-
32C3 preroll music
-
Herald: Our next talk is
called “Safe Harbor”.
-
Background is: back in October, in
the light of the Snowden revelations
-
the Court of Justice of the European
Union – that’s the “EuGH” in German
-
declared the Safe Harbor agreement
between the EU and the US invalid.
-
This talk is about how we got there
as well as further implications
-
of that decision. Please believe me when
I say our speaker is ideally suited
-
to talk about that topic. Please give it
up for the man actually suing Facebook
-
over Data Protection concerns:
Max Schrems!
-
applause and cheers
-
Max Schrems: Hallo! Hey!
applause and cheers
-
applause
-
It’s cheerful like some Facebook Annual
conference where the newest things
-
are kind of presented. I’m doing a little
intro basically where I got there.
-
This was my nice little university in
California. And I was studying there
-
for half a year and there were a
couple of people from Facebook
-
and other big companies and
they were talking about
-
European Data Protection law. And
the basic thing they said – it was
-
not an original quote but basically what
they said is: “Fuck the Europeans,
-
you can fuck their law as much as you
want and nothing is going to happen.”
-
And that was kind of the start of the
whole story because I thought: “Okay,
-
let’s just make a couple of
complaints and see where it goes.”
-
I originally got 1.300 pages Facebook data
back then, because you can exercise
-
your right to access. And Facebook
actually sent me a CD with a PDF file
-
on it with all my Facebook data.
It was by far not everything
-
but it was the first time that someone
really got the data and I was asking
-
someone from Facebook why they were so
stupid to send me all this information.
-
Because a lot of it was obviously illegal.
And the answer was “We had internal
-
communications problems.” So someone was
just stupid enough to burn it on a CD and
-
send it on. One of the CDs actually was
first going to Sydney in Australia because
-
they put “Australia” instead of “Austria”
on the label which was one of the things
-
as well.
applause
-
Anyway, this was basically how
my interest in Facebook started;
-
and the media got crazy about it because
there is like a little guy that does
-
something against the big guy. And this
is basically how the whole thing got
-
this big. This is like a cartoon from my
Salzburg newspaper. This should be me,
-
and it’s like basically the reason why
the story got that big because it’s
-
a small guy doing something against
Facebook, not necessarily because
-
what I was doing was so especially smart.
But the story was just good for the media,
-
’cause data protection is generally a very
dry topic that they can’t report about
-
and they’re they had like
the guy that did something.
-
A couple of introductions. We actually
had 3 procedures. So if you heard about
-
what I was doing… There was originally
a procedure at the Irish Data Protection
-
Commission, on Facebook itself – so what
Facebook itself does with the data.
-
This procedure has ended after 3 years.
There’s a “Class Action” in Vienna
-
right now that’s still ongoing. It’s in
front of the Supreme Court in Austria
-
right now. And there is the procedure
that I’m talking about today which is
-
the procedure on Safe Harbor at the
Irish Data Protection Commission.
-
A couple of other background
informations: I personally don’t think
-
Facebook is the issue. Facebook
is just a nice example for
-
an overall bigger issue. So I was never
personally concerned with Facebook but
-
for me the question is how we enforce
Data Protection or kind of stuff.
-
applause
So it’s not a Facebook talk; Facebook is
-
applause
the example. And of course the whole thing
-
is just one puzzle piece. A lot of people
are saying: “This was one win but there
-
are so many other issues!” – Yes, you’re
totally right! This was just one issue.
-
But you got to start somewhere.
And the whole thing is also
-
not an ultimate solution. So I can
not present you the final solution
-
for everything, but probably a couple
of possibilities to do something.
-
If you’re interested in the documents
– we pretty much publish everything
-
on the web page. It’s a very old style web
page. But you can download the PDF files
-
and everything if you’re interested
in the facts and (?) the details.
-
Talking about facts, the whole thing
started with the Snowden case,
-
where we kind of for the first time had
documents proving who is actually
-
forwarding data to the NSA in this case.
And this is the interesting part, because
-
we have a lot of rumours but if you’re in
a Court room you actually have to prove
-
everything and you cannot just suspect
that very likely they’re doing it. But you
-
need actual proof. And thanks to Snowden
we had at least a bunch of information
-
that we could use. These are the slides,
you all know them. The first very
-
interesting thing was the FISA act and we
mainly argued under 1881a as an example
-
for the overall surveillance in the US. So
we took this law as an example but it was
-
not the only thing we relied on. And I
think it’s interesting for Europeans to
-
understand how the law actually works.
The law actually goes after data and not
-
after people. We typically have laws in
criminal procedures that go after people.
-
This law goes after data. So it totally
falls outside of our normal thinking of
-
“we’re going after a suspect,
someone that
-
may have committed a crime”. Basically the
-
law says that there’s an electronic
communications service provider that holds
-
foreign intelligence information. That’s
much more than just terrorist prevention,
-
that’s also things that the US is
generally interested in.
-
And this is the level that’s publicly
known and everything else is basically
-
classified. So under the law the FISA
Court can do certification for one year
-
that basically says “the NSA can access
data”. In this certifications there are
-
these minimization and targeting
procedures that they have to describe.
-
But they’re not public.
We don’t know how
-
they look like. And basically they’re here
-
to separate data from US people out of
the data set. So it doesn’t really help
-
a European. And then there is a so called
Directive that goes to the individual
-
service provider which basically says:
“Give us the data in some technical
-
format.” So very likely it’s some kind
of API or some kind of possibility
-
that they can retrieve the data. That’s
what the law says. We don’t know
-
how it actually looks and we don't
have perfect proof of it. So there are
-
a lot of things that are disputed and
still disputed by the US government.
-
So the exact technical implementations,
the amount of data that’s actually pulled,
-
all the review mechanisms they have
internally. That’s all stuff that was
-
not 100% sure, and not sure enough
to present it to a Court. Which was
-
the basic problem we had. First of
all after the Snowden thing broke
-
we had different reactions. And that was
kind of how I started the procedure.
-
The first reaction was demonstrations.
We were all walking in the streets.
-
Which is good and which is important,
but we all know that this is something
-
we have to do but not something that’s
gonna change the world. Second thing:
-
we had parliaments like the European
Parliament doing resolutions saying
-
that we should strike down the Safe Harbor
and this is all bad and evil. We had
-
the Commission pretty much saying the
same thing. We had national politicians
-
saying the same thing. And we all knew
that basically this means that they all
-
send an angry letter to the US. Then they
can walk in front of the media and say:
-
“Yes, we’ve done something, we sent
an angry letter to the US”, and the US
-
is just thrown basically in some trash bin
of crazy Europeans wanting strange things
-
and that was it. So I was actually called
by a journalist and asked if there’s
-
some other option. And I was then
starting to think about it and there’s
-
the so called Safe Harbor agreement. To
explain the “Safe Harbor”: In Europe
-
we have Data Protection law that is on
the papers but factually not enforced.
