32C3 preroll music Herald: Our next talk is called “Safe Harbor”. Background is: back in October, in the light of the Snowden revelations the Court of Justice of the European Union – that’s the “EuGH” in German – declared the Safe Harbor agreement between the EU and the US invalid. This talk is about how we got there as well as further implications of that decision. Please believe me when I say our speaker is ideally suited to talk about that topic. Please give it up for the man actually suing Facebook over Data Protection concerns: Max Schrems! applause and cheers Max Schrems: Hello! Hey! applause and cheers applause It’s cheerful like some Facebook annual conference where the newest things are kind of presented. I’m doing a little intro basically on how I got there. This was my nice little university in California. And I was studying there for half a year and there were a couple of people from Facebook and other big companies and they were talking about European Data Protection law. And the basic thing they said – it was not an original quote but basically what they said is: “Fuck the Europeans, you can fuck their law as much as you want and nothing is going to happen.” And that was kind of the start of the whole story because I thought: “Okay, let’s just make a couple of complaints and see where it goes.” I originally got 1,300 pages of Facebook data back then, because you can exercise your right to access. And Facebook actually sent me a CD with a PDF file on it with all my Facebook data. It was by far not everything but it was the first time that someone really got the data and I was asking someone from Facebook why they were so stupid to send me all this information. Because a lot of it was obviously illegal. And the answer was “We had internal communications problems.” So someone was just stupid enough to burn it on a CD and send it on.
One of the CDs actually was first going to Sydney in Australia because they put “Australia” instead of “Austria” on the label, which was one of the things as well. applause Anyway, this was basically how my interest in Facebook started; and the media got crazy about it because there is like a little guy that does something against the big guy. And this is basically how the whole thing got this big. This is like a cartoon from my Salzburg newspaper. This should be me, and it’s basically the reason why the story got that big, because it’s a small guy doing something against Facebook, not necessarily because what I was doing was so especially smart. But the story was just good for the media, ’cause data protection is generally a very dry topic that they can’t report about and they had like the guy that did something. A couple of introductions. We actually had 3 procedures. So if you heard about what I was doing… There was originally a procedure at the Irish Data Protection Commission, on Facebook itself – so what Facebook itself does with the data. This procedure has ended after 3 years. There’s a “Class Action” in Vienna right now that’s still ongoing. It’s in front of the Supreme Court in Austria right now. And there is the procedure that I’m talking about today which is the procedure on Safe Harbor at the Irish Data Protection Commission. A couple of other pieces of background information: I personally don’t think Facebook is the issue. Facebook is just a nice example for an overall bigger issue. So I was never personally concerned with Facebook but for me the question is how we enforce Data Protection and that kind of stuff. applause So it’s not a Facebook talk; Facebook is applause the example. And of course the whole thing is just one puzzle piece. A lot of people are saying: “This was one win but there are so many other issues!” – Yes, you’re totally right! This was just one issue. But you got to start somewhere.
And the whole thing is also not an ultimate solution. So I cannot present you the final solution for everything, but probably a couple of possibilities to do something. If you’re interested in the documents – we pretty much publish everything on the web page. It’s a very old style web page. But you can download the PDF files and everything if you’re interested in the facts and (?) the details. Talking about facts, the whole thing started with the Snowden case, where we kind of for the first time had documents proving who is actually forwarding data to the NSA in this case. And this is the interesting part, because we have a lot of rumours but if you’re in a Court room you actually have to prove everything and you cannot just suspect that very likely they’re doing it. But you need actual proof. And thanks to Snowden we had at least a bunch of information that we could use. These are the slides, you all know them. The first very interesting thing was the FISA Act and we mainly argued under 1881a as an example for the overall surveillance in the US. So we took this law as an example but it was not the only thing we relied on. And I think it’s interesting for Europeans to understand how the law actually works. The law actually goes after data and not after people. We typically have laws in criminal procedures that go after people. This law goes after data. So it totally falls outside of our normal thinking of “we’re going after a suspect, someone that may have committed a crime”. Basically the law says that there’s an electronic communications service provider that holds foreign intelligence information. That’s much more than just terrorist prevention, that’s also things that the US is generally interested in. And this is the level that’s publicly known and everything else is basically classified. So under the law the FISA Court can do certification for one year that basically says “the NSA can access data”.
In these certifications there are these minimization and targeting procedures that they have to describe. But they’re not public. We don’t know what they look like. And basically they’re here to separate data from US people out of the data set. So it doesn’t really help a European. And then there is a so called Directive that goes to the individual service provider which basically says: “Give us the data in some technical format.” So very likely it’s some kind of API or some kind of possibility that they can retrieve the data. That’s what the law says. We don’t know how it actually looks and we don’t have perfect proof of it. So there are a lot of things that are disputed and still disputed by the US government. So the exact technical implementations, the amount of data that’s actually pulled, all the review mechanisms they have internally. That’s all stuff that was not 100% sure, and not sure enough to present it to a Court. Which was the basic problem we had. First of all after the Snowden thing broke we had different reactions. And that was kind of how I started the procedure. The first reaction was demonstrations. We were all walking in the streets. Which is good and which is important, but we all know that this is something we have to do but not something that’s gonna change the world. Second thing: we had parliaments like the European Parliament doing resolutions saying that we should strike down the Safe Harbor and this is all bad and evil. We had the Commission pretty much saying the same thing. We had national politicians saying the same thing. And we all knew that basically this means that they all send an angry letter to the US. Then they can walk in front of the media and say: “Yes, we’ve done something, we sent an angry letter to the US”, and the US just throws it basically in some trash bin of crazy Europeans wanting strange things, and that was it. So I was actually called by a journalist and asked if there’s some other option.
