 00:24:33,020
are not computerized so far. So you
have to bring all the paperwork,

361
00:24:33,020 --> 00:24:38,200
anything you rely on, in 3 copies.
And it’s all paper, noted of the pages,

362
00:24:38,200 --> 00:24:43,260
so all these copies have pages 1 to 1000.
Someone’s writing all of them on the page.

363
00:24:43,260 --> 00:24:46,010
And then they copy it 3 times and it’s
then in this wonderful little thing.

364
00:24:46,010 --> 00:24:49,810
I thought it’s great. And
what happened is that

365
00:24:49,810 --> 00:24:53,630
we walked into the judge’s room and you
get a judge assigned on the same day.

366
00:24:53,630 --> 00:24:57,690
So you end up in front of a judge
that has never heard about Privacy,

367
00:24:57,690 --> 00:25:00,570
never heard about Facebook and
never heard about Snowden and PRISM

368
00:25:00,570 --> 00:25:03,710
and any of this. So you walk into the
room as like “We would like to debate

369
00:25:03,710 --> 00:25:08,220
the Safe Harbor with you” and he was like
“What the fuck is the Safe Harbor?”.

370
00:25:08,220 --> 00:25:12,250
So what happened is that he told us to
kind of explain what it is for 15 minutes.

371
00:25:12,250 --> 00:25:16,280
And then he postponed the
whole thing for 2 hours I think

372
00:25:16,280 --> 00:25:19,960
and we walked over to a pub and had a
beer. So that the judge could remotely

373
00:25:19,960 --> 00:25:24,540
read what he’s about to look into.

374
00:25:24,540 --> 00:25:27,150
And Ireland is very interesting because
you need a Solicitor and a Counsel

375
00:25:27,150 --> 00:25:30,900
and then the Counsel is actually talking
to the Judge. So I actually had 2 filters.

376
00:25:30,900 --> 00:25:34,010
If I’m the client down here I had to
talk to my Solicitor. The Solicitor

377
00:25:34,010 --> 00:25:38,520
was telling the Counsel what to say to the
Judge. So half of it was lost on the way.

378
00:25:38,520 --> 00:25:41,730
And when I was asking if I could
just address the Judge personally

379
00:25:41,730 --> 00:25:44,770
they were like “No, no way that you could
possibly address the Judge personally

380
00:25:44,770 --> 00:25:46,240
even though you’re the claimant”.
Which is

381
00:25:46,240 --> 00:25:48,110
funny ’cause they talk about this “person”

382
00:25:48,110 --> 00:25:52,060
in the room. It’s like “What’s the problem
of this Mr. Schrems?”. And you’re like

383
00:25:52,060 --> 00:25:57,040
sitting right here, it’s like
“This would be me!”.

384
00:25:57,040 --> 00:26:01,060
So what happened in Ireland is that we
had about 10 reasons why under Irish law

385
00:26:01,060 --> 00:26:05,960
the Irish Data Protection Commissioner
would have to do its job but the Court

386
00:26:05,960 --> 00:26:09,880
actually wiped all of this from the table
and said actually the Safe Harbor

387
00:26:09,880 --> 00:26:12,580
is the issue, which legally they’re
not allowed to do what politically

388
00:26:12,580 --> 00:26:16,500
was very wise and forwarded this
wonderful easy-to-understand question

389
00:26:16,500 --> 00:26:19,710
to the European Court of Justice.

390
00:26:19,710 --> 00:26:23,480
The reason why they put this kind
of very random question is that

391
00:26:23,480 --> 00:26:27,710
if you jeopardize a law in Ireland you
have to get some Advocate General engaged.

392
00:26:27,710 --> 00:26:30,090
And they didn’t want to do that
so they kind of “asked a question

393
00:26:30,090 --> 00:26:33,890
around the actual question”
to not really get them engaged.

394
00:26:33,890 --> 00:26:35,720
Which was very complicated
because we didn’t know how

395
00:26:35,720 --> 00:26:38,610
the European Court of Justice ’d kind of
react to this random question because

396
00:26:38,610 --> 00:26:41,530
it was so broad that they could just walk
any other direction and not address

397
00:26:41,530 --> 00:26:47,330
the real issue. What was wonderful is
that in the judgment by the Irish Court

398
00:26:47,330 --> 00:26:50,640
they have actually said that
all of this is factually true.

399
00:26:50,640 --> 00:26:54,170
All the mass surveillance is factually
true. And the fun thing to understand

400
00:26:54,170 --> 00:26:58,720
is that the factual assessment is done by
the national Courts. So the European

401
00:26:58,720 --> 00:27:02,000
Court of Justice is not engaging in
factual matters anymore. They only

402
00:27:02,000 --> 00:27:06,800
ask legal questions: “Is this legal or
not”. So we had a split of responsibility.

403
00:27:06,800 --> 00:27:10,680
The Irish Court only said that all of this
is true. And Luxembourg only said

404
00:27:10,680 --> 00:27:15,050
that all of this would be legal if all of
this would be true. Which was kind of

405
00:27:15,050 --> 00:27:19,530
an interesting situation. But to be
fair no one before the European

406
00:27:19,530 --> 00:27:23,010
Court of Justice has ever questioned
that this is true. So even the UK

407
00:27:23,010 --> 00:27:26,270
that was in front of the Court and that
should possibly know if all of this

408
00:27:26,270 --> 00:27:30,270
is true or not, they have never
questioned the facts. <i>laughs</i>

409
00:27:30,270 --> 00:27:34,930
There is a pretty good factual basis.
What was interesting as well is

410
00:27:34,930 --> 00:27:39,150
that I said I’m not gonna go in front
of the European Court of Justice.

411
00:27:39,150 --> 00:27:44,240
Because the cost is so high that even the
60 or 70.000 Euros I got in donations

412
00:27:44,240 --> 00:27:47,970
wouldn’t cover it. And I knew the judge
wants to get this hot potato off his table

413
00:27:47,970 --> 00:27:52,280
and down to Luxembourg. So I was asking
for a so called “protective cost order”

414
00:27:52,280 --> 00:27:55,470
which kind of tells you beforehand that
there is a maximum amount you have to pay

415
00:27:55,470 --> 00:27:57,960
if you lose a case. And it
was actually the first one

416
00:27:57,960 --> 00:28:01,960
to ever get protective cost
order in Ireland granted.

417
00:28:01,960 --> 00:28:06,020
Which was really cool and the Irish
were like outraged about it, too.

418
00:28:06,020 --> 00:28:09,760
<i>applause</i>

419
00:28:09,760 --> 00:28:12,960
So we basically walked into the
European Court of Justice which is

420
00:28:12,960 --> 00:28:17,150
a really hefty procedure.
In this room were…

421
00:28:17,150 --> 00:28:20,520
13 judges are in front of you. The
European Court of Justice has assigned it

422
00:28:20,520 --> 00:28:24,150
to the Great Chamber. So there is a
Small, a Medium and a Great Chamber.

423
00:28:24,150 --> 00:28:28,480
Which is the highest thing you can
possibly end up in Europe. And

424
00:28:28,480 --> 00:28:31,490
it’s chaired by the President of the
European Court of Justice. And this is

425
00:28:31,490 --> 00:28:36,350
kind of where the really really basic,
really important questions are dealt with.

