Our next talk is called Safe Harbor. Background: back in October, in the light of the Snowden revelations, the Court of Justice of the European Union, that's the EuGH in German, declared the Safe Harbor agreement between the EU and the US invalid. This talk is about how we got there, as well as further implications of that decision. Please believe me when I say our speaker is ideally suited to talk about that topic. Please give it up for the man actually suing Facebook over data protection concerns: Max Schrems.

It's cheerful like some Facebook annual conference where the newest things are kind of presented. I'm doing a little intro, basically where I got there. This was my nice little university in California, and I was studying there for half a year, and there were a couple of people from Facebook and other big companies, and they were talking about European data protection law. And the basic thing they said, it was not the original quote, but basically what they said is: fuck the Europeans, you can fuck their law as much as you want and nothing is gonna happen. And that was kind of the start of the whole story, because I thought, okay, let's just make a couple of complaints and see where it goes. I originally got 1,200 pages of Facebook data back then, because you can exercise your right to access, and Facebook actually sent me a CD with a PDF file on it with all my Facebook data. It was by far not everything, but it was the first time that someone really got the data, and I was asking someone from Facebook why they were so stupid to send me all this information, because a lot of it was obviously illegal, and the answer was: we had internal communication problems. So someone was just stupid enough to burn it on a CD and send it on. One of the CDs actually first went to Sydney in Australia, because they put Australia instead of Austria on the label, which was one of the things as well.
Anyway, so this was basically how my interest in Facebook started, and the media got crazy about it, because there's like a little guy that does something against a big guy, and this is basically how the whole thing took off. This is like a cartoon from my Salzburg newspaper. This should be me, and it's basically the reason why the story got that big: because it's a small guy doing something against Facebook, not necessarily because what I was doing was so especially smart, but the story was just good for the media, because data protection is generally a very dry topic that they can't report about, and there they had like the guy that did something. A couple of introductions. We actually had three procedures, so if you heard about what I was doing: there was originally a procedure at the Irish Data Protection Commissioner on Facebook itself, so what Facebook itself does with the data. This procedure ended after three years. There's a class action in Vienna right now that's still ongoing; it's in front of the Supreme Court in Austria right now. And there is the procedure that I'm talking about today, which is the procedure on Safe Harbor at the Irish Data Protection Commissioner. A couple of other pieces of background information. I personally don't think Facebook is the issue. Facebook is just a nice example for an overall bigger issue, so I was never personally concerned with Facebook, but for me the question is more how we enforce data protection, all kinds of stuff. So it's not a Facebook talk; Facebook is the example, and of course the whole thing is just one puzzle piece. A lot of people are saying, you know, this was one win, but there are so many other issues. Yes, you're totally right, this was just one issue, but you've got to start somewhere. And the whole thing is also not an ultimate solution, so I cannot present you the final solution for everything, but probably a couple of possibilities to do something.
If you're interested in the documents, we pretty much publish everything on the webpage. It's a very old-style webpage, but you can download the PDF files and everything if you're interested in the facts and the intricate details. Talking about facts, the whole thing started with the Snowden case, where we kind of, for the first time, had documents proving who is actually forwarding data to the NSA in this case. And this is the interesting part, because we have a lot of rumors, but if you're in a courtroom, you actually have to prove everything, and you cannot just suspect that very likely they're doing it, but you need actual proof. And thanks to Snowden, we had at least a bunch of information that we could use. These are the slides, you all know them. The first very interesting thing was the FISA Act, and we mainly argued under 1881a as an example for the overall surveillance in the US. So we took this law as an example, but it was not the only thing we relied on. And I think it's interesting for Europeans to understand how the law actually works. The law actually goes after data, not after people. We typically have laws in criminal procedures that go after people. This law goes after data. So it totally falls outside of our normal thinking of: we're going after a suspect, someone that may have committed a crime. Basically, the law says that there's an electronic communication service provider that holds foreign intelligence information. That's much more than just terrorist prevention; that's also things that the US is generally interested in. And this is the level that's publicly known, and everything else is basically classified. So under the law, the FISA court can do a certification for one year that basically says the NSA can access data. In these certifications, there are these minimization and targeting procedures that they have to describe, but they're not public. We don't know what they look like.
And basically they're there to separate data from US people out of the data set. So it doesn't really help a European. And then there is a so-called directive that goes to the individual service provider, which basically says: give us the data in some technical format. So very likely it's some kind of API or some kind of possibility that they can retrieve the data. That's what the law says. We don't know how it actually looks, and we don't have perfect proof of it. So there are a lot of things that are disputed, and they're still disputed by the US government. So the exact technical implementations, the amount of data that's actually pulled, all the review mechanisms they have internally, that's all stuff that was not 100% sure, and not sure enough to present it to a court. Which was the basic problem we had. First of all, after the Snowden thing broke, we had different reactions. And that was kind of how I started the procedure. The first reaction was demonstrations. We were all walking in the streets, which is good and which is important, but we all know that this is something we have to do, but not something that's gonna change the world. Second thing, we had parliaments, like the European Parliament doing resolutions, saying that we should strike down the Safe Harbor and this is all bad and evil. We had the Commission pretty much saying the same thing. We had national politicians saying the same thing, and we all knew that basically this means that they all send an angry letter to the US, then they can walk in front of the media and say, yes, we've done something, we sent an angry letter to the US, and the US has just thrown it basically in some trash bin of crazy Europeans wanting strange things. And that was it. So I was actually called by a journalist and asked if there's some other option, and I was then starting to think about it, and there's the so-called Safe Harbor agreement.
