Data Protection and Data Security: The NSA Scandal from a Legal Point of View

 

Dear Readers,

It all began in June 2013 with the revelations of former US intelligence services employee Edward Snowden about surveillance activities of the United States and the United Kingdom, which have carried these out since at least 2007. It came to light that telecommunications and the Internet were monitored globally without any specific suspicion. The main argument of both countries is the prevention of terrorist attacks. Besides individual citizens of different countries – including leading politicians – even buildings and offices of the European Union and the United Nations were spied on with hidden microphones, and e-mail traffic was monitored. The data obtained are retained for an undisclosed period (cf. the contribution of Erich Schweighofer / Stephan Varga / Walter Hötzendorfer / Janos Böszörmenyi, Ist Open Source Intelligence durch Botschaften rechtmäßig? (Is Open Source Intelligence of Embassies Lawful?), in: Jusletter IT 20 February 2014. At present, a comprehensive study on the lawfulness of secret service activities is being prepared; it could not be finished because important documents are inaccessible.).

Privacy experts, scholars and practitioners look at the legal situation in the individual countries and make comparisons.

Rolf H. Weber and Dominic N. Staiger contrast the surveillance capabilities of Swiss authorities with those of their US-American counterparts and focus in particular on data protection issues. Moreover, technical solutions for minimizing monitoring as well as organizational changes are addressed with the aim of reducing exposure to foreign surveillance.

Daniel Vischer gives us an update on the Swiss Intelligence Service Act. Thomas Hansjakob presents the proposed changes and effects of the revision of the Swiss Federal Law on Surveillance of the Post and Telecommunications (BÜPF). This law regulates, inter alia, the permissibility of the use of so-called GovWare («Trojan horse of the Government»).

Ann Cavoukian from Canada proposes a new methodology – the «Privacy-Protective Surveillance» (PPS) – which offers an alternative to the current counter-terrorism surveillance systems.

Gertjan Boulet and Elonnai Hickok consider the reactions to the Snowden affair in India and Belgium. From the Czech perspective Filip Křepelka reports on mass surveillance of telecommunication and its legal remedies.

Not least, the judgement of the European Court of Justice of 8 April 2014 (C-293/12, Digital Rights Ireland) clarifies fundamental rights questions. Surveillance and data retention without sufficient reasons are not allowed, and the Data Retention Directive 2006/24/EC is therefore invalid. Both the Snowden affair and the decision of the ECJ demonstrate significant and avoidable failures of government policy development and implementation. Malcolm Crompton and Chong Shao describe the «4As Framework», which was developed years ago by the Privacy Commissioner of Australia for managing and avoiding such risks.

What is the «tense relationship» between society-related transparency and government surveillance? How can the various fundamental rights be balanced against each other? Elisabeth Hödl and Sebastian Lukic analyse the concept of transparency in the digital world.

Agnes Balthasar-Wach, Matthias Wach and Alexander Balthasar ask whether security risks are really unavoidable. These bugs provide far-reaching options for intelligence services as well as criminals to intercept data for their own purposes or to manipulate it. The authors present technical, legal-doctrinal and legal-policy considerations and aim to inspire further developments.

Orlan Lee and James She caution about insufficient control of private data collections which are commercially very successful but neglect data protection.

The monitoring of a player in online games, i.e. of his avatar, can be a threat to the privacy of individuals and can be completely misinterpreted. Burkhard Schafer and Wiebke Abel attempt a first comparative analysis of the monitoring of gaming habits.

Robert Briner raises the question of whether the NSA scandal is actually something for lawyers. Although a detailed legal analysis appears necessary when observed at close range, a view of the bigger picture clearly shows even more important legal contexts.

Espionage is, however, by no means a new phenomenon and has been practiced for millennia. Fritjof Haft compares espionage in the past and the present.

Kai Erenli and Maximilian Schubert finally demand a constitution for the Internet and draft the individual articles of a global Bill of Rights 2.0.

In the case of Google Spain (C-131/12) the ECJ has also extended the principle of targeting to the sales offices of internet companies. Thus, European data protection law is applicable to all companies which intend to sell advertising space in search engines (and the social web). The right to deletion (or right to be forgotten) is nothing new, and it must be considered in the context of media and archiving law. On request, harmful links shall be deleted by Google if there is no appropriate reason (i.e. interest in prosecution by the Police, open court policy etc.).

