This is not a done deal yet, but it is a very interesting development and one that, if it holds, could have a significant impact on a lot of countries, including the U.S.
Over the last few years, a number of countries have enacted laws that allow their intelligence apparatuses to override many privacy laws and hoover up vast quantities of data without any particular justification – just in case. They say that they don’t know what they might need – until they do. And, there is some justification to that story. Some. Justification.
The EU high court, technically called the Court of Justice of the European Union or ECJ, can appoint an advocate to advise it on matters where it feels that is justified.
In this case, Privacy International, a privacy rights organization, sued both the UK and France over their respective laws that require businesses to hand over anything the authorities ask for just because they say the magic words “national security”.
Specifically, this case says that the UK’s Investigatory Powers Act (also referred to as the Snooper’s Charter) and France’s Data Retention law go too far.
What happened yesterday is that the Advocate General advising the high court released his opinion.
The opinion says that screaming “terrorist” is insufficient grounds for violating people’s rights under the European Directive on privacy and electronic communications.
Very importantly, the ECJ has not handed down its opinion yet; this is just the advice from the AG. HOWEVER, the ECJ does agree with the AG about 80 percent of the time.
*IF* the ECJ does agree with the AG, that will mean several things:
- UK’s Snooper’s Charter is likely illegal under EU law and will need to be revised if the UK wants to enforce it in the EU.
- Likely France’s Data Retention law would violate EU law.
- For those of us in the U.S., it would likely mean that the U.S. government’s use of large-scale data vacuum cleaners also does not comply with E.U. law.
The AG said that whatever the government does by itself is OK IF IT IS INTENDED TO SAFEGUARD NATIONAL SECURITY AND IS UNDERTAKEN BY THE PUBLIC AUTHORITIES THEMSELVES, WITHOUT REQUIRING THE COOPERATION OF PRIVATE INDIVIDUALS. So, for example, they could intercept data on fiber optic Internet cables but they can’t ask AT&T to let them tap those cables (which they did) and cannot ask Google or Facebook to hand over their encryption keys.
What the AG is saying is that, rather than vacuuming up terabytes of data per hour, any hoovering needs to be done “on an exceptional and temporary basis” and only when justified by “overriding considerations relating to threats to public security or national security”.
When the U.K. leaves the E.U. – maybe this month – it doesn’t have to be bound by E.U. law, but if it doesn’t agree to abide by E.U. law, then companies in the E.U. will not be able to send data to the U.K. and U.K. companies will not be able to collect any data of E.U. residents.
Probably more important for U.S. companies is this.
A few years ago, when the E.U. started enacting privacy laws, they said that laws in the U.S. were not adequate to protect the privacy of E.U. citizens so data collected by U.S. companies could not be sent to the U.S.
In response to that, the U.S. and E.U. came up with this agreement called Safe Harbor which supposedly protected the privacy rights of E.U. residents.
Unfortunately, this same court ruled that Safe Harbor didn’t really protect the rights of E.U. citizens. This threw U.S. businesses that suck large quantities of data out of the E.U. into a bit of a tailspin.
After Safe Harbor was struck down, the U.S. got out a large tube of lipstick and put it on Safe Harbor. The new agreement was called Privacy Shield and it is under review by this same court right now.
If the ECJ agrees with the AG in this different case, it seems like a REALLY small step to say that Privacy Shield doesn’t hack it either, which would create tailspin 2.0.
That would require that the U.S. and E.U. try a third time to come up with something that the courts will hold as adequate.
Various authorities have gotten their respective countries to pass laws that say that, as long as they claim “national security”, privacy laws do not apply. Countries that have done this include the U.S., U.K. and Australia, three of the “five eyes” countries.
This battle is far from over, but this is a very interesting development. Source: The Register