426
00:28:36,350 --> 00:28:38,890
So I was like: “Cool, I’m getting to the
European Court of Justice!”. And it’s

427
00:28:38,890 --> 00:28:41,930
funny because all the lawyers that were in
the room, everyone was like “I can pledge

428
00:28:41,930 --> 00:28:44,580
in front of the European Court of
Justice!”. They all took pictures like

429
00:28:44,580 --> 00:28:47,040
they were in Disneyland or something.
<i>audience laughing</i>

430
00:28:47,040 --> 00:28:52,970
And it was – lawyers can be
very… kind of… interesting. And

431
00:28:52,970 --> 00:28:57,250
we ended up in front of these 3 major
people. It was the President,

432
00:28:57,250 --> 00:29:00,860
Thomas von Danwitz – who is the German
judge and he also wrote the lead decision.

433
00:29:00,860 --> 00:29:03,710
He’s the Judge Rapporteur, so within
the 13 judges there’s one that is

434
00:29:03,710 --> 00:29:07,130
the reporting judge and actually drafts
the whole case. And he was also

435
00:29:07,130 --> 00:29:12,760
doing the Data Retention. And then there
was Yves Bot as the Advocate General.

436
00:29:12,760 --> 00:29:15,220
The hearing was interesting
because we got questions

437
00:29:15,220 --> 00:29:18,480
from the European Court of Justice before
the hearing. And in these questions

438
00:29:18,480 --> 00:29:21,600
they were actually digging down into
the core issues of mass surveillance

439
00:29:21,600 --> 00:29:25,930
in the US. When I got the questions
I was like “We won the case!” because

440
00:29:25,930 --> 00:29:30,810
there’s no way they can decide differently
as soon as they address the question.

441
00:29:30,810 --> 00:29:34,790
There were participants from all over
Europe. These are the countries,

442
00:29:34,790 --> 00:29:37,660
then there was the European Parliament,
the European Data Protection Supervisor

443
00:29:37,660 --> 00:29:40,770
and the European Commission.
There was me – MS down there,

444
00:29:40,770 --> 00:29:44,940
the Data Protection Commissioner
and Digital Rights Ireland. And

445
00:29:44,940 --> 00:29:49,310
what was interesting was the countries
that were not there. Like Germany, e.g.

446
00:29:49,310 --> 00:29:53,000
was not there in this major procedure.
And as far as I’ve heard there were

447
00:29:53,000 --> 00:30:00,300
reasons of not getting too engaged in
the Transatlantic Partnership problem.

448
00:30:00,300 --> 00:30:04,800
So this was kind of interesting because
the UK walked up but Germany was like:

449
00:30:04,800 --> 00:30:08,130
“No, we rather don’t want
to say anything about this.”

450
00:30:08,130 --> 00:30:12,370
What was interesting as well is that there
were interventions by the US Government.

451
00:30:12,370 --> 00:30:16,470
So I heard… we were… on a Tuesday we
were actually in the Court. And on Mondays

452
00:30:16,470 --> 00:30:20,430
I got text messages from people of
these different countries telling me that

453
00:30:20,430 --> 00:30:25,040
the US just called them up. And
I was like: “This is interesting”

454
00:30:25,040 --> 00:30:28,180
because I know a lot of these people from
conferences and stuff. So they were like

455
00:30:28,180 --> 00:30:31,210
telling me: “The US just called me
up and said they wanna talk to my

456
00:30:31,210 --> 00:30:34,520
lead lead lead supervisor and tell me
what to say tomorrow in the Court”.

457
00:30:34,520 --> 00:30:38,050
It was like: “This is very interesting!”.

458
00:30:38,050 --> 00:30:44,070
I was actually in the Court room and there
was the justice person from the US embassy

459
00:30:44,070 --> 00:30:47,650
to the European Union. And he was actually
watching the procedure and watching

460
00:30:47,650 --> 00:30:50,430
what everybody was arguing.
Where I had a feeling this is

461
00:30:50,430 --> 00:30:54,130
like a watchdog situation. And someone
pointed out that this is the guy,

462
00:30:54,130 --> 00:30:57,420
so I knew who it is. And he was walking up
to me and asked: “Are you the plaintiff?”

463
00:30:57,420 --> 00:31:02,960
And I said: “Yeah, hey!” and he was
trying to talk to me and I said:

464
00:31:02,960 --> 00:31:06,420
“Did you manage calling everybody by now
or do you still need a couple of numbers?”

465
00:31:06,420 --> 00:31:06,870
<i>audience laughing</i>

466
00:31:06,870 --> 00:31:11,650
And he was like: “(?) arrogant!”. He was
like: “He didn’t just ask this question?”.

467
00:31:11,650 --> 00:31:15,590
He said: “No, we kind of we’re in contact
with all of our colleagues and of course

468
00:31:15,590 --> 00:31:19,280
we have to kind of push for the interest
of the US” and blablabla. I thought:

469
00:31:19,280 --> 00:31:22,840
“This is very interesting!”. But
anyway, it didn’t help them.

470
00:31:22,840 --> 00:31:27,720
No one of them was really kind
of arguing for the US, actually.

471
00:31:27,720 --> 00:31:30,440
The findings of the European Court of
Justice, so what was in the judgment

472
00:31:30,440 --> 00:31:36,050
in the end. First of all, Safe Harbor
is invalid. Which was the big news.

473
00:31:36,050 --> 00:31:39,340
And this was over night. We were expecting
that they would have a grace period

474
00:31:39,340 --> 00:31:43,700
so it’s invalid within 3 months or
something like this. But in the minute

475
00:31:43,700 --> 00:31:48,450
they were saying it there all your data
transfers to the US were suddenly illegal.

476
00:31:48,450 --> 00:31:58,710
<i>applause</i>
Which was kind of big.

477
00:31:58,710 --> 00:32:02,070
The second biggie was that they actually
said that the essence of your rights

478
00:32:02,070 --> 00:32:04,850
is violated. Now this, for an average
person, doesn’t mean too much.

479
00:32:04,850 --> 00:32:10,270
But for a lawyer it says: “Oh my
god, the essence is touched!!”.

480
00:32:10,270 --> 00:32:14,170
To explain to you what the essence is and
why everybody is so excited about it is:

481
00:32:14,170 --> 00:32:17,820
basically if you have a violation of
your rights you have no interference.

482
00:32:17,820 --> 00:32:20,420
So if a policeman was walking
down the street and watching you

483
00:32:20,420 --> 00:32:24,030
there’s no interference with any of your
rights. If they probably tapped your phone

484
00:32:24,030 --> 00:32:27,450
there is some kind of proportionality
issue which is what we typically debate

485
00:32:27,450 --> 00:32:30,950
before a Court. There is a system how
you argue if something is proportionate

486
00:32:30,950 --> 00:32:34,750
or not. So e.g. Data Retention
was not proportionate.

487
00:32:34,750 --> 00:32:37,950
And Data Retention would be somewhere
here probably. <i>points to slide</i>

488
00:32:37,950 --> 00:32:41,800
So not legal anymore but
still in a proportionality test.

489
00:32:41,800 --> 00:32:44,320
And then there is “the essence”
which means whatever the fuck

490
00:32:44,320 --> 00:32:47,190
you’re trying to do here is totally
illegal because what you’re doing

491
00:32:47,190 --> 00:32:49,690
is so much out of the scale
of proportionality that

492
00:32:49,690 --> 00:32:53,530
it will never be legal. And on Data
Retention it actually said that

493
00:32:53,530 --> 00:32:56,590
for the first time…
<i>applause</i>

494
00:32:56,590 --> 00:33:01,890
<i>applause</i>

495
00:33:01,890 --> 00:33:04,160
…and this was actually the
first time as far as I saw

496
00:33:04,160 --> 00:33:07,290
that the European Court of Justice has
ever said that under the convention.

