Snowden revelations threaten U.S.-EU data transfer deal

A data-sharing agreement between the European Union and the United States should be invalidated after the revelation of mass surveillance programs uncovered thanks to the efforts of Edward Snowden in 2013, according to Advocate General for EU Court of Justice Yves Bot.
The agreement to which Bot refers is the Safe Harbor decision from 2000. It allows US companies to self-certify that they comply with EU rules governing the transfer of data related to European citizens to other countries, like the US.
“The access enjoyed by the United States intelligence services to the transferred data constitutes an interference with the right to respect for private life and the right to protection of personal data,” Bot stated in an opinion published this morning. This means Safe Harbor is “no longer adequate” and “the decision adopted in 2000 was no longer adapted to the reality of the situation.”
The opinion was published in response to a complaint brought against Facebook by privacy advocate Max Schrems, who says the personal data of European citizens has been made available to U.S. intelligence agencies via the social network.
Schrems has welcomed Bot’s recommendation, saying in response that “This finding, if confirmed by the court, would be a major step in limiting the legal options for US authorities to conduct mass surveillance on data held by EU companies, including EU subsidiaries of US companies.” He also argues that invalidating Safe Harbor is a leveling of the playing field:

Self-certification under safe harbor gives US companies an extremely unfair advantage over all other players on the European market that have to stick to much stricter EU law. Removing ‘safe harbor’ would mainly mean that US companies have to play by rules that are equal to those their competitors already play by and that they cannot aid US mass surveillance.

It’s important to note that Bot’s opinion is non-binding, though the court is said to often side with the advocate general. Facebook wouldn’t be the only company affected by the invalidation of Safe Harbor, either; it would affect all companies that transfer data about European citizens to servers located in the US. The BBC reports that a decision like this could affect an estimated 4,000 companies.
In response to a request for comment, a Facebook spokesperson said the company “operates in compliance with EU Data Protection law. Like the thousands of other companies who operate data transfers across the [A]tlantic we await the full judgement.” And, in response to complaints that data it transfers is given to US intelligence agencies through surveillance programs:

We have repeatedly said that we do not provide ‘backdoor’ access to Facebook servers and data to intelligence agencies or governments. As Mark said in June 2013, we had never heard of PRISM before it was reported by the press and we have never participated in any such scheme.

The court’s judges are expected to make their own ruling later this year.

Google and Apple may be forced to pay more tax in Russia

Russian authorities may start trying to extract more tax from foreign tech firms such as Google and Apple, according to a report by Vedomosti.

There appear to be a couple elements to this push. Firstly, the Russians have taken note of recent changes in the European Union that force the suppliers of digital services to collect sales tax based on the location of the customer, rather than the location of the supplier. This is designed to stop the big tech firms from funnelling their EU revenues through low-tax jurisdictions such as Luxembourg and denying most European countries their tax proceeds.

Russia has the same problem – apps and content sold through Apple’s platforms, for example, are provided by foreign companies, and no Russian tax is levied.

The second apparent strand relates to the Russian web giant Yandex, which is embroiled in multiple battles with Google over the U.S. firm’s restrictive practices around what software and services can be installed on Android devices. Yandex has given evidence to EU investigators who are looking into this matter, and it’s also prompted an investigation by Russia’s antitrust regulator with the support of the Microsoft-backed “FairSearch” group.

According to Vedomosti, Google is paying way less tax than Yandex is – around $8 million in 2013 compared with Yandex’s $53 million, a disparity considerably wider than that between Google and Yandex’s market shares in Russia (roughly 32 percent versus 59 percent). This may be legal today, but now the authorities are considering changing the law.

The initiator of all this was apparently Putin aide and former communications minister Igor Shchegolev. It’s all at the discussion stage right now, with other participants including government representatives and media regulator Roskomnadzor, but it looks like western tech firms – already facing incoming restrictions on where they can store Russians’ personal data – have something new to worry about in Russia.

Yandex declined to comment. I’ve asked Google and Apple for comment and will add it in if and when it arrives.

EU legal advisers cast doubt on data retention legality

The European Parliament’s legal advisors have issued a report into the repercussions of last year’s ruling by the Court of Justice of the European Union, in which the CJEU struck down the E.U. Data Retention Directive. And the lawyers’ opinions suggest that surviving national data retention laws are on shaky ground.

The Directive forced E.U. member states to have a data retention regime in which telecommunications and internet service providers had to maintain records of their customers’ communications – metadata about who contacted whom and when, as opposed to the contents of those communications. After the CJEU judgement in April 2014, countries including Austria, Slovenia and Romania scrapped their national data retention laws (a couple others, notably Germany, had already rolled theirs back on constitutional grounds).

However, some countries have continued or – in the case of the U.K. with its DRIPA surveillance law – even expanded their national data retention regimes. Here’s a breakdown of what the Legal Service department said about the ruling’s implications in that regard (a copy of the opinion was obtained and published by the digital rights group Access).

  • The CJEU ruling was specific to the Data Retention Directive, which had been challenged by Digital Rights Ireland (DRI), so it did not have a direct effect on national data retention laws, apart from saying that it’s now okay by the E.U. for countries to repeal them.
  • With the Data Retention Directive now out of the picture, the continuing national laws are now governed by the earlier e-Privacy Directive of 2002, which allows member states to implement data retention regimes “when such restriction constitutes a necessary, appropriate and proportionate measure within a democratic society to safeguard national security (i.e. State security), defence, public security, and the prevention, investigation, detection and prosecution of criminal offences or of unauthorised use of the electronic communication system.”
  • Because member states’ national data retention laws are therefore still in the realm of E.U. law, they have to be compatible with the E.U.’s Charter of Fundamental Rights, specifically Articles 7 and 8, which set out the rights to privacy and personal data protection respectively, and Article 52(1), which says any limitations to rights must be proportionate.
  • The Charter is what informed the CJEU judgement striking down the Data Retention Directive – the court said the directive was not proportionate and didn’t provide “clear and precise rules” to limit the interference to what is “strictly necessary” and provide “minimum safeguards”.
  • Therefore, countries maintaining national data retention laws must re-examine those laws to check whether they fulfil the requirements “as interpreted by the Court of Justice in the DRI judgement”, and fix them if they don’t. What’s more, anyone who wants to challenge those national laws can now point to the CJEU judgement as a guideline, even though it doesn’t have a direct effect.
  • The same goes for existing E.U.-level data retention programs such as the Terrorist Finance Tracking Programme (TFTP) and the Union’s international passenger name record (PNR) agreements – they’re still valid, but if someone wants to challenge the legality of those, they can also point to the CJEU’s DRI judgement. The CJEU ruling should also be heeded when formulating any new E.U. data retention legislation. As it happens, TFTP and the international PNR agreements are about to be renegotiated.

This is particularly good news for the two British members of Parliament that are challenging DRIPA in the U.K. High Court. DRIPA was fast-tracked as an “emergency” law because the Data Retention Directive had been implemented in the U.K. as secondary rather than primary legislation, so the government feared that the CJEU judgement left it without a proper legal justification for continuing to demand that ISPs and web service providers keep retaining communications data.

DRIPA is temporary, time-limited to the end of 2016, but the underlying primary legislation that it expands on – the Regulation of Investigatory Powers Act (RIPA) – is not. RIPA is however up for review, as the government will want to make the DRIPA powers permanent before the end of 2016, so those conducting the review will now also need to take the E.U. legal advice into account.

RIPA was designed as anti-terrorist legislation but it’s widely used by local authorities in the U.K. to spy on citizens, in order to see whether they’re putting their trash out in the prescribed manner or trying to cheat their kids into schools in a different neighborhood. It’s also used to spy on lawyers and journalists. Around half a million RIPA requests for communications data are made each year.

The CJEU ruling will make it hard to justify the continuation of this situation, and even in the case of terrorism and more serious crime, the British government may have a struggle proving the proportionality of its mass surveillance regime. Proper reviews of data retention laws in other countries such as Sweden may uncover similar problems.

Looks like the EU net neutrality debate will run into 2015

The Council of the EU, representing the 28 member states, is currently debating how to finalize the strict net neutrality rules that the European Parliament handed it earlier this year. It looked like the Council was about to water the rules down, but then the European Commission and the Parliament both pleaded with it not to, and now the decision has reportedly been delayed. The Italian presidency of the Council said Thursday that none of the compromise drafts had achieved consensus and a Council official quoted by IDG said the debate will now go through to 2015. The Commission and Parliament want strong rules and definitions but the member states want more flexible “principles” – we’ll have to wait to see who wins.

Google antitrust case: New EU competition chief wants fresh talks with complainants

Europe’s last antitrust chief, Joaquin Almunia, couldn’t settle his department’s four-year case against Google, keen though he was to do so. Now the new European Commission is in place, his successor, Margrethe Vestager, has said she wants to meet with “those most directly affected” by Google’s anticompetitive practices. That would include vertical search engines such as Yelp and Foundem, publishers and consumer rights groups. “We are talking about fast moving markets – I have to be sure that we have all the facts up to date to get it right,” Vestager said in a Tuesday statement. “The issues at stake in our investigations have a big potential impact on many players… I will therefore need some time to decide on the next steps.”