And I was then starting to think about it and there’s the so called Safe Harbor agreement. To explain the “Safe Harbor”: In Europe we have Data Protection law that is on paper but factually not enforced. But at least, in theory, we have it. And we have a couple of other countries that have the same level of protection or similar laws. And generally Data Protection only works if you keep the data within the protected sphere, so you’re not allowed to send personal data to a third country that doesn’t have adequate protection. There are a couple of other countries that do; and therefore you can transfer data e.g. to Switzerland. This is what the law says. And there are certain servers that are outside these countries where we can have contractual relationships. So basically if you have a server in India, you have a contract with your Indian hosting provider saying: “You apply proper Data Protection to it”. So you can transfer data there, too. All of this is approved by the European Commission. This is how data flows legally outside of the EU – personal data. This all doesn’t apply to any other kind of data, only personal data. And we had a basic problem with the US because there was this Directive saying you can forward data to other countries but there is no Data Protection Law in the US. So basically you wouldn’t be allowed to send data there unless you have some contractual relationship which is always kind of complicated. So the solution was to have a self certification to EU principles and this was put into an Executive Decision by the European Commission. So basically how Safe Harbor is working is that e.g. Google can walk up and say: “Hereby I pledge that I follow European Data Protection Law. I solemnly swear!”. And then they do whatever they want to do.
And basically that’s the Safe Harbor system and the Europeans can walk around saying: “Yeah, there is some seal saying that everything is fine, so don’t worry.” Everybody knew that this is a fucked-up system but for years and years everyone was looking away because politics is there and economics is there and they just needed it. So basically Safe Harbor works that way that a US company can follow the Safe Harbor principles and say: “We follow them”, then the Federal Trade Commission and private arbitrators are overseeing them – in theory, in practice they never do – and this whole thing was packaged into a decision by the European Commission. And this is the so called Safe Harbor system. So from a European legal point of view it’s not an agreement with the US, it’s a system that the US has set up that we approved as adequate. So there’s no binding thing between the US and Europe, we can kind of trash it any time. They’ve just never done that. Which brings me to the legal argument. Basically if I’m this little Smiley down there, I’m sitting in Austria and transfer my data to Facebook Ireland, because worldwide – 82% of all users have a contract with Facebook Ireland. Anyone that lives outside the US and Canada. So anyone from China, South America, Africa has a contract with Facebook in Ireland. And legally they forward the data to Facebook in the US; technically the data is directly forwarded. So the data is actually flowing right to the servers in the US. However legally it goes through Ireland. And my contract partner is an Irish company. And under the law they can only transfer data to the US if there is adequate protection. At the same time we know that the PRISM system is hooked up in the end. So I was basically walking up to the Court and saying: “Mass Surveillance is very likely not adequate protection, eh?” And that was basically the argument. applause The interesting thing in this situation was actually the strategic approach.
So, we have the NSA and other surveillance organizations that use private companies. So we have kind of a public-private surveillance partnership. It’s PPP in a kind of surveillance way. Facebook is subject to US law, so under US law they have to forward all the data. At the same time Facebook Ireland is subject to European law so they’re not allowed to forward all this data. Which is interesting because they’re split. The EU law regulates how these third country transfers work. And all of this has to be interpreted under Fundamental Rights. So this was basically the system we were looking at. And the really crucial thing is that we have this public-private surveillance. Because we do have jurisdiction over private companies. We don’t have jurisdiction over the NSA. We can send angry letters to the NSA. But we do have jurisdiction over Facebook, Google etc. because they’re basically based here. Mainly for tax reasons. And this was the interesting thing, that in contrast to the national surveillance where we can pretty much just send the angry letters, we can do something about the private companies. And without the private companies there is almost no mass surveillance on this scale because the NSA is not in our phones, it’s the Googles and Apples and whatever. And without them you’re not really able to get this mass surveillance. This is like the legal chart. Basically what we argued is: there’s Articles 7 and 8 of the Charter of Fundamental Rights. That’s your right to Privacy and your right to Data Protection. There is an article in the Directive that has to be interpreted in light of it. Then there’s the Executive Decision of the EU. This is basically the Safe Harbor decision which refers to Paragraph 4 of the Safe Harbor principles. And the Safe Harbor principles basically say that the FISA Act is okay. So you have kind of this circle of different legal layers which is getting really crazy. I’ll try to break it down a little bit.
Basically Articles 7 and 8 of the Charter we basically compared to Data Retention, so the “Vorratsdatenspeicherung”. We basically said PRISM is much worse. If “Vorratsdatenspeicherung” (Data Retention) was invalid then PRISM has to be 10 times as bad. That was basically the argument. Very simple. We just compared: the one was content data – the other one was meta data. The one is storage – the other one is making available. And the one is endless – the other one is 24 months. So basically in all these categories PRISM was much worse. And if the one has to be illegal the other one has to be as well. And what’s interesting – and that’s something that the US side is typically not getting – is that Article 8 is already covering “making available of data”. So the fun thing is I only had to prove that Facebook makes data available, so basically it’s possible the NSA is pulling it. I didn’t even have to prove that the NSA is factually pulling my personal data. And this was like the relevant point because under US law basically your Fundamental Rights only kick in when they factually look at your data and actually surveil you. So I was only like: “They’re making it available – that’s good enough for me!” which was making all these factual evidence questions much easier. So basically I only had to say: “Look at the XKeyscore slides where they say ‘user name Facebook’, they can get somehow the data out of it. It’s at least made available; that’s all I need to prove”. And this is the big difference between the US – it’s very simplified, but basically between the US approach and the European approach; is that in the US you have to prove that your data is actually pulled. I only had to prove that my data is made available. So I had to… I was able to get out of all the factual questions. This is a comparison – you basically… in the US we have very strict laws for certain types of surveillance while in Europe we have a more flexible system that covers much more.