497
00:33:07,290 --> 00:33:11,410
So the convention is only
in place since 2008, I think.

498
00:33:11,410 --> 00:33:13,640
But it’s the first time they actually
found that in a case which was

499
00:33:13,640 --> 00:33:18,120
huge for law in general. There
was a couple of findings

500
00:33:18,120 --> 00:33:21,660
on Data Protection powers that
are not too interesting for you.

501
00:33:21,660 --> 00:33:26,450
What may be interesting is that

502
00:33:26,450 --> 00:33:29,760
– there is a story to this picture
that’s the reason I put it in –

503
00:33:29,760 --> 00:33:32,310
basically they said that a
third country doesn’t have

504
00:33:32,310 --> 00:33:35,600
to provide adequate protection, as
I said before. So the story was

505
00:33:35,600 --> 00:33:39,210
that third countries originally had
to provide equivalent protection.

506
00:33:39,210 --> 00:33:42,270
But there was lobbying going on,
so the word “equivalent” was

507
00:33:42,270 --> 00:33:47,090
changed to “adequate”. And
“adequate” means basically nothing.

508
00:33:47,090 --> 00:33:51,120
Because anything and nothing can be
adequate. “Adequate” has no legal meaning.

509
00:33:51,120 --> 00:33:55,910
I mean if you ask what an adequate
dressing is – you don’t really know.

510
00:33:55,910 --> 00:33:59,500
So they changed that actually back to the
law… to the wording that was lobbied

511
00:33:59,500 --> 00:34:02,880
out of the law and said it has to be
“essentially equivalent” and that’s how

512
00:34:02,880 --> 00:34:05,980
we now understand “adequate”. Which is
cool because any third country now

513
00:34:05,980 --> 00:34:10,110
has to provide more or less the same
level of protection than Europe has.

514
00:34:10,110 --> 00:34:15,469
There has to be effective detention
and supervision mechanisms. And

515
00:34:15,469 --> 00:34:18,199
there has to be legal redress. Just
a really short thing on the picture:

516
00:34:18,199 --> 00:34:20,899
I was actually just pointing at two
people and they were taking a picture

517
00:34:20,899 --> 00:34:24,530
from down there to make it a Victory
sign. And that’s how the media

518
00:34:24,530 --> 00:34:27,929
is then doing: “Whoo”.
<i>making short Victory gesture</i>

519
00:34:27,929 --> 00:34:31,899
I have to speed up a little bit.
Not too much but a little bit.

520
00:34:31,899 --> 00:34:36,070
The future, and I think that’s probably
relevant for you guys as well…

521
00:34:36,070 --> 00:34:40,820
First of all, what this whole judgment
means. First of all the US

522
00:34:40,820 --> 00:34:44,070
basically lost its privileged
status as being a country

523
00:34:44,070 --> 00:34:47,480
that provides adequate [data] protection.
Which is kind of the elephant in the room

524
00:34:47,480 --> 00:34:50,860
that everyone knew anyway, that they’re
not providing it. And now, officially,

525
00:34:50,860 --> 00:34:55,300
they’re not providing it anymore. And the
US is now like any third country.

526
00:34:55,300 --> 00:35:00,320
So like China or Russia or India or
any country we usually transfer data to.

527
00:35:00,320 --> 00:35:03,750
So it’s not like you cannot transfer
data to the US anymore.

528
00:35:03,750 --> 00:35:06,840
But they lost their special status.
Basically what the judgment said:

529
00:35:06,840 --> 00:35:09,080
“You can’t have mass surveillance
and be at the same time

530
00:35:09,080 --> 00:35:13,490
an adequately [data] protecting country”.
Which is kind of logical anyway.

531
00:35:13,490 --> 00:35:16,540
The consequence is that you have to
use the derogations that are in the law

532
00:35:16,540 --> 00:35:20,100
that we have for other countries as well.
So a lot of people said: “You know,

533
00:35:20,100 --> 00:35:23,610
the only result will be that there will be
a consent box saying ‘I consent that my

534
00:35:23,610 --> 00:35:27,480
[personal] data is going to the US.’”
Now the problem is: consent has to be

535
00:35:27,480 --> 00:35:32,160
freely given, informed, unambiguous
and specific; under European law.

536
00:35:32,160 --> 00:35:34,350
Which is something all the Googles
and Facebooks in the world have

537
00:35:34,350 --> 00:35:36,870
never understood. That’s the reason
why all these Privacy Policies are

538
00:35:36,870 --> 00:35:41,270
typically invalid. But anyway. So if
you have any of these wordings that

539
00:35:41,270 --> 00:35:45,190
they’re currently using, like “Your data
is subject to all applicable laws” it’s

540
00:35:45,190 --> 00:35:48,300
very likely not “informed” and
“unambiguous”. Because you don’t have

541
00:35:48,300 --> 00:35:52,120
any fucking idea that your data is
ending up at the NSA if you read this.

542
00:35:52,120 --> 00:35:55,510
So what they would have to do is to have
some Policy saying: “I agree that all of

543
00:35:55,510 --> 00:35:59,530
my personal data is made available to the
NSA, FBI and whatsoever – YES/NO”.

544
00:35:59,530 --> 00:36:02,080
<i>applause</i>
Because it has to be “freely given”, so

545
00:36:02,080 --> 00:36:04,410
<i>applause</i>
I have to have the option to say “No”.

546
00:36:04,410 --> 00:36:09,050
Now this would theoretically be possible
but under US law they’re placed under

547
00:36:09,050 --> 00:36:10,510
a “gag order”, so they’re
not allowed to

548
00:36:10,510 --> 00:36:13,610
say this. So they’re in a legal kind of

549
00:36:13,610 --> 00:36:17,030
Limbo because on the one hand they have to
say: “It’s this way” but on the other hand

550
00:36:17,030 --> 00:36:22,210
they have to say “No it’s not”. So consent
is not going to give you any solution.

551
00:36:22,210 --> 00:36:25,760
Then there are Standard Contractual
Clauses. That’s the one from Apple that

552
00:36:25,760 --> 00:36:28,130
they’re using right now.

553
00:36:28,130 --> 00:36:31,940
And Standard Contractual Clauses allow
you to have a contract with a provider

554
00:36:31,940 --> 00:36:36,220
in a third country. And that
pledges to you in a contract

555
00:36:36,220 --> 00:36:40,950
that all your data is safe. The problem
is that they have exception clauses.

556
00:36:40,950 --> 00:36:45,140
That basically say: “If there’s mass
surveillance your whole contract is void”

557
00:36:45,140 --> 00:36:48,860
because you cannot have a contract
saying: “Hereby I pledge full Privacy”

558
00:36:48,860 --> 00:36:52,870
and at the same time be subject to these
laws. And this is the interesting thing:

559
00:36:52,870 --> 00:36:56,130
all these companies are saying: “Now we’re
doing Standard Contractual Clauses”,

560
00:36:56,130 --> 00:36:58,400
but none of them are going to hold
up in Courts and everybody knows,

561
00:36:58,400 --> 00:37:00,450
but of course to their shareholders
they have to tell: “Oh we have

562
00:37:00,450 --> 00:37:04,160
a wonderful solution for this.”

563
00:37:04,160 --> 00:37:07,860
The big question here is if we have
a factual or legal assessment.

