Yeah, I don't really think I have to introduce you, Max, do I? But I try. I'm happy for anything. My fellow Austrian Max, the guy who's trying to beat Facebook. Yeah, pardon my French. Okay, how long have we been at it now? One and a half years, two years, more than two years. What's that like, how long have we been at it now, if you've been at it with Facebook generally? Yeah, 2011, seven years, soon seven years. Whoops, I missed the beginning there. It's a long story. You all know what that means. Yeah, somebody who does not know what that means? Wow, I'm impressed, or they just don't want to. Basically there are three procedures. We had a couple of, we had like the first three years in Ireland, which we took back because the DPC there, the authority, didn't really want to do much of a job. The cleaning woman left the job. You said that. And then there was actually the Safe Harbor case, which I'm gonna talk about today, which started in 2013. It's still pending right now in Irish courts. It went all the way to Luxembourg to the Court of Justice, back to Ireland, and now back up to the Court of Justice. So that's your, didn't it, and this ping pong. And there is a class action we're actually having at the Court of Justice right now, and we're waiting for the judgment on that, to see if we can enforce privacy through class action. So yeah, we're basically going through all the options of privacy enforcement, to not just have stuff in the law but probably in practice at some point as well. Isn't that nice when friends do the job for you?
Let's have another big hand for Max Schrems, giving you The Privacy Shield: Lipstick on a Pig. Thanks a lot for the invitation. Sorry for anybody that has to translate me, because I'm very fast at talking and probably it's sometimes hard to understand, people tell me. I'll try to slow down, but at the same time we have 30 minutes and I have to go through a lot of stuff. Basically I was asked to talk about Privacy Shield, and we called it lipstick on a pig because it's the old Safe Harbor agreement. A bit of a background story, probably, on that: what is Safe Harbor and what was the whole story behind all of this? We did have the surveillance slides that Snowden disclosed, where we basically knew that a couple of the big IT companies take part in a program that's called PRISM, which is a US surveillance system, basically. An interesting thing here is that from a legal perspective, I'm a lawyer, the big promise, a lot of that was oftentimes conspiracy, hard to prove in courts. And if you want to bring a case you need to have very, very solid evidence, because if you're to claim, then you have to prove stuff. So if you just walk around and say, oh, there's a law and they couldn't, they may, it's not going to be good enough. The interesting thing with the disclosures by Snowden was that we actually had slides, we actually had evidence that made sense that we could actually present to a court. And that was the only reason this whole case ever happened: because of Snowden. Thanks for that, by the way. That was kind of the factual side, that we knew that these companies basically forward data to the US government. And the interesting thing from a legal perspective is how legally that works in the US. And there's oftentimes talk about US law, and I just want to kind of summarize that real quick. It's not a hundred percent precise, but it gives you an idea how the law in the US works. It basically says that there needs to be a so-called electronic communication service provider, so that's your Google, Facebook and so
on. The interesting thing is these surveillance laws do not apply to an ordinary business, to the, you know, airline or something that sends data to the US. They're actually very specific in the surveillance law on electronic communication service providers. And they need to have what they call foreign intelligence information, and that is very broad wording that basically excludes anything that the US may be interested in for diplomatic reasons and so on. So it's not very specific, it's not your terrorist or something. It's basically espionage and all of that as well. And that's pretty much the two things you need under FISA. And on top of that, all of the stuff that's below that line is then classified. There's a so-called certification for one year. Now typically the US says, yeah, there's legal process when we have surveillance, there's some court involved. But what that court does, the FISA court, is that it certifies a surveillance program for a whole