We would be delighted if you participate in our survey on data protection and data security. The results will be published in the next issue of Jusletter IT.

New to this issue is the category «TechLawNews», where you'll find news from the field of IT and law by the lawyers Daniel Ronzani and Simon Schlauri.

Having said this, we hope you enjoy reading this issue.

 

DATA PROTECTION / DATA SECURITY
Spannungsfelder von Datenschutz und Datenüberwachung in der Schweiz und in den USA (Tensions between Data Protection and Data Surveillance in Switzerland and the USA)
Rolf H. Weber
Dominic N. Staiger
Edward Snowden brought to light the extensive National Security Agency surveillance, which raises numerous issues with regard to the protection of fundamental rights. The article contrasts the surveillance capabilities of Swiss authorities with those of their American counterparts, focusing in particular on data protection concerns. Moreover, technical solutions for minimizing monitorability as well as organizational changes are addressed with the aim of reducing exposure to foreign surveillance.
Nachrichtendienstgesetz (NDG) (Intelligence Service Act)
Daniel Vischer
Currently, two laws are being discussed in the Swiss federal councils that substantially affect the right to informational self-determination. The expanded data retention in the Federal Law on the Surveillance of Post and Telecommunications Traffic (BÜPF) and the new powers in the Security and Intelligence Agencies Act (NDG) bring forth new, additional supervisory responsibilities, which are constitutionally untenable. (ah)
Der Einsatz von GovWare in der Schweiz (The Use of GovWare in Switzerland)
Thomas Hansjakob
The Swiss Council of States has deliberated on the amendment of the Law on the Monitoring of Postal and Telecommunications Traffic and thereby approved the proposal to tolerate the use of GovWare in the future. The author introduces the planned changes and their impact on practice. (ah)
Canada’s Secretive Work with the NSA Demonstrates the Need for Privacy-Protective Surveillance
Ann Cavoukian
The revelations from Edward Snowden have made it very clear that significant change is needed in the ways that intelligence agencies such as the Communications Security Establishment Canada (CSEC) and the National Security Agency (NSA) operate and are overseen. The article proposes a new methodology called Privacy-Protective Surveillance (PPS), which offers a positive-sum, «win-win» alternative to the current invasive counter-terrorism surveillance systems.
Post-Snowden reactions in India and Belgium: A snapshot
Gertjan Boulet
Elonnai Hickok
This article explores and analyzes reactions, policies, and projects that have emerged post-Snowden in India and Belgium in an attempt to understand the impact of the Snowden Revelations across jurisdictions. Part 1 provides an overview of the post-Snowden public response in India and Belgium. Parts 2 and 3 give an overview of the post-Snowden inquiries and cybersecurity initiatives in India and Belgium. Part 4 refers to surveillance initiatives by India and Belgium, of which some have an obvious extraterritorial reach. Finally, we draw conclusions from the comparison between the post-Snowden response of India and Belgium, and point to the adoption of the International Principles on the Application of Human Rights to Communications Surveillance, as well as internal reviews of national surveillance legal regimes and practices as steps that both governments, despite contextual differences, could adopt.
Mass Telecommunication Surveillance in Czech Republic (and in Slovakia)
Filip Křepelka
Controversy related to the retention of metadata on phone calls, e-mails and other Internet communication does not spare the Czech Republic, one of the most technologically advanced post-socialist countries. Legislation demanded by authorities investigating and prosecuting crimes, and harmonized by the European Union, was criticized by activists and scrutinized by courts. The recent intervention of the European Court of Justice sparks a new round of discussion about the issue.
Reconciling Privacy and Security in the Age of Snowden: applying the 4A’s Framework to an age-old challenge
Malcolm Crompton
Chong Shao
The European Court of Justice ruled in 2014 that the EU Data Retention Directive was invalid. It follows the revelations by Edward Snowden in 2013 about the highly controversial and wide-ranging surveillance of anybody whose digital footprint has any contact with the USA. Both demonstrate significant and avoidable failures of policy development and implementation. Yet there is a well-established framework for managing and avoiding such risks whenever coercive and covert powers are being considered for law enforcement or national security purposes. It is the «4As Framework» developed years ago by the Privacy Commissioner of Australia. This article describes the Framework.