564
00:37:07,860 --> 00:37:12,690
So do we have to look at factually what
data is actually processed by the NSA

565
00:37:12,690 --> 00:37:16,470
and what are they actually doing. Or do we
just have to look at the laws in a country

566
00:37:16,470 --> 00:37:21,550
and the possibility of mass access. So the
factual assessment works fine for Apple,

567
00:37:21,550 --> 00:37:26,120
Google etc. who are all in these Snowden
slides. If you look at the abstract and

568
00:37:26,120 --> 00:37:30,660
legal assessment which is legally the
thing that probably we have to do

569
00:37:30,660 --> 00:37:34,950
you actually end up with questions like
Amazon. Amazon was not a huge

570
00:37:34,950 --> 00:37:38,280
cloud provider when the Snowden slides
were actually drafted and written.

571
00:37:38,280 --> 00:37:42,410
They’re huge now. And very likely
they’re subject to all of these laws.

572
00:37:42,410 --> 00:37:45,130
So how do we deal with a company like
this? Can we still forward [personal] data

573
00:37:45,130 --> 00:37:48,500
to an Amazon cloud? If we know
they’re subject to these US laws.

574
00:37:48,500 --> 00:37:51,480
So this is the question of which
companies are actually falling

575
00:37:51,480 --> 00:37:56,310
under this whole judgment.

576
00:37:56,310 --> 00:37:59,510
Basically you still have a couple of
other exemptions. So this basic thing

577
00:37:59,510 --> 00:38:03,130
that a couple of people say that you’re
not allowed to book a hotel [room]

578
00:38:03,130 --> 00:38:06,580
in the US anymore is not true. There
are a lot of exceptions in the law e.g.

579
00:38:06,580 --> 00:38:10,580
the performance of a contract. So if
I book a hotel [room] in New York online

580
00:38:10,580 --> 00:38:14,540
my [personal] data has to go to New York
to actually book my hotel [room]. So

581
00:38:14,540 --> 00:38:17,950
in all these cases you can still transfer
[personal] data. The ruling is mainly

582
00:38:17,950 --> 00:38:20,550
on outsourcing. So if you could
theoretically have your [personal] data

583
00:38:20,550 --> 00:38:24,210
in Europe you’re just not choosing because
it’s cheaper to host it in the US or

584
00:38:24,210 --> 00:38:29,280
it’s easier or it’s more convenient. In
these cases we actually get problems.

585
00:38:29,280 --> 00:38:33,700
So what we did is we had a second round
of complaints. That is now taking

586
00:38:33,700 --> 00:38:38,290
these judgments onboard. You can download
them on the web page as well. And there’s

587
00:38:38,290 --> 00:38:43,440
also the deal that Facebook Ireland
with Facebook US has signed.

588
00:38:43,440 --> 00:38:48,760
To have safety to your data. And this is
currently under investigation in Ireland.

589
00:38:48,760 --> 00:38:52,720
Basically I argued that they have a
contract but the contract is void because

590
00:38:52,720 --> 00:38:56,650
US law says they have to do all this mass
surveillance. I just got the letter that

591
00:38:56,650 --> 00:39:01,350
on November, 18th Facebook has actually
given them [to the DPC] a huge amount

592
00:39:01,350 --> 00:39:06,650
of information on what they’re actually
doing with the data. This is now going

593
00:39:06,650 --> 00:39:10,160
to be under investigation. The big
question is if the DPC in Ireland is

594
00:39:10,160 --> 00:39:13,260
actually giving us access to this
information. Because so far all these

595
00:39:13,260 --> 00:39:17,470
evidence that they had they said:
“it’s all secret and you cannot know

596
00:39:17,470 --> 00:39:20,500
what Facebook is doing with your data
even though you’re fully informed about

597
00:39:20,500 --> 00:39:24,220
what they’re doing with your data.”
Which is kind of interesting as well. But

598
00:39:24,220 --> 00:39:30,260
– different issue. A big question was also
if there’s gonna be a Safe Harbor 2.0.

599
00:39:30,260 --> 00:39:33,010
I already was told by everybody they’re
not gonna call it a Safe Harbor anymore

600
00:39:33,010 --> 00:39:37,350
because they’re stuck with media
headlines like “Safe Harbor is sunk”

601
00:39:37,350 --> 00:39:40,270
or something like this.

602
00:39:40,270 --> 00:39:43,320
And what happened is that the US has done
a huge lobbying effort. They have said

603
00:39:43,320 --> 00:39:46,490
right on the day that all of this is based
on wrong facts and they’ve never done

604
00:39:46,490 --> 00:39:50,720
any of this; and all of this
is Trade War; and blablablabla.

605
00:39:50,720 --> 00:39:53,510
So they put a lot of pressure on them.
I was actually talking to Jurova,

606
00:39:53,510 --> 00:39:57,210
the Justice Commissioner. And I was
impressed by her. She actually took

607
00:39:57,210 --> 00:40:00,650
a whole hour and she really knew what
was going on. And at the time they had

608
00:40:00,650 --> 00:40:04,120
press releases saying: “We’re really
deeply working on the new Safe Harbor”.

609
00:40:04,120 --> 00:40:07,390
And I was asking Jurova: “Did you get
any of the evidence you need to make

610
00:40:07,390 --> 00:40:10,850
such a finding?” And the answer
was: “Yeah, we’re still waiting for it.

611
00:40:10,850 --> 00:40:13,770
We should get it next week”.
Which basically meant this

612
00:40:13,770 --> 00:40:17,810
is never going to work out anymore. But
of course I think there’s a blame game

613
00:40:17,810 --> 00:40:21,700
going on. The EU has to say: “We
tried everything to find a solution”

614
00:40:21,700 --> 00:40:24,940
and the US is saying: “We tried
everything to find a solution, too”.

615
00:40:24,940 --> 00:40:27,220
And then in the end they will blame
each other for not finding a solution.

616
00:40:27,220 --> 00:40:30,530
That’s my guess. But
we’ll see what happens.

617
00:40:30,530 --> 00:40:34,350
The basic problem with a Safe Harbor 2
is that in the government sector

618
00:40:34,350 --> 00:40:38,380
they’d basically have to rewrite the whole
US legal system. Which they haven’t done

619
00:40:38,380 --> 00:40:43,660
for their own citizens. So they will very
likely not do it for European citizens.

620
00:40:43,660 --> 00:40:46,640
Like judicial redress. Not even an
American has judicial redress. So

621
00:40:46,640 --> 00:40:50,110
they would never give that to a European.
And the private area: they actually

622
00:40:50,110 --> 00:40:53,750
have to redraft the whole Safe Harbor
principles because they now have to be

623
00:40:53,750 --> 00:40:57,460
essentially equivalent of
what Europe is doing.

624
00:40:57,460 --> 00:41:00,380
So this would also protect people on
the private sphere much more but it

625
00:41:00,380 --> 00:41:05,200
would really take a major overhaul of
the whole system. To give you an idea:

626
00:41:05,200 --> 00:41:08,300
all of these processing operations
are covered by European law. So

627
00:41:08,300 --> 00:41:12,580
from collection all the way
to really deleting the data.

628
00:41:12,580 --> 00:41:16,610
This is what’s covered by the Safe
Harbor principles. Only 2 operations

629
00:41:16,610 --> 00:41:20,250
which is at the closure by “transmission”
and the “change of purpose”. Anything else

630
00:41:20,250 --> 00:41:23,730
they can do as fully as they wanna do
under the current Safe Harbor things.

631
00:41:23,730 --> 00:41:26,960
So if you talk about “essentially
equivalent” you see on these spaces

632
00:41:26,960 --> 00:41:30,540
already <i>points to slide </i>
that this is miles apart.