year. It doesn't look at individual surveillance, at the individual person that is actually surveilled. It just certifies a program like Upstream or PRISM for a whole year. That's all the court does. It doesn't look at the individual case where data is actually pulled. The whole idea of that is that there are so-called minimization and targeting procedures that basically filter out the US persons, so anybody that lives in the US or is a US citizen. If you're European, this whole minimization and targeting procedure doesn't apply to you, so you're not protected on any of that. The reason for that is, if you would have surveillance that goes as far as FISA does for US people, you would actually violate the Fourth Amendment under the US Constitution. So all of what the US does right now would be unconstitutional if they would do it on US citizens, but since fundamental rights in the US don't apply to foreigners,
they can do it with us. And that's the whole idea of this whole minimization and targeting procedures: to filter them out. And then there is a so-called directive to a service provider. It doesn't specifically say in the law what it does and how it works, but it's basically telling a service provider that there has to be some technical interface to pull the data. That's the order that goes to an individual service provider saying you have to give us the data. That's not done by the court, that's actually done by the US government, that order. The court actually just certifies the whole surveillance program once a year. So if I'm now a little smiley down here, and I'm a Facebook customer and I have a conflict with Facebook Ireland, my data actually goes straight to the servers of Facebook Inc., the US parent company. And there are two ways that the data, as far as we know yet, but there could be legally more ways, two ways where we're sure that data is pulled. That's basically Upstream, where they pull it on the cable, and then there's PRISM, where they could pull it from the service, off the service provider. PRISM makes sense if you, for example, have it encrypted. That way you can still pull it from the service if you can't get it through Upstream. Upstream is much broader. Both of that works under FISA. Upstream can possibly also work under 12333, an executive order. That's the two legal bases for that. And there are a couple of guidelines and stuff I'm gonna touch on later, but that's the legal basis and that's what we have to look at. So there are a couple of things that are disputed, that we don't know yet: the exact technical implementation, the amount of data that's really pulled, the review mechanisms that are internal, because all of that is classified and we don't have any proof of it. There's a lot of rumors, a lot of hints, but not really anything that was solid. Now that was basically what Snowden disclosed, and what was interesting to me were the reactions.
We had demonstrations, we had the European Parliament doing resolutions, the European Commission did a wonderful review, Merkel was pissed about her phone, and that was basically the reaction. And we knew that this is not gonna go far. So the idea was, how can we make a legal case out of this? And that was the original Safe Harbor case at the Court of Justice, and the strategic approach there was kind of interesting. If you bring a case like that you have to be very strategic, because you're gonna go against a big government, and you have to find some point where you can hit without having a hundred lawyers scream back at you and you're kind of messed up. But you need to find like the one little bit where you can actually pull in and where you can actually get stuff done. So the interesting thing was that we actually have a situation of public-private surveillance partnership. We have the internet service providers that get the data and the government that pulls it from them. So it's this combination of private and public that was interesting legally. Then the interesting thing is, in our case, Facebook was subject to US law and EU law. They're headquartered in Ireland, 84% of their users are operated out of Ireland, so you can say it's an 84 percent European company. So I guess they have to follow European law. At the same time their mother company is in the US, so they have to follow that law at the same time. And EU law regulates third country transfers. So if you have personal data in the European Union, you're not allowed to send it to any third country unless you have some legal way to actually protect the data.
So it's basically an export control on personal data. And finally all this EU law has to be interpreted under our fundamental rights treaties. So that was interesting, because even if one company sends data to another company, you have all your fundamental rights applying in this transfer, and this overall connection actually made this case possible. Another feature of European law that was very interesting for us is that the definitions in European law are very broad. So for example, processing data already is just making data available. So one thing in our whole legal strategy was just to never claim that I was actually surveilled by the NSA. I was only saying my data has to be made available to the NSA by Facebook under US law. And that is the interesting thing: if you go very abstract in the case and you kind of try to say the only thing I have to prove is that they have to make it available, not that they actually pulled my data, then you actually leave a lot out of the case that you couldn't possibly prove otherwise. And that's the interesting thing, because that's exactly the difference to US law. There you typically have to prove all these things that you cannot prove, and therefore your case is going to go over. So the interesting thing is, because European law is much broader in their definitions, you could actually bring a case that you would never be able to bring in the US. The other thing that was interesting for us is we basically compared PRISM to data retention and said the surveillance under PRISM is just basically ten times as bad as data retention. And if data retention was illegal in the European Union, then PRISM has to be ten times as illegal. Basically go through the different things the Court of Justice was interested in. A fundamental thing I think that everybody has to understand to talk about these data transfer issues is we have, actually on the very meta level, we have a conflict of law situation here. Basically European law says you need to have
privacy on Facebook servers, in very simple terms, and US law says you have to have surveillance on the same data. And that is the fundamental conflict of all these cases. We have basically a conflict of jurisdiction: one country screams at Facebook and says we need surveillance, the other country screams at Facebook and says you can't do that. And that is the fundamental clash that we actually have in this whole area. It's very different than in the private sector. In the private sector there's basically no general data protection law in the US. Europe has that, and because there is no conflict, there's simply a gap. Companies in the US could actually fill that through self-certification. So we have to separate between the private sector, that we can fix, and the government sector, that we can only fix if we change either European fundamental rights or US surveillance laws. Both is not overly likely right now. What was the legal argument that we brought? If my data goes over to Facebook, this data can only leave the European Union, that's this export control thing, if there's so-called adequate protection in a third country. And my legal argument was very simple, you don't have to study law for that. I was basically walking up to the court and said mass surveillance is not adequate protection, full stop. And so how did the procedure go down? Under Safe Harbor you could actually go to a private arbitration service called TRUSTe, and you had to file a complaint with them first. So I filed a complaint, but because you could only have 100, I think 250 characters at the most, the only thing I could say is: stop Facebook Inc.'s involvement in PRISM. That was the legal argument I could possibly make in that small little box. And they came back to me saying that TRUSTe does not have any authority to address the issue, because a private company can hardly tell the NSA to stop what it's doing. So the next place you got to go is the Irish Data Protection Commissioner. That's the Irish Data Protection
Commissioner. My most favorite slide of any presentation. It's actually, that's a supermarket, and the little red, the little blue door on the very right, that's the Irish DPC. And the interesting thing with the Irish DPC: they now got a new office, because that picture was in the media too much, so they got a fancy office. But at the time Billy Hawkes, their head, was actually going on to national radio in Ireland and said: I don't think it will come as much of a surprise that in fact US intelligence services do have access from US companies. And it was amazing, because he agreed on public radio that factually we're absolutely right. And the big problem in any privacy case is to get the facts right. The facts are always the big issue, the law is kind of the smaller issue. So he went on to national radio, recorded, saying all these facts are actually true, we know that there is surveillance. So that was the most important thing. That's the reason we also went with Ireland. We also filed in Germany, for example, and there I think the authorities are still investigating the case or something like that. But he was stupid enough to walk out into public and say obviously there is all this surveillance, he just felt that legally there is no problem. And so we appealed that to the Irish High Court. That's that. And had our hearing there, and what basically happened in Ireland is that they approved all the facts and passed it on to the European Court of Justice, that's the highest court in the European Union. And because Safe Harbor and the validity of it was at stake, they had to refer to the Court of Justice. At the Court of Justice we actually had a very long one-day hearing. It was really interesting to see how detailed the knowledge was of the judges there.
I was, because that's oftentimes the problem in privacy cases, that the judges don't really know what all of this is, and in this case we're actually really happy with the judges and their understanding of it. And kind of a little side note, I think it was funny: a day before the hearing there were a couple of people texting me, people from different member states texting me: guess who was just calling us? I was like, I don't know. Yeah, it was, ah, someone from the US government was calling us that we should change our position, because the member states can all put their views before the court as well. And apparently the US government has tried to push tremendously the day before to change their positions, but it was too late. Everybody was already on their plane, so they couldn't do anything. And at the hearing actually there was someone from the US mission, and he approached me, and I was like, hey, how are you doing? And he was like, oh, you're the plaintiff. I was like, yeah, you're the watchdog from the US, nice to meet you. And we're chatting, and it was funny, because I was like, you know, and do you still need any phone numbers to call around and tell people what to say in front of the court? Are you done doing that?
And the fun thing is, if you're a student you can say things like that that the diplomats are not allowed to say. And he actually agreed then and said, yeah, we had to kind of make sure that our position is heard. But he said that they only found out about the hearing on Friday night. Then there was the weekend, then they only had Monday to intervene anymore, which was way too late, and on Tuesday the actual hearing happened. So they were simply too late to intervene anymore, even though that hearing I think was on the webpage of the Court of Justice for three weeks. So they have all their wonderful surveillance, but they don't even find out when the actual court date is happening. So that was fun. A really interesting thing happened at the Court of Justice as well. The judgment came out, I think, only two weeks after the Advocate General. At the Court of Justice there's an Advocate General that gives a general opinion about the case, and then there is the actual judgment, and typically that takes two or three months. And we heard rumors that there's gonna be a judgment on, I think, October 6th. And I was like, this is crazy. It's like two days, two weeks or three weeks after the Advocate General, that never happens, it's like totally exceptional. And the rumor goes that the former President of the Court of Justice, that retired on the 7th of October, the day later, wanted to push that judgment out before he retires, as like his goodbye present. So it was actually really interesting to see how apparently judges get very emotional about these privacy cases, which is very good news in the long run if we want to go to the Court of Justice in the future as well. So what did the Court of Justice say? It actually had a very, very bold judgment.
It said two things. First of all, it said that mass surveillance violates the essence of Article 7, which is the right to privacy under the Charter of Fundamental Rights. And that the lack of legal redress, so there's no court to go to and appeal anything, violates the essence of your Article 47 rights, which is your fair trial. And I may note that this is only exciting to me because I'm a lawyer, but in EU law there is a so-called proportionality test. So you test if a law is proportionate or not, and if you have, for example, data retention, it may be somewhere in the disproportionate area or may be proportionate and so on. However, you can have a violation of the essence, which is kind of: no way this is ever gonna be justifiable, budget you hear, no matter how many people you can save from being dead or whatever. It's simply a violation of the essence, so it's outside of even debating proportionality. And our case was the first time where the Court of Justice found that there's a violation of the essence of any fundamental right, in this case the right to privacy. So obviously we argued that, but if you're at the Court of Justice and you get that judgment handed down, everybody's reading something, and some other lawyer screamed out, just like, fuck.
We got the essence, and we're like, strike! So anyways, that's, you know, your fun, but anyways. The other stuff that was interesting was that they said that the third country has to have essentially equivalent protection as the European Union. And that's interesting, because I said before the law only talks about adequate protection, and adequate is not a legally really meaningful word. Adequate, anything and nothing can be adequate. So what actually happened in the law: it said equivalent originally, then it was lobbied out in the 90s to adequate, because that means nothing, and now the court basically lobbied it back in, into essentially equivalent, and basically put the law back to where it was. They said that there had to be effective detection and supervision mechanisms, and they also said that there has to be legal redress in line with Article 47. Now this is very interesting, because none of the European Union countries that have serious surveillance does any of the above. So they actually went very far. It's like, for example, if I'm an Austrian citizen and I'm surveilled by the German services, there is nothing like that in Germany where I could possibly appeal to. How does that happen? The EU treaties have an exception for national security. So anything that is in the national security area is exempt from EU law. The member states never gave that part to the European Union. So the Court of Justice can rule about national security of a third country, because that's not exempt from EU law, but it cannot rule about national security of our own member states, which is a totally absurd situation. But that's the reason why basically the US and Germany or France or so gets along with it without really having a problem.
I'm gonna get back to that later. At least with the UK that is a thing that is solved by Brexit, because then there's a third country and we can bring a case there as well. But you know, you've got to look at the bright side of Brexit too. So actually that's all the pre-story to get to the stuff I should actually talk about, which is Privacy Shield, or so-called Safe Harbor 2.0. I usually call it Safe Harbor 1.1 or something like that, because it's basically the same text. What happened when Safe Harbor was kicked down is basically that the US became like any other third country we transfer data to. So it simply just lost the special status it had before through that treaty. And there are still different possibilities to send data to the US. So for example you can use consent, performance of a contract, so-called SCCs, standard contractual clauses, binding corporate rules and so on. So it's not like you couldn't send data to the US anymore, it was just not that easy, you had to use different legal mechanisms. Facebook actually switched to SCCs, and we have a case right now pending in Ireland where the Irish Data Protection Commissioner sued me and Facebook over the standard contractual clauses. It's still the same complaint as the original case. Where we are right now: we had about four weeks, five weeks in courts in Dublin beginning of this year, with about 20 solicitors and barristers. We had about 45,000 pages produced in this case. We expect about five to ten million in cost for this legal battle, for the second round, where I got sued. Like, I didn't start this, the DPC started that. And there's gonna be a second reference.
We're still fighting over what the question is. So actually the whole case is gonna go back up to the Court of Justice a second time around, just on another legal basis. I can't really talk much about this case because it's a pending case, but let's say Facebook totally fucked up in that procedure. They had like all their wonderful experts with thousands of pages, and when it was before the court you just had to look at the footnotes and you're like, guys, you're actually saying this is in the footnote, but it's not there, you just made it up. And it was amazing to see how they have incredibly well-paid lawyers, but they don't check their own stuff. And it's really, apparently they're so full of themselves that they think we're gonna get away with anything. However, the judge didn't let them get away. So the most important part to me is that actually that judgment that we had in the first round, that's already kind of fixed so I can talk about it, actually again says that there's mass and indiscriminate processing by the US government. So that is actually what they challenge, where they say there is no mass surveillance, and it says exactly that again. So on the whole factual stuff they lost again. That's kind of a little side story. I'm back to the actual Privacy Shield. How did that thing actually happen?
I think you need to understand the history of Privacy Shield to explain why it's bullshit. On January 31st, little fairy tale, there was a deadline by the European data protection authorities, and on January 31st at night the New York Times reports that EU and US couldn't agree on any kind of new deal. And I was talking to the reporter, and he said he got that information in a way that he knows it's a hundred percent certain. So apparently on the 31st the two sides stood up from the table and said there's no agreement, we can't agree on anything here. 48 hours later there was apparently a phone call between the US government and the European Commission, and someone was told that the responsible Commissioner should just get anything done. And 48 hours later the same New York Times with the same reporter reports that there is now a new deal. And we didn't really know the name yet, but 24 hours later there was suddenly this logo and it was called Privacy Shield. And I was talking to people that negotiated it, like, how did he come up with this shitty name? And he said, I didn't know about the name until that actual press conference. Because that deal didn't exist. It was simply a logo with a name and no actual deal. We know that because one week later EPIC, a US privacy NGO, made a Freedom of Information request with the US government asking for the actual text of that deal, and they got a response.