-
But at least, in theory, we have it. And
we have a couple of other countries
-
that have the same level of protection
or similar laws. And generally
-
Data Protection only works if you keep
the data within the protected sphere so
-
you’re not allowed to send personal
data to a third country that
-
doesn’t have adequate protection. There
are a couple of other countries that do;
-
and therefore you can transfer data e.g.
to Switzerland. This is what the law says.
-
And there are certain servers that
are outside these countries where
-
we can have contractual relationships. So
basically if you have a server in India,
-
you have a contract with your
Indian hosting provider saying:
-
“You apply proper Data Protection to it”.
So you can transfer data there, too.
-
All of this is approved by the European
Commission. This is how data
-
flows legally outside of the EU – personal
data. This all doesn’t apply
-
to any other kind of data, only personal
data. And we had a basic problem
-
with the US because there was this
Directive saying you can forward data
-
to other countries but there is no Data
Protection Law in the US. So basically
-
you wouldn’t be allowed to send
data there unless you have
-
some contractual relationship which
is always kind of complicated.
-
So the solution was to have a self
certification to EU principles
-
and this was put into an Executive
Decision by the European Commission.
-
So basically how Safe Harbor is working
is that e.g. Google can walk up and say:
-
“Hereby I pledge that I follow European
Data Protection Law. I solemnly swear!”.
-
And then they do whatever they
want to do. And basically
-
that’s the Safe Harbor system and the
Europeans can walk around saying:
-
“Yeah, there is some seal saying
that everything is fine, so don’t worry.”
-
Everybody knew that this is a fucked-up
system but for years and years
-
everyone was looking away because politics
is there and economics is there and
-
they just needed it. So basically Safe
Harbor works that way that a US company
-
can follow the Safe Harbor principles
and say: “We follow them”, then
-
the Federal Trade Commission and private
arbitrators are overlooking them
-
– in theory, in practice they never do –
and this whole thing was packaged
-
into decision by the European
Commission. And this is the so called
-
Safe Harbor system. So from a European
legal point of view it’s not an agreement
-
with the US, it’s a system that the US has
set up that we approved as adequate. So
-
there’s no binding thing between the US
and Europe, we can kind of trash it
-
any time. They’ve just never done that.
Which brings me to the legal argument.
-
Basically if I’m this little Smiley down
there, I’m sitting in Austria and
-
transfer my data to Facebook Ireland,
because worldwide – 82% of all users
-
have a contract with Facebook Ireland.
Anyone that lives outside the US
-
and Canada. So anyone from China,
South America, Africa has a contract
-
with Facebook in Ireland. And legally they
forward the data to Facebook in the US;
-
technically the data is directly
forwarded. So the data is actually flowing
-
right to the servers in the US. However
legally it goes through Ireland. And
-
my contract partner is an Irish company.
And under the law they can only transfer
-
data to the US if there is adequate
protection. At the same time we know
-
that the PRISM system is hooked up in
the end. So I was basically walking up
-
to the Court and saying: “Mass
Surveillance is very likely not
-
adequate protection, he?” And
that was basically the argument.
-
applause
-
The interesting thing in this situation
was actually the strategic approach.
-
So, we have the NSA and other surveillance
organizations that use private companies.
-
So we have kind of a public-private
surveillance partnership. It’s PPP in
-
a kind of surveillance way. Facebook is
subject to US law, so under US law they
-
have to forward all the data. At the same
time Facebook Ireland is subject to
-
European law so they’re not
allowed to forward all this data.
-
Which is interesting because
they’re split. The EU law regulates
-
how these third cwountry transfers work.
And all of this has to be interpreted
-
under Fundamental Rights. So this was
basically the system were looking at.
-
And the really crucial thing is that we
have this public-private surveillance.
-
Because we do have jurisdiction over
private company. We don’t have
-
jurisdication over the NSA. We can
send angry letters to the NSA. But
-
we do have jurisdiction over Facebook,
Google etc. because they’re basically
-
based here. Mainly for tax reasons.
And this was the interesting thing that
-
in difference to the national surveillance
where we can pretty much just send
-
the angry letters we can do something
about the private companies. And
-
without the private companies there is
almost no mass surveillance in this scale
-
because the NSA is not in our phones,
it’s the Googles and Apples and whatever.
-
And without them you’re not really
able to get this mass surveillance.
-
This is like the legal chart. Basically
what we argued is: there’s 7 and 8
-
of the Charta of Fundamental Rights.
That’s your right to Privacy and
-
your right to Data Protection. There
is an article in the Directive that
-
has to be interpreted in light of it. Then
there’s the Executive Decision of the EU.
-
This is basically the Safe Harbor
decision which refers to Paragraph 4
-
of the Safe Harbor principles. And the
Safe Harbor principles basically say
-
that the FISA Act is okay. So
you have kind of this circle
-
of different legal layers which is getting
really crazy. I’ll try to break it down
-
a little bit. Basically 7 and 8 of the
Charta we basically compared
-
to Data Retention, so the
“Vorratsdatenspeicherung”.
-
We basically said PRISM is much worse. If
“Vorratsdatenspeicherung” (Data Retention)
-
was invalid then PRISM has to be 10 times
as bad. That was basically the argument.
-
Very simple. We just compared: the
one was content data – the other one
-
was meta data. The one is storage
– the other one is making available.
-
And the one is endless – the other
one is 24 months. So basically
-
in all these categories PRISM was much
worse. And if the one has to be illegal
-
the other one has to be as well. And
what’s interesting – and that’s something
-
that the US side is typically not getting
– is that Article 8 is already covering
-
“making available of data”. So the
fun thing is I only had to prove
-
that Facebook makes data available,
so basically it’s possible
-
the NSA is pulling it. I didn’t even have
to prove that the NSA is factually pulling
-
my personal data. And this was like the
relevant point because under US law
-
basically your Fundamental Rights only
kick in when they factually look at your
-
data and actually surveil you. So I was
only: “They’re making it available
-
– that’s good enough for me!” which
was making all these factual evidence
-
much easier. So basically I only had
to say: “Look at the XKeyscore slides
-
where they say ‘user name Facebook’
they can get somehow the data out of it.
-
It’s at least made available; that’s
all I need to prove”. And this is
-
the big difference between the US
– it’s very simplified, but basically
-
between the US approach and the European
approach; is that in the US you have to
-
prove that your data is actually pulled.
I only had to prove that my data is made
-
available. So I had to… I was able to
get out of all the factual questions.
-
This is a comparison – you basically…
in the US we have very strict laws
-
for certain types of surveillance while in
Europe we have a more flexible system
-
that covers much more. So it’s a
different approach that we just have
-
in the two legal spheres. We’re both
talking about your Fundamental
-
Right to Privacy, but in details it’s
very different. And that’s kind of
-
the differences what we used. The fun
thing is if you’re European you don’t have
-
any rights in the US anyways because
the Bill Of Rights only applies to people
-
that live in the US and US citizens so
you’re out of luck anyways. So you’re
-
only left with the European things.
Basically the law which is
-
the second level after the Fundamental
Rights is saying that there has to be
-
an adequate level of protection as I said
and this third country has to ensure it
-
by domestic law or international
commitments. And I was saying: “You know
-
there’s the FISA Act, you can read
it, it definitely doesn’t ensure
-
your fundamental rights and an
adequate protection. So we're
-
kind of out of Article 25”. And there is
paragraph 4 of the Safe Harbor principles
-
which say that all these wonderful privacy
principles that US companies sign up to
-
do not apply whenever a national law
in the US is overruling it. So there are
-
principles that companies say: “We
follow!” but if there is a city in Texas
-
saying: “We have a local ordinance
saying: ‘You have to do differently!’”
-
all these Safe Harbor principles
don’t apply anymore. And this is
-
the fundamental flaw of the self
certification system that it only works
-
if there is no law around that conflicts
with it. And as there are tons of laws
-
that conflict with it you’re hardly
able to hold up a system like that.
-
So basically if you go through all these
different legal layers you end up with
-
a conflict between the US FISA Act
and the European Fundamental Rights.
-
So you’re going through different layers
of the system but you’re basically making
-
a circle. This is what we did which was
a little bit complicated but worked.
-
applause
-
Basically now to the procedure,
so how the whole thing happened.
-
First I went through the Safe Harbor. Safe
Harbor allows you to go to TRUSTe or
-
the Federal Trade Commission and there’s
an online form to make your complaint. And
-
I was making a complaint and I think you
were only allowed to put in 60 characters
-
to explain what your complaint is. Which
is a little bit complicated if you’re
-
trying to explain NSA mass surveillance.
So I only wrote: “Stop Facebook, Inc.’s
-
involvement in PRISM!”. That
was everything I could actually
-
put in the text box; that was
the absolute maximum.
-
And the answer I got back was: “TRUSTe
does not have the authority to address
-
the matter you raise.” Which is obvious,
it’s a private arbitration company
-
that can hardly tell Facebook to not
follow the NSA’s guidelines. So
-
this was the arbitration mechanism under
Safe Harbor. You can also go to the
-
Federal Trade Commission and have your
complaint filed there. But they basically
-
just ignore them. This was the letter I
got back, that they received it. But
-
I was talking to the people at the FTC and
they say: “Yeah, we get these complaints
-
but they’re ending up in a huge storage
system where they stay for ever after”.
-
So this was enforcement done by
Safe Harbor. And we knew that
-
in the private field already; but in this
case it was especially interesting.
-
To be fair, both of these institutions
have no power to do anything
-
about mass surveillance. So
there was really a reason why
-
they didn’t do anything.
The next step you have is
-
the national Data Protection Commissioner.
So we have 28 countries
-
with 28 [Commissioners]; plus Germany has
– I think – a Data Protection Commissioner
-
in every province. And you end up at
this. And this is my most favourite slide.
-
This is the Irish Data
Protection Commissioner.
-
applause
-
To be super precise
– I don’t know if you
-
can see the laser pointer. But this is a
-
super market. And this is the Irish Data
Protection Commissioner back there.
-
laughter, applause
-
To be a little more fair, actually they’re
up here and they’re like 20 people
-
when we filed it originally. The fun thing
is back at the times they didn’t have
-
a single lawyer and not a single
technician. So they were 20
-
public employees that were dealing
with Data Protection and no one
-
had any clue of the technical
or the legal things about it.
-
The fun thing is: this is Billy Hawkes,
the Data Protection Commissioner
-
at the time. He went on the
national radio in the morning.
-
And in Ireland radio is a really big
thing. So it was a morning show.
-
And he was asked about these complaints.
And he actually said on the radio:
-
“I don’t think it will come
as much of a surprise
-
that the US services have access
to all the US companies”.
-
And this was the craziest thing!
I was sitting in front of the radio
-
and was like: “Strike! He just
acknowledged that all this is true!”.
-
And the second thing, he said: “This US
surveillance operation is not an issue
-
of Data Protection”. Interesting.
-
It’s actually online and you can listen
to it. But the fun thing was really that
-
the factual level is so hard to prove that
I was afraid that they would dispute:
-
“Hah, who knows if all this is true?
We don’t have any evidence!
-
The companies say we are
not engaging in all of this.”
-
So having the Data Protection Commissioner
saying: “Sure they surveil you!
-
Are you surprised?” was great
because we were kind of out of
-
the whole factual debate.
-
I actually got a letter back from them
saying that they’re not investigating
-
any of it. And I was asking them why. And
they were naming 2 sections of the law,
-
a combination thereof. So there was one
thing where it says they shall investigate
-
– which means they have to – or
they may investigate. And they say
-
they only “may” investigate complaints
and they just don’t feel like
-
investigating PRISM and Facebook
and all of this. Secondly they say
-
that a complaint could be “frivolous
and vexatious” – I love the word!
-
And therefor they’re not investigating
it. “A combination thereof or indeed
-
any other relevant matter.” So we
transferred this letter into a picture
-
which is basically what they said: “So
why did you not investigate PRISM?”
-
– “‘Shall’ means ‘may’, frivolous
or
-
vexatious, a combination of A and B
-
or any other reason.”
So this was the answer
-
by the Irish Data Protection Commissioner
why they wouldn’t want to investigate
-
the complaint. Just to give
you background information:
-
these are the complaints that the Irish
Data Protection Commissioner is receiving
-
– the blue line – and the red line is
all
-
of the complaints they’re not deciding.
-
Which is 96..98% of the complaints
-
they receive on an average year.
Which is interesting because you have
-
a right to get a decision but they don’t.
-
To give you the bigger picture: we
also made complaints on Apple
-
and all the other PRISM companies.
And Ireland basically said
-
what I just told you. Luxembourg, where
Skype and Microsoft are situated, said
-
that they do not have enough evidence for
the participation of Microsoft and Skype
-
[in PRISM]. And the funniest thing
about the answer was that they said
-
that they’re restricted by their
investigations to the territory
-
of Luxembourg. And since all of this is
happening in the US they have no way
-
of ever finding out what was going on.
So I was telling them: “You know,
-
most of this is online and if you’re not
able to download it I can print it out
-
for you and ship it to Luxembourg.” But
the problem is why we didn’t go down
-
in Luxembourg is because they went down
this factual kind of argument. They said:
-
“It’s all illegal but factually we
don’t believe it’s true”. And
-
then there was Germany that are
still investigating until today.
-
This was Yahoo. Actually that was
Yahoo in Munich but they now
-
moved to Ireland as well. So I don’t
know what happened to this complaint.
-
We never heard back. But whenever we sent
an email they were like: “Yeah, we’re
-
still investigating.” So what happened now
is that I went to the Irish High Court.
-
To jeopardize the non-decision of the
Irish Data Protection Commissioner.
-
This is the case that then went down as
“Schrems vs. the Data Protection
-
Commissioner” which is so strange because
I never wanted to have my name
-
on any of this and now the decision is
actually called after my second name
-
which is always freaking me out in a way.
Because you’re fighting for Privacy and
-
suddenly your name is all over the place.
applause and laughter
-
applause
-
And this is the Irish High Court. So you…
-
It’s very complicated to
get a procedure like that.
-
The biggest issue is that you need money.
If you’re in front of an Irish Court
-
and you lose a case you
end up with a legal bill of
-
a couple of hundred thousand
Euros. Which is the reason why
-
never anybody ever challenged the
Irish Data Protection Commissioner.
-
Because you just gonna
lose your house over it!
-
So what I did is: we did a little
bit of crowd-funding! And
-
we actually got about 70.000 Euros out
of it. This was a crowd-funding platform
-
that basically worked in a way
that people could donate
-
and if we don’t need the money we either
donate it to another Privacy cause
-
or we actually give people the money
back. Which we got to have to do
-
because we won the case. And all
our costs are paid by the other side.
-
applause
-
So the fun thing is you then have to
walk into this wonderful old Court here
-
on Mondays at 11:30. And
there’s a room where you can
-
make your application. And about 100 other
people making their application as well.
-
And there is no number. So there
are 100 lawyers sitting in a room,
-
waiting for the judge to call out your
case. So we were sitting there until 4 PM
-
or something until suddenly our case was
called up. And we actually got kind of
-
the possibility to bring our case and then
it’s postponed to another date and
-
blablablablabla. In the end you
end up with something like this.
-
Which is all the paperwork
because in Ireland the Courts
-
are not computerized so far. So you
have to bring all the paperwork,
-
anything you rely on, in 3 copies.
And it’s all paper, noted of the pages,
-
so all these copies have pages 1 to 1000.
Someone’s writing all of them on the page.
-
And then they copy it 3 times and it’s
then in this wonderful little thing.
-
I thought it’s great. And
what happened is that
-
we walked into the judge’s room and you
get a judge assigned on the same day.
-
So you end up in front of a judge
that has never heard about Privacy,
-
never heard about Facebook and
never heard about Snowden and PRISM
-
and any of this. So you walk into the
room as like “We would like to debate
-
the Safe Harbor with you” and he was like
“What the fuck is the Safe Harbor?”.
-
So what happened is that he told us to
kind of explain what it is for 15 minutes.
-
And then he postponed the
whole thing for 2 hours I think
-
and we walked over to a pub and had a
beer. So that the judge could remotely
-
read what he’s about to look into.
-
And Ireland is very interesting because
you need a Solicitor and a Counsel
-
and then the Counsel is actually talking
to the Judge. So I actually had 2 filters.
-
If I’m the client down here I had to
talk to my Solicitor. The Solicitor
-
was telling the Counsel what to say to the
Judge. So half of it was lost on the way.
-
And when I was asking if I could
just address the Judge personally
-
they were like “No, no way that you could
possibly address the Judge personally
-
even though you’re the claimant”.
Which is
-
funny ’cause they talk about this “person”
-
in the room. It’s like “What’s the problem
of this Mr. Schrems?”. And you’re like
-
sitting right here, it’s like
“This would be me!”.
-
So what happened in Ireland is that we
had about 10 reasons why under Irish law
-
the Irish Data Protection Commissioner
would have to do its job but the Court
-
actually wiped all of this from the table
and said actually the Safe Harbor
-
is the issue, which legally they’re
not allowed to do what politically
-
was very wise and forwarded this
wonderful easy-to-understand question
-
to the European Court of Justice.
-
The reason why they put this kind
of very random question is that
-
if you jeopardize a law in Ireland you
have to get some Advocate General engaged.
-
And they didn’t want to do that
so they kind of “asked a question
-
around the actual question”
to not really get them engaged.
-
Which was very complicated
because we didn’t know how
-
the European Court of Justice ’d kind of
react to this random question because
-
it was so broad that they could just walk
any other direction and not address
-
the real issue. What was wonderful is
that in the judgment by the Irish Court
-
they have actually said that
all of this is factually true.
-
All the mass surveillance is factually
true. And the fun thing to understand
-
is that the factual assessment is done by
the national Courts. So the European
-
Court of Justice is not engaging in
factual matters anymore. They only
-
ask legal questions: “Is this legal or
not”. So we had a split of responsibility.
-
The Irish Court only said that all of this
is true. And Luxembourg only said
-
that all of this would be legal if all of
this would be true. Which was kind of
-
an interesting situation. But to be
fair no one before the European
-
Court of Justice has ever questioned
that this is true. So even the UK
-
that was in front of the Court and that
should possibly know if all of this
-
is true or not, they have never
questioned the facts. laughs
-
There is a pretty good factual basis.
What was interesting as well is
-
that I said I’m not gonna go in front
of the European Court of Justice.
-
Because the cost is so high that even the
60 or 70.000 Euros I got in donations
-
wouldn’t cover it. And I knew the judge
wants to get this hot potato off his table
-
and down to Luxembourg. So I was asking
for a so called “protective cost order”
-
which kind of tells you beforehand that
there is a maximum amount you have to pay
-
if you lose a case. And it
was actually the first one
-
to ever get protective cost
order in Ireland granted.
-
Which was really cool and the Irish
were like outraged about it, too.
-
applause
-
So we basically walked into the
European Court of Justice which is
-
a really hefty procedure.
In this room were…
-
13 judges are in front of you. The
European Court of Justice has assigned it
-
to the Great Chamber. So there is a
Small, a Medium and a Great Chamber.
-
Which is the highest thing you can
possibly end up in Europe. And
-
it’s chaired by the President of the
European Court of Justice. And this is
-
kind of where the really really basic,
really important questions are dealt with.
-
So I was like: “Cool, I’m getting to the
European Court of Justice!”. And it’s
-
funny because all the lawyers that were in
the room, everyone was like “I can pledge
-
in front of the European Court of
Justice!”. They all took pictures like
-
they were in Disneyland or something.
audience laughing
-
And it was – lawyers can be
very… kind of… interesting. And
-
we ended up in front of these 3 major
people. It was the President,
-
Thomas von Danwitz – who is the German
judge and he also wrote the lead decision.
-
He’s the Judge Rapporteur, so within
the 13 judges there’s one that is
-
the reporting judge and actually drafts
the whole case. And he was also
-
doing the Data Retention. And then there
was Yves Bot as the Advocate General.
-
The hearing was interesting
because we got questions
-
from the European Court of Justice before
the hearing. And in these questions
-
they were actually digging down into
the core issues of mass surveillance
-
in the US. When I got the questions
I was like “We won the case!” because
-
there’s no way they can decide differently
as soon as they address the question.
-
There were participants from all over
Europe. These are the countries,
-
then there was the European Parliament,
the European Data Protection Supervisor
-
and the European Commission.
There was me – MS down there,
-
the Data Protection Commissioner
and Digital Rights Ireland. And
-
what was interesting was the countries
that were not there. Like Germany, e.g.
-
was not there in this major procedure.
And as far as I’ve heard there were
-
reasons of not getting too engaged in
the Transatlantic Partnership problem.
-
So this was kind of interesting because
the UK walked up but Germany was like:
-
“No, we rather don’t want
to say anything about this.”
-
What was interesting as well is that there
were interventions by the US Government.