To explain the Safe Harbor: in Europe we have data protection law that is on the papers, but actually not enforced, but at least in theory we have it. And we have a couple of other countries that have the same level of protection or similar laws, and generally data protection only works if you keep the data within the protected sphere, so you're not allowed to send personal data to a third country that doesn't have adequate protection. There are a couple of other countries that do, and therefore you can transfer data, for example, Switzerland. This is what the law says. And there are certain servers that are outside these countries where we can have contractual relationships. So basically if you have a server in India, you have a contract with your Indian hosting provider saying you apply proper data protection to it, so you can transfer data there too. All of this is approved by the European Commission. This is how personal data flows legally outside of the European Union. This all doesn't apply to any other kind of data, only personal data. And we had a basic problem with the US, because there was this directive saying you can't forward data to other countries, but there is no data protection law in the US. So basically you wouldn't be allowed to send data there unless you have some contractual relationship, which is always kind of complicated. So the solution was to have a self-certification to European Union principles, and this was put into an executive decision by the European Commission. So basically how Safe Harbor is working is that, for example, Google can walk up and say: hereby I pledge that I follow European data protection law. I solemnly swear. And then they do whatever they wanna do, and basically that's the Safe Harbor system, and the Europeans can walk around and say, yeah, there is some seal saying that everything is fine, so don't worry.
Everybody knew that this is a fucked-up system, but for years and years everyone was looking away, because politics is there and economics is there and they just needed it. So basically Safe Harbor works that way, that a US company can follow the Safe Harbor principles and say we follow them. Then the Federal Trade Commission and private arbitrators are overseeing them, in theory; in practice they never do. And this whole thing was packaged into a decision by the European Commission, and this is the so-called Safe Harbor system. So from a legal point of view, from a European legal point of view, it's not an agreement with the US. It's a system that the US has set up that we approved as adequate. So there's no binding thing between the US and Europe. We can kind of trash it any time. They've just never done that. Which brings me to the legal argument. Basically, if I'm just a little smiley down there, I'm sitting in Austria and transferring my data to Facebook Ireland, because worldwide 82% of all users have a contract with Facebook Ireland: anyone that lives outside the US and Canada. So anyone from China, South America, Africa has a contract with Facebook Ireland. Legally they forward the data to Facebook in the US. Technically the data is directly forwarded, so that the data is actually flowing right to the servers in the US. However, legally it goes through Ireland, and my contract partner is an Irish company. And under the law they can only transfer data to the US if there's adequate protection. At the same time we know that the PRISM system is hooked up in the end. So I was basically walking up to the court and saying: mass surveillance is very likely not adequate protection, huh? And that was basically the argument. The interesting thing in this situation was actually the strategic approach. So we have the NSA and other surveillance organizations that use private companies. So we have kind of a public-private surveillance partnership.
It's PPP in a kind of surveillance way. Facebook is subject to US law, so under US law they have to forward all the data. At the same time Facebook Ireland is subject to European laws, so they're not allowed to forward all this data. Which is interesting, because they're split. And the EU law regulates how these third-country transfers work, and all of this has to be interpreted under fundamental rights. So this was basically the system we were looking at. And the really crucial thing is that we have this public-private surveillance, because we do have jurisdiction over a private company. We don't have jurisdiction over the NSA. We can send angry letters to the NSA, but we do have jurisdiction over Facebook, Google and so on, because they're basically based here, mainly for tax reasons. And this was the interesting thing: that in contrast to the national surveillance, where we can pretty much just send the angry letters, we can do something about the private companies, and without the private companies there is almost no mass surveillance on this scale, because the NSA is not in our phones. It's the Googles and Apples and whatever. And without them you're not really able to get this mass surveillance. This is like a legal chart. Basically what we argue is: there are Articles 7 and 8 of the Charter of Fundamental Rights. That's your right to privacy and your right to data protection. There is an article in the directive that has to be interpreted in light of it. Then there's the executive decision of the European Union; this is basically the Safe Harbor decision, which refers to paragraph four of the Safe Harbor principles. And the Safe Harbor principles basically say that the FISA Act is okay. So you have kind of this circle of different legal layers, which is getting really crazy. And I'll try to break it down a little bit. Basically, Articles 7 and 8 of the Charter we basically compared to data retention, so the Vorratsdatenspeicherung.
We basically said PRISM is much worse: if Vorratsdatenspeicherung and data retention was invalid, then PRISM has to be 10 times as bad. That was basically the argument, very simple. We just compared: the one was content data, the other one was metadata; the one is storage, the other one is making available; and the one is endless, the other one is 24 months. So basically in all these categories PRISM was much worse, and if the one has to be illegal, the other one has to be as well. And what's interesting, and that's something that the US side is typically not getting, is that Article 8 is already covering making available of data. So the fun thing is I only had to prove that Facebook makes data available, so basically it's possible the NSA is pulling it. I didn't even have to prove that the NSA is factually pulling my personal data. And this was like the relevant point, because under US law basically your fundamental rights only kick in when they factually look at your data and actually surveil you. So I was only making it available, that's good enough for me, which was making all this factual evidence much easier. So basically I only had to say: look at the XKeyscore slides, where they say username Facebook, they can get somehow the data out of it. It's at least made available, that's all I need to prove. And this is the big difference between the US, it's very simplified, but basically between the US approach and the European approach is that in the US you have to prove that your data is actually pulled. I only had to prove that my data is made available. So I was able to get out of all the factual questions. This is a comparison. Basically, in the US you have very strict laws for certain types of surveillance, while in Europe you have a more flexible system that covers much more. So it's a different approach that we just have in the two legal spheres.