633
00:41:30,540 --> 00:41:35,350
So what is the future of US-EU-US data
flows? We will have massive problems

634
00:41:35,350 --> 00:41:38,130
for the PRISM companies. Because
what they’re doing is just a violation

635
00:41:38,130 --> 00:41:40,950
of our Fundamental Rights. Give or take
it – you can change the law as much

636
00:41:40,950 --> 00:41:44,680
as you want but you cannot
change the Fundamental Rights.

637
00:41:44,680 --> 00:41:47,770
And you’ll have serious problems
for businesses that are subject

638
00:41:47,770 --> 00:41:51,490
to US surveillance law in
general. So I’m wondering

639
00:41:51,490 --> 00:41:54,580
what the final solution is. And that
was part of the issue that I had

640
00:41:54,580 --> 00:41:57,500
with the cases. Typically I like
to have a solution for all of this.

641
00:41:57,500 --> 00:42:01,450
In this case I could only point at the
problems but I couldn’t really come up

642
00:42:01,450 --> 00:42:05,980
with solutions. Because solutions are
something that has to be done politically.

643
00:42:05,980 --> 00:42:11,190
An interesting question was: “How
about EU surveillance, actually?”

644
00:42:11,190 --> 00:42:15,380
Because aren’t they doing more or
less the same thing? Which is true.

645
00:42:15,380 --> 00:42:18,690
And the problem is that the Charta of
Fundamental Rights only applies

646
00:42:18,690 --> 00:42:23,300
to anything that’s regulated by the EU.
And national surveillance is exempt

647
00:42:23,300 --> 00:42:28,720
from any EU law. It’s something that
member states are doing all by themselves.

648
00:42:28,720 --> 00:42:32,650
So you’re out of luck here. You
can possibly argue it through

649
00:42:32,650 --> 00:42:37,840
a couple of circles; but it’s hard to
do. However, 7 and 8 of the Charta

650
00:42:37,840 --> 00:42:42,210
– exactly the same wording as the
European Convention of Human Rights.

651
00:42:42,210 --> 00:42:46,270
And this applies to National Security
cases. So the relevant Court here

652
00:42:46,270 --> 00:42:49,640
is actually in Strasbourg. So you
could probably end up at this Court

653
00:42:49,640 --> 00:42:53,030
with the same argument and say: if they
already found that this is a violation

654
00:42:53,030 --> 00:42:56,370
of your essence in Luxembourg – don’t
you want to give us the same rights

655
00:42:56,370 --> 00:43:00,520
in Strasbourg as well? And these cool
Courts are in kind of a fight about

656
00:43:00,520 --> 00:43:04,370
kind of providing proper Privacy
protection and protection in general.

657
00:43:04,370 --> 00:43:08,240
So very likely you can walk up with
a German case or with a UK case

658
00:43:08,240 --> 00:43:11,240
or a French case and pretty much do
the same thing here. So the judgment

659
00:43:11,240 --> 00:43:13,710
will be interesting for European
surveillance as well because

660
00:43:13,710 --> 00:43:16,690
it’s a benchmark. And you can hardly
argue that the US is bad and we’re

661
00:43:16,690 --> 00:43:21,200
not doing the same thing. Either solutions
are possibly technical solutions.

662
00:43:21,200 --> 00:43:26,260
So what Microsoft did with the cloud
services and hosting it with the Germans.

663
00:43:26,260 --> 00:43:31,190
And the German Telekom. And there
is really the issue that if you can get

664
00:43:31,190 --> 00:43:36,090
a technical solution of not having any
access from the US side you can actually

665
00:43:36,090 --> 00:43:39,440
get out of the whole problem. So you can
try with encryption or data localization;

666
00:43:39,440 --> 00:43:43,210
all this kind of stuff. However none
of this is really a very sexy solution

667
00:43:43,210 --> 00:43:48,530
to the whole issue. However it's
something that you can possibly do.

668
00:43:48,530 --> 00:43:53,660
Last thing: enforcement. And this a
little bit of a pitch, I got to confess.

669
00:43:53,660 --> 00:43:57,170
We have the problem so far that

670
00:43:57,170 --> 00:44:00,430
we have Data Protection law in Europe.

671
00:44:00,430 --> 00:44:03,090
But we don’t really have enforcement. And
the problem is that the lawyers don’t know

672
00:44:03,090 --> 00:44:06,940
what’s happening technically. The
technical people hardly know

673
00:44:06,940 --> 00:44:10,550
what the law says. And then you
have a funding issue. So the idea

674
00:44:10,550 --> 00:44:13,210
that I have right now is to create some
kind of an NGO or some kind of

675
00:44:13,210 --> 00:44:17,570
a “Stiftung Warentest for Privacy”. To
kind of look into the devices we all have

676
00:44:17,570 --> 00:44:20,880
and kind of have a structured system of
really looking into it. And then probably

677
00:44:20,880 --> 00:44:24,670
do enforcement as well if your
stuff that you have on your device

678
00:44:24,670 --> 00:44:28,750
is not following European law.
I think this is an approach that

679
00:44:28,750 --> 00:44:31,860
probably changes a lot of the issues.
It’s not gonna change everything.

680
00:44:31,860 --> 00:44:35,680
But this could possibly be a solution to
a lot of what we had. And that’s kind of

681
00:44:35,680 --> 00:44:39,650
what we did in other fields of law as
well. That we have NGOs or organizations

682
00:44:39,650 --> 00:44:42,780
that take care of these things. I think
that would be a solution and probably

683
00:44:42,780 --> 00:44:48,090
helps a little bit. Last - before we
have a question/answer session –

684
00:44:48,090 --> 00:44:51,910
a little Bullshit Bingo to probably get a
couple of questions answered right away.

685
00:44:51,910 --> 00:44:55,990
So the first thing is that a lot
of questions are if the EU

686
00:44:55,990 --> 00:44:59,100
does the same thing. I just answered it:
Of course they do the same thing and

687
00:44:59,100 --> 00:45:01,720
we’ll have to do something about it
as well. And I hope that my case

688
00:45:01,720 --> 00:45:06,850
is a good case to bring other cases
against member states of the EU.

689
00:45:06,850 --> 00:45:10,460
The second question is these whole PRISM
companies are saying they don’t do this.

690
00:45:10,460 --> 00:45:14,420
It’s absurd because they’re all placed
under gag orders. Or the people that are

691
00:45:14,420 --> 00:45:17,360
talking to us don’t even have the
security clearance to talk about

692
00:45:17,360 --> 00:45:20,990
the surveillance system. So it’s insane
when a PR person comes up and says:

693
00:45:20,990 --> 00:45:25,040
“I hereby read the briefing from Facebook
that we’re not doing this!”. Which

694
00:45:25,040 --> 00:45:28,620
basically is what we have right now.
And that’s what a lot of the media

695
00:45:28,620 --> 00:45:32,530
is referring to as well. Another thing
that Facebook and the US government

696
00:45:32,530 --> 00:45:36,110
have argued later is that they weren’t
asked. They were not invited to the Court

697
00:45:36,110 --> 00:45:40,510
procedure. The fun thing is: both of them
totally knew about the Court procedure.

698
00:45:40,510 --> 00:45:44,780
They just decided not to step in and not
to get a party of the procedure. So they

699
00:45:44,780 --> 00:45:46,620
were like first: “Ouh,
we don’t wanna talk

700
00:45:46,620 --> 00:45:49,720
about it” and then when the decision

701
00:45:49,720 --> 00:45:53,520
came around they were like:
“Oh we weren’t asked”.