Das Spannungsfeld von gesellschaftsbezogener Transparenz und Überwachung (The Tension between Society-Related Transparency and Surveillance)
Elisabeth Hödl
Sebastian Lukic
The digitization of society and global networking have changed the way information is handled. A field of tension between legal positions has arisen, and weighing them is becoming increasingly difficult owing to the complexity of the systems. The following article demonstrates this by means of a concept which currently plays a major role in law and society: transparency.
Sind Sicherheitslücken wirklich unvermeidlich? Technische, rechtsdogmatische und rechtspolitische Überlegungen (Are Security Vulnerabilities Really Unavoidable? Technical, Legal-Doctrinal and Legal-Policy Considerations)
Agnes Balthasar-Wach
Matthias Wach
Alexander Balthasar
Vulnerabilities provide an extensive opportunity for intelligence services as well as criminals to monitor and manipulate data for their purposes. To find the proper solutions to these threats is currently a real challenge for our legal systems, in particular against the backdrop of fundamental rights requiring effective protection. After describing the technical background this article intends to provide a survey of the current instruments of protection as well as to give impetus to further reasonable developments.
«It Could Never Happen Here!»
Orlan Lee
James She
We have realized for many years that, with advances in technology, we were subject to surveillance of unknown kinds from unknown sources. Nevertheless, revelation of the extent of surveillance by our own government comes as a shock. Layman’s indifference to technology has also allowed a private sector culture of profiting from exploitation of access to private personal data to emerge. To callous personal data specialists, special interest law «liberates employers from following the [law's] exacting consent and disclosure requirements» when investigating supposed «employee misconduct». Not even the police have powers like that in the United States.
Guter Ork, Böser Ork: Snowden und die staatliche Überwachung von Online-Spielen in Grossbritannien (Good Orc, Bad Orc: Snowden and State Surveillance of Online Games in Great Britain)
Burkhard Schafer
Wiebke Abel
British and American secret services infiltrated online role-playing games on a massive scale, or so the Snowden documents indicate. But do we need to be worried about this new field of surveillance, or is it more a concern about the appropriate use of taxpayers' money on an obviously frivolous endeavour? Using arguments from psychology, cultural studies and anthropology in addition to legal arguments from UK and German law, we argue that far from being a trivial addition to our lives, playing is a constitutive part of «homo ludens» in modern, capitalist societies. By submitting gaming behaviour to the police officer’s gaze, we get closer than ever to a form of surveillance that threatens to capture us in our entirety – not just what we are, but what we are longing to be.
Der NSA-Skandal: Etwas für Juristen? (The NSA Scandal: Something for Lawyers?)
Robert G. Briner
The knowledge about the data interceptions of the American security service NSA (National Security Agency; www.nsa.gov) – transcending even bold visions – at first sight calls for a detailed legal analysis. Taking one step back, a certain distance discloses a more important context.
Spionage – einst und jetzt (Espionage – Then and Now)
Fritjof Haft
The copious data spying by secret services, particularly by the National Security Agency (NSA), has been subjected to criticism worldwide. Espionage certainly is not a new phenomenon. It has been practised for millennia. The article provides a brief overview, expresses skepticism regarding legal measures and points out which technical barriers hamper the analysis of large collections of data. Unlike specific target persons, notably politicians, the mass of persons concerned can rest assured in this data portfolio, like a single fish in the school when a predator attacks. (ah)
Es ist an der Zeit – Das Internet braucht eine eigenständige Verfassung! (It Is Time – The Internet Needs Its Own Constitution!)
Kai Erenli
Maximilian Schubert
Internet users (let us call them «netizens» from here on) have so far only been able to react to the rules imposed on them by states, corporations or companies. These rules, however, are subject to an ever-growing loss of trust; individual attempts to restrict the fundamental rights of netizens have been fought more or less successfully (for example Directive 2006/24/EC on data retention). Now, however, it seems time to put forward a constