Originally someone else wanted to do this introduction of our next awesome keynote speaker, but just a few seconds ago I decided I want to do it myself, because for me this is quite special. Our next keynote speaker is Max Schrems, a real personal hero of mine for many, many years, and he should be your hero too, by the way, because he is really defending our privacy rights here in Europe in a big way. He had the guts to sue Facebook two times, and won two times against it. So this is obviously quite cool and quite an achievement. I also have to say it is always a bit weird for me to see that, because in Europe we have some privacy laws, we have the GDPR, we have other regulations, but somehow a single person, a law student, is needed to enforce our rights here, because no one else, no other organization, did it at the time. So I'm really happy that Max did that, and obviously, because we go into the third round now, keeps on fighting to protect our data, also as part of his organization None of Your Business, which I think is super cool and deserves some support from all of us. So I'm personally really, really happy to have Max here. Say a big welcome to Max now.

Thanks a lot for the introduction. On the supporting part of all of this: you guys already support us because we're running on Nextcloud ourselves. So that's not the reason, I'm usually not promoting, but thanks. And, can you turn me down a little bit if possible? It's a bit much, at least from my perspective, I hope it's not for you. Yeah, I was asked to talk about the EU-US data transfers, and it's a very lengthy story. I'm going to start with a recap of what happened, what's the background story, why we ended up with this whole endless discussion, and in the end go into this new data transfer deal that was announced this summer.
We just realized, actually, the keynote here was announced after the passing, I think, of the new law. We just realized yesterday it wasn't technically passed yet, because the EU has put it on its website but not in the Official Journal of the EU, and that's not how law is passed. So it seems this thing doesn't even exist yet. I was writing with someone at the Commission yesterday and they said, yeah, actually we still have to publish it officially. So it seems companies are already transferring stuff under a law that is not officially passed yet. That's kind of the state of play.

And back to the intro: yes, we have the GDPR, yes, we have all these wonderful laws, but we have a huge enforcement gap. So a lot of that is just on paper, and in reality, if you don't follow it, not much happens.

So basically, going into the data transfer discussion, first I would like to explain in a very, very simplified version how a US surveillance law works, because we oftentimes talk about "oh, there's some law, there's something going on", but I want to dive a little bit deeper into that and how that actually works. This is actually a slide from Berlin, from where the Snowden disclosures happened and when we had all these demonstrations. That's almost 10 years ago, more than 10 years ago. And the big discussion was: what are we going to do? There was outrage, Merkel wasn't happy that her phone was tapped, and all that kind of drama, but actually there was not much that would have happened. So we started with discussions on how we can litigate that, and actually a journalist called me one night and asked me: is that actually legal from a privacy perspective, for these companies to just give all that data to the American services?
Usually with journalists you have the same questions over and over again, and you answer them again. This time it was like, that's a really interesting question, because I haven't really thought about that. If you look at it, you have basically two surveillance systems. The one is called Upstream, which is capturing the data on the backbone of the internet, and that becomes less and less relevant because more and more of that data is encrypted. So they can see where the data comes from, where it goes to, to a certain level, but below the encryption level not that much anymore. The second thing that they came up with was back then called PRISM, now it's called Downstream. These two things are the same, they just changed the name over time. The idea here is: let's get the data from the service providers, because they have the keys, they have access to the data, they have to be able to process it. So there is some way that they can get it, and we just require them to give us all the information, which is obviously the easiest and most convenient way for a secret service. I usually joke it used to be that they had to tap each phone; now they just have to tap basically Apple and Google and thereby have almost every phone, which is much more convenient for a secret service than doing it themselves.

As you can see from the slides, they were already pretty dated when they were published by Snowden, and that's more than 10 years ago. So we do know some stuff that went down 10 years ago, but we all know how much technology has changed since then. So it's not unlikely that much more is happening, that there are new security services, new operations that happen that we're simply not aware of. So oftentimes we talk about these two programs, but we have to think that there is a law in the background that allows these programs, and it could be totally different programs by now.
There is no official recognition, there is no official reason to say there is definitely something new, or maybe they've just developed further, but just to think about that for a second: this is the status of probably 15 years ago, and there may be much more by now.

These slides were rather interesting because you also have the different levels of systems that talk to each other, where, I don't know, they say some voice component goes over into this system and so on. It's not very detailed, but basically there's an FBI direct interception unit that does kind of the technical connection, as far as we know, and then the different services can get the data through them. So that is kind of the NSA bubble of what they do. What's really interesting is we also had the logos of the different companies on it, and there's a slide that also says when which company was actually hooked up to the system, on which date. So we had a very good understanding of how this works, and that's crucial for surveillance litigation, because usually surveillance litigation is a big-ass conspiracy theory. You just don't know in detail what they do, it's all secret. As a lawyer you look like a fool if you're in front of the judge and say "oh, they may do...". In this case we actually had a bit of an understanding of what they really do.

If you look at the American law, all of that happens under FISA 702. That has a second kind of number in US law, which is 50 U.S. Code 1881a, so you sometimes see 1881a or FISA 702 in reporting; it's basically the same law. That law is 14 pages long, and even though people say I'm not the worst lawyer the world has ever seen, it takes you days to understand how these articles interrelate with each other.
It's the most fucked up law the world has ever seen. But once you go through it, you realize that there's a lot of just back-and-forth linking that doesn't make any sense. If you look at the gist of the law, it really says you have two elements that you need. You need an electronic communication service provider, which is a cloud provider, basically, a telco provider, anything like that. What's important is this law does not apply to any US business, only to these electronic communication service providers. So if you send data, let's say, to a Lufthansa US subsidiary, something like that, they would probably not be an electronic communication service provider and wouldn't fall under the law. So it's not like any data that goes to the US is the end of the world; it's specifically kind of the big cloud providers that really fall under this law.