I think two days later, saying that they cannot have the text because the record that you requested does not exist. So one month later there was actually a text, and it's basically Safe Harbor again. It's the same text, most of it is one-on-one the same. Like if you would do a redline comparison of it, probably five percent would be new text, all the rest is basically the same. And they just put a new name on it, call it Privacy Shield, and that's why I basically think it's lipstick on a pig. What's the problem with Privacy Shield if that gets ever back to the Court of Justice? So basically the idea: pig meets court. How would that go down? Under the judgment by the Court of Justice there are two hurdles that Privacy Shield would have to overcome. One hurdle is basically this essential equivalence, which is important in the private sector, and then it also has to be compliant with the Charter of Fundamental Rights, which is relevant for mass surveillance. Just two, three examples why this would not work. Privacy Shield still follows the so-called notice and choice principle in the US. Not consent, not a legal basis to process data, but notice and choice, which is a very kind of, yeah, not very stringent system. In a very simple graphic: on the left, all these types of data processing are covered under EU law, from collecting the data all the way to deleting it. Anything you would do with data is covered by the law, and you need a legal basis for that. Under Privacy Shield you only need to provide an opt-out. So you don't even need to ask for consent or any other legal basis. You only have to provide for an opt-out if you disclose data to someone else or if you change the purpose of the data processing. So if you just compare these two things together, you can say, oh, this is absolutely not essentially equivalent. Basically the one thing is teeny tiny protection and the other one is full protection. If you compare that: if you collect data, use it, store it, all of
that is not even covered. You don't need any legal basis, you can just do it under Privacy Shield. Only if you then disclose or change the purpose, then you actually need to provide an opt-out. So you don't even have to ask for consent, you just need to have some opt-out box on some web page that no one finds. And you can even kill these two things by simply putting a very broad purpose into your privacy policy, saying we use the data for anything we want to use it for. So you will never have to change the purpose if it's that broad, and you basically have a third-party clause where it says you can send the data to anybody else. And thereby you have basically unlimited data processing under Privacy Shield, which should officially be the same thing as European Union law. So it will not add up, ever. The other thing that was interesting was redress, and I think that kind of displays quite well how this is never gonna work in practice. Because imagine I want to get a beef with Facebook for the 21st time and I write my funny little complaint to Facebook. They have 45 days to send me a letter back saying fuck off, and that's what they typically do. Then I can complain to TRUSTe, we already know them from before, that's the guys with the 250 characters to complain about stuff. They're actually chosen and paid for by Facebook, but they're officially independent. So I can complain with them. If my complaint is upheld, they tell Facebook not to do stuff anymore, but it's not enforceable. It's basically an email to Facebook saying don't do this anymore. If they further do it, there is no consequence.
There's no way. They also don't have investigative power, so they cannot figure out what Facebook actually does on its servers. They can only look at whatever I bring up, and I'm usually not gonna be able to bring up much. If I'm unhappy with that I can go to my national DPA in Europe, and they can then raise the issue with the Department of Commerce in the US in an informal procedure. Again, the Department of Commerce doesn't have any investigative powers. So let's say I made an access request, that I want to have a copy of all my data, and Facebook doesn't send anything back. None of these guys can actually find out what Facebook actually stores on their servers to then decide over my access request. If I'm with the Irish DPC I first have to go to a court to sue them to actually do all of that, because they would never do that anyways. And all of them can theoretically go to the Federal Trade Commission, which again doesn't really have too much enforcement powers and not a lot of investigative powers, but definitely more than the others. But the FTC already said they're not gonna do that if they don't like it, and they haven't done that so far. So basically all of that is all in gray, because you don't get anywhere with all of this. Now on top of all of that, and you have to go through all the other things before you can appeal to the so-called Privacy Shield panel, which is gonna be about 10 or 15 lawyers or something like that, and you can have a Skype call, basically, with them, a video conference, and talk with them over your privacy concern. And even their decision is not going to be legally binding, but you would then have to transfer that through an American court into a legally binding American decision. And all of this is probably gonna take three or four years to just get your fucking access request. So that is the enforcement mechanism of Privacy Shield, which makes sure that even if you violate any of these rules, that you can hardly violate,
there is no way you will ever get your rights in the end. The interesting thing here is also a question of fair competition. Now we have people on the European market that can run under this system instead of really following the European rules, and I think that's also an issue: that our companies now have to follow GDPR, all these fancy privacy laws we have, and US companies don't. The most interesting part actually of that whole Privacy Shield thing is the whole surveillance issue. And the European Commission made a very interesting assessment and had a press release when they put out Privacy Shield, saying that the US authorities assured that there is no indiscriminate or mass surveillance by national security authorities. So we now know we're safe. If you look into the Privacy Shield, actually there is Annex 6, page four, that says that there is so-called bulk surveillance for six specific purposes. So in the press release they said there is no mass surveillance, but now there is bulk surveillance in Annex 6, page four. And that is for a lot of specific purposes that are very broad. For example, the last one here is combating transnational criminal threats. So you just need a crime that goes across a border, and a threat of such a crime. You don't even need a crime. So just the fact that Mexicans may throw drugs over the border is such a transnational criminal threat that already allows mass surveillance. So if you look at the definitions, they're really, really broad. However, they say that this is the rule for bulk surveillance and there are only six purposes. But the word bulk actually has a footnote, five, and lawyers love footnotes. So you follow that, and if you follow that footnote, they actually say that these limitations only apply if data is not temporarily acquired to later facilitate targeted surveillance.
So the overall story is: if I collect all the data in bulk first, to later target someone within that bulk, then it's not mass surveillance. And that is the interesting thing, and that's basically where the definition goes differently. The US basically has that view: if you have your, I don't know, your browser, and you just type in one URL, you obviously only have access to one page at a time. So your browser doesn't give you access to the bulk of the whole internet, but only to one page at a time, so therefore it's not bulk collection of data. That's kind of the idea that they tried to put up, and therefore you basically get out of the whole system.

Finally, I'm kind of short with my time. What they did, because it would be impossible that the European Union would put all of that into their own finding, is they basically got a letter from the US and annexed the letter from the US to the decision. So what they basically did is they asked a foreign government to approve that their law is great, put that in a letter and annex it to a European Union decision. If you would do that with China, you would basically ask China to give you a letter on how great the fundamental rights in China are, you annex that to a European Union decision and say: obviously the law in China is great, because the Chinese government sent us a letter saying it is. And that's basically how they got around all these issues.

The very final issue that I want to bring up is that you can now complain to a so-called Privacy Shield ombudsperson. That's not a court or anything, but an ombudsperson in the US State Department, so the foreign department, and that goes through the national DPA. The fun part of all of it: this is the answer you will get from this redress mechanism, and that's the only new redress mechanism in Privacy Shield. It is already pre-described in Privacy Shield, and the answer is going to be the same answer no matter what your case is. And the answer will be, first of all, that it has been investigated. Secondly, they will tell you that they either complied with the law or changed their behavior. They're not going to tell you if they complied with the law; they only say either we complied with the law or we're going to do that differently in the future. And then they will neither confirm nor deny that there was any surveillance anyways. And that is your wonderful redress that should apparently fulfill your right to redress under European Union law.

I'm gonna jump through that. Snowden was pissed about it as well; you can read that on Twitter yourself.

One last thing that I want to talk about is how to kill Privacy Shield, because if anybody in this room wants to kill it, there's a very easy way to do that, and I'm encouraging anybody to do that. You can basically file an injunction against an internet service provider at your local European court and basically claim the Privacy Shield is invalid and request a reference to the Court of Justice, because your local court will have to refer a case like that to the Court of Justice. And then you can basically focus on the commercial things, because that's much easier to challenge than the mass surveillance, and then you basically just have to sit back and relax. So if anybody in this room wants to go to the Court of Justice, I'm happily assisting you.

And finally, I need to jump to the very last part because we're right now... That's the part about use of European surveillance. I told you that already.
There's actually a way to probably get these cases. There is no jurisdiction for mass surveillance in Europe by the Court of Justice in Luxembourg, but there is a possibility to bring the same cases, with the same legal rationale, to Strasbourg, and we already had the first case going up where they cited our case. So I think for European surveillance this whole case was very important as well, but we're just gonna need a different court to go to.

The very last thing, sorry, but I have to pitch something: we just started a privacy enforcement NGO. We're looking for donations on that, actually for memberships, because I do all of this for free, but to do cases like that and actually win stuff we need to have a team on a European level that does shit like that. Especially we're looking into the commercial sector. We are working together with the NGOs that already exist nationally, but the idea is to really do stuff on the European level. Very quick pitch, because I'm over my time. Questions, please ask me personally, because we're over time anyway. Sorry.

Okay, thank you Max.