We're both talking about your fundamental right to privacy, but in details it's very different, and that difference is what we used. The fun thing is, if you're European you don't have any rights in the US anyways, because the Bill of Rights only applies to people that live in the US and US citizens, so you're out of luck anyways. So you're only left with the European things. Basically the law, which is the second level after the fundamental rights, is saying that there has to be an adequate level of protection, as I said, and this third country has to ensure it by domestic law or international commitments. I was saying there's the FISA Act, you can read it. It definitely doesn't ensure your fundamental rights and an adequate protection. So we're kind of out of Article 25. And there is paragraph four of the Safe Harbor Principles, which says that all these wonderful privacy principles that US companies sign up to do not apply whenever a national law in the US is overruling it. So there are principles that companies say we follow, but if there is a city in Texas saying we have a local ordinance saying you have to do differently, all these Safe Harbor Principles don't apply anymore. And this is the fundamental flaw of a self-certification system: that it only works if there is no law around that conflicts with it. And as there are tons of laws that conflict with it, you're hardly able to hold up a system like that. So basically if you go through all these different legal layers, you end up with a conflict between the US FISA Act and the European fundamental rights. So you're going through different layers of the system, but you're basically making a circle. And this is what we did, which was a little bit complicated, but it worked. Basically, now to the procedure, so how the whole thing happened. First I went through the Safe Harbor. Safe Harbor allows you to go to TRUSTe or the Federal Trade Commission, and there's actually an online form to make your complaint.
And I was making a complaint, and I think you were only allowed to put in 60 characters to explain what your complaint is, which is a little bit complicated if you're trying to explain NSA mass surveillance. So I only wrote: stop Facebook Inc's involvement in PRISM. That was everything I could actually put in the text box; that was the absolute maximum. And the answer I got back was: TRUSTe does not have the authority to address the matter you raise. Which is obvious, it's a private arbitration company that can hardly tell Facebook to not follow the NSA's guidelines. So this was the arbitration mechanism under Safe Harbor. You can also go to the Federal Trade Commission and have your complaint filed there, but they basically just ignore them. This was the letter I got back that they received it, but I was talking to the people at the Federal Trade Commission, and they say, yeah, we get these complaints, but they're ending up in a huge storage system where they stay forever after. So this was enforcement done by Safe Harbor, and we knew that in the private field already, but in this case it was especially interesting. To be fair, both of these institutions have no power to do anything about mass surveillance. So there was really a reason why they didn't do anything. The next step you have is the national Data Protection Commissioner. So we have 28 countries with 28 data protection commissioners, plus Germany has, I think, a data protection commissioner in every province, and you end up at this, and this is my most favorite slide. This is the Irish Data Protection Commissioner, and to be super precise, I don't know if you can see the laser pointer, but this is a supermarket and this is the Irish Data Protection Commissioner back there. To be a little more fair, actually they're up here, and they were like 20 people when we filed it originally.
The fun thing is, back at the time they didn't have a single lawyer and not a single technician, so there were 20 public employees that were dealing with data protection, and no one had any clue of the technical or the legal things about it. The fun thing is, this is Billy Hawkes, the Data Protection Commissioner at the time. He went on the national radio in the morning, and in Ireland radio is a really big thing, so there was a morning show and he was asked about these complaints, and he actually said on the radio: I don't think it will come as much of a surprise that the U.S. services have access to all the U.S. companies. And it was the craziest thing. I was sitting in front of the radio and was like, strike, he just acknowledged that all this is true. And the second thing he said is: U.S. surveillance operation is not an issue of data protection. Interesting, and it's actually online, you can listen to it. But the fun thing was really that the factual level is so hard to prove that I was afraid that they would dispute it: who knows if all this is true, we don't have any evidence, the companies say we're not engaging in all of this. So having the Data Protection Commissioner saying, sure they surveil you, are you surprised, was great, because we're kind of out of the whole factual debate. And I actually got a letter back from them saying that they're not investigating any of it, and I was asking them why, and they were naming two sections of the law, a combination thereof. So there is one thing where it says they shall investigate, which means they have to, or they may investigate, and they say they only may investigate complaints, and they just don't feel like investigating PRISM and Facebook and all of this. Secondly, they say that a complaint could be frivolous and vexatious, I love the word, and therefore they're not investigating it, a combination thereof or indeed any other relevant matter.
So we transferred this letter into a picture, which is basically what they said. So why did you not investigate PRISM? Shall means may, frivolous or vexatious, a combination of A and B, or any other reason. So this was the answer by the Irish Data Protection Commissioner why they wouldn't want to investigate the complaint. Just to give you background information: these are the complaints that the Irish Data Protection Commissioner is receiving, the blue line, and the red line is all of the complaints they're not deciding, which is 96 to 98% of the complaints they receive in an average year. Which is interesting, because you have a right to get a decision, but they don't. To give you the bigger picture, we also made complaints on Apple and all the other PRISM companies, and Ireland basically said what I just told you. Luxembourg, where Skype and Microsoft are situated, said that they do not have enough evidence for the participation of Microsoft and Skype. And the funniest thing about the answer was that they said that they're restricted in their investigations to the territory of Luxembourg. And since all of this is happening in the US, they have no way of ever finding out what was going on. So I was telling them, you know, most of it is online, and if you're not able to download it, I can print it out for you and ship it to Luxembourg. But the problem, why we didn't go down in Luxembourg, is because they went down this factual kind of argument. They said it's all illegal, but factually we don't believe it's true. And then it was Germany that is still investigating until today. This was Yahoo; actually there was Yahoo in Munich, but they've now moved to Ireland as well. So I don't know what happened to this complaint. We never heard back, but whenever we sent an email, they were like, oh, we're still investigating. So what happened now is that I went to the Irish High Court to challenge the non-decision of the Irish Data Protection Commissioner.