The second thing you need is foreign intelligence information, and that is defined as information that relates to the conduct of the foreign affairs of the United States. There's more, that's kind of the broadest definition, there's a couple of things that fall under that definition. Long story short, this is an extremely broad definition that basically means anything we're interested in globally. That's the kind of plain language. And that's the two things you need: this electronic communication service provider and foreign intelligence information. You do not need a crime, you do not need probable cause, you do not need an individual person you go after. You don't need any of these elements we typically have in criminal law or in the phone-tapping laws that we have.

The interesting thing is this would actually be illegal in the US as well under the Fourth Amendment. The Fourth Amendment also says, very similar to Europe, that you need probable cause to phone tap and you need a judge saying yes. Again, in simplified terms, but for the purposes of here.
That's kind of what you want. The problem with the Fourth Amendment is the Fourth Amendment only applies to American citizens or US persons; that's also permanent residents. And that is historically normal, we had that in the EU as well, that we had citizens' rights, mainly because, you know, 200 years ago people didn't move much, so you were usually the citizen of the country that you were in, so you had citizens' rights. Now, ever since the Second World War at the latest, we usually have human rights, because we realized it's very easy to just say "you're not a citizen, you don't have any rights". So we moved into human rights. The US is still under the old constitutional fabric that they have, in the idea of citizens' rights.

Now what this law does is basically these elements here, the minimization and targeting procedures, separate the data stream into American data and non-American data. That's fundamentally what this law does. It's kind of a switch that says: okay, this bit is related to an American person, can't touch it, because it would be unconstitutional, very bad; this bit is not related to an American person, you can go and do whatever you want to do. And that is structurally what this law does. They call that minimization and targeting procedures, and that's kind of these filter procedures.

Now the US says that that's all approved by the FISA court, and that sounds like there's judicial review, some court is actually looking at that. What the court is looking at is the entire surveillance system for one year. So it certifies basically the filtering; it doesn't certify the individual data bit that goes through it, and whether there is actually probable cause or a reason to look at it. So it's basically the system that gets approved by the court, not, as usual, that you say: okay, there's really that guy that really has some reason, that's connected to, I don't know, IS or whatever. And that is kind of the interesting thing: that there is court approval, but not individualized court approval, and that usually
makes it rather useless for most of the purposes.

Who is actually doing the individual targeting is an NSA officer. They have a targeting sheet, which is basically a form where they can put in an identifier. An identifier is typically an IP address, an email address, any kind of user ID for social networks, stuff like that. They can type it in, they need to fill in one box where they say why they do that, click the button, and that targets the person and the data. We have the numbers for the big providers, so we talk about a couple of hundred thousand accounts per half year that are targeted, and one account may include the data of hundreds of people, because if it's the email address of one person, you have all the emails that go to that person from other people as well. So the numbers are actually quite vast if you think about it.

Then there is a so-called directive to the service provider, which is the legal order saying you have to give us access to the data. We don't know the details of how that's done, but technically it has to be something like an API where they can basically call the data and get it back. They say, oh, we don't see how it's technically actually implemented; the law only says you have to do the technical implementation to be able to capture the data. But in litigation we asked people that had these security clearances if they're sending letters back and forth between Silicon Valley and the NSA headquarters, and for voice over IP it's not overly likely that that's how it's done. So we do assume that there is some kind of API where you can get the data from.

So, litigation-wise, basically the system was like that: if I'm that little Austrian smiley down here, I had a contract with Facebook Ireland. Back then, when we started all of this, for the younger people in the audience, like 12, 13 years ago, Facebook was cool, people actually used it. But you have exactly the same
thing with Instagram now and the likes. So you have a contract with Facebook Ireland, which is a European, Irish company, and this Irish company then sends the data abroad to the US. They have a contract with each other and have to make sure that the data is properly protected in the US; otherwise they're not allowed to send the data outside of the EU. Now they can't really do that, because if your data de facto goes on the US server, it's going to be surveilled under 12333, which is an executive order, another law that I'm not going to go into, through Upstream, and then under FISA you basically get the data back out through PRISM and have it somehow end up at the NSA. So it's very hard for them to write into a contract that this does not happen, because that's simply US law.

Now if you think about why they're so interested in especially PRISM, or Downstream as they call it: that is basically one of the slides where they say that's where there is no SSL encryption anymore, where we can get the data right there, because they have the encryption keys. And that is also interesting because a lot of the American companies said, oh, we're just going to have encryption, we're going to solve all the problems, and they have endless lists of how their data is now secured. If you look at it, they always just basically talk about the transport part of it and not when it's actually there. Even Google said, yeah, there is, I'm not the tech person, but the A-something encryption on their service, which was like, great, that's the same thing that my Android phone has, but if you have the code... And so they oftentimes try to come up with "oh, there's encryption", and most of the lawyers just hear "encryption" and are like, cool, encryption. But they don't talk about where and when it actually protects anybody.

Now if you look at the other side, at the EU side of the story: we basically, and most people ignored that, ever since
1995, when the first directive came around, have had an export prohibition on data. So basically the EU says you cannot export data out of the European Economic Area, period, as a default rule. Why is that? If you have privacy rules and you just send the data to the next country that doesn't have privacy rules and they're fair game, then your whole system doesn't make any sense, because you can just move your data out of the protected area or out of the jurisdiction.

Now there is a derogation for what I would call necessary transfers. So if you have to book a hotel in North Korea, you are absolutely fine in booking hotels in North Korea, because it's really necessary to send your booking to Pyongyang if you really want to stay there. Obviously North Korea is probably the country that has the least protections of anything that we could think of, but that's fine, the GDPR accepts it: if you really want to go there, you have to book your hotel, that's fine.