702
00:45:53,520 --> 00:45:56,970
Of course it’s a win-on-paper mainly
but we’re trying to get it implemented

703
00:45:56,970 --> 00:46:01,250
in practice as well. And there
is kind of this argument

704
00:46:01,250 --> 00:46:05,490
“The EU has broken the Internet”
which I typically rebut in “No, the US

705
00:46:05,490 --> 00:46:08,990
has broken the Internet and
the EU is reacting to it”.

706
00:46:08,990 --> 00:46:16,150
<i>applause</i>

707
00:46:16,150 --> 00:46:19,490
Another issue that was interesting
is that a lot of the US side said that

708
00:46:19,490 --> 00:46:23,710
this is protectionism. So the EU is only
enforcing these Fundamental Rights

709
00:46:23,710 --> 00:46:28,870
to hurt US companies. Which is funny
because I’m not involved in kind of

710
00:46:28,870 --> 00:46:31,940
getting more trade to Europe. I’m
just like someone interested in

711
00:46:31,940 --> 00:46:36,340
my Fundamental Rights. And secondly the
European politics has done everything

712
00:46:36,340 --> 00:46:40,610
to kind of not get this case to cross.
So kind of this idea that this is

713
00:46:40,610 --> 00:46:45,100
a protectionist thing is kind of strange,
too. And the last question which is:

714
00:46:45,100 --> 00:46:49,200
“What about the Cables? What about all
the other types of surveillance we have?”

715
00:46:49,200 --> 00:46:53,940
They’re an issue, too. In these cases you
just have more issues of actual hacking,

716
00:46:53,940 --> 00:46:58,870
government hacking, basically. So
illegal access to servers and cables.

717
00:46:58,870 --> 00:47:02,050
Which is harder to tackle with than
these companies. Because we have

718
00:47:02,050 --> 00:47:05,720
this private interference. So there are a
lot of other issues around here as well,

719
00:47:05,720 --> 00:47:09,130
I was just happy to kind of get one thing
across. And I’m happy for questions,

720
00:47:09,130 --> 00:47:13,470
as well.
<i>applause</i>

721
00:47:13,470 --> 00:47:21,300
Herald: Alright…
<i>applause</i>

722
00:47:21,300 --> 00:47:22,989
Max: <i>at lowered voice</i>
Wie lange haben wir noch für Fragen?

723
00:47:22,989 --> 00:47:30,000
Herald: We have about
10 minutes for questions.

724
00:47:30,000 --> 00:47:33,960
I would ask you to please line up at
the microphones here in the hall.

725
00:47:33,960 --> 00:47:37,260
We have 6 microphones. And we have also

726
00:47:37,260 --> 00:47:40,420
questions from the IRC.
While you guys queue up

727
00:47:40,420 --> 00:47:44,220
I would take one from the internet.

728
00:47:44,220 --> 00:47:48,410
Signal Angel: Yeah, just
one – for the first time.

729
00:47:48,410 --> 00:47:51,650
Does TTIP influence any of this?

730
00:47:51,650 --> 00:47:55,600
Max: Basically, not really. Because
the judgment that was done was

731
00:47:55,600 --> 00:47:58,240
on the Fundamental Rights. So if they
have some kind of wording in TTIP

732
00:47:58,240 --> 00:48:02,740
it would again be illegal. And there was
actually a push to get something like that

733
00:48:02,740 --> 00:48:08,750
into TTIP. And as far as I know this idea
was done, after the judgment. <i>laughs</i>

734
00:48:08,750 --> 00:48:13,410
Just a little intro: EDRI has organized
an ask-me-anything thing at 7 PM as well.

735
00:48:13,410 --> 00:48:17,530
So if you got specific questions, you
can also go there. Just as a reminder.

736
00:48:17,530 --> 00:48:20,980
Herald: OK, great.
Microphone No.2, please.

737
00:48:20,980 --> 00:48:25,220
Question: Thank you for your
efforts. The question would be:

738
00:48:25,220 --> 00:48:28,260
Could US businesses
under these findings ever

739
00:48:28,260 --> 00:48:33,930
be again employed
in critical sectors? E.g.

740
00:48:33,930 --> 00:48:39,380
public sector, Windows in the
Bundestag, e.g. and stuff like that?

741
00:48:39,380 --> 00:48:44,230
Max: Yep, yip. That’s a huge problem.
And that’s a problem we had for a while.

742
00:48:44,230 --> 00:48:48,650
I was mainly talking actually with people
in the business area. I’m mainly invited

743
00:48:48,650 --> 00:48:51,460
to conferences there. And people
were telling me: “Yeah, we’re doing

744
00:48:51,460 --> 00:48:55,400
all our bank data on Google
now”. And I was like: WTF?

745
00:48:55,400 --> 00:48:58,670
Because this is not only Privacy.
That’s also trade secrets, all of

746
00:48:58,670 --> 00:49:02,680
this kind of stuff. So there is this
huge issue and if you talk about

747
00:49:02,680 --> 00:49:06,970
the new Windows that is talking home a
little more than the old did, you probably

748
00:49:06,970 --> 00:49:11,010
have the same issue here because
Microsoft is falling under the same thing.

749
00:49:11,010 --> 00:49:14,200
Q: No plausible deniability,
therefor culpability.

750
00:49:14,200 --> 00:49:16,170
M: Yep, yep, yep.
Q: Thank you!

751
00:49:16,170 --> 00:49:18,119
Max: Thank you!

752
00:49:18,119 --> 00:49:20,970
Herald: OK, microphone No.3,
please, for your next question.

753
00:49:20,970 --> 00:49:24,920
Question: How would you assess
Microsoft saying they put up

754
00:49:24,920 --> 00:49:29,060
a huge fight that they… well,

755
00:49:29,060 --> 00:49:32,680
they said they had customers’
data in Ireland and they said

756
00:49:32,680 --> 00:49:36,070
they refuse to give it to the FBI.
What’s to think of that?

757
00:49:36,070 --> 00:49:38,450
Max: I think to be fair a lot of
these companies have realized

758
00:49:38,450 --> 00:49:42,780
that there is an issue. And that
they are the “Feuer am Arsch”.

759
00:49:42,780 --> 00:49:47,170
And Microsoft… actually a couple of
Microsoft people is talking to me

760
00:49:47,170 --> 00:49:50,780
and is like: “We’re actually not
unhappy about this case because

761
00:49:50,780 --> 00:49:54,620
we have a good argument in the US
now that we’re getting troubles here…”

762
00:49:54,620 --> 00:49:59,330
But the companies are between
these 2 chairs. The US law says:

763
00:49:59,330 --> 00:50:02,500
“We kill you if you’re not giving us all
the data” and the problem so far is

764
00:50:02,500 --> 00:50:06,170
that in the EU… e.g. in Austria

765
00:50:06,170 --> 00:50:09,800
the maximum penalty is 25.000 Euro
if you don’t comply with this.

766
00:50:09,800 --> 00:50:11,950
Q: Peanuts.
M: Which is absurd.

767
00:50:11,950 --> 00:50:15,430
And in most other countries it’s the same.
We now have the Data Protection regulation

768
00:50:15,430 --> 00:50:18,060
that is coming up which gives
you a penalty of a maximum

769
00:50:18,060 --> 00:50:21,580
of 4% of the worldwide turnover,
which is a couple of millions.

770
00:50:21,580 --> 00:50:25,060
And if you want to thank someone there’s
Jan Philipp Albrecht, probably in the room

771
00:50:25,060 --> 00:50:28,520
or not anymore, who is the member of [EU]
Parliament from the Green Party, that’s

772
00:50:28,520 --> 00:50:31,920
actually from Hamburg who
has negotiated all of this.