This is the case that then went down as Schrems versus the Data Protection Commissioner, which is so strange, because I never wanted to have my name on any of this, and now the decision is actually called after my second name, which is always freaking me out in a way, because you're fighting for privacy and suddenly your name is all over the place. But yeah. And this is the Irish High Court. It's very complicated to get a procedure like that. The biggest issue is that you need money. If you are in front of an Irish court and you lose a case, you end up with a legal bill of a couple of 100,000 euros, which is the reason why nobody ever challenged the Irish Data Protection Commissioner, because you're just gonna lose your house over it. So what I did is we did a little bit of crowdfunding, and we actually got about 70,000 euros out of it. This was a crowdfunding platform that basically worked in a way that people could donate. And if we don't need the money, we either donate it to another privacy cause or we actually give people the money back, which we're gonna have to do, because we won the case and all our costs are paid by the other side. So the fun thing is you then have to walk into this wonderful old court here on Mondays at 11.30. And there is a room where you can make your application, and about 100 other people making their application as well, and there is no number. So there are 100 lawyers sitting in a room waiting for the judge to call out their case. So we're sitting there until four in the afternoon or something, until suddenly our case was called up, and we actually got kind of the possibility to bring our case, and then it's postponed to another date, and blah, blah, blah, blah, blah. In the end, you end up with something like this, which is all the paperwork, because in Ireland the courts are not computerized so far. So you have to bring all the paperwork, anything you rely on, in three copies, and it's all paper, with every page numbered.
So all these copies have pages one to 1000. Someone is writing all of them on the page, and then they copy it three times, and it's then in this wonderful little thing. I thought it's great. And what happened is that we walked into the judge's room, and you get a judge assigned on the same day. So you end up in front of a judge that has never heard about privacy, never heard about Facebook and never heard about Snowden and PRISM, any of this. So you walk into the room, it's like: we would like to debate the Safe Harbor with you, and he's like, what the fuck is the Safe Harbor? So what happened is that he told us to kind of explain what it is for 15 minutes, and then he postponed the whole thing for two hours, I think, and we walked over to a pub and had a beer, so that the judge could roughly read what he's about to look into. And Ireland is very interesting, because you need a solicitor and a counsel, and then the counsel is actually talking to the judge. So I actually had two filters. If I'm the client down here, I had to talk to my solicitor. The solicitor is telling the counsel what to say to the judge. So half of this was lost on the way. And when I was asking if I could just address the judge personally, it was like, no way that you could possibly address the judge personally, even though you're the client. Which is funny, because they talk about this person in the room, it's like, what's the problem of this Mr. Schrems? And you're sitting right here, it's like, this would be me, and it's put there. So what happened in Ireland is that we had about 10 reasons why under Irish law the Irish Data Protection Commissioner would have to do its job, but the court actually swiped all of this from the table and said: actually, the Safe Harbor is the issue, which legally they're not allowed to do, but politically it was very wise, and forwarded this wonderful, easy to understand question to the European Court of Justice.
The reason why they put this kind of very random question is that if you challenge a law in Ireland, you have to get some advocate general engaged, and they didn't want to do that, so they kind of asked a question around the actual question, to not really get them engaged. Which was very complicated, because we didn't know how the European Court of Justice is going to react to this random question, because it was so broad that they could just walk any other direction and not address the real issue. What was wonderful is that in the judgment by the Irish court they have actually said that all of this is factually true, all the mass surveillance is factually true. And the fun thing to understand is that the factual assessment is done by the national courts, so the European Court of Justice is not engaging in factual matters anymore; they only answer legal questions: is this legal or not? So we had a split of responsibility: the Irish court only said that all of this is true, and Luxembourg only said that all of this would be illegal if all of this would be true, which was kind of an interesting situation. But to be fair, no one before the European Court of Justice has ever questioned that this is true. So even the UK, that was in front of the court and that possibly knows if all of this is true or not, they have never questioned the facts. There is a pretty good factual basis.
What was interesting as well is that I said I'm not gonna go in front of the European Court of Justice, because the costs are so high that even the 60 or 70,000 euros I got in donations wouldn't cover it, and I knew the judge wants to get this hot potato off his table and down to Luxembourg. So I was asking for a so-called protective cost order, which kind of tells you beforehand that there is a maximum amount you have to pay if you lose a case, and it was actually the first protective cost order ever granted in Ireland, which was really cool, and the Irish were like outraged about it too. And so we basically walked into the European Court of Justice, which is a really hefty procedure, in this room where 13 judges are in front of you. The European Court of Justice had assigned us to the Grand Chamber, so there's a small and medium and a Grand Chamber, which is the highest thing you can possibly end up in in Europe, and it's chaired by the president of the European Court of Justice, and this is kind of where the really, really basic, really important questions are dealt with. So I was like, cool, I'm getting to the European Court of Justice. And it's funny, because all the lawyers that were in the room, everyone was like, I can't believe I'm in front of the European Court of Justice, they all took pictures like they were in Disneyland or something, and lawyers can be very kind of, yeah, interesting. And we ended up in front of these three major people: it was the president, Thomas von Danwitz, who is the German judge and he also wrote the lead decision, he's the judge-rapporteur, so within the 13 judges there's one that is the reporting judge and actually drafts the whole case, and he was also doing the data retention, and then it was Yves Bot as the advocate general. The hearing was interesting, because we got questions from the European Court of Justice before the hearing, and in these questions they were actually digging down into the core issues of mass surveillance in the US. When I got the questions, I was like, we won the case, because there is no way they can decide differently as soon as they address the question.