So it’s a different approach that we just have in the two legal spheres. We’re both talking about your Fundamental Right to Privacy, but in details it’s very different. And that’s kind of the difference that we used. The fun thing is if you’re European you don’t have any rights in the US anyway because the Bill of Rights only applies to people that live in the US and US citizens, so you’re out of luck anyway. So you’re only left with the European things. Basically the law, which is the second level after the Fundamental Rights, is saying that there has to be an adequate level of protection as I said and this third country has to ensure it by domestic law or international commitments. And I was saying: “You know there’s the FISA Act, you can read it, it definitely doesn’t ensure your fundamental rights and an adequate protection. So we’re kind of out of Article 25”. And there is paragraph 4 of the Safe Harbor principles which says that all these wonderful privacy principles that US companies sign up to do not apply whenever a national law in the US is overruling it. So there are principles that companies say: “We follow!” but if there is a city in Texas saying: “We have a local ordinance saying: ‘You have to do differently!’” all these Safe Harbor principles don’t apply anymore. And this is the fundamental flaw of the self certification system, that it only works if there is no law around that conflicts with it. And as there are tons of laws that conflict with it you’re hardly able to hold up a system like that. So basically if you go through all these different legal layers you end up with a conflict between the US FISA Act and the European Fundamental Rights. So you’re going through different layers of the system but you’re basically making a circle. This is what we did which was a little bit complicated but worked. applause Basically now to the procedure, so how the whole thing happened. First I went through the Safe Harbor.
Safe Harbor allows you to go to TRUSTe or the Federal Trade Commission and there’s an online form to make your complaint. And I was making a complaint and I think you were only allowed to put in 60 characters to explain what your complaint is. Which is a little bit complicated if you’re trying to explain NSA mass surveillance. So I only wrote: “Stop Facebook, Inc.’s involvement in PRISM!”. That was everything I could actually put in the text box; that was the absolute maximum. And the answer I got back was: “TRUSTe does not have the authority to address the matter you raise.” Which is obvious, it’s a private arbitration company that can hardly tell Facebook to not follow the NSA’s guidelines. So this was the arbitration mechanism under Safe Harbor. You can also go to the Federal Trade Commission and have your complaint filed there. But they basically just ignore them. This was the letter I got back, that they received it. But I was talking to the people at the FTC and they say: “Yeah, we get these complaints but they’re ending up in a huge storage system where they stay for ever after”. So this was enforcement done by Safe Harbor. And we knew that in the private field already; but in this case it was especially interesting. To be fair, both of these institutions have no power to do anything about mass surveillance. So there was really a reason why they didn’t do anything. The next step you have is the national Data Protection Commissioner. So we have 28 countries with 28 [Commissioners]; plus Germany has – I think – a Data Protection Commissioner in every province. And you end up at this. And this is my most favourite slide. This is the Irish Data Protection Commissioner. applause To be super precise – I don’t know if you can see the laser pointer. But this is a super market. And this is the Irish Data Protection Commissioner back there. laughter, applause To be a little more fair, actually they’re up here and they’re like 20 people when we filed it originally. 
The fun thing is back at the time they didn’t have a single lawyer and not a single technician. So they were 20 public employees that were dealing with Data Protection and no one had any clue of the technical or the legal things about it. The fun thing is: this is Billy Hawkes, the Data Protection Commissioner at the time. He went on the national radio in the morning. And in Ireland radio is a really big thing. So it was a morning show. And he was asked about these complaints. And he actually said on the radio: “I don’t think it will come as much of a surprise that the US services have access to all the US companies”. And this was the craziest thing! I was sitting in front of the radio and was like: “Strike! He just acknowledged that all this is true!”. And the second thing, he said: “This US surveillance operation is not an issue of Data Protection”. Interesting. It’s actually online and you can listen to it. But the fun thing was really that the factual level is so hard to prove that I was afraid that they would dispute: “Hah, who knows if all this is true? We don’t have any evidence! The companies say we are not engaging in all of this.” So having the Data Protection Commissioner saying: “Sure they surveil you! Are you surprised?” was great because we were kind of out of the whole factual debate. I actually got a letter back from them saying that they’re not investigating any of it. And I was asking them why. And they were naming 2 sections of the law, a combination thereof. So there was one thing where it says they shall investigate – which means they have to – or they may investigate. And they say they only “may” investigate complaints and they just don’t feel like investigating PRISM and Facebook and all of this. Secondly they say that a complaint could be “frivolous and vexatious” – I love the word! And therefore they’re not investigating it.
“A combination thereof or indeed any other relevant matter.” So we transferred this letter into a picture which is basically what they said: “So why did you not investigate PRISM?” – “‘Shall’ means ‘may’, frivolous or vexatious, a combination of A and B or any other reason.” So this was the answer by the Irish Data Protection Commissioner why they wouldn’t want to investigate the complaint. Just to give you background information: these are the complaints that the Irish Data Protection Commissioner is receiving – the blue line – and the red line is all of the complaints they’re not deciding. Which is 96..98% of the complaints they receive in an average year. Which is interesting because you have a right to get a decision but they don’t. To give you the bigger picture: we also made complaints on Apple and all the other PRISM companies. And Ireland basically said what I just told you. Luxembourg, where Skype and Microsoft are situated, said that they do not have enough evidence for the participation of Microsoft and Skype [in PRISM]. And the funniest thing about the answer was that they said that they’re restricted in their investigations to the territory of Luxembourg. And since all of this is happening in the US they have no way of ever finding out what was going on. So I was telling them: “You know, most of this is online and if you’re not able to download it I can print it out for you and ship it to Luxembourg.” But the problem, and why we didn’t go down in Luxembourg, is because they went down this factual kind of argument. They said: “It’s all illegal but factually we don’t believe it’s true”. And then there was Germany, who are still investigating to this day. This was Yahoo. Actually that was Yahoo in Munich but they now moved to Ireland as well. So I don’t know what happened to this complaint. We never heard back. But whenever we sent an email they were like: “Yeah, we’re still investigating.” So what happened now is that I went to the Irish High Court.