-
So I heard… we were… on a Tuesday we
were actually in the Court. And on Mondays
-
I got text messages from people of
these different countries telling me that
-
the US just called them up. And
I was like: “This is interesting”
-
because I know a lot of these people from
conferences and stuff. So they were like
-
telling me: “The US just called me
up and said they wanna talk to my
-
lead lead lead supervisor and tell me
what to say tomorrow in the Court”.
-
It was like: “This is very interesting!”.
-
I was actually in the Court room and there
was the justice person from the US embassy
-
to the European Union. And he was actually
watching the procedure and watching
-
what everybody was arguing.
Where I had a feeling this is
-
like a watchdog situation. And someone
pointed out that this is the guy,
-
so I knew who it is. And he was walking up
to me and asked: “Are you the plaintiff?”
-
And I said: “Yeah, hey!” and he was
trying to talk to me and I said:
-
“Did you manage calling everybody by now
or do you still need a couple of numbers?”
-
audience laughing
-
And he was like: “(?) arrogant!”. He was
like: “He didn’t just ask this question?”.
-
He said: “No, we kind of we’re in contact
with all of our colleagues and of course
-
we have to kind of push for the interest
of the US” and blablabla. I thought:
-
“This is very interesting!”. But
anyway, it didn’t help them.
-
No one of them was really kind
of arguing for the US, actually.
-
The findings of the European Court of
Justice, so what was in the judgment
-
in the end. First of all, Safe Harbor
is invalid. Which was the big news.
-
And this was over night. We were expecting
that they would have a grace period
-
so it’s invalid within 3 months or
something like this. But in the minute
-
they were saying it there all your data
transfers to the US were suddenly illegal.
-
applause
Which was kind of big.
-
The second biggie was that they actually
said that the essence of your rights
-
is violated. Now this, for an average
person, doesn’t mean too much.
-
But for a lawyer it says: “Oh my
god, the essence is touched!!”.
-
To explain to you what the essence is and
why everybody is so excited about it is:
-
basically if you have a violation of
your rights you have no interference.
-
So if a policeman was walking
down the street and watching you
-
there’s no interference with any of your
rights. If they probably tapped your phone
-
there is some kind of proportionality
issue which is what we typically debate
-
before a Court. There is a system how
you argue if something is proportionate
-
or not. So e.g. Data Retention
was not proportionate.
-
And Data Retention would be somewhere
here probably. points to slide
-
So not legal anymore but
still in a proportionality test.
-
And then there is “the essence”
which means whatever the fuck
-
you’re trying to do here is totally
illegal because what you’re doing
-
is so much out of the scale
of proportionality that
-
it will never be legal. And on Data
Retention it actually said that
-
for the first time…
applause
-
applause
-
…and this was actually the
first time as far as I saw
-
that the European Court of Justice has
ever said that under the convention.
-
So the convention is only
in place since 2008, I think.
-
But it’s the first time they actually
found that in a case which was
-
huge for law in general. There
was a couple of findings
-
on Data Protection powers that
are not too interesting for you.
-
What may be interesting is that
-
– there is a story to this picture
that’s the reason I put it in –
-
basically they said that a
third country doesn’t have
-
to provide adequate protection, as
I said before. So the story was
-
that third countries originally had
to provide equivalent protection.
-
But there was lobbying going on,
so the word “equivalent” was
-
changed to “adequate”. And
“adequate” means basically nothing.
-
Because anything and nothing can be
adequate. “Adequate” has no legal meaning.
-
I mean if you ask what an adequate
dressing is – you don’t really know.
-
So they changed that actually back to the
law… to the wording that was lobbied
-
out of the law and said it has to be
“essentially equivalent” and that’s how
-
we now understand “adequate”. Which is
cool because any third country now
-
has to provide more or less the same
level of protection than Europe has.
-
There has to be effective detention
and supervision mechanisms. And
-
there has to be legal redress. Just
a really short thing on the picture:
-
I was actually just pointing at two
people and they were taking a picture
-
from down there to make it a Victory
sign. And that’s how the media
-
is then doing: “Whoo”.
making short Victory gesture
-
I have to speed up a little bit.
Not too much but a little bit.
-
The future, and I think that’s probably
relevant for you guys as well…
-
First of all, what this whole judgment
means. First of all the US
-
basically lost its privileged
status as being a country
-
that provides adequate [data] protection.
Which is kind of the elephant in the room
-
that everyone knew anyway, that they’re
not providing it. And now, officially,
-
they’re not providing it anymore. And the
US is now like any third country.
-
So like China or Russia or India or
any country we usually transfer data to.
-
So it’s not like you cannot transfer
data to the US anymore.
-
But they lost their special status.
Basically what the judgment said:
-
“You can’t have mass surveillance
and be at the same time
-
an adequately [data] protecting country”.
Which is kind of logical anyway.
-
The consequence is that you have to
use the derogations that are in the law
-
that we have for other countries as well.
So a lot of people said: “You know,
-
the only result will be that there will be
a consent box saying ‘I consent that my
-
[personal] data is going to the US.’”
Now the problem is: consent has to be
-
freely given, informed, unambiguous
and specific; under European law.
-
Which is something all the Googles
and Facebooks in the world have
-
never understood. That’s the reason
why all these Privacy Policies are
-
typically invalid. But anyway. So if
you have any of these wordings that
-
they’re currently using, like “Your data
is subject to all applicable laws” it’s
-
very likely not “informed” and
“unambiguous”. Because you don’t have
-
any fucking idea that your data is
ending up at the NSA if you read this.
-
So what they would have to do is to have
some Policy saying: “I agree that all of
-
my personal data is made available to the
NSA, FBI and whatsoever – YES/NO”.
-
applause
Because it has to be “freely given”, so
-
applause
I have to have the option to say “No”.
-
Now this would theoretically be possible
but under US law they’re placed under
-
a “gag order”, so they’re
not allowed to
-
say this. So they’re in a legal kind of
-
Limbo because on the one hand they have to
say: “It’s this way” but on the other hand
-
they have to say “No it’s not”. So consent
is not going to give you any solution.
-
Then there are Standard Contractual
Clauses. That’s the one from Apple that
-
they’re using right now.
-
And Standard Contractual Clauses allow
you to have a contract with a provider
-
in a third country. And that
pledges to you in a contract
-
that all your data is safe. The problem
is that they have exception clauses.
-
That basically say: “If there’s mass
surveillance your whole contract is void”
-
because you cannot have a contract
saying: “Hereby I pledge full Privacy”
-
and at the same time be subject to these
laws. And this is the interesting thing:
-
all these companies are saying: “Now we’re
doing Standard Contractual Clauses”,
-
but none of them are going to hold
up in Courts and everybody knows,
-
but of course to their shareholders
they have to tell: “Oh we have
-
a wonderful solution for this.”
-
The big question here is if we have
a factual or legal assessment.
-
So do we have to look at factually what
data is actually processed by the NSA
-
and what are they actually doing. Or do we
just have to look at the laws in a country
-
and the possibility of mass access. So the
factual assessment works fine for Apple,
-
Google etc. who are all in these Snowden
slides. If you look at the abstract and
-
legal assessment which is legally the
thing that probably we have to do
-
you actually end up with questions like
Amazon. Amazon was not a huge
-
cloud provider when the Snowden slides
were actually drafted and written.