There were participants from all over Europe: these are the countries, then there was the European Parliament, the European Data Protection Supervisor and the European Commission; there was me, MS down there, the Data Protection Commissioner and Digital Rights Ireland. And what was interesting was the countries that were not there, like Germany, for example, was not there in this major procedure, and as far as I've heard there were reasons of not getting too engaged in the transatlantic partnership, blah. And so this was kind of interesting, because like the UK walked up, but Germany was like, nah, we're right, I don't want to say anything about this. What was interesting as well is that there were interventions by the US government. So I heard, we were on a Tuesday actually in the court, and on Monday I got text messages from people from these different countries telling me that the US just called them up, and I was like, this is interesting, because I know a lot of these people from conferences and stuff, so they were like telling me: the US just called me up and said they want to talk to my lead, lead, lead supervisor and tell me what to say tomorrow in the court. I was like, this is very interesting. And I was actually in the courtroom, and there was the Chief Justice, or like the justice person, from the US Embassy to the European Union, and he was actually watching the procedure and watching what everybody was arguing. We had a feeling this is like a watchdog situation, and someone pointed out that this is the guy, so I knew who it is, and he was walking up to me, he was like, are you the plaintiff? And I was like, yeah, hey. And he was like trying to kind of talk to me, and I was like, so did you manage calling everybody by now, or do you still need a couple of numbers? He was like staring, and we were like, he didn't just ask this question. And he was like, no, we kind of, we are in contact with all of our colleagues, and of course we have to kind of push for the interest of the US, and blah blah blah. I was like, this is very interesting. But anyways, it didn't help them; none of them was really kind of arguing for the US.

Actually, the findings of the European Court of Justice, so what was in the judgment in the end. First of all, Safe Harbor is invalid, which was like the big news, and this was overnight. We were expecting that they would have a grace period, so it's invalid within three months or something like this, but in the minute they were saying it there, all your data transfers to the US were suddenly illegal, which was kind of big. The second biggie was that they actually said that the essence of your rights is violated. Now this for an average person doesn't mean too much, but for a lawyer it's like, oh my God, the essence is violated. To explain to you what the essence is and why everybody's so excited about it: basically, if there is no violation of your rights, you have no interference. So if a policeman was walking down the street and watching you, there is no interference with any of your rights. If they, say, tapped your phone, there is some kind of proportionality issue, which is what we typically debate before a court; there is like a system how you argue if something is proportionate or not. So for example data retention was not proportionate, and data retention would be somewhere here probably, so not legal anymore, but still in the proportionality test. And then there is the essence, which means: whatever the fuck you're trying to do here is totally illegal, because what you're doing is so much out of the scale of proportionality that it will never be legal. And on data retention they actually said that for the first time, and this was actually the first time, as far as I saw, that the European Court of Justice has ever said that under the convention, so the convention is only in place since 2008, I think, but it's the first time they actually found that in a case, which was huge for law in general.

There were a couple of findings on data protection powers that are not too interesting for you. What may be interesting is that there is a story to this picture, that's the reason I put it in, but anyways. Basically they said that a third country has to provide adequate protection, as I said before. So the story was that third countries originally had to provide equivalent protection, but there was lobbying going on, so the word equivalent was changed to adequate, and adequate means basically nothing, because anything and nothing can be adequate; adequate has no legal meaning. I mean, if you ask what an adequate dressing is, you don't really know. So they actually changed that back to the wording that was lobbied out of the law and said it has to be essentially equivalent, and that's how we now understand adequate. Which is cool, because any third country now has to provide more or less the same level of protection as Europe has; it has to be effective detection and supervision mechanisms, and it has to be legal redress. Just a really short thing on the picture: I was actually just pointing at two people, and they were taking a picture from down there to make it a victory sign, and that's how the media made it look. I have to speed up a little bit, not too much, but a little bit. The future, and I think that's probably relevant for you guys as well. First of all, what does this whole judgment mean? First of all, the U.S. has basically lost its privileged status as being a country that provides adequate protection, which is kind of the elephant in the room that everyone knew anyways, that they're not providing it, and now officially they're not providing it anymore. And the U.S. is now like any third country, so like China or Russia or India or any country we usually transfer data to. So it's not like you cannot transfer data to the U.S.
anymore but they lost their special status basically what the judgment said they can't have massive aliens and be at the same time an adequate protecting country which is kind of logical anyways the consequences is that you have to use the derogations that are in law that we have for other countries as well so a lot of people said you know the only result will be that there will be a consent box saying I consent that my data is going to the U.S. now the problem is consent has to be freely given informed unambiguous and specific on the European law which is something all the Googles and Facebooks in the world have never understood that's the reason why all these privacy policies are typically invalid but anyways so if you have any of these wordings that they're currently using like your data is subject to all applicable laws it's very likely not informed and unambiguous because you don't have any fucking idea that your data is ending up at the NSA if you read this so what they would have to do is to have some policy saying I agree that all my personal data is made available to the NSA, FBI and whatsoever yes no because it has to be freely given so I have to have the option to say no now this was theoretically be possible but on the U.S. 
law they're placed on the gag order so they're not allowed to say this so they're in a legal kind of limbo because on the one hand they have to say it's this way but the other side they have to say no it's not so consent is not gonna give you any solution then there are standard contractual clauses that's the one from Apple that they're using right now and standard contractual clauses allow you to have a contract with a provider in the third country that pledges to you in a contract that all your data is safe the problem is that they have exception clauses that basically say if there's mass surveillance your whole contract is void because you cannot have a contract saying hereby I pledge full privacy and at the same time be subject to these laws and this is the interesting thing all these companies are saying now we're doing standard contractual clauses but none of them are gonna hold up in courts and everybody knows but of course to their shareholders they have to say oh we have a wonderful solution for this the big question here is if we have a factual or legal assessment so do we have to look at factually what data is actually processed by the NSA and what are they actually doing or do we just have to look at the laws in the country and the possibility of mass access so the factual assessment works fine for Apple, Google and so on who are all in these Snowden slides if you look at the abstract and legal assessment which is legally the thing that probably you have to do you actually end up with questions like Amazon Amazon was not a huge cloud provider when the Snowden slides were actually drafted and written they're huge now and very likely they're subject to all of these laws so how do we deal with a company like this can we still forward data to an Amazon cloud if we know they're subject to these US laws so this is the question of which companies are actually falling under this whole judgment basically you still have a couple of other exemptions so this basic 
thing that a couple of people said like you're not allowed to book a hotel in the US anymore is not true there are a lot of exceptions in the law for example the performance of a contract so if I book a hotel in New York online my data has to go to New York to actually book my hotel so in all these cases you can still transfer data the ruling is mainly on outsourcing so if you could theoretically have your data in Europe you're just not choosing because it's cheaper to host it in the US or it's easier it's more convenient in these cases we actually get problems so what we did is we had a second round of complaints that is now taking these judgments on board you can download them on the web page as well and there's also the deal that Ireland with Facebook US has signed to have safety to your data and this is currently under investigation in Ireland basically I argue that they have a contract but the contract is void because the US law says they have to do all this mass surveillance I just got the letter that on November 18th Facebook is actually giving them a huge amount of information on what they're actually doing with the data and this is now going to be under investigation a big question is if the data protection commission in Ireland is actually giving us access to this information because so far all these evidence that they had they said it's all secret and you cannot know what Facebook is doing with your data even though you're fully informed about what they're doing with their data which is kind of interesting as well but different issue a big question was also if there's going to be a safe harbor 2.0 I already was told by everybody they're not going to call it a safe harbor anymore because they're stuck with media headlines like safe harbor is sunk or something like this and what happened is that the US has done a huge lobbying effort they have said right on the day that all of this is based on wrong facts and they've never done any of this and all of this 
is a trade war and blah blah blah blah so they put a lot of pressure on them I was actually talking to Yorva the justice commissioner and I was impressed by her she actually took a whole hour and she really knew what was going on and at the time they had press releases saying we're really deeply working on a new safe harbor and I was asking her did you get any of the evidence that you need to make such a finding and the answer was yeah we're still waiting for it we should get it next week and which basically meant this is never going to work out anymore but of course I think there's a blame game going on the European Union has to say we tried everything to find a solution and the US is saying we tried everything to find the solution too and then in the end they will blame each other for not finding a solution that's my guess but we'll see what happened the basic problem with a safe harbor too is that in the government sector they would basically have to rewrite the whole US legal system which they haven't done for their own citizens so they very likely not do it for European citizens like judicial redress not even an American has judicial redress so they would never give that to European and the private area they actually have to redraft the whole safe harbor principles because they now have to be essentially equivalent of what Europe is doing so this would also protect people in the private sphere much more but it would really take a major overhaul of the whole system to give you an idea all of these processing operations are covered by European law so from collection all the way to really deleting the data this is what's covered by the safe harbor principles only two operations which is a disclosure by transmission and a change of purpose anything else they can do as fully as they want to do under the current safe harbor thing so if you talk about essentially equivalent you need to see it on these basis already that this is miles apart so what is the future of US 
data flows? We will have massive problems for the prison companies because what they're doing is just a violation of our fundamental rights give or take it you can change the law as much as you want to you cannot change the fundamental rights and you will have serious problems for businesses that are subject to US surveillance law in general so I'm wondering what the final solution is and that was part of the issue that I had with the cases typically I like to have a solution for all of this in this case I could only point at the problems but I couldn't really come up with the solutions because the solutions are something that has to be done politically an interesting question was how about European Union surveillance actually because aren't they doing more or less the same thing which is true and the problem is that the Charter of Fundamental Rights only applies to anything that's regulated by the European Union and national surveillance is exempt from any European Union law it's something that member states are doing all by themselves so you're out of luck here you can possibly argue it through a couple of circles but it's hard to do however seven and eight of the Charter are exactly the same wording as the European Convention of Human Rights and this applies to national security cases so the relevant court here is actually in Strasburg so you could probably end up at this court with the same argument and say if they already found that this is a violation of the essence in Luxembourg don't you want to give us the same rights in Strasburg as well and these crew courts are in kind of a fight about kind of providing proper privacy protection and protection in general so very likely you can walk up with a German case or with a UK case and or a French case and pretty much do the same thing here so the judgment will be interesting for European surveillance as well because it's a benchmark and we can hardly argue that the US is bad and we are not doing the same thing 
Other solutions are possibly technical solutions, so what Microsoft did with the cloud services and hosting it with the Germans and the German Telekom. And there is really the issue that if you can get a technical solution of not having any access from the US side, you can actually get out of the whole problem. So you can try with encryption or data localization and all this kind of stuff; however none of this is really a very sexy solution to the whole issue, however it's something that you can possibly do.

