
Saturday, August 24, 2013

Policy Matters: Europe deadlocked over data protection reform

Viviane Reding, European commissioner for justice, fundamental rights and citizenship, has called for a swift conclusion to data protection negotiations. Photograph: Szilard Koszticsak/EPA
An EU parliament vote on amendments to data protection law has been postponed for the third successive time, with the impasse leaving citizens' rights inadequately protected.
MEPs had been set to decide whether to ratify the latest set of proposals in early July but the vote is now scheduled to take place in October, with a view to publishing the amended legislation before the European elections in May 2014.
The legislation in its current form is 18 years old and as a result has increasingly been found wanting in a number of areas, including the protection of personally identifiable information in light of recent industry developments.
The process was kicked off in January 2012 when the European Commission published its initial proposal. Since then, no significant agreements have been reached, fueling fears that the legal system simply cannot keep pace with technological change where data collection, analysis and storage are concerned.
"Over the past few months, there has been widespread discussion of a risk-based approach to data protection regulation, and some detailed exploration of the key elements of such an approach under the Irish presidency", said Bridget Treacy, partner and head of the UK privacy and cybersecurity practice at Hunton & Williams.
Foremost in recent discussions has been the need to consolidate definitions of differing levels of privacy risk; from personally identifiable records through to truly anonymous information.
One sticking point has been where information falls somewhere between these two extremes. The latest proposal includes an attempt to establish a third, intermediate classification, but this step is easier said than done.

A third way: pseudonymous data

"The Irish presidency's compromise text includes a definition of 'pseudonymous data', being personal data processed in such a way that the data cannot be attributed to a specific individual, without the use of additional information, provided the additional information is kept separately.
"Pseudonymous data would still be personal data, and subject to data protection law, but controllers might be exempted from certain obligations. The practical challenge, however, is to find an appropriate definition of 'pseudonymous data', which is an extremely complex task. It may not be possible", said Treacy.

Perhaps more problematic than the protracted process itself is the apparent lack of desire to define anonymous data.
In one recent example, a Harvard professor was able to re-identify almost half of participants in a genetics study by cross-referencing records from its results database with publicly available information. The whole re-identification process was done without individuals' names, and using only three pieces of data - gender, age and postal code.
"On the subject of anonymisation, there appears to be no real appetite to define this as a concept. That said, if data are anonymous, they cannot be 'personal data' and will therefore fall outside the scope of data protection law. True anonymisation is, however, difficult to achieve and it is often only temporary", said Treacy.
With algorithms getting better and better at matching data from one database to another using common or similar fields, some data sets may gradually migrate from anonymous, through pseudonymous, to personally identifiable.
This risk is exacerbated by the fact that experts believe many companies simply do not currently have the means to delete all copies of an individual record when duplicates are stored off-site, risking such data being left waiting to be discovered at a time when analytical capabilities are such that its subjects can be re-identified.

UK firms selling customer data

Earlier this year Barclays was revealed to be combining its customers' data with that of third parties, including - in theory - government departments, in order to yield more valuable information than could be extracted from their own databases alone.
Even when such data is anonymised, the creation of these super-databases brings with it its own inherent dangers. The more data feeds used for analytics, the richer the data that could fall into the wrong hands in the event of a breach.
Techniques such as topological data analysis are already providing data scientists with methods of grouping data based on inherent mathematical patterns, taking the bulk of the work out of human hands altogether.

The threat from non-EU governments and corporations

Another concern - that of whether EU courts will be able to hold non-European bodies to account - has been brought into the spotlight by the ongoing revelations regarding government surveillance.
Angela Merkel and Viviane Reding, Europe's most senior justice official, have both in recent weeks cited government and corporate collection of personal data in calls for a swift conclusion to data protection negotiations.
"I would find it helpful if the European council in October could speed up the work on this important matter," said Reding.
During an election debate last month on internet privacy Merkel named Google and Facebook as examples of companies that should provide information to European authorities on third parties where their customers' data is being sent.
Worries over extra-EU attacks on EU privacy have escalated to the extent that one security expert has stated his belief that the only way for European citizens to be free from fear of surveillance would be for European entrepreneurs to create an EU dot.com industry rivalling that of the US.
The revelations that several of the US' counterparts in the EU are engaging in the same or similar practices have perhaps shown such concerns to be misplaced, but the argument that a more self-sufficient online Europe would offer its citizens better protection than the current model will remain appealing until non-EU governments and corporations have a reason to fear EU data protection law.
Are cries for an EU dot.com industry to rival that of the US alarmist, or is this the only watertight solution to concerns over the online privacy of EU citizens? Join in the debate by commenting below or contacting me directly on Twitter @jburnmurdoch or @GuardianData

Source:
http://www.theguardian.com/news/datablog/2013/aug/12/europe-data-protection-directive-eu

Friday, August 23, 2013

Policy Matter: NSA Spying: The Three Pillars of Government Trust Have Fallen


AUGUST 15, 2013 | BY CINDY COHN AND MARK M. JAYCOX

With each recent revelation about the NSA's spying programs government officials have tried to reassure the American people that all three branches of government—the Executive branch, the Judiciary branch, and the Congress—knowingly approved these programs and exercised rigorous oversight over them. President Obama recited this talking point just last week, saying: "as President, I've taken steps to make sure they have strong oversight by all three branches of government and clear safeguards to prevent abuse and protect the rights of the American people."  With these three pillars of oversight in place, the argument goes, how could the activities possibly be illegal or invasive of our privacy? 

Today, the Washington Post confirmed that two of those oversight pillars—the Executive branch and the court overseeing the spying, the Foreign Intelligence Surveillance Court (FISA court)—don't really exist. The third pillar came down slowly over the last few weeks, with Congressional revelations about the limitations on its oversight, including what Representative Sensenbrenner called "rope a dope" classified briefings. With this, the house of government trust has fallen, and it's time to act. Join the over 500,000 people demanding an end to the unconstitutional NSA spying.
First, the Executive. After a review of internal NSA audits of the spying programs provided by Edward Snowden, the Post lays out—in stark detail—that the claims of oversight inside the Executive Branch are empty. The article reveals that an internal NSA audit not shown to Congress, the President, or the FISA Court detailed thousands of violations where the NSA collected, stored, and accessed Americans' communications content and other information. In one story, NSA analysts searched for all communications containing the Swedish manufacturer Ericsson and “radio” or “radar.” What's worse: the thousands of violations only include the NSA's main office in Maryland—not the potentially hundreds of other NSA offices across the country. And even more importantly, the documents published by the Post reveal violations increasing every year. The news reports and documents are in direct contrast to the repeated assertions by President Obama (video), General James Clapper (video), and General Keith Alexander (video) that the US government does not listen to or look at Americans' phone calls or emails. So much for official pronouncements that oversight by the Executive was "extensive" and "robust."
Second, the FISA Court. The Post presents a second article in which the Chief Judge of the FISA Court admits that the court is unable to act as a watchdog or stop the NSA's abuses: “The FISC is forced to rely upon the accuracy of the information that is provided to the Court,” its chief, US District Judge Reggie B. Walton, said in a written statement. “The FISC does not have the capacity to investigate issues of noncompliance.” Civil liberties and privacy advocates have long said that the FISA Court is a rubber stamp when it comes to the spying, but this is worse—this is the Court admitting that it cannot conduct the oversight the President and others have claimed it is doing. So much for claims by officials from the White House (video), NSA, DOJ, and Intelligence Committee members of Congress that the FISA Court is another strong pillar of oversight.
Third, the Congress. Last week, Representative Sensenbrenner complained that "the practice of classified briefings are a 'rope-a-dope operation' in which lawmakers are given information and then forbidden from speaking out about it." Members of Congress who do not serve on the Intelligence Committees in both the House and Senate have had difficulty in obtaining documents about the NSA spying. Last week, it was even uncovered that the Chairman of the House Intelligence Committee, Rep. Mike Rogers, failed to provide freshmen members of Congress vital documents about the NSA's activities during a key vote to reapprove the spying. Senators Wyden and Udall have been desperately trying to tell the American people what is going on, but this year the House Intelligence committee's Subcommittee on Oversight has not met once and the Senate Intelligence committee has met publicly only twice.
One, two, three pillars of government, all cited repeatedly as the justification for our trust and all now obviously nonexistent or failing miserably. It's no surprise Americans are turning against the government's explanations.
The pattern is now clear and it's getting old. With each new revelation the government comes out with a new story for why things are really just fine, only to have that assertion demolished by the next revelation. It's time for those in government who want to rebuild the trust of the American people and others all over the world to come clean and take some actual steps to rein in the NSA. And if they don't, the American people and the public, adversarial courts, must force change upon it.
We still think the first step ought to be a truly independent investigatory body that is assigned to look into the unconstitutional spying. It must be empowered to search, read and compel documents and testimony, must be required to give a public report that only redacts sensitive operational details, and must suggest specific legislation and regulatory changes to fix the problem—something like the Church Committee or maybe even the 9/11 Commission. The President made a mockery of this idea recently, by initially handing control of the "independent" investigation he announced in his press conference to the man who most famously lied to Congress and the American people about the spying, the Director of National Intelligence James Clapper.
The three pillars of American trust have fallen. It's time to get a full reckoning and build a new house from the wreckage, but it has to start with some honesty.
Source: 
https://www.eff.org/deeplinks/2013/08/nsa-spying-three-pillars-government-trust-have-fallen

Monday, August 5, 2013

NEWS: Global Coalition States Principles to Protect Human Rights from Surveillance


AUGUST 1, 2013 | BY KATITZA RODRIGUEZ
For some time now there has been a need to update understandings of existing human rights law to reflect modern surveillance technologies and techniques. Nothing could demonstrate the urgency of this situation more than the recent revelations confirming the mass surveillance of innocent individuals around the world.
To move toward that goal, today we’re pleased to announce the launch of the International Principles on the Application of Human Rights to Communications Surveillance. The thirteen principles articulate what international human rights law – which binds every country across the globe – requires of governments conducting surveillance in the digital age. They speak to a growing global consensus that modern surveillance has gone too far and needs to be restrained. They also give benchmarks that people around the world can use to evaluate and push for changes in their own legal systems.
The product of over a year of consultation among civil society, privacy and technology experts (read here, here, here and here), the principles have already been co-signed by over a hundred organisations from around the world. The process was led by Privacy International, Access, and the Electronic Frontier Foundation.
The principles can be found in full at necessaryandproportionate.org. They include requirements that surveillance law ensure all interceptions be legal, and for a legitimate purpose; necessary, proportionate and adequate; be overseen by a competent judicial authority; include transparency, user notifications, public oversight and due process, protect the integrity of communication systems, and include human rights safeguards against illegitimate access and the misuse of co-operation procedures between States.
The release of the principles comes on the heels of a landmark report from the United Nations Special Rapporteur on the right to Freedom of Opinion and Expression, which details the widespread use of state surveillance of communications, stating that such surveillance severely undermines citizens’ ability to enjoy a private life, freely express themselves and enjoy their other fundamental human rights. And recently, the UN High Commissioner for Human Rights, Navi Pillay, emphasised the importance of applying human rights standards and democratic safeguards to surveillance and law enforcement activities.
“While concerns about national security and criminal activity may justify the exceptional and narrowly-tailored use of surveillance programmes, surveillance without adequate safeguards to protect the right to privacy actually risk impacting negatively on the enjoyment of human rights and fundamental freedoms”. 
Over the next year and beyond, groups around the world will be using them to advocate for changes in how present laws are interpreted and how new laws are crafted.
We encourage privacy advocates, rights organisations, scholars from legal and academic communities, and other members of civil society to support the principles by adding their signature. To sign, please send an email to rights AT eff.org, or visit https://www.necessaryandproportionate.org/about

Source: https://www.eff.org/deeplinks/2013/07/thirteen-principles-for-human-rights