-
They’re huge now. And very likely
they’re subject to all of these laws.
-
So how do we deal with a company like
this? Can we still forward [personal] data
-
to an Amazon cloud? If we know
they’re subject to these US laws.
-
So this is the question of which
companies are actually falling
-
under this whole judgment.
-
Basically you still have a couple of
other exemptions. So this basic thing
-
that a couple of people say that you’re
not allowed to book a hotel [room]
-
in the US anymore is not true. There
are a lot of exceptions in the law e.g.
-
the performance of a contract. So if
I book a hotel [room] in New York online
-
my [personal] data has to go to New York
to actually book my hotel [room]. So
-
in all these cases you can still transfer
[personal] data. The ruling is mainly
-
on outsourcing. So if you could
theoretically have your [personal] data
-
in Europe you’re just not choosing because
it’s cheaper to host it in the US or
-
it’s easier or it’s more convenient. In
these cases we actually get problems.
-
So what we did is we had a second round
of complaints. That is now taking
-
these judgments onboard. You can download
them on the web page as well. And there’s
-
also the deal that Facebook Ireland
with Facebook US has signed.
-
To have safety to your data. And this is
currently under investigation in Ireland.
-
Basically I argued that they have a
contract but the contract is void because
-
US law says they have to do all this mass
surveillance. I just got the letter that
-
on November, 18th Facebook has actually
given them [to the DPC] a huge amount
-
of information on what they’re actually
doing with the data. This is now going
-
to be under investigation. The big
question is if the DPC in Ireland is
-
actually giving us access to this
information. Because so far all these
-
evidence that they had they said:
“it’s all secret and you cannot know
-
what Facebook is doing with your data
even though you’re fully informed about
-
what they’re doing with your data.”
Which is kind of interesting as well. But
-
– different issue. A big question was also
if there’s gonna be a Safe Harbor 2.0.
-
I already was told by everybody they’re
not gonna call it a Safe Harbor anymore
-
because they’re stuck with media
headlines like “Safe Harbor is sunk”
-
or something like this.
-
And what happened is that the US has done
a huge lobbying effort. They have said
-
right on the day that all of this is based
on wrong facts and they’ve never done
-
any of this; and all of this
is Trade War; and blablablabla.
-
So they put a lot of pressure on them.
I was actually talking to Jurova,
-
the Justice Commissioner. And I was
impressed by her. She actually took
-
a whole hour and she really knew what
was going on. And at the time they had
-
press releases saying: “We’re really
deeply working on the new Safe Harbor”.
-
And I was asking Jurova: “Did you get
any of the evidence you need to make
-
such a finding?” And the answer
was: “Yeah, we’re still waiting for it.
-
We should get it next week”.
Which basically meant this
-
is never going to work out anymore. But
of course I think there’s a blame game
-
going on. The EU has to say: “We
tried everything to find a solution”
-
and the US is saying: “We tried
everything to find a solution, too”.
-
And then in the end they will blame
each other for not finding a solution.
-
That’s my guess. But
we’ll see what happens.
-
The basic problem with a Safe Harbor 2
is that in the government sector
-
they’d basically have to rewrite the whole
US legal system. Which they haven’t done
-
for their own citizens. So they will very
likely not do it for European citizens.
-
Like judicial redress. Not even an
American has judicial redress. So
-
they would never give that to a European.
And the private area: they actually
-
have to redraft the whole Safe Harbor
principles because they now have to be
-
essentially equivalent of
what Europe is doing.
-
So this would also protect people on
the private sphere much more but it
-
would really take a major overhaul of
the whole system. To give you an idea:
-
all of these processing operations
are covered by European law. So
-
from collection all the way
to really deleting the data.
-
This is what’s covered by the Safe
Harbor principles. Only 2 operations
-
which is at the closure by “transmission”
and the “change of purpose”. Anything else
-
they can do as fully as they wanna do
under the current Safe Harbor things.
-
So if you talk about “essentially
equivalent” you see on these spaces
-
already points to slide
that this is miles apart.
-
So what is the future of US-EU-US data
flows? We will have massive problems
-
for the PRISM companies. Because
what they’re doing is just a violation
-
of our Fundamental Rights. Give or take
it – you can change the law as much
-
as you want but you cannot
change the Fundamental Rights.
-
And you’ll have serious problems
for businesses that are subject
-
to US surveillance law in
general. So I’m wondering
-
what the final solution is. And that
was part of the issue that I had
-
with the cases. Typically I like
to have a solution for all of this.
-
In this case I could only point at the
problems but I couldn’t really come up
-
with solutions. Because solutions are
something that has to be done politically.
-
An interesting question was: “How
about EU surveillance, actually?”
-
Because aren’t they doing more or
less the same thing? Which is true.
-
And the problem is that the Charta of
Fundamental Rights only applies
-
to anything that’s regulated by the EU.
And national surveillance is exempt
-
from any EU law. It’s something that
member states are doing all by themselves.
-
So you’re out of luck here. You
can possibly argue it through
-
a couple of circles; but it’s hard to
do. However, 7 and 8 of the Charta
-
– exactly the same wording as the
European Convention of Human Rights.
-
And this applies to National Security
cases. So the relevant Court here
-
is actually in Strasbourg. So you
could probably end up at this Court
-
with the same argument and say: if they
already found that this is a violation
-
of your essence in Luxembourg – don’t
you want to give us the same rights
-
in Strasbourg as well? And these cool
Courts are in kind of a fight about
-
kind of providing proper Privacy
protection and protection in general.
-
So very likely you can walk up with
a German case or with a UK case
-
or a French case and pretty much do
the same thing here. So the judgment
-
will be interesting for European
surveillance as well because
-
it’s a benchmark. And you can hardly
argue that the US is bad and we’re
-
not doing the same thing. Either solutions
are possibly technical solutions.
-
So what Microsoft did with the cloud
services and hosting it with the Germans.
-
And the German Telekom. And there
is really the issue that if you can get
-
a technical solution of not having any
access from the US side you can actually
-
get out of the whole problem. So you can
try with encryption or data localization;
-
all this kind of stuff. However none
of this is really a very sexy solution
-
to the whole issue. However it's
something that you can possibly do.
-
Last thing: enforcement. And this a
little bit of a pitch, I got to confess.
-
We have the problem so far that
-
we have Data Protection law in Europe.
-
But we don’t really have enforcement. And
the problem is that the lawyers don’t know
-
what’s happening technically. The
technical people hardly know
-
what the law says. And then you
have a funding issue. So the idea
-
that I have right now is to create some
kind of an NGO or some kind of
-
a “Stiftung Warentest for Privacy”. To
kind of look into the devices we all have
-
and kind of have a structured system of
really looking into it. And then probably
-
do enforcement as well if your
stuff that you have on your device
-
is not following European law.
I think this is an approach that
-
probably changes a lot of the issues.
It’s not gonna change everything.