Last thing, enforcement, and this is a little bit of a pitch, I got to confess. We have the problem so far that we have data protection law in Europe, but we don't really have enforcement. And the problem is that the lawyers don't know what's happening technically, the technical people hardly know what the law says, and then you have a funding issue. So the idea that I have right now is to create some kind of an NGO or some kind of a Stiftung Warentest for privacy, to kind of look into the devices we all have and kind of have a structured system of really looking into it, and then probably do enforcement as well if your stuff that you have on your device is not following European law. I think this is an approach that probably changes a lot of the issues; it's not gonna change everything, but this could possibly be a solution to a lot of what we had, and that's kind of what we did in other fields of law as well, that we have NGOs or organizations that take care of these things. I think that would be a solution; it probably helps a little bit.

Last, before we have a question and answer session, a little bullshit bingo to probably get a couple of questions answered right away. So the first thing is that a lot of questions are if the European Union does the same thing. I just answered it: of course they do the same thing, and we'll have to do something about it as well, and I hope that my case is a good case to bring other cases against member states of the European Union. The second question is this whole "PRISM companies are saying they don't do this". It's absurd, because they're all placed under gag orders, or the people that are talking to us don't even have the security clearance to talk about the surveillance system. So it's insane when a PR person comes up and says, I hereby read the briefing from Facebook that we're not doing this, which basically is all we have right now, and that's what a lot of the media is referring to as well. Another thing that Facebook and the US government have argued later is that they weren't asked, they were not invited to the court procedure. The fun thing is both of them totally knew about the court procedure; they just decided not to step in and not to get a party of the procedure. So they were like, first, like, we don't want to talk about it, and then when the decision came around they were like, oh, we weren't asked. Of course it's a win on paper mainly, but we're trying to get it implemented in practice as well. And there is kind of this argument, "the European Union has broken the internet", which I typically read, but no, the US has broken the internet, and the European Union is reacting to it. Another issue that was interesting is that a lot of the US side said that this is protectionism, so the European Union is only enforcing these fundamental rights to hurt US companies, which is funny, because I'm not involved in kind of getting more trade to Europe, I'm just like someone interested in my fundamental rights, and secondly the European politics has done everything to kind of not get this case across, so kind of this idea that this is a protectionist thing is kind of strange too. And the last question, which is kind of: what about the cables, what about all the other types of surveillance we have? They are an issue too. In these cases you just have more issues of actual hacking, government hacking basically, so illegal access to servers and cables, which is harder to tackle than these companies, because we have this private interference. So there are a lot of other issues around here as well. I was just happy to kind of get one thing across, and I'm happy for questions as well.

Alright. We have about 10 minutes for questions. I would ask you to please line up at the microphones here in the hall; we have six microphones, and we have also questions from the IRC. While you guys queue up, I would take one from the internet.

Yeah, just one for the first time. So does TTIP influence any of this?

Basically not really, because the judgment that was done was on the fundamental rights, so if they have some kind of wording in TTIP it would again be illegal. And there was actually a push to get something like that into TTIP, and as far as I know this idea was done after the judgment. Just a little intro there: EDRi has organized an Ask Me Anything thing at seven o'clock as well, so if you have specific questions you can also go there, just as a reminder.

Okay, great. Microphone number two please.

Thank you for your thoughts. The question would be: could US businesses under these findings ever be again employed in critical sectors, for example the public sector, Windows in the Bundestag, for example, stuff like that, and what?
That's a huge problem, and that's a problem we had for a while. I was mainly talking actually with people in the business area; I'm mainly invited to conferences there, and people were telling me, yeah, we're doing all our bank data on Google now, and I was like, what the fuck? Because this is not only privacy, that's also trade secrets, all of this kind of stuff. And so there is this huge issue, and if you talk about the new Windows that is talking home a little more than the old did, you probably have the same issue here, because Microsoft is falling under the same thing.

No plausible deniability, therefore culpability. Thank you.

Okay, microphone number three please. Next question.

How would you assess Microsoft saying they put up a huge fight, that they, well, they said they had customer's data in Ireland and they said they refused to give it to the FBI? What's to think of that?

I think, to be fair, a lot of these companies have realized that there is an issue and that they're the foyer marsh, but the, and Microsoft, actually a couple of Microsoft people are talking to me and are like, we're actually not unhappy about this case, because we have a good argument in the US now that we're getting troubles here. But the companies are between these two chairs: the US law says we kill you if you're not giving us all the data, and the problem so far is that in the European Union, for example in Austria, the maximum penalty is 25,000 euro if you don't comply with this, which is absurd, and in most other countries it's the same. We now have the Data Protection Regulation that is coming up, which gives you a penalty of a maximum of 4% of the worldwide turnover, which is a couple of millions. And if you want to thank someone, there is Jan Philipp Albrecht, probably in the room or not anymore, who is the member of parliament from the Green Party, that's actually from Hamburg, who has negotiated all of this. And this actually could possibly change a couple of these things, but you have this conflict of laws, and solutions like the Telekom thing, that you host the data with the Telekom, could possibly allow them to argue in the US that they don't have any factual access anymore, so they can't give the data to the US government. But we're splitting the internet here, and this is not really something I like too much, but apparently the only solution.

Okay, thank you for your question. We have another one at microphone 4 please.

My question is... I think number 4 would be me. The guy can back in.

Okay, thank you very much for your efforts first of all, and great result. The question for me would also be: is there any change in the system in Ireland now, so if somebody has a similar struggle to yours the next round might be easier, or not?