What's the bigger issue is the outsourcing part. So if you don't really need to send data abroad, but it's more convenient, cheaper, the business is there, whatever, for that there are different options to extend GDPR rules to another country. How that works is: if you think about Switzerland, it has a data protection act, and we accept that that data protection act is very similar to the European Union's, and that becomes like a big privacy bubble, and we say, oh, you can just send the data there, because Swiss law is very similar to EU law. Swiss people may disagree, but that's kind of the fundamental idea. Now if you have a country like the US where there's no data protection act, that can also work.
You can contractually kind of get there. It's a bit like if you say I buy organic bananas from some country and they just follow the rules of what organic is in the EU. We say, okay, you're not from an EU country, but what you do is still compliant with our rules, so we accept it and you can put the bananas in the supermarket. That's kind of what we do with so-called standard contractual clauses. So that's a contract: Privacy Shield, binding corporate rules and so on. What this basically does is that an American company signs a contract saying "I follow EU law", and therefore our data is protected contractually. That can work. It sounds a bit technical, but from a legal perspective it's fine if there is a vacuum in another country, if the other country just has no rules; then you can have a contract over what you're going to do.

The problem with the US is they have these surveillance laws, and you cannot contract out of them. So basically you have a situation where all these contractual arrangements that all these companies are now pushing, and where there's all kinds of endless paperwork to sign, are going to conflict with American law, because if this contract or EU law says you need to have privacy, and American law says you have to have surveillance, at some point this is not going to work out. Fundamentally, from a lawyer's perspective, it's like two trains colliding. There are two laws saying the opposite thing; you can technically not comply with both at the same time. And what the EU is trying to do is to put more text, or more paper, in between the two colliding trains, and we can all figure out what happens with the paper.
It's going to be shredded. And that happened at the Court of Justice twice. So it's not too hard to comprehend that if two laws, or two jurisdictions, simply say the opposite thing, you cannot contract out of it. There is no way. And that is fundamentally what we've been doing for 10 years now: explaining that to the European Commission and failing over and over again.

How did that happen? So we ended up at the Court of Justice. The Court of Justice is kind of the supreme court of the European Union, the highest court we have. And the case law was kind of interesting, because typically when you have fundamental rights we have a so-called proportionality test. So they say, okay, there's a fundamental right, the right to privacy for example, and then there's a public interest; let's say going against criminals is a public interest, and you have to balance these two interests somehow. And we do that in the so-called proportionality test, which is a four-step test that you go through. The first three steps kind of make sense; the fourth step is kind of like a political "how far did that go?". So that's typically where we are, and then there is a situation, for example for data retention, that the member states do over and over again, where your cell phone metadata is kept for terrorist prevention, which is the whole data retention, Vorratsdatenspeicherung, discussion. We usually ended up in the red zone, and the Court of Justice said, no, you can't do that, a bit too much.

Now what exists on top of that, and that's legal geekism: there is a violation of the essence of your fundamental right. It never happens. It's basically if a violation is so massive that they don't even start the proportionality test anymore. The only time that exists by law is in torture. There is no proportionate torture; it's just always banned. And what was interesting in both of these litigations, the Court of Justice actually said that the surveillance in the US
is so extreme that it's a violation of the essence of fundamental rights. They said we're not even starting a proportionality test here anymore, this is so outside, we're not even going to engage in this discussion. And that is very bold from the Court of Justice. There are no other judgments other than these two where they have found that so far. So the court is actually quite strong on that. For us it was interesting, because we argued the violation of the essence when we were there, because the case law basically suggested it, but we never thought the Court of Justice would actually say it. So you would sit there in Luxembourg, get the judgment, you divide it up among the lawyers, everybody reads a couple of pages, and our Irish lawyer was like, oh my god, we found a violation of the essence, which as a lawyer is like, whoa, we found something super crazy, because it never existed in case law before. We didn't think ourselves that they would say that, but they did.

So what in the end we now need to have is: if you transfer data abroad, you have to have essential equivalence with the GDPR. So you have to make sure that the company abroad kind of follows the same rules. It doesn't have to be exactly the same, and you have to follow the Charter of Fundamental Rights, which is kind of the fundamental rights document in the European Union. We don't have a bill of rights or constitutional rights; we have what they call the treaties of the European Union. It's de facto the constitution, we're just not allowed to call it a constitution.

So what happened with all of that?
Once the first deal, which was called Safe Harbor, was dead, the European Commission came around two or three months later with this wonderful logo and said, oh, there's a new deal, it's called the EU-US Privacy Shield. And I was like, which graphics person ever... anyways. What was interesting: it was presented in the European Parliament, and I asked one of the people at the Commission, you know, how did they end up with the shitty name? And the answer of the guy at the Commission was like, I've never heard that name before, it's basically something that the Commissioner made up with the PR people; this deal doesn't even exist right now. So they presented a wonderful deal to the public that didn't actually exist. I don't have it in the slides right now, but about two weeks later a colleague organization made a freedom of information request in the US, and they asked for the text of the new deal that was presented in press conferences and so on, and the answer they got was that the access request is rejected because the record you requested does not exist. They literally presented a deal that simply didn't exist at the time. Two months later there was actually the text of the deal and we could actually read it.

Now what was really interesting is the European Commission put a lot of PR effort into that, and they for example said that the US authorities assured that there's no indiscriminate or mass surveillance by national security authorities. That was in all the newspapers: we now have these wonderful assurances. Now as a lawyer you tend to read text very much in detail and word by word, and I was like: "assured". So basically they just told us that they don't do it. That's kind of like China assuring us that there are no secret concentration camps. Great, thanks for the assurance. And then the second is "indiscriminate or mass surveillance". That term doesn't have a trademark or a definition. So once you go into the actual
deal you see how this all works out. So there's an annex to this European Commission decision, and on page four of this annex you find that there is collection in bulk. So we don't have mass or indiscriminate surveillance, but we have bulk collection, and that is used for six purposes that go as far as combating transnational criminal threats. And again, reading text in detail: you don't need a crime, you need a threat. So if there is some Mexican dude walking along the border with a little bit of cocaine or whatever in his hand, that's a threat, because if you put it through the border fence that's a transnational crime, because you basically just trafficked drugs. That's technically enough for bulk collection. And if you then go through the exact details of all of that, you realize how different the press release is from what you find when you actually go into it.