To challenge the non-decision of the Irish Data Protection Commissioner. This is the case that then went down as “Schrems vs. the Data Protection Commissioner” which is so strange because I never wanted to have my name on any of this and now the decision is actually called after my second name which is always freaking me out in a way. Because you’re fighting for Privacy and suddenly your name is all over the place. applause and laughter applause And this is the Irish High Court. So you… It’s very complicated to get a procedure like that. The biggest issue is that you need money. If you’re in front of an Irish Court and you lose a case you end up with a legal bill of a couple of hundred thousand Euros. Which is the reason why nobody ever challenged the Irish Data Protection Commissioner. Because you’re just gonna lose your house over it! So what I did is: we did a little bit of crowd-funding! And we actually got about 70,000 Euros out of it. This was a crowd-funding platform that basically worked in a way that people could donate and if we don’t need the money we either donate it to another Privacy cause or we actually give people the money back. Which we actually have to do because we won the case. And all our costs are paid by the other side. applause So the fun thing is you then have to walk into this wonderful old Court here on Mondays at 11:30. And there’s a room where you can make your application. And about 100 other people making their application as well. And there is no number. So there are 100 lawyers sitting in a room, waiting for the judge to call out your case. So we were sitting there until 4 PM or something until suddenly our case was called up. And we actually got kind of the possibility to bring our case and then it’s postponed to another date and blablablablabla. In the end you end up with something like this. Which is all the paperwork because in Ireland the Courts are not computerized so far.
So you have to bring all the paperwork, anything you rely on, in 3 copies. And it’s all paper, numbered on the pages, so all these copies have pages 1 to 1000. Someone’s writing all of them on the page. And then they copy it 3 times and it’s then in this wonderful little thing. I thought it’s great. And what happened is that we walked into the judge’s room and you get a judge assigned on the same day. So you end up in front of a judge that has never heard about Privacy, never heard about Facebook and never heard about Snowden and PRISM and any of this. So you walk into the room like “We would like to debate the Safe Harbor with you” and he was like “What the fuck is the Safe Harbor?”. So what happened is that he told us to kind of explain what it is for 15 minutes. And then he postponed the whole thing for 2 hours I think and we walked over to a pub and had a beer. So that the judge could remotely read what he’s about to look into. And Ireland is very interesting because you need a Solicitor and a Counsel and then the Counsel is actually talking to the Judge. So I actually had 2 filters. If I’m the client down here I had to talk to my Solicitor. The Solicitor was telling the Counsel what to say to the Judge. So half of it was lost on the way. And when I was asking if I could just address the Judge personally they were like “No, no way that you could possibly address the Judge personally even though you’re the claimant”. Which is funny ’cause they talk about this “person” in the room. It’s like “What’s the problem of this Mr. Schrems?”. And you’re like sitting right here, it’s like “This would be me!”.
So what happened in Ireland is that we had about 10 reasons why under Irish law the Irish Data Protection Commissioner would have to do its job, but the Court actually wiped all of this from the table and said actually the Safe Harbor is the issue, which legally they’re not allowed to do, but which politically was very wise, and forwarded this wonderful easy-to-understand question to the European Court of Justice. The reason why they put this kind of very random question is that if you challenge a law in Ireland you have to get some Advocate General engaged. And they didn’t want to do that so they kind of “asked a question around the actual question” to not really get them engaged. Which was very complicated because we didn’t know how the European Court of Justice would kind of react to this random question because it was so broad that they could just walk any other direction and not address the real issue. What was wonderful is that in the judgment by the Irish Court they have actually said that all of this is factually true. All the mass surveillance is factually true. And the fun thing to understand is that the factual assessment is done by the national Courts. So the European Court of Justice is not engaging in factual matters anymore. They only ask legal questions: “Is this legal or not”. So we had a split of responsibility. The Irish Court only said that all of this is true. And Luxembourg only said that all of this would be legal if all of this would be true. Which was kind of an interesting situation. But to be fair no one before the European Court of Justice has ever questioned that this is true. So even the UK that was in front of the Court and that should possibly know if all of this is true or not, they have never questioned the facts. laughs There is a pretty good factual basis. What was interesting as well is that I said I’m not gonna go in front of the European Court of Justice.
Because the cost is so high that even the 60 or 70,000 Euros I got in donations wouldn’t cover it. And I knew the judge wants to get this hot potato off his table and down to Luxembourg. So I was asking for a so called “protective cost order” which kind of tells you beforehand that there is a maximum amount you have to pay if you lose a case. And it was actually the first protective cost order ever granted in Ireland. Which was really cool and the Irish were like outraged about it, too. applause So we basically walked into the European Court of Justice which is a really hefty procedure. In this room were… 13 judges are in front of you. The European Court of Justice has assigned it to the Grand Chamber. So there is a Small, a Medium and a Grand Chamber. Which is the highest thing you can possibly end up in in Europe. And it’s chaired by the President of the European Court of Justice. And this is kind of where the really really basic, really important questions are dealt with. So I was like: “Cool, I’m getting to the European Court of Justice!”. And it’s funny because all the lawyers that were in the room, everyone was like “I can plead in front of the European Court of Justice!”. They all took pictures like they were in Disneyland or something. audience laughing And it was – lawyers can be very… kind of… interesting. And we ended up in front of these 3 major people. It was the President, Thomas von Danwitz – who is the German judge and he also wrote the lead decision. He’s the Judge Rapporteur, so within the 13 judges there’s one that is the reporting judge and actually drafts the whole case. And he was also doing the Data Retention. And then there was Yves Bot as the Advocate General. The hearing was interesting because we got questions from the European Court of Justice before the hearing. And in these questions they were actually digging down into the core issues of mass surveillance in the US.
When I got the questions I was like “We won the case!” because there’s no way they can decide differently as soon as they address the question. There were participants from all over Europe. These are the countries, then there was the European Parliament, the European Data Protection Supervisor and the European Commission. There was me – MS down there, the Data Protection Commissioner and Digital Rights Ireland. And what was interesting was the countries that were not there. Like Germany, e.g. was not there in this major procedure. And as far as I’ve heard there were reasons of not getting too engaged in the Transatlantic Partnership problem. So this was kind of interesting because the UK walked up but Germany was like: “No, we rather don’t want to say anything about this.” What was interesting as well is that there were interventions by the US Government. So I heard… we were… on a Tuesday we were actually in the Court. And on Mondays I got text messages from people of these different countries telling me that the US just called them up. And I was like: “This is interesting” because I know a lot of these people from conferences and stuff. So they were like telling me: “The US just called me up and said they wanna talk to my lead lead lead supervisor and tell me what to say tomorrow in the Court”. It was like: “This is very interesting!”. I was actually in the Court room and there was the justice person from the US embassy to the European Union. And he was actually watching the procedure and watching what everybody was arguing. Where I had a feeling this is like a watchdog situation. And someone pointed out that this is the guy, so I knew who it is. And he was walking up to me and asked: “Are you the plaintiff?” And I said: “Yeah, hey!” and he was trying to talk to me and I said: “Did you manage calling everybody by now or do you still need a couple of numbers?” audience laughing And he was like: “(?) arrogant!”. He was like: “He didn’t just ask this question?”. 