Basically what the Irish DPC got is a wonderful new building, and the press release is too funny, because it says we have a very nice Victorian building now downtown Dublin in a very nice neighborhood and blah blah blah, and they get double the staff of what they had before. The key problem is none of this; I only took the picture because it kind of shows what's inside the building. And the key problem is that we have two countries, Luxembourg and Ireland, where all of these headquarters are, and these two countries are not interested, not interested in collecting taxes, they're not interested in enforcing privacy law, they're not interested in any of this, and they're basically getting a huge bunch of money on the back of the rest of the European Union. And until this actually changes and there is a change of attitude in the Irish Data Protection Commissioner, it doesn't really matter in which building they are. So they got a lot more money; to the public they say, yes, we have more money and we have more staff and blah blah blah, but the system did not change. The big question is what the system is doing, but as they have the new complaint on their table on Safe Harbor and PRISM and Facebook, they can prove if they do something about it or not. My guess is that they'll find some random reasons why unfortunately they couldn't do anything about it. We'll see.

Okay, thank you. It's your turn, microphone number two.

Okay, thank you very much, and also thank you for your service for the public.

Thanks for the support.

And what that will... sorry, but the English word... it doesn't mean anything, why ever. What does that actually mean for the history of the data storage when it comes back, and in a way the social media will be released?

I have to be honest, I didn't really look in the German data retention thing too much, to be honest, being in Austria, and I'm like, our Supreme Court, yeah, I heard our constitutional court kind of killed it. I don't think we'll see a data retention in Austria too soon, but for Germany it's going to be interesting, especially if you find a way to go to Luxembourg in the end, like if you find some hook to say actually this German law violates something in the Data Protection Regulation or in the directive, so we can probably find a way to go back to Luxembourg. The other thing is that just the fact that the Luxembourg court has been so active has probably boosted up a lot of the national courts as well, because the German decision, I had the feeling, was like, we don't really feel like we can fully say that this is actually illegal, and we kind of argue that it's somehow not illegal the way it is, but possibly you can do it in the future. And after Luxembourg has like really thrown all of this right out of the door and was like, get lost with your data retention thing, and especially with the PRISM thing now, we have better case law now as well, and that could be relevant for national courts as well. Because of course these things are a question of proportionality, and if we ask everybody here in the room what they think is proportionate or not, everyone has another opinion, and therefore it's relevant what our people are saying and what other courts are saying, to probably get the level of what we feel is proportionate somehow a little bit up.

So thank you very much, and go on.

Thank you. Just for the record, the question was about the implications for the data retention laws like in Germany and Austria. Microphone number one, we have another question.

Hi, two questions. One: could you tell a little bit more about your idea of Stiftung Datenschutz Europe-wide, and how do we get funding to you?

Send me... if you don't mind.

Second question: when I argue with people about, like, personal data of our activists within Europe, I always get as answer, yeah, are you so naive, do you think it's anything different if the server stands in Frankfurt instead of San Francisco? What do you say to that?

The same problem, like pretty much what we have is, and that's the reason why I said I hope this judgment is used for national surveillance in Europe as well, because we do have the same issues. I mean, when you are in Austria and there the German Untersuchungsausschuss is basically saying, oh, we're only protecting Germans, I feel like my fucking data is going through Frankfurt all the time and I'm kind of out of the scope apparently. So we do need to take care of this as well. I hope that this is a case showing that you can actually take action, you just have to poke long enough and kind of poke at the right spot especially, and I think this is something that there is not an ultimate solution to it; it's just one of the kind of holes that you have. The other thing that we may see is that a lot of companies that are holding this data are much more, much more questioning an order they get, because if they get legal problems from an order they got by a German court or whatever it is, they probably are now more interested in actually looking at it, because right now it's cheaper for them to just forward the data; you don't need a whole legal team reviewing it all. So I think to kind of split the private companies that are helping them from the government and kind of get some issue between them probably helps there as well, but of course it's just like little peanuts you put in there, but in the end you have that issue in the end.

On the Stiftung Datenschutz or whatever, I think that's kind of a thing I just wanted to blow out to people here, because I'm mainly in the legal sphere and in the activist consumer side, and I think that's the big problem we have in the legal and consumer side, is that we don't understand the devices that much and we lack the evidence. We don't really have the evidence of what's actually going on on the device, and I think a lot of the people in the room probably have this evidence somewhere on the computer. So the idea of really getting this connection at some point, it's not something I can pitch to you right away, because it's not like I don't want to start it tomorrow, but it's something I wanted to circulate to get feedback as well, what you guys think of it. So if there's any feedback on it, send me an email or Twitter or whatever it is.

So we do have a bit of time left. Microphone number two with the next question please.

What can I do as an individual person now? Can I sue a Google or can I sue other companies just to stop this, and would it create some pressure if I do that? So what can the ordinary citizen do now?
Right now I've already prepared it, but I didn't have time to send it out, to have complaints against the Googles and all the others that are on the PRISM list. We started with Facebook because I kind of know them the best to start, and the idea was really to have other people probably copy-pasting this. The complaint against Facebook we actually filed with the Hamburg DPC as well and the Belgian DPC; the idea behind it was that the Irish now suddenly have two other DPCs that are more interested in enforcing the law in their boat, so they're not the only captains anymore, and it's interesting what's going to happen here. If there are other people that have other cases, just file a complaint with your data protection authority. A lot of them, especially the German data protection authorities, most of them are really interested in doing something about it, but they often just need a case; they need someone to complain about it, and someone giving them the evidence, and kind of someone arguing it, to get things started. So if anyone is using Google Drive or something like that, let's go, and basically the wording is on our webpage, you just have to download it and reword it. And we're going to probably publish on the website the complaints against the other companies as soon as they're out, probably in the next two or three weeks or something like this. So just copy-paste and spread the love.

Okay, thank you very much Max again for your great talk. This is it.