Now if you go not just into what the EU published, but into the source document in the US, that word "bulk" has a little footnote, and if you follow that footnote, you realize that these limitations only apply if the data is actually processed in bulk in the long term. If you collect all the data in bulk to then find the needle in the haystack, this is not bulk collection; this is basically targeted collection for the definition of all of that. So if you go from press release, layer to layer to layer, you realize actually we have all the mass surveillance, but we have assurances that there isn't any. And that is basically how the system works. We even asked for the evidence that they produced for the court. They said, oh, we have a letter by the US that they don't do it. So that's the evidence we have as the European Commission. And to me it's mind-blowing, because it's like Russia saying, oh, we never invaded anybody, here's a letter, and the Russians told us so, what's the problem?
And that is a bit how all of this went down. There was also an issue that you couldn't go to any court in the US, and they came up with a wonderful solution: that there is now a Privacy Shield ombudsperson. It was that person at the time. And the system was that you would go to your local data protection authority in the EU, they would forward the issue to that person, they would then internally in the US try to figure out the problem and give you an answer. And the wonderful thing is the deal already had the answer pre-described. Like, literally, the deal said what you're going to get as an answer in any case. They would always tell you that the case has been investigated; otherwise you wouldn't get an answer. Second, that they either complied or remedied the situation, but they don't tell you which one. So either they complied from the get-go, or they didn't comply but they remedied the situation. There's no answer that they didn't remedy the situation; not possible, they always remedy the situation. And then they would also tell you that they neither confirm nor deny that there was any surveillance on you. The reason for that is, if they would actually tell you there was surveillance on you, you would actually have a possibility to get into American courts, because in the US there's a standing doctrine and it's really hard to get into courts for litigation. The ACLU that we work with, which is kind of the fundamental rights organization in the US, actually litigated against the US government, and the US government says you cannot prove that you were actually under surveillance, because of all the different hops and networks we surveil.
There's always one or two that is down, and your packet could have gone through the one that is actually down. So they started litigation, I kid you not, with Wikimedia, that's Wikipedia, one of the most visited web pages ever, and the US government still argued it could be that all Wikipedia packets of the last years always went through that one hub and therefore we never captured it. That was the one that the courts did not accept anymore. But for anybody else they basically say, oh, you can't prove you were actually under surveillance. And if they would have told you, then you would have a cause of action.

So this deal was also struck down by the Court of Justice in our second litigation. What are the practical consequences? In reality, all these kinds of transfer deals that are not necessary were actually under threat; there is no legal basis to do that anymore. If you divide it up, it basically means: if you, I don't know, book a hotel or a flight in the US, that's fine, that's necessary, no problem. There was a lot of the industry screaming, oh, the world is going to go under, you can't send emails to the US anymore, which was utter bullshit, but it works for just creating drama. What is a problem is if you outsource your data to an electronic communication service provider in the US, and that also includes servers in the EU. So what these big companies said is, oh, we have a server in Frankfurt. Wonderful.
What they did not say is that these American laws do not have a jurisdictional limitation, so they basically apply globally to any server that they have access to. Which is normal, same thing in Austria for investigative powers: wherever you have access as an authority, you can get there. The limit in the US is what they call "possession, custody or control". So if an American provider can say I cannot physically access the data, I simply don't have the keys, I gave it to someone else in Europe, then they would be out. And that would be a possibility: that they have a sub-organization in the EU that holds the data and the American boss simply doesn't have access to it. That would work. But when you talk to the big tech companies, they would have access to it. Big tech companies are like, that costs money, it's complicated. So that didn't really happen in reality. You can still transfer data, as I said, to a normal company in the US that is not an electronic communication service provider.

Now we basically filed complaints against the biggest websites of the European Union, country by country, to actually try to enforce this second judgment, and it ended up being 101 complaints. We basically went for Google Analytics and Facebook Pixel just because it was easy to find and easy to show, and went through the public web to find them, and because it happened to be 101 we already had our logo there as well. What was interesting is, when we went through the companies, most of them said, sorry, we removed it, blah blah blah, because it was just a Facebook Pixel and it was easy enough to remove, usually. The second thing is that they said they did supplementary measures, which is basically what was discussed the last couple of years as the big solution. And then there is what they call a risk-based approach. To just quickly debunk why that is all bullshit:

So, the supplementary measures. There was the idea, and it was actually in our submission to the
Court of Justice, we were the only ones to argue for that, that you could find a technical solution for the problem. And we're like, if you find a technical solution, wonderful, great. One of the arguments for that was: okay, if you transfer data, let's say, to, I don't know, Australia, it may go through 100 countries on the way that we really don't trust, and if that is end-to-end encrypted, fair enough, you could probably work with that and say that's fine. Same thing if it goes just through the US and on to somewhere else; you may have proper encryption and technical solutions for that. Now what the industry made out of that is that they basically said, oh, we have technical stuff like encryption in transit, and you can encrypt backups. But if you boil it down to a zero-knowledge approach, you're almost at no useful scenarios anymore where you can actually use that.