He said: “No, we’re kind of in contact with all of our colleagues and of course we have to kind of push for the interest of the US” and blablabla. I thought: “This is very interesting!”. But anyway, it didn’t help them. None of them was really arguing for the US, actually. The findings of the European Court of Justice, so what was in the judgment in the end. First of all, Safe Harbor is invalid. Which was the big news. And this was overnight. We were expecting that they would have a grace period, so it’s invalid within 3 months or something like this. But the minute they said it, all your data transfers to the US were suddenly illegal. applause Which was kind of big. The second biggie was that they actually said that the essence of your rights is violated. Now this, for an average person, doesn’t mean too much. But for a lawyer it says: “Oh my god, the essence is touched!!”. To explain to you what the essence is and why everybody is so excited about it: basically if you have a violation of your rights you have no interference. So if a policeman is walking down the street and watching you there’s no interference with any of your rights. If they, probably, tapped your phone there is some kind of proportionality issue, which is what we typically debate before a Court. There is a system of how you argue whether something is proportionate or not. So e.g. Data Retention was not proportionate. And Data Retention would be somewhere here, probably. points to slide So not legal anymore but still in a proportionality test. And then there is “the essence”, which means whatever the fuck you’re trying to do here is totally illegal, because what you’re doing is so far out of the scale of proportionality that it will never be legal. And on Data Retention it actually said that for the first time… applause applause …and this was actually the first time, as far as I saw, that the European Court of Justice has ever said that under the convention. 
So the convention has only been in place since 2008, I think. But it’s the first time they actually found that in a case, which was huge for law in general. There were a couple of findings on Data Protection powers that are not too interesting for you. What may be interesting is that – there is a story to this picture, that’s the reason I put it in – basically they said that a third country doesn’t have to provide adequate protection, as I said before. So the story was that third countries originally had to provide equivalent protection. But there was lobbying going on, so the word “equivalent” was changed to “adequate”. And “adequate” means basically nothing. Because anything and nothing can be adequate. “Adequate” has no legal meaning. I mean if you ask what an adequate dressing is – you don’t really know. So they actually changed that back to the wording that was lobbied out of the law and said it has to be “essentially equivalent”, and that’s how we now understand “adequate”. Which is cool, because any third country now has to provide more or less the same level of protection as Europe has. There have to be effective detection and supervision mechanisms. And there has to be legal redress. Just a really short thing on the picture: I was actually just pointing at two people and they were taking a picture from down there to make it a Victory sign. And that’s how the media is then doing: “Whoo”. making short Victory gesture I have to speed up a little bit. Not too much, but a little bit. The future, and I think that’s probably relevant for you guys as well… First of all, what this whole judgment means. First of all the US basically lost its privileged status as being a country that provides adequate [data] protection. Which is kind of the elephant in the room that everyone knew anyway: that they’re not providing it. And now, officially, they’re not providing it anymore. And the US is now like any third country. 
So like China or Russia or India or any country we usually transfer data to. So it’s not like you cannot transfer data to the US anymore. But they lost their special status. Basically what the judgment said: “You can’t have mass surveillance and at the same time be an adequately [data] protecting country”. Which is kind of logical anyway. The consequence is that you have to use the derogations that are in the law, which we have for other countries as well. So a lot of people said: “You know, the only result will be that there will be a consent box saying ‘I consent that my [personal] data is going to the US.’” Now the problem is: consent has to be freely given, informed, unambiguous and specific under European law. Which is something all the Googles and Facebooks in the world have never understood. That’s the reason why all these Privacy Policies are typically invalid. But anyway. So if you have any of these wordings that they’re currently using, like “Your data is subject to all applicable laws”, it’s very likely not “informed” and “unambiguous”. Because you don’t have any fucking idea that your data is ending up at the NSA if you read this. So what they would have to do is to have some Policy saying: “I agree that all of my personal data is made available to the NSA, FBI and whatsoever – YES/NO”. applause Because it has to be “freely given”, so applause I have to have the option to say “No”. Now this would theoretically be possible, but under US law they’re placed under a “gag order”, so they’re not allowed to say this. So they’re in a kind of legal Limbo, because on the one hand they have to say: “It’s this way” but on the other hand they have to say “No it’s not”. So consent is not going to give you any solution. Then there are Standard Contractual Clauses. That’s the one from Apple that they’re using right now. And Standard Contractual Clauses allow you to have a contract with a provider in a third country. 
And that pledges to you in a contract that all your data is safe. The problem is that they have exception clauses that basically say: “If there’s mass surveillance your whole contract is void”, because you cannot have a contract saying: “Hereby I pledge full Privacy” and at the same time be subject to these laws. And this is the interesting thing: all these companies are saying: “Now we’re doing Standard Contractual Clauses”, but none of them are going to hold up in Court, and everybody knows it, but of course to their shareholders they have to tell: “Oh, we have a wonderful solution for this.” The big question here is whether we have a factual or a legal assessment. So do we have to look factually at what data is actually processed by the NSA and what they are actually doing? Or do we just have to look at the laws in a country and the possibility of mass access? So the factual assessment works fine for Apple, Google etc., who are all in these Snowden slides. If you look at the abstract and legal assessment, which is legally the thing that we probably have to do, you actually end up with questions like Amazon. Amazon was not a huge cloud provider when the Snowden slides were actually drafted and written. They’re huge now. And very likely they’re subject to all of these laws. So how do we deal with a company like this? Can we still forward [personal] data to an Amazon cloud, if we know they’re subject to these US laws? So this is the question of which companies are actually falling under this whole judgment. Basically you still have a couple of other exemptions. So this basic thing that a couple of people say, that you’re not allowed to book a hotel [room] in the US anymore, is not true. There are a lot of exceptions in the law, e.g. the performance of a contract. So if I book a hotel [room] in New York online my [personal] data has to go to New York to actually book my hotel [room]. So in all these cases you can still transfer [personal] data. The ruling is mainly on outsourcing. 