-
But this could possibly be a solution to
a lot of what we had. And that’s kind of
-
what we did in other fields of law as
well. That we have NGOs or organizations
-
that take care of these things. I think
that would be a solution and probably
-
helps a little bit. Last - before we
have a question/answer session –
-
a little Bullshit Bingo to probably get a
couple of questions answered right away.
-
So the first thing is that a lot
of questions are if the EU
-
does the same thing. I just answered it:
Of course they do the same thing and
-
we’ll have to do something about it
as well. And I hope that my case
-
is a good case to bring other cases
against member states of the EU.
-
The second question is these whole PRISM
companies are saying they don’t do this.
-
It’s absurd because they’re all placed
under gag orders. Or the people that are
-
talking to us don’t even have the
security clearance to talk about
-
the surveillance system. So it’s insane
when a PR person comes up and says:
-
“I hereby read the briefing from Facebook
that we’re not doing this!”. Which
-
basically is what we have right now.
And that’s what a lot of the media
-
is referring to as well. Another thing
that Facebook and the US government
-
have argued later is that they weren’t
asked. They were not invited to the Court
-
procedure. The fun thing is: both of them
totally knew about the Court procedure.
-
They just decided not to step in and not
to get a party of the procedure. So they
-
were like first: “Ouh,
we don’t wanna talk
-
about it” and then when the decision
-
came around they were like:
“Oh we weren’t asked”.
-
Of course it’s a win-on-paper mainly
but we’re trying to get it implemented
-
in practice as well. And there
is kind of this argument
-
“The EU has broken the Internet”
which I typically rebut in “No, the US
-
has broken the Internet and
the EU is reacting to it”.
-
applause
-
Another issue that was interesting
is that a lot of the US side said that
-
this is protectionism. So the EU is only
enforcing these Fundamental Rights
-
to hurt US companies. Which is funny
because I’m not involved in kind of
-
getting more trade to Europe. I’m
just like someone interested in
-
my Fundamental Rights. And secondly the
European politics has done everything
-
to kind of not get this case to cross.
So kind of this idea that this is
-
a protectionist thing is kind of strange,
too. And the last question which is:
-
“What about the Cables? What about all
the other types of surveillance we have?”
-
They’re an issue, too. In these cases you
just have more issues of actual hacking,
-
government hacking, basically. So
illegal access to servers and cables.
-
Which is harder to tackle with than
these companies. Because we have
-
this private interference. So there are a
lot of other issues around here as well,
-
I was just happy to kind of get one thing
across. And I’m happy for questions,
-
as well.
applause
-
Herald: Alright…
applause
-
Max: at lowered voice
Wie lange haben wir noch für Fragen?
-
Herald: We have about
10 minutes for questions.
-
I would ask you to please line up at
the microphones here in the hall.
-
We have 6 microphones. And we have also
-
questions from the IRC.
While you guys queue up
-
I would take one from the internet.
-
Signal Angel: Yeah, just
one – for the first time.
-
Does TTIP influence any of this?
-
Max: Basically, not really. Because
the judgment that was done was
-
on the Fundamental Rights. So if they
have some kind of wording in TTIP
-
it would again be illegal. And there was
actually a push to get something like that
-
into TTIP. And as far as I know this idea
was done, after the judgment. laughs
-
Just a little intro: EDRI has organized
an ask-me-anything thing at 7 PM as well.
-
So if you got specific questions, you
can also go there. Just as a reminder.
-
Herald: OK, great.
Microphone No.2, please.
-
Question: Thank you for your
efforts. The question would be:
-
Could US businesses
under these findings ever
-
be again employed
in critical sectors? E.g.
-
public sector, Windows in the
Bundestag, e.g. and stuff like that?
-
Max: Yep, yip. That’s a huge problem.
And that’s a problem we had for a while.
-
I was mainly talking actually with people
in the business area. I’m mainly invited
-
to conferences there. And people
were telling me: “Yeah, we’re doing
-
all our bank data on Google
now”. And I was like: WTF?
-
Because this is not only Privacy.
That’s also trade secrets, all of
-
this kind of stuff. So there is this
huge issue and if you talk about
-
the new Windows that is talking home a
little more than the old did, you probably
-
have the same issue here because
Microsoft is falling under the same thing.
-
Q: No plausible deniability,
therefor culpability.
-
M: Yep, yep, yep.
Q: Thank you!
-
Max: Thank you!
-
Herald: OK, microphone No.3,
please, for your next question.
-
Question: How would you assess
Microsoft saying they put up
-
a huge fight that they… well,
-
they said they had customers’
data in Ireland and they said
-
they refuse to give it to the FBI.
What’s to think of that?
-
Max: I think to be fair a lot of
these companies have realized
-
that there is an issue. And that
they are the “Feuer am Arsch”.
-
And Microsoft… actually a couple of
Microsoft people is talking to me
-
and is like: “We’re actually not
unhappy about this case because
-
we have a good argument in the US
now that we’re getting troubles here…”
-
But the companies are between
these 2 chairs. The US law says:
-
“We kill you if you’re not giving us all
the data” and the problem so far is
-
that in the EU… e.g. in Austria
-
the maximum penalty is 25.000 Euro
if you don’t comply with this.
-
Q: Peanuts.
M: Which is absurd.
-
And in most other countries it’s the same.
We now have the Data Protection regulation
-
that is coming up which gives
you a penalty of a maximum
-
of 4% of the worldwide turnover,
which is a couple of millions.
-
And if you want to thank someone there’s
Jan Philipp Albrecht, probably in the room
-
or not anymore, who is the member of [EU]
Parliament from the Green Party, that’s
-
actually from Hamburg who
has negotiated all of this.
-
And this actually could possibly
change a couple of these things.
-
But you have this conflict of laws
and solutions like the Telekom thing –
-
that you host the data with the Telekom –
could possibly allow them to argue
-
in the US that they don’t have any factual
access anymore so they can’t give the data
-
to the US Government. But we’re splitting
the internet here. And this is not really
-
something I like too much, but
apparently the only solution.
-
Herald: OK, thank you for your
question. We have another one
-
at microphone 4, please.
-
Q: Thank you very much for your
efforts, first of all. And great result!
-
M: Thank you.
Q: The question from me would also be:
-
Is there any change in the system
in Ireland now? So somebody has
-
a similar struggle to yours – the
next round might be easier or not?
-
Max: Basically what the Irish DPC got
is a wonderful new building. And
-
the press release is too funny.
Because it says: “We have a very nice
-
Victorian building now downtown Dublin
in a very nice neighborhood“ and blablabla
-
and they get double the staff of what
they had before. The key problem
-
is none of this. I only took the picture
because it kind of shows what’s
-
inside the building. And the key
problem is that we have 2 countries
-
– Luxembourg and Ireland, where
all of these headquarters are – and
-
these 2 countries are not interested
in collecting taxes, they’re
-
not interested in enforcing Privacy Law,
they’re not interested in any of this. And
-
they’re basically getting a huge bunch of
money in the back of the rest of the EU.
-
And until this actually changes
and there’s a change of attitude
-
in the Irish DPC it doesn’t really
matter in which building they are.
-
So they got a lot of more money to kind
of – to the public – say: “Yes we have
-
more money and we have
more staff and dadadadada”…
-
Q: …but the system did not change!