What the industry then started to say is, oh, we're just going to have contractual stuff. Contractual is wonderful, because you just change some text in the terms and conditions and never touch anything anymore, not solving any of the problems. And they basically say that they will inform you, or resist, or try to do anything against surveillance like that. The problem is that's not working if the third-country law, like in the US, doesn't allow that. So the US already says there is a gag order, you're not allowed to talk about the surveillance, all of that is in secret, blah blah blah. So they produced pages and pages of text saying, oh, if possible we will inform you. "If possible" means it's not possible, so you're not going to do that. And what we saw is that these big tech companies just generated 30 pages, 40 pages of bullshit of all the wonderful supplementary measures that they do, and they were literally laughable. Some of them are on our website, you can go through them.
There's just nothing that actually, from a realistic perspective, helps anybody. So then there's the EDPB that basically confirmed that. Facebook was super interesting. They had stuff like, we have a tech team or a legal team that actually reviews requests, and I was like, I guess so, I mean if the police ask for data it would be nice if someone reviews that, but the law is still you have to give it. So what's the point in having that team? My favorite one was actually Google. They said that they put up a fence around their data center and put a sign on it that they shouldn't enter. That was one on the list of their supplementary measures. I was like, yeah, I'm sure the NSA is going to be super impressed about that. There were a lot of these supplementary measures going around. All the authorities in Europe usually told the companies to fuck off with that, but a lot of the big tech deciders, or the people that, you know, buy big products, are like, oh, there's a long list of Meta or Microsoft, for example, that tell us everything's fine. So let's just continue as it is, and that was kind of what this was: a PR exercise largely.

And then the funniest one was the so-called risk-based approach. That is something that the lawyers pulled out of their ass. It's basically that in the GDPR there are certain elements where there's a risk element, where the law says, dependent on the risk you have to do X. Typical thing is security.
There is never perfect security, but dependent on your risk, what you have, blah blah blah, technical developments, you have to do what's kind of state of the art, usually. Now they said, oh, we found that in three articles or four articles of the GDPR, let's say that's a general principle of the law and we just apply risk to everything in the whole law. Which is just not how law works at all. But that was actually put around and argued by a lot of the lawyers, who write you a piece of paper as the CEO of a company that everything is legal because we now apply a risk-based approach. It's like we apply a risk-based approach to murder: murder just doesn't exist because it's risk-based. Um, that's kind of the thinking behind it. That was also rejected by first the Austrian authorities, now by a couple of other courts.

Now, um, back to enforcement. We tried to kind of get this through; as I said, we made these 101 complaints. It was super slow. Most of the DPAs didn't really want to do anything about it, because most of the data protection authorities are like, data transfers, don't touch it, problematic, we don't want to kill the internet. Um, there were some cases like in Germany or France where a public tender was a problem, so that basically for government projects they couldn't use Microsoft anymore because they couldn't comply with the law. What's really interesting?
What's upcoming is non-material damages. So theoretically, um, the EU passed a collective redress directive this summer where you can do collective redress, meaning something like a Sammelklage, where thousands or millions of people can get together and bring a case. Um, and that could become interesting if, uh, we also have non-material damages. So let's say each person whose data was transferred to a country that, um, you don't like where your data goes to, asks for 100 euros. If you then have, let's say, I think Facebook has 200 million users, if you do the math that becomes really, really interesting. Um, this is starting now. So we're just, um, seeing where that goes and if there could be more cases in that direction, because that will allow people to directly do something and not depend on the authorities to do something. So that's kind of on the enforcement side. What's up?

So, um, then after all this drama and the last couple of years, the Commission came around and presented another wonderful deal. The third now: so first we had Safe Harbor, then we had Privacy Shield, now it's a Trans-Atlantic Data Privacy Framework. Um, the cool kids call it TADPF apparently; that's now what's all over Twitter. And the story of that was, there was basically one and a half years of negotiations. The European Commission said no deal, the Americans don't move, how should we ever solve the problem? And then these two guys got together over a coffee and suddenly solved all the legal problems in a heartbeat. The background was that after the invasion of Ukraine, the US literally, apparently, from what I was told, was coming up the next day and said, we now need to show everybody that we love each other. And how better to show each other that we love each other than having a wonderful conference, or press conference, where that dude says you can get natural gas from the US and that person says you can get our data. And that seems to have been the political logic of the new deal. And same thing again: there was no text.
It was in the headlines, the same procedure as last time. And what was interesting is that, um, they basically then produced a paper about a year later. And what they do is just spam everybody with tons of paper. And I talked to lawyers that give presentations and explain that this is now the wonderful new deal and everything's fine. No one has fucking read these papers. None of these lawyers that sit there, that I've talked to, has ever read that shit in detail. Now, um, I'm the unlucky person that actually read the stuff in detail.

Um, so if you go through it, uh, basically what they do is that they have these commercial principles. So the commercial principles tell you what the companies can do with the data. And these principles are still the old Safe Harbor, then Privacy Shield principles, now TADPF principles. Um, that still are based on the privacy laws we had in the 1990s in Europe, so not the GDPR, the old directive. And the interesting thing is, they updated them. Now an industry organization in the US has shown the updates. So on the core principles they added "US" twice in here and a footnote on the first two pages. Second and third page: no change at all. And on the last page they added that there could be other enforcement than the two authorities that right now exist. They are not foreseen; it's just like an option to do that in the future. That's the big upgrade to the new core principles.

Now if you compare these core principles with the GDPR: in the EU you usually need consent or another legal basis, there are six different legal bases. In the American system you only need to have an opt-out if you share the data with someone else, or if you change the purpose of the processing. Now here basically they have to ask you, for example, for a consent and say, do you want that or not?
In the US system that's usually a sub-sub-sub-process. So someone far down the processing chain, some company that you've never heard of; you just know kind of the front page of something, and they have, I don't know, 20 companies in the background that do some shit. This sub-sub-sub-company has to offer an opt-out on their website for these two purposes. No one in the world ever knows that their data goes to that company. No one ever checks that, no one ever goes to the website and then clicks the opt-out. So basically what that means is you can do whatever the fuck you want to do with data and still be certified as fully compliant with EU law. Which is amazing, because even on the commercial side we allow these companies to do much more with data than our own companies are allowed to do, under this new deal. Same thing is, usually we need data to be necessary; there it only has to be relevant, which is a legal difference. But it basically means as long as there is some relevance for what you're doing, you can use the data. Necessary really means you absolutely need the data. Which allows you suddenly to kind of store double the amount that you would be allowed to store otherwise. Typically in the EU you have full access, you would get access to all your data. There, there is very limited access to all of that, and dot dot dot. There's a hundred other of these comparisons you can look into where these two deals are just very different.