So if you could theoretically have your [personal] data in Europe and you’re just not choosing to, because it’s cheaper to host it in the US or it’s easier or it’s more convenient. In these cases we actually get problems. So what we did is we had a second round of complaints. That is now taking these judgments on board. You can download them on the web page as well. And there’s also the deal that Facebook Ireland has signed with Facebook US. To have safety for your data. And this is currently under investigation in Ireland. Basically I argued that they have a contract but the contract is void because US law says they have to do all this mass surveillance. I just got the letter that on November 18th Facebook actually gave them [the DPC] a huge amount of information on what they’re actually doing with the data. This is now going to be under investigation. The big question is whether the DPC in Ireland is actually giving us access to this information. Because so far, all this evidence that they had, they said: “it’s all secret and you cannot know what Facebook is doing with your data even though you’re fully informed about what they’re doing with your data.” Which is kind of interesting as well. But – different issue. A big question was also whether there’s gonna be a Safe Harbor 2.0. I was already told by everybody they’re not gonna call it Safe Harbor anymore because they’re stuck with media headlines like “Safe Harbor is sunk” or something like this. And what happened is that the US has done a huge lobbying effort. They said right on the day that all of this is based on wrong facts and they’ve never done any of this; and all of this is a Trade War; and blablablabla. So they put a lot of pressure on them. I was actually talking to Jurova, the Justice Commissioner. And I was impressed by her. She actually took a whole hour and she really knew what was going on. And at the time they had press releases saying: “We’re really deeply working on the new Safe Harbor”. 
And I was asking Jurova: “Did you get any of the evidence you need to make such a finding?” And the answer was: “Yeah, we’re still waiting for it. We should get it next week”. Which basically meant this is never going to work out anymore. But of course I think there’s a blame game going on. The EU has to say: “We tried everything to find a solution” and the US is saying: “We tried everything to find a solution, too”. And then in the end they will blame each other for not finding a solution. That’s my guess. But we’ll see what happens. The basic problem with a Safe Harbor 2 is that in the government sector they’d basically have to rewrite the whole US legal system. Which they haven’t done for their own citizens. So they will very likely not do it for European citizens. Like judicial redress. Not even an American has judicial redress. So they would never give that to a European. And the private area: they actually have to redraft the whole Safe Harbor principles because they now have to be essentially equivalent to what Europe is doing. So this would also protect people in the private sphere much more, but it would really take a major overhaul of the whole system. To give you an idea: all of these processing operations are covered by European law. So from collection all the way to really deleting the data. This is what’s covered by the Safe Harbor principles. Only 2 operations, which is at the closure, by “transmission” and the “change of purpose”. Anything else they can do as fully as they wanna do under the current Safe Harbor things. So if you talk about “essentially equivalent” you see on these spaces already points to slide that this is miles apart. So what is the future of US-EU-US data flows? We will have massive problems for the PRISM companies. Because what they’re doing is just a violation of our Fundamental Rights. Give or take it – you can change the law as much as you want but you cannot change the Fundamental Rights. 
And you’ll have serious problems for businesses that are subject to US surveillance law in general. So I’m wondering what the final solution is. And that was part of the issue that I had with the cases. Typically I like to have a solution for all of this. In this case I could only point at the problems but I couldn’t really come up with solutions. Because solutions are something that has to be done politically. An interesting question was: “How about EU surveillance, actually?” Because aren’t they doing more or less the same thing? Which is true. And the problem is that the Charter of Fundamental Rights only applies to anything that’s regulated by the EU. And national surveillance is exempt from any EU law. It’s something that member states are doing all by themselves. So you’re out of luck here. You can possibly argue it through a couple of circles; but it’s hard to do. However, Articles 7 and 8 of the Charter have exactly the same wording as the European Convention on Human Rights. And this applies to National Security cases. So the relevant Court here is actually in Strasbourg. So you could probably end up at this Court with the same argument and say: if they already found that this is a violation of your essence in Luxembourg – don’t you want to give us the same rights in Strasbourg as well? And these cool Courts are in kind of a fight about kind of providing proper Privacy protection and protection in general. So very likely you can walk up with a German case or with a UK case or a French case and pretty much do the same thing here. So the judgment will be interesting for European surveillance as well because it’s a benchmark. And you can hardly argue that the US is bad and we’re not doing the same thing. Other solutions are possibly technical solutions. So what Microsoft did with the cloud services and hosting it with the Germans. With the German Telekom. 
And there is really the issue that if you can get a technical solution of not having any access from the US side you can actually get out of the whole problem. So you can try with encryption or data localization; all this kind of stuff. However none of this is really a very sexy solution to the whole issue. However it’s something that you can possibly do. Last thing: enforcement. And this is a little bit of a pitch, I got to confess. We have the problem so far that we have Data Protection law in Europe. But we don’t really have enforcement. And the problem is that the lawyers don’t know what’s happening technically. The technical people hardly know what the law says. And then you have a funding issue. So the idea that I have right now is to create some kind of an NGO or some kind of a “Stiftung Warentest for Privacy”. To kind of look into the devices we all have and kind of have a structured system of really looking into it. And then probably do enforcement as well, if the stuff that you have on your device is not following European law. I think this is an approach that probably changes a lot of the issues. It’s not gonna change everything. But this could possibly be a solution to a lot of what we had. And that’s kind of what we did in other fields of law as well. That we have NGOs or organizations that take care of these things. I think that would be a solution and probably helps a little bit. Last – before we have a question/answer session – a little Bullshit Bingo to probably get a couple of questions answered right away. So the first thing is that a lot of questions are whether the EU does the same thing. I just answered it: Of course they do the same thing and we’ll have to do something about it as well. And I hope that my case is a good case to bring other cases against member states of the EU. The second question is these whole PRISM companies are saying they don’t do this. It’s absurd because they’re all placed under gag orders. 