773
00:50:31,920 --> 00:50:34,500
And this actually could possibly
change a couple of these things.

774
00:50:34,500 --> 00:50:38,290
But you have this conflict of laws
and solutions like the Telekom thing –

775
00:50:38,290 --> 00:50:41,650
that you host the data with the Telekom –
could possibly allow them to argue

776
00:50:41,650 --> 00:50:44,690
in the US that they don’t have any factual
access anymore so they can’t give the data

777
00:50:44,690 --> 00:50:49,150
to the US Government. But we’re splitting
the internet here. And this is not really

778
00:50:49,150 --> 00:50:53,270
something I like too much, but
apparently the only solution.

779
00:50:53,270 --> 00:50:55,850
Herald: OK, thank you for your
question. We have another one

780
00:50:55,850 --> 00:51:00,210
at microphone 4, please.

781
00:51:00,210 --> 00:51:07,369
Q: Thank you very much for your
efforts, first of all. And great result!

782
00:51:07,369 --> 00:51:09,630
M: Thank you.
Q: The question from me would also be:

783
00:51:09,630 --> 00:51:12,800
Is there any change in the system
in Ireland now? So somebody has

784
00:51:12,800 --> 00:51:16,190
a similar struggle to yours – the
next round might be easier or not?

785
00:51:16,190 --> 00:51:19,650
Max: Basically what the Irish DPC got
is a wonderful new building. And

786
00:51:19,650 --> 00:51:22,590
the press release is too funny.
Because it says: “We have a very nice

787
00:51:22,590 --> 00:51:27,540
Victorian building now downtown Dublin
in a very nice neighborhood“ and blablabla

788
00:51:27,540 --> 00:51:30,020
and they get double the staff of what
they had before. The key problem

789
00:51:30,020 --> 00:51:33,630
is none of this. I only took the picture
because it kind of shows what’s

790
00:51:33,630 --> 00:51:37,630
inside the building. And the key
problem is that we have 2 countries

791
00:51:37,630 --> 00:51:40,390
– Luxembourg and Ireland, where
all of these headquarters are – and

792
00:51:40,390 --> 00:51:44,080
these 2 countries are not interested
in collecting taxes, they’re

793
00:51:44,080 --> 00:51:48,260
not interested in enforcing Privacy Law,
they’re not interested in any of this. And

794
00:51:48,260 --> 00:51:52,360
they’re basically getting a huge bunch of
money in the back of the rest of the EU.

795
00:51:52,360 --> 00:51:55,869
And until this actually changes
and there’s a change of attitude

796
00:51:55,869 --> 00:52:00,460
in the Irish DPC it doesn’t really
matter in which building they are.

797
00:52:00,460 --> 00:52:03,710
So they got a lot of more money to kind
of – to the public – say: “Yes we have

798
00:52:03,710 --> 00:52:05,660
more money and we have
more staff and dadadadada”…

799
00:52:05,660 --> 00:52:07,700
Q: …but the system did not change!

800
00:52:07,700 --> 00:52:10,680
M: The big question is what the system is
doing: they can prove now! As they have

801
00:52:10,680 --> 00:52:14,180
the new complaint on their table on Safe
Harbor and PRISM and Facebook.

802
00:52:14,180 --> 00:52:16,740
They can prove; if they do something
about it or not – my guess is that

803
00:52:16,740 --> 00:52:19,390
they’ll find “some” random reasons
why unfortunately they couldn’t do

804
00:52:19,390 --> 00:52:23,229
anything about it. We’ll see.
Q: OK, thanks!

805
00:52:23,229 --> 00:52:26,490
Herald: OK, thank you! It’s
your turn, microphone No.2.

806
00:52:26,490 --> 00:52:32,490
Question: OK, thank you very much and also
thank you for your service for the public.

807
00:52:32,490 --> 00:52:40,980
M: Thanks for the support!
<i>applause</i>

808
00:52:40,980 --> 00:52:45,540
Q: What that will…
Sorry about the English…

809
00:52:45,540 --> 00:52:50,030
M: Sag's auf Deutsch!

810
00:52:50,030 --> 00:52:57,869
Q: Was bedeutet das eigentlich für die
Geschichte mit der Vorratsdatenspeicherung

811
00:52:57,869 --> 00:53:03,700
wenn die jetzt wieder kommt?
Und inwiefern wird Social Media

812
00:53:03,700 --> 00:53:08,410
damit jetzt sozusagen freigestellt
wieder oder nicht?

813
00:53:08,410 --> 00:53:12,060
M: To be honest I didn’t really look
into the German Data Retention thing

814
00:53:12,060 --> 00:53:15,610
too much. To be honest, being an Austrian
I’m like “Our Supreme Cou… Constitu…”

815
00:53:15,610 --> 00:53:17,060
Q: Me, too!
<i>audience laughing</i>

816
00:53:17,060 --> 00:53:21,210
M: Yeah, I heard. “Our Constitutional
Court kind of killed it”, so…

817
00:53:21,210 --> 00:53:25,060
I don’t think we’ll see a Data
Retention in Austria too soon.

818
00:53:25,060 --> 00:53:27,380
But for Germany it’s gonna be interesting
especially if you find a way to

819
00:53:27,380 --> 00:53:31,490
go to Luxembourg in the end. Like if you
find some hook to say: “Actually,

820
00:53:31,490 --> 00:53:34,930
this German law violates something
in the Data Protection Regulation

821
00:53:34,930 --> 00:53:38,980
or in the Directive“. So we can probably
find a way to go back to Luxembourg.

822
00:53:38,980 --> 00:53:41,290
Could help. The other thing is that just
the fact that the Luxembourg Court

823
00:53:41,290 --> 00:53:46,100
has been so active has probably boosted
up a lot of the National Courts as well.

824
00:53:46,100 --> 00:53:50,020
Because the German decision, I had
the feeling was like a “We don’t really

825
00:53:50,020 --> 00:53:53,490
feel like we can fully say that this is
actually illegal and we kind of argued

826
00:53:53,490 --> 00:53:56,230
that it’s somehow not illegal the way
it is, but possibly you can do it

827
00:53:56,230 --> 00:54:00,090
in the future and uooah…“. And after
Luxembourg has really thrown

828
00:54:00,090 --> 00:54:04,790
all of this right out of the door and was
like: “Get lost with your Data Retention

829
00:54:04,790 --> 00:54:08,200
thing and especially with the PRISM thing”
you probably have better case law now,

830
00:54:08,200 --> 00:54:11,240
as well. And that could be relevant
for National Courts as well. Because

831
00:54:11,240 --> 00:54:16,160
of course these things are question of
proportionality. And if we ask everybody

832
00:54:16,160 --> 00:54:18,430
here in the room what they
think is proportionate or not,

833
00:54:18,430 --> 00:54:22,400
everyone has another opinion. And
therefore it’s relevant what our people

834
00:54:22,400 --> 00:54:25,260
are saying and what other Courts are
saying to probably get the level of

835
00:54:25,260 --> 00:54:28,780
what we feel as proportionate
somehow a little bit up.

836
00:54:28,780 --> 00:54:31,640
Q: So thank you very much. And go on!
M: Thank you!

837
00:54:31,640 --> 00:54:35,610
Herald: OK, just for the record, in
case you couldn’t tell by the answer:

838
00:54:35,610 --> 00:54:39,680
the question was about the implications
for the Data Retention Laws, like

839
00:54:39,680 --> 00:54:44,690
in Germany and Austria. Microphone
No.1, we have another question.

