CLASH OF JURISDICTIONS IN THE AREA OF DATA

  • Slides: 45
Download presentation
CLASH OF JURISDICTIONS IN THE AREA OF DATA PROTECTION

CLASH OF JURISDICTIONS IN THE AREA OF DATA PROTECTION

PART 1: PRISM / SAFE HARBOR @maxschrems

PART 1: PRISM / SAFE HARBOR @maxschrems

FACTS @maxschrems

FACTS @maxschrems

FISA § 1881 a • Electronic Communication Service Provider • „Foreign Intelligence Information“ •

FISA § 1881 a • Electronic Communication Service Provider • „Foreign Intelligence Information“ • Certification for one year („FISA Court“) – Minimizing / Targeting procedures (US persons) • „Directive“ at Service Provider – API (? )

DISPUTED • • Technical implementation Amount of data „pulled“ Review mechanisms … ?

DISPUTED • • Technical implementation Amount of data „pulled“ Review mechanisms … ?

LEGAL ARGUMENT @maxschrems

LEGAL ARGUMENT @maxschrems

„ADEQUATE PROTECTION“ ? Facebook Inc. Facebook Ireland Ltd.

„ADEQUATE PROTECTION“ ? Facebook Inc. Facebook Ireland Ltd.

Strategic Approach 1. NSA + ECSPs = “Public/Private Surveillance” 2. Facebook is subject to

Strategic Approach 1. NSA + ECSPs = “Public/Private Surveillance” 2. Facebook is subject to US and EU law 3. EU law regulates third country transfers 4. EU law has to be interpreted in the light of the CFR and the ECHR

Art 7 & 8 CFR • • „PRISM“ -v- Content Data -v- „Available“ -v-

Art 7 & 8 CFR • • „PRISM“ -v- Content Data -v- „Available“ -v- Endless -v- … Data Retention Meta Data Storage 24 Months

Interference (simplified) Data pulled? Data accessible?

Interference (simplified) Data pulled? Data accessible?

Art 8 CFR • „Making Available“ – EU proportionality test Facebook Inc.

Art 8 CFR • „Making Available“ – EU proportionality test Facebook Inc.

Interference Art 8 ECHR (simplified)

Interference Art 8 ECHR (simplified)

PROCEDURE @maxschrems

PROCEDURE @maxschrems

PROCEDURE: DPCS @maxschrems

PROCEDURE: DPCS @maxschrems

Foto: James Flynn „I don’t think it will come as much of a surprise

Foto: James Flynn „I don’t think it will come as much of a surprise that in fact US intelligence services do have access from US companies“

CJEU @maxschrems

CJEU @maxschrems

Findings (CFR) SH is invalid: (overnight) - Mass Surveillance violates “essence” of Art 7

Findings (CFR) SH is invalid: (overnight) - Mass Surveillance violates “essence” of Art 7 CFR - Legal Redress in the US violates “essence” of Art 47 CFR

“Essence” Proportionality No Interference 1. 2. 3. 4. Legitimate aim for the measure Measure

“Essence” Proportionality No Interference 1. 2. 3. 4. Legitimate aim for the measure Measure suitable to achieve the aim Measure must be necessary to achieve the aim (Less onerous way? ) Measure must be reasonable, considering the competing interests of different groups at hand Essence

Other Key Findings - “Essentially Equivalent” Protection in 3 rd Country - Effective Detection

Other Key Findings - “Essentially Equivalent” Protection in 3 rd Country - Effective Detection and Supervision Mechanisms - Legal Redress in Line with Art 47 CFR. . . higher standard than many MS?

EO 12. 333 FISA 702 GRC

EO 12. 333 FISA 702 GRC

PART 2: PRIVACY SHIELD @maxschrems

PART 2: PRIVACY SHIELD @maxschrems

TWO HURDLES @maxschrems

TWO HURDLES @maxschrems

≈ 95/46. Art 25 of 95/46/EC „Ess. Equivalent” = CFR Art 7, 8 &

≈ 95/46. Art 25 of 95/46/EC „Ess. Equivalent” = CFR Art 7, 8 & 47

PRIVATE SECTOR NOTICE & CHOICE @maxschrems

PRIVATE SECTOR NOTICE & CHOICE @maxschrems

collection, blocking, recording, erasure, organization, destruction; storage, use, adaptation or alteration, disclosure by transmission,

collection, blocking, recording, erasure, organization, destruction; storage, use, adaptation or alteration, disclosure by transmission, retrieval, change of purpose, consultation, alignment or combination, dissemination or otherwise making available, and any other form of “processing”; “Opt Out” for two specific situations

Collection Use Storage Change of Purpose Disclosure

Collection Use Storage Change of Purpose Disclosure

HOW TO KILL THE TWO LIMITS IN TWO LINES?

HOW TO KILL THE TWO LIMITS IN TWO LINES?

USE A BROAD PURPOSE + THIRD PARTY CLAUSE = UNLIMITED DATA PROCESSING

USE A BROAD PURPOSE + THIRD PARTY CLAUSE = UNLIMITED DATA PROCESSING

PRIVATE SECTOR REDRESS @maxschrems

PRIVATE SECTOR REDRESS @maxschrems

Choice / $$$ DPAs . Panel

Choice / $$$ DPAs . Panel

SURVEILLANCE ASSESSMENT @maxschrems

SURVEILLANCE ASSESSMENT @maxschrems

“The US authorities. . . assured there is no indiscriminate or mass surveillance by

“The US authorities. . . assured there is no indiscriminate or mass surveillance by national security authorities. ” th

ANNEX VI, PAGE 4

ANNEX VI, PAGE 4

PPD-28, PAGE 3

PPD-28, PAGE 3

PPD-28, PAGE 3, FN 5

PPD-28, PAGE 3, FN 5

SURVEILLANCE REDRESS @maxschrems

SURVEILLANCE REDRESS @maxschrems

DPA (i) „has been investigated“ (ii) „complied or remedied“ „will neither confirm nor deny

DPA (i) „has been investigated“ (ii) „complied or remedied“ „will neither confirm nor deny that whether the individual has been the target of surveillance“ nor „confirm specific remedy“ ANNEX III, Paragraph 4(e)

THANKS @maxschrems

THANKS @maxschrems