Or the people that are talking to us don’t even have the security clearance to talk about the surveillance system. So it’s insane when a PR person comes up and says: “I hereby read the briefing from Facebook that we’re not doing this!”. Which basically is what we have right now. And that’s what a lot of the media is referring to as well. Another thing that Facebook and the US government have argued later is that they weren’t asked. They were not invited to the Court procedure. The fun thing is: both of them totally knew about the Court procedure. They just decided not to step in and not to become a party to the procedure. So at first they were like: “Ouh, we don’t wanna talk about it” and then when the decision came around they were like: “Oh, we weren’t asked”. Of course it’s mainly a win on paper, but we’re trying to get it implemented in practice as well. And there is kind of this argument “The EU has broken the Internet”, which I typically rebut with “No, the US has broken the Internet and the EU is reacting to it”. applause Another issue that was interesting is that a lot of the US side said that this is protectionism. So the EU is only enforcing these Fundamental Rights to hurt US companies. Which is funny because I’m not involved in kind of getting more trade to Europe. I’m just like someone interested in my Fundamental Rights. And secondly, European politics has done everything to kind of not get this case across. So kind of this idea that this is a protectionist thing is kind of strange, too. And the last question, which is: “What about the Cables? What about all the other types of surveillance we have?” They’re an issue, too. In these cases you just have more issues of actual hacking, government hacking, basically. So illegal access to servers and cables. Which is harder to tackle than these companies. Because we have this private interference. So there are a lot of other issues around here as well, I was just happy to kind of get one thing across. 
And I’m happy for questions, as well. applause Herald: Alright… applause Max: at lowered voice How much time do we have left for questions? Herald: We have about 10 minutes for questions. I would ask you to please line up at the microphones here in the hall. We have 6 microphones. And we also have questions from the IRC. While you guys queue up I would take one from the internet. Signal Angel: Yeah, just one – for the first time. Does TTIP influence any of this? Max: Basically, not really. Because the judgment that was done was on the Fundamental Rights. So if they have some kind of wording in TTIP it would again be illegal. And there was actually a push to get something like that into TTIP. And as far as I know this idea was done, after the judgment. laughs Just a little intro: EDRI has organized an ask-me-anything thing at 7 PM as well. So if you’ve got specific questions, you can also go there. Just as a reminder. Herald: OK, great. Microphone No. 2, please. Question: Thank you for your efforts. The question would be: Could US businesses under these findings ever again be employed in critical sectors? E.g. the public sector, Windows in the Bundestag, e.g., and stuff like that? Max: Yep, yep. That’s a huge problem. And that’s a problem we’ve had for a while. I was mainly talking actually with people in the business area. I’m mainly invited to conferences there. And people were telling me: “Yeah, we’re doing all our bank data on Google now”. And I was like: WTF? Because this is not only Privacy. That’s also trade secrets, all of this kind of stuff. So there is this huge issue and if you talk about the new Windows that is phoning home a little more than the old one did, you probably have the same issue here because Microsoft is falling under the same thing. Q: No plausible deniability, therefore culpability. M: Yep, yep, yep. Q: Thank you! Max: Thank you! Herald: OK, microphone No. 3, please, for your next question. 
Question: How would you assess Microsoft saying they put up a huge fight that they… well, they said they had customers’ data in Ireland and they said they refuse to give it to the FBI. What’s to think of that? Max: I think, to be fair, a lot of these companies have realized that there is an issue. And that they have “Feuer am Arsch” [a fire under their ass]. And Microsoft… actually a couple of Microsoft people are talking to me and are like: “We’re actually not unhappy about this case because we have a good argument in the US now that we’re getting into trouble here…” But the companies are caught between these 2 chairs. The US law says: “We kill you if you’re not giving us all the data” and the problem so far is that in the EU… e.g. in Austria the maximum penalty is 25,000 Euro if you don’t comply with this. Q: Peanuts. M: Which is absurd. And in most other countries it’s the same. We now have the Data Protection Regulation that is coming up, which gives you a penalty of a maximum of 4% of the worldwide turnover, which is a couple of millions. And if you want to thank someone there’s Jan Philipp Albrecht, probably in the room or not anymore, who is the member of [EU] Parliament from the Green Party, who’s actually from Hamburg, who has negotiated all of this. And this actually could possibly change a couple of these things. But you have this conflict of laws, and solutions like the Telekom thing – that you host the data with the Telekom – could possibly allow them to argue in the US that they don’t have any factual access anymore so they can’t give the data to the US Government. But we’re splitting the internet here. And this is not really something I like too much, but apparently the only solution. Herald: OK, thank you for your question. We have another one at microphone 4, please. Q: Thank you very much for your efforts, first of all. And great result! M: Thank you. Q: The question from me would also be: Is there any change in the system in Ireland now? 