-
M: The big question is what the system is
doing: they can prove now! As they have
-
the new complaint on their table on Safe
Harbor and PRISM and Facebook.
-
They can prove; if they do something
about it or not – my guess is that
-
they’ll find “some” random reasons
why unfortunately they couldn’t do
-
anything about it. We’ll see.
Q: OK, thanks!
-
Herald: OK, thank you! It’s
your turn, microphone No.2.
-
Question: OK, thank you very much and also
thank you for your service for the public.
-
M: Thanks for the support!
applause
-
Q: What that will…
Sorry about the English…
-
M: Sag's auf Deutsch!
-
Q: Was bedeutet das eigentlich für die
Geschichte mit der Vorratsdatenspeicherung
-
wenn die jetzt wieder kommt?
Und inwiefern wird Social Media
-
damit jetzt sozusagen freigestellt
wieder oder nicht?
-
M: To be honest I didn’t really look
into the German Data Retention thing
-
too much. To be honest, being an Austrian
I’m like “Our Supreme Cou… Constitu…”
-
Q: Me, too!
audience laughing
-
M: Yeah, I heard. “Our Constitutional
Court kind of killed it”, so…
-
I don’t think we’ll see a Data
Retention in Austria too soon.
-
But for Germany it’s gonna be interesting
especially if you find a way to
-
go to Luxembourg in the end. Like if you
find some hook to say: “Actually,
-
this German law violates something
in the Data Protection Regulation
-
or in the Directive“. So we can probably
find a way to go back to Luxembourg.
-
Could help. The other thing is that just
the fact that the Luxembourg Court
-
has been so active has probably boosted
up a lot of the National Courts as well.
-
Because the German decision, I had
the feeling was like a “We don’t really
-
feel like we can fully say that this is
actually illegal and we kind of argued
-
that it’s somehow not illegal the way
it is, but possibly you can do it
-
in the future and uooah…“. And after
Luxembourg has really thrown
-
all of this right out of the door and was
like: “Get lost with your Data Retention
-
thing and especially with the PRISM thing”
you probably have better case law now,
-
as well. And that could be relevant
for National Courts as well. Because
-
of course these things are question of
proportionality. And if we ask everybody
-
here in the room what they
think is proportionate or not,
-
everyone has another opinion. And
therefore it’s relevant what our people
-
are saying and what other Courts are
saying to probably get the level of
-
what we feel as proportionate
somehow a little bit up.
-
Q: So thank you very much. And go on!
M: Thank you!
-
Herald: OK, just for the record, in
case you couldn’t tell by the answer:
-
the question was about the implications
for the Data Retention Laws, like
-
in Germany and Austria. Microphone
No.1, we have another question.
-
Question: Hi! Two questions. One: could
you tell a little bit more about your idea
-
of “Stiftung Datenschutz” Europe-wide?
And how do we get funding to you…
-
M: Send me an email!
Q: …if you don’t mind?
-
Second question: when I argue with people
about like “Let’s keep the personal data
-
of all activists within Europe!” I always
get this answer: “Yeah, are you so naive,
-
do you think it’s anything different
if the server stands in Frankfurt
-
instead of San Francisco?”
What do you say to that?
-
Max: The same problem, like pretty much
what we have is – and that’s the reason
-
why I said I hope this judgment is used
for National surveillance in Europe,
-
as well. Because we do have the same
issues. I mean when you are an Austrian
-
and the German “Untersuchungsausschuss”
is basically saying: “Ah, we’re only
-
protecting Germans” I feel like my
fucking data is going through Frankfurt
-
all the times. And I’m kind of out of
the scope, apparently. So we do need
-
to take care of this as well. I hope
that this is a case showing that
-
you can actually take action. You
just have to poke long enough and
-
kind of poke at the right spot especially.
And I think this is something that…
-
there’s not an ultimate solution to it.
It’s just one of the kind of holes
-
that you have. The other thing that we
may see is that a lot of companies that
-
are holding this data are much more
questioning an order they get.
-
Because if they get legal problems from
an order they got by a German Court
-
or whatever it is they probably
are now more interested in – and
-
actually looking at it. Because
right now it’s cheaper for them
-
to just forward the data. You don’t need
a whole Legal Team, reviewing it all.
-
So I think to kind of split the private
companies that are helping them
-
from the Government and kind of get some
issue between them probably helps there,
-
as well. But of course it’s just like
little peanuts you put in there.
-
But in the end you have that
issue, in the end. Yeah.
-
On the “Stiftung Datenschutz” or whatever:
I think that’s kind of a thing I just
-
wanted to blow out to people here, because
I’m mainly in the legal sphere and in,
-
like the activist/consumer side. And
I think that’s the big problem we have
-
in the legal and consumer side is that we
don’t understand the devices that much.
-
And we lack the evidence. We
don’t really have the evidence of
-
what’s actually going on on devices
and you need to have this evidence
-
if you go in front of Courts. I think
a lot of the people in the room probably
-
have this evidence somewhere on the
computer. So the idea of really getting
-
this connection at some point – it’s not
something I can pitch to you right away,
-
because it’s not… like I don’t wanna
start it tomorrow. But it’s something
-
I wanted to circulate to get feedback
as well, what you guys think of it.
-
So if there’s any feedback on it, send me
an email, or twitter. Or whatever it is.
-
applause
-
Herald: So we do have a bit time left,
-
microphone No.2 with the
next question, please.
-
Question: What can I do as an individual
person now? Can I sue Google
-
or can I sue other companies
just to stop this?
-
And would it create some
pressure if I do that?
-
So what can the ordinary
citizen do now?
-
Max: We’re right now… I already prepared
it but I didn’t have time to send it out
-
to have complaints against the Googles and
all the others that are on the PRISM list.
-
We started with Facebook because I kind
of know them the best. And, you know, so
-
it was a good start. And the idea
was really to have other people
-
probably copy-pasting this. The complaint
against Facebook we actually filed
-
with the Hamburg DPC, as well, and the
Belgium DPC. The idea behind it was
-
that the Irish now suddenly have 2 other
DPCs that are more interested in
-
enforcing the law in their boat. So
they’re not the only captains anymore.
-
And it’s interesting what’s gonna happen
here. If there are other people
-
that have other cases and just file a
complaint with your Data Protection
-
authority, a lot of them, especially the
German Data Protection authorities
-
– most of them – are really interested
in doing something about it, but
-
they oftentimes just need a case. They
need someone to complain about it and
-
someone giving them the evidence and
someone arguing it, to get things started.
-
So if anyone is using Google Drive
or something like that – let’s go.
-
And basically the wording is on our web
page. You just have to download it
-
and reword it. And we’re gonna probably
publish on the website the complaints
-
against the other companies, as soon as
they’re out. Probably the next 2..3 weeks.
-
Something like this. So just
copy-paste and spread the love.
-
Herald: OK, thank you
very much, Max, again!
-
For your great talk. This is it!
-
postroll music
-
Subtitles created by c3subtitles.de
in 2016. Join and help us do more!