840
00:54:44,690 --> 00:54:48,750
Question: Hi! Two questions. One: could
you tell a little bit more about your idea

841
00:54:48,750 --> 00:54:55,850
of “Stiftung Datenschutz” Europe-wide?
And how do we get funding to you…

842
00:54:55,850 --> 00:54:58,690
M: Send me an email!
Q: …if you don’t mind?

843
00:54:58,690 --> 00:55:03,810
Second question: when I argue with people
about like “Let’s keep the personal data

844
00:55:03,810 --> 00:55:08,300
of all activists within Europe!” I always
get this answer: “Yeah, are you so naive,

845
00:55:08,300 --> 00:55:11,770
do you think it’s anything different
if the server stands in Frankfurt

846
00:55:11,770 --> 00:55:14,170
instead of San Francisco?”
What do you say to that?

847
00:55:14,170 --> 00:55:17,670
Max: The same problem, like pretty much
what we have is – and that’s the reason

848
00:55:17,670 --> 00:55:20,410
why I said I hope this judgment is used
for National surveillance in Europe,

849
00:55:20,410 --> 00:55:25,190
as well. Because we do have the same
issues. I mean when you are an Austrian

850
00:55:25,190 --> 00:55:29,560
and the German “Untersuchungsausschuss”
is basically saying: “Ah, we’re only

851
00:55:29,560 --> 00:55:32,840
protecting Germans” I feel like my
fucking data is going through Frankfurt

852
00:55:32,840 --> 00:55:36,750
all the times. And I’m kind of out of
the scope, apparently. So we do need

853
00:55:36,750 --> 00:55:39,369
to take care of this as well. I hope
that this is a case showing that

854
00:55:39,369 --> 00:55:42,580
you can actually take action. You
just have to poke long enough and

855
00:55:42,580 --> 00:55:47,770
kind of poke at the right spot especially.
And I think this is something that…

856
00:55:47,770 --> 00:55:51,280
there’s not an ultimate solution to it.
It’s just one of the kind of holes

857
00:55:51,280 --> 00:55:54,869
that you have. The other thing that we
may see is that a lot of companies that

858
00:55:54,869 --> 00:55:59,630
are holding this data are much more
questioning an order they get.

859
00:55:59,630 --> 00:56:03,540
Because if they get legal problems from
an order they got by a German Court

860
00:56:03,540 --> 00:56:08,210
or whatever it is they probably
are now more interested in – and

861
00:56:08,210 --> 00:56:10,530
actually looking at it. Because
right now it’s cheaper for them

862
00:56:10,530 --> 00:56:14,390
to just forward the data. You don’t need
a whole Legal Team, reviewing it all.

863
00:56:14,390 --> 00:56:17,760
So I think to kind of split the private
companies that are helping them

864
00:56:17,760 --> 00:56:21,880
from the Government and kind of get some
issue between them probably helps there,

865
00:56:21,880 --> 00:56:25,010
as well. But of course it’s just like
little peanuts you put in there.

866
00:56:25,010 --> 00:56:28,930
But in the end you have that
issue, in the end. Yeah.

867
00:56:28,930 --> 00:56:34,660
On the “Stiftung Datenschutz” or whatever:
I think that’s kind of a thing I just

868
00:56:34,660 --> 00:56:37,710
wanted to blow out to people here, because
I’m mainly in the legal sphere and in,

869
00:56:37,710 --> 00:56:43,200
like the activist/consumer side. And
I think that’s the big problem we have

870
00:56:43,200 --> 00:56:48,249
in the legal and consumer side is that we
don’t understand the devices that much.

871
00:56:48,249 --> 00:56:51,050
And we lack the evidence. We
don’t really have the evidence of

872
00:56:51,050 --> 00:56:54,050
what’s actually going on on devices
and you need to have this evidence

873
00:56:54,050 --> 00:56:56,869
if you go in front of Courts. I think
a lot of the people in the room probably

874
00:56:56,869 --> 00:57:00,890
have this evidence somewhere on the
computer. So the idea of really getting

875
00:57:00,890 --> 00:57:03,670
this connection at some point – it’s not
something I can pitch to you right away,

876
00:57:03,670 --> 00:57:07,220
because it’s not… like I don’t wanna
start it tomorrow. But it’s something

877
00:57:07,220 --> 00:57:10,560
I wanted to circulate to get feedback
as well, what you guys think of it.

878
00:57:10,560 --> 00:57:15,559
So if there’s any feedback on it, send me
an email, or twitter. Or whatever it is.

879
00:57:15,559 --> 00:57:21,520
<i>applause</i>

880
00:57:21,520 --> 00:57:23,789
Herald: So we do have a bit time left,

881
00:57:23,789 --> 00:57:26,640
microphone No.2 with the
next question, please.

882
00:57:26,640 --> 00:57:31,390
Question: What can I do as an individual
person now? Can I sue Google

883
00:57:31,390 --> 00:57:35,770
or can I sue other companies
just to stop this?

884
00:57:35,770 --> 00:57:40,160
And would it create some
pressure if I do that?

885
00:57:40,160 --> 00:57:43,040
So what can the ordinary
citizen do now?

886
00:57:43,040 --> 00:57:47,160
Max: We’re right now… I already prepared
it but I didn’t have time to send it out

887
00:57:47,160 --> 00:57:50,070
to have complaints against the Googles and
all the others that are on the PRISM list.

888
00:57:50,070 --> 00:57:53,180
We started with Facebook because I kind
of know them the best. And, you know, so

889
00:57:53,180 --> 00:57:57,430
it was a good start. And the idea
was really to have other people

890
00:57:57,430 --> 00:58:00,790
probably copy-pasting this. The complaint
against Facebook we actually filed

891
00:58:00,790 --> 00:58:05,109
with the Hamburg DPC, as well, and the
Belgium DPC. The idea behind it was

892
00:58:05,109 --> 00:58:08,670
that the Irish now suddenly have 2 other
DPCs that are more interested in

893
00:58:08,670 --> 00:58:12,940
enforcing the law in their boat. So
they’re not the only captains anymore.

894
00:58:12,940 --> 00:58:17,330
And it’s interesting what’s gonna happen
here. If there are other people

895
00:58:17,330 --> 00:58:21,660
that have other cases and just file a
complaint with your Data Protection

896
00:58:21,660 --> 00:58:25,200
authority, a lot of them, especially the
German Data Protection authorities

897
00:58:25,200 --> 00:58:28,940
– most of them – are really interested
in doing something about it, but

898
00:58:28,940 --> 00:58:32,260
they oftentimes just need a case. They
need someone to complain about it and

899
00:58:32,260 --> 00:58:37,070
someone giving them the evidence and
someone arguing it, to get things started.

900
00:58:37,070 --> 00:58:41,760
So if anyone is using Google Drive
or something like that – let’s go.

901
00:58:41,760 --> 00:58:44,750
And basically the wording is on our web
page. You just have to download it

902
00:58:44,750 --> 00:58:50,300
and reword it. And we’re gonna probably
publish on the website the complaints

903
00:58:50,300 --> 00:58:53,080
against the other companies, as soon as
they’re out. Probably the next 2..3 weeks.

904
00:58:53,080 --> 00:59:00,270
Something like this. So just
copy-paste and spread the love.

905
00:59:00,270 --> 00:59:04,260
Herald: OK, thank you
very much, Max, again!

906
00:59:04,260 --> 00:59:07,530
For your great talk. This is it!

907
00:59:07,530 --> 00:59:10,430
<i>postroll music</i>

908
00:59:10,430 --> 00:59:17,919
<i>Subtitles created by c3subtitles.de
in 2016. Join and help us do more!</i>