So if somebody has a similar struggle to yours – might the next round be easier or not? Max: Basically what the Irish DPC got is a wonderful new building. And the press release is too funny. Because it says: “We have a very nice Victorian building now downtown Dublin in a very nice neighborhood“ and blablabla and they get double the staff of what they had before. The key problem is none of this. I only took the picture because it kind of shows what’s inside the building. And the key problem is that we have 2 countries – Luxembourg and Ireland, where all of these headquarters are – and these 2 countries are not interested in collecting taxes, they’re not interested in enforcing Privacy Law, they’re not interested in any of this. And they’re basically getting a huge bunch of money on the back of the rest of the EU. And until this actually changes and there’s a change of attitude in the Irish DPC it doesn’t really matter in which building they are. So they got a lot more money to kind of – to the public – say: “Yes, we have more money and we have more staff and dadadadada”… Q: …but the system did not change! M: The big question is what the system is doing: they can prove it now! As they have the new complaint on their table on Safe Harbor and PRISM and Facebook. They can prove whether they do something about it or not – my guess is that they’ll find “some” random reasons why unfortunately they couldn’t do anything about it. We’ll see. Q: OK, thanks! Herald: OK, thank you! It’s your turn, microphone No. 2. Question: OK, thank you very much and also thank you for your service for the public. M: Thanks for the support! applause Q: What that will… Sorry about the English… M: Say it in German! Q: What does that actually mean for the whole story with data retention if it comes back now? And to what extent does that now, so to speak, exempt social media again or not? M: To be honest I didn’t really look into the German Data Retention thing too much. 
To be honest, being an Austrian I’m like “Our Supreme Cou… Constitu…” Q: Me, too! audience laughing M: Yeah, I heard. “Our Constitutional Court kind of killed it”, so… I don’t think we’ll see Data Retention in Austria too soon. But for Germany it’s gonna be interesting, especially if you find a way to go to Luxembourg in the end. Like if you find some hook to say: “Actually, this German law violates something in the Data Protection Regulation or in the Directive“. So we can probably find a way to go back to Luxembourg. Could help. The other thing is that just the fact that the Luxembourg Court has been so active has probably boosted a lot of the National Courts as well. Because the German decision, I had the feeling, was like a “We don’t really feel like we can fully say that this is actually illegal and we kind of argued that it’s somehow not illegal the way it is, but possibly you can do it in the future and uooah…“. And after Luxembourg has really thrown all of this right out of the door and was like: “Get lost with your Data Retention thing and especially with the PRISM thing” you probably have better case law now, as well. And that could be relevant for National Courts as well. Because of course these things are a question of proportionality. And if we ask everybody here in the room what they think is proportionate or not, everyone has a different opinion. And therefore it’s relevant what our people are saying and what other Courts are saying, to probably get the level of what we feel is proportionate somehow a little bit up. Q: So thank you very much. And go on! M: Thank you! Herald: OK, just for the record, in case you couldn’t tell by the answer: the question was about the implications for the Data Retention Laws, like in Germany and Austria. Microphone No. 1, we have another question. Question: Hi! Two questions. One: could you tell a little bit more about your idea of a “Stiftung Datenschutz” Europe-wide? And how do we get funding to you… M: Send me an email! 
Q: …if you don’t mind? Second question: when I argue with people about like “Let’s keep the personal data of all activists within Europe!” I always get this answer: “Yeah, are you so naive, do you think it’s any different if the server stands in Frankfurt instead of San Francisco?” What do you say to that? Max: The same problem, like pretty much what we have is – and that’s the reason why I said I hope this judgment is used for National surveillance in Europe, as well. Because we do have the same issues. I mean when you are an Austrian and the German “Untersuchungsausschuss” [parliamentary inquiry committee] is basically saying: “Ah, we’re only protecting Germans” I feel like my fucking data is going through Frankfurt all the time. And I’m kind of out of the scope, apparently. So we do need to take care of this as well. I hope that this is a case showing that you can actually take action. You just have to poke long enough and kind of poke at the right spot, especially. And I think this is something that… there’s not an ultimate solution to it. It’s just one of the kind of holes that you have. The other thing that we may see is that a lot of companies that are holding this data are questioning an order they get much more. Because if they get legal problems from an order they got by a German Court or whatever it is, they probably are now more interested in – and actually looking at it. Because right now it’s cheaper for them to just forward the data. You don’t need a whole Legal Team reviewing it all. So I think to kind of split the private companies that are helping them from the Government and kind of get some issue between them probably helps there, as well. But of course it’s just like little peanuts you put in there. But in the end you have that issue, in the end. Yeah. On the “Stiftung Datenschutz” or whatever: I think that’s kind of a thing I just wanted to blow out to people here, because I’m mainly in the legal sphere and in, like, the activist/consumer side. 
And I think the big problem we have on the legal and consumer side is that we don’t understand the devices that much. And we lack the evidence. We don’t really have the evidence of what’s actually going on on devices, and you need to have this evidence if you go in front of Courts. I think a lot of the people in the room probably have this evidence somewhere on their computer. So the idea of really getting this connection at some point – it’s not something I can pitch to you right away, because it’s not… like I don’t wanna start it tomorrow. But it’s something I wanted to circulate to get feedback as well, what you guys think of it. So if there’s any feedback on it, send me an email, or twitter. Or whatever it is. applause Herald: So we do have a bit of time left, microphone No. 2 with the next question, please. Question: What can I do as an individual person now? Can I sue Google or can I sue other companies just to stop this? And would it create some pressure if I do that? So what can the ordinary citizen do now? Max: We’re right now… I already prepared it but I didn’t have time to send it out, to have complaints against the Googles and all the others that are on the PRISM list. We started with Facebook because I kind of know them the best. And, you know, so it was a good start. And the idea was really to have other people probably copy-pasting this. The complaint against Facebook we actually filed with the Hamburg DPC as well, and the Belgian DPC. The idea behind it was that the Irish now suddenly have 2 other DPCs in their boat that are more interested in enforcing the law. So they’re not the only captains anymore. And it’s interesting what’s gonna happen here. If there are other people that have other cases, just file a complaint with your Data Protection authority; a lot of them, especially the German Data Protection authorities – most of them – are really interested in doing something about it, but they oftentimes just need a case. 
They need someone to complain about it and someone giving them the evidence and someone arguing it, to get things started. So if anyone is using Google Drive or something like that – let’s go. And basically the wording is on our web page. You just have to download it and reword it. And we’re probably gonna publish the complaints against the other companies on the website, as soon as they’re out. Probably in the next 2 to 3 weeks. Something like this. So just copy-paste and spread the love. Herald: OK, thank you very much, Max, again! For your great talk. This is it! postroll music Subtitles created by c3subtitles.de in 2016. Join and help us do more!