Now on the government surveillance side there is now a new executive order. Quickly, what is an executive order? We all know that Trump had his wonderful Sharpie and put stuff up in the cameras and said, oh, I signed something. That is an executive order. And an executive order is an internal rule by the government that is not a law. So it's like your boss telling you, do A, not B. That's not a law; your customers cannot sue you over it.
No one else can sue you. It's an internal order, and that is the same thing with an executive order. So they have rules saying, do this on surveillance, don't do the other on surveillance. But if they break it, as a person whose data got illegally surveilled, you have no right to actually go against it. It's basically, yeah, your boss said something, you didn't do it, but that's an internal problem, nothing that you can rely on. And that is an executive order. The reason why the US uses that a lot now is because their political system is very broken. They can't even pass the budget anymore, so it's very hard to pass any law. So they try to kind of manage the whole country with these executive orders. But for the purposes of surveillance, not really helpful, because you don't have any rights under it.

Now they said, oh, there's this wonderful new executive order that is now signed by Biden. What they did not say is the new executive order is 14086. That actually there was a PPD-28, which is also an executive order from Obama, that literally had the same shit in it. Now the Commission runs around again saying, oh, there is this executive order with all these limitations, and it's all wonderful and all great and all new. The reality is, you find almost all these limitations in the old PPD-28. That was already at the Court of Justice, and the Court of Justice already said that's not enough. So it's reformulated same shit, and we run it through the court another time around. There are some differences. So there's largely the same limitations; there's slightly clearer language in the new executive order. But there are, for example, also additional reasons for mass surveillance. So for example for a health crisis, that's what they added after corona, or for climate change. So they can now, I don't, I have no fucking clue how they surveil people and then help climate change. I don't know, but maybe everybody on the left found that cool.
I don't know. But that's now in. So it's not that there are more protections; there are also parts where there's actually more surveillance in it, and the Commission usually runs around and says, oh, it's wonderful and it's better. It's, I think, generally a bit in the right direction, but it's like if the Court of Justice had put up a fence and the fence is now two millimeters instead of one millimeter. Yeah, it's higher, but it doesn't really fend off anybody.

Um, and that is kind of what they did. What was really interesting is they now added the word "proportionate" to a US law, and that would be a huge game changer. And that was the main thing that they put out in the press releases. And the problem with that is the following, and unfortunately we had to convert the presentation so you don't see the full effect of this. Imagine the lower thing is not there, for theatric reasons. And what they basically said, in America and the European system, is that FISA and PRISM surveillance is a violation of the essence of your fundamental right, so it's not even proportionate. At the same time, the US is going to continue this violation, this processing of data, the surveillance, not going to change any of it, but it's also now going to be proportionate. And this you cannot square; this is technically not, you cannot technically square it. And the solution that they did is that they basically just said there is an American definition of proportionality, which is just going to be shifted so far over that we can agree on the word. We both agree on the word proportionality, but then the definition is going to be different. This is now the latest solution to the problem. And it works well, because the European Commission can say, oh, they now have a proportionate surveillance system. In the US they can say, yeah sure, proportionate, but just our proportionate. So everybody can walk off and everybody can be happily ever after, and we can go back to the Court of Justice with that slide. And the
judges are probably going to be like, in which fucking film am I in? Um, but that is basically what they're doing.

Now, then they were unhappy, the Court of Justice, about this, um, ombudsperson. And I actually brought some stuff for you here; I usually forget to bring it, um. They basically now replaced the ombudsperson with a CLPO. I forgot what the acronym stands for, but it's basically another dude that does the same thing. There should be an animation that we don't have, um, and gives you exactly the same answer. And the funny thing is, as with the old answer, it is exactly the same one that I mentioned before. You can get that back. Now if you're unhappy with that, you can go to the court, which is a second instance. It's not a real court, um, it is actually also an executive body that they just called court. And it's amazing, because the US has a definition of what a court is, and you need a law to establish a court. It's not a court; it's what you can call an independent tribunal or something like that. But the EU insisted it has to be called court. So this thing now got a new name. It's now a court, but it does exactly the same exercise that you had before a second time around, and you will get exactly the same answer a second time around. But therefore you have an appeal. And someone asked, what are you going to write in your appeal? Because in the first instance, this system here, you don't know anything while you get that answer.
You never heard, you have no reason to say this decision is wrong, because you were absolutely excluded from the procedure. You just filed something with your DPA and five months later you get this, or ten months later. And they said, oh, if you appeal, you don't have to argue your appeal. You just have to write "I appeal", because you cannot argue your appeal because you don't know anything about the procedure. So it's the most puppet thing the world has ever seen. Um, and because we thought it's funny, um, we basically took that exact wording and put it on a stamp. So if you want to have your judgment anytime soon, you can get the stamps here. You can have the first instance and the second instance. This is your judicial, um, approval and your, um, kind of judicial redress. Anybody that wants stamps here: the lawyers love it. I don't know if the tech people love it that much, but the lawyers find that the most amazing thing ever.

Um, okay, and then there's a lot of technical shit with all of that. Um, for example, this whole new deal only applies for data that was transferred from the EU to the US under one of these deals after July of this year. Now that means if you processed data or transferred data before that date, you would actually have to get it back to the European Union and then send it to the US a second time around to actually even fall under the definition of the time application of this whole deal. So technically, I don't know, my Facebook or Instagram data would have to be moved back to the EU, then sent back to the US so that you fall under the definition of this executive order, because the executive order does not apply to anything that happened before this summer. Um, so a lot of that stuff is in reality just laughable and really doesn't, you just wonder how you can ever get there. Now, um, what's the short-term solution?
My problem usually with noyb is: if we do a lot, we have more than 800 cases, and usually we explain to people, that's how you fix the privacy problem, and everything is fine. Here it's a political problem. We don't have a fix for it. We can't change US law, we can't change European law. But if we think about solutions a little bit: the short term is, this is going to be ping-pong. Get back to the Court of Justice, and it probably gets destroyed again in two years, and then we are back at square one and we do the whole exercise another time around.

Long term, um, what could be the solutions? So I think what we need to talk about in the long run, and there is a part of the executive order that has that in it, is kind of what they call a no-spy agreement. So if we now have a globalized internet and each country only protects their own people, your data is typically not protected 99 percent of the time when it's somewhere not in your own country, which is typically where your data is in most of the situations that we have today. So one option is that at least among the democratic countries in the world we come around with a kind of no-spy agreement where we say, okay, we have baseline guarantees that are all the same and it's independent of citizenship. Would be very logical. And actually the executive order has an element of that in it, because it says it only applies to the EU if the EU also gives these rights to Americans, which, fair enough, I mean, I think that's a fair proposition. But if you do that both ways, at a certain point you would end up at a no-spy situation where basically countries grant these rights to each other, and that could allow data transfers again. The reality is right now in the US that's politically almost impossible. If you talk with anybody in Washington, they say, if I grant rights to foreigners, I get voted out of office. I get voted into office if I take away rights from foreigners.
That's how politics works. Um, so this could only work if the industry is really pushing for it, to say, okay, if we need to process data and we need to do our shit, we need to solve this legal problem here. And that is basically how, um, such an agreement could come around, let's say in 20 years. I think that could be an option. Now the cheapest option would be that the US would just put 20 judges there. Then we wouldn't have to worry about all that stuff, we wouldn't have to pay lawyers for all this kind of crazy stuff. But that is, as I said, politically also unlikely to happen. In the meantime, what's going to happen more, I guess, is that we have the segregation where basically data is just held in the European Union and we have some data holder here that is not, um, directly accessible from the US. Not a big fan of that; I'm personally more of a globalist where, you know, we just should have free data flows and proper regulations. But for the time being, that's probably what we're going to see more, um, for companies that actually want to comply with all of that. So not the perfect solution, but at least the in-between solution.

And we will see, um, last sentence on that, much more of that, because right now this is a conflict-of-law debate about privacy, but we will have similar conflict-of-law debates in other areas. Typical example is freedom of speech. In Austria and Germany, or also in France, the denial of the Holocaust is a crime. That's not going to change anytime soon. Um, in the US that's freedom of speech. How, as a company, do you comply with both rules at the same time? So you will have more and more and more of that, because the different countries try to regulate the internet more. We see new laws passed every year on the internet and there are no jurisdictional rules on that. So we will see these conflicts.
We're probably the first ones here with the privacy debate, but we will see similar conflicts in many other areas of the law. So we will have more and more of a discussion of which jurisdiction your data is in, what is the one that you want to comply with or not, and you will not be able to comply with 200, because, I mean, you probably don't want to comply with certain rules of this world. Um, so I hope that was useful. Um, I know it was a bit deep-dive legal stuff, but it may be useful to get a bit of background on these issues. And thanks a lot. And I think we have some time for discussion now as well. And I was told they need a couple of minutes to put chairs up and so on. So for the time that we need for that, if you have any questions, we can do that right now, as I understood. Thanks.

Thanks a lot. And if anybody's interested here: I had it at some legal conference, I mean lawyers are usually very dull and I'm the one person not wearing like a suit, but they then came up with like all these stamps, like as if they had been in a club or something. That was really amazing.

Well, thank you very much. That was super enlightening, I would say. Especially, I'm from Canada, as a North American we kind of look at EU privacy laws, I think, kind of as a target, and yet there are a few issues out there. One question I have while we're collecting questions from the audience: given that you're an expert in EU law as it relates to US law, I'm curious how you feel about, you know, that's not even solved yet. You've been working on it for quite a long time, yet we have, you know, more than a few countries; there are countries all over the world. So how do you see these efforts that you're doing, especially with noyb maybe being an example for other countries in the world, and how do we deal with all the permutations?

Yeah, so a couple of questions there at the same time.
So we have a huge enforcement issue in the European Union, um, and that's especially with the data protection authorities. And as a lawyer, it's a weird bubble you're in. Like, typically if someone parks in the wrong spot, they get a ticket, goodbye. If you are in the legal bubble for GDPR, you're at conferences where, like, yeah, you know, it would be really interesting if we would do something about that. And I literally had that with a head of a DPA that told me over dinner, oh, wouldn't it be funny if we would actually enforce all of that? I was like, that's like the drug police saying, oh, wouldn't it be funny if we would do something about fucking crack? And this is like a bubble where even as a lawyer you're sometimes wondering which bubble you're in. So that's, I think, the first part.

Secondly, what we see is, we have, I think, about 70 countries globally that follow more or less the European system, Canada being one of them. So even the US is kind of squeezed in: like Mexico is basically following a similar GDPR type of law, Canada does, Canada also has an adequacy decision for that. So I think in the long run this typical system that we have is going to spread out in more countries globally and will become the standard. What's going to be a huge problem is divergence: different countries, different laws. Biggest issue right now is the US itself, because the 50 different states started to have privacy laws.
So there is now a privacy law in, I think, Illinois for biometrics, but only for biometrics. Then there is one for that, and this is going to be unmanageable at some point. So we'll at some point have to come to an international consensus on how we deal with that, and de facto, I think, the European system is very logical, structured, and more or less a system that is similar to that would probably work in the long run. However, each country is free to decide what they do. So that will be interesting, how all of that moves along and how that interconnects. And I think what's really important is to have a systematic approach, because this is technically not feasible. You can't comply, like, write code for 50 different jurisdictions and still keep that separate and follow all of these rules. It's just, I think, for economic reasons not really sensible.

And the biggest issue then is that we actually, I should move over to get this, okay, yeah. And the biggest issue is that we also get that enforced in the end, because that's our big concern in Europe. Like, five years after the GDPR they now started having a couple of bigger fines, and the DPAs basically put out one big fine every two or three months to say, oh, we did something, look at it. But in our case we have more than 800 cases, and in certain jurisdictions 99% of the complaints are simply not dealt with. So you have a fundamental right to privacy, you claim it, and then 99% of the time they tell you, not for you. And I sometimes joke it's like a right to vote, but 99% of the time there's no voting booth. Then you don't really have a right to vote. And that is where we see that the culture hasn't changed with the GDPR. So the legislator said, big fines, big enforcement, we mean it seriously. That was more than 90 percent in the European Parliament. So it's interesting, because there was very strong political backing; all the member states voted for it other than Austria, my home country, because we thought it's not strict enough, for whatever reason. And
but everybody backed it, but now the executive is simply not enforcing it, and that is an interesting political situation where democracy doesn't work that well anymore, if there's a political consensus and then the authorities just don't do it. I hope that's somehow useful.

We now got the chairs. I know, it's amazing. Choose your favorite. Uh, do we have any audience questions? Does anybody have, uh, do we have a microphone that we can? Yeah, sure. Yes.

Hi, uh, you spoke on the separation between data of US citizens and non-US citizens. How does that work if that data is mixed? So let's say I have a conversation with a friend that is a US citizen. Is the NSA allowed to listen to half the conversation?

So basically whenever there's any American involved, it kind of falls under all of these rules. There was litigation on that, because they were technically partly not able to properly do that, and that has then been litigated in the US. So if it's like, oh, this tiny little bit of an American conversation was in the system, that's a case, um. Other people in the system, not a case, because you don't have rights under the Fourth Amendment.

All right, thank you. So, if I remember correctly, the GDPR says that you should not collect more data than absolutely necessary to fulfill the purpose. Yeah, purpose. Now I'm wondering, with Sam Altman, I think some people know about him, and he's really big in this new thing called World App, where you can create like an authentication system called proof of personhood. So you only sign up and then you know the person. But why do all these platforms need to know that I am me, actually? And this would be like the lowest level of actual necessary data. Yeah. Why go anywhere beyond that?

And typically you can litigate that if you have cases like that. The other concept that goes in is privacy by design. It's kind of to already build a system to have minimum information. I had a very simplified, again, I'm not a tech person.
I had four years of programming in high school, where as a lawyer I'm already very cool. And there are situations like that, that we for example have in Austria, at least with eID, which is its own issue. But for example it allows you to show that you're above 18 or not. If a company needs to know you're above 18 because you buy tobacco or whatever, they don't need to know your ID, your name, your birth date and so on; they just need to know above 18 or not. And there can be solutions where that technically is doable. And that can also be litigated, because you have to ask, why is the system designed to give, I don't know, 20 fields if you only just need a binary yes or no? And that would be the proper design then.

So I could sue the company for collecting more data? And then you actually typically could, if you have a good case on that, and you have to show that in the individual case that was not necessary. How easy is that? Um, not overly easy. To give you an example, the litigation, the Schrems II litigation in Ireland cost 10 million euros. What? And I was personally liable, um, if I would have lost. And the next thing I checked is, there is no enforcement agreement between Ireland and Austria. So I was like, I'm just not going to have a summer house.
I guess, um. But that's the reality, that also the, um, the court system and the political system and all of that in certain member states is extremely shitty. Um, in Ireland, to bring a case generally you have to calculate about 100,000 euros, um, and we got, from winning, 1.3 million back for our legal fees, because the whole legal system is so slow and so convoluted and complicated, um, that you just need a lot of hours by lawyers to kind of be put in. To give you an example, in Austria an appeal costs 30 euros. And so you have like extreme differences, and that's to a large extent what we do at noyb: to try to find these differences and use them. Because they basically go to Ireland because they know it's almost impossible to litigate; they know they don't pay taxes there. So they basically choose a jurisdiction as a company, like we can choose a jurisdiction as citizens. Let's bring it in a country where stuff actually works, and that is also possible the other way around. So that's what we call strategic litigation. It's very complicated, and especially in the EU it's very complicated because you have all the different languages, legal systems and so on. It's immense and we're just scratching the surface. But there's a lot of efficiency in it, because we run on donations; like, everything we do is donated money. And I have the feeling if someone donates us money, that right, I put it somewhere where I get a lot from 30 euros rather than very little from 100,000. Um, but that's basically its own story. I could do a whole day on that.

Now I think we'll take one more question, but we do have to set up for the panel discussion and I think these topics will really just continue during that discussion. So I think we'll bring the mic over here.

Hi, uh, Max, uh, first of all, thanks for everything you did for us. That's really absolutely fantastic.
Um, I'm also, in the, I'm also a certified board commissioner in the German association of data protection commissioners, and working in the healthcare area. What you just said triggered something in me. Well, actually what you said, uh, the US authorities are not allowed to spy on US citizens, so coming from a legal point of view, wouldn't it be just simply the solution to add one US citizen to your database? And, uh, then sue them in the US.

And that's exactly where these target minimization procedures come in. So they have to have a procedure to separate them in the database or in the data stream. In reality? Yeah, um, and that is partly why the system works. They have thought about that. Oh, that's the whole part of this thing, that they have to get certified to show to the court that they do exactly this thing, right? All right, um, not much more, but that's the one thing that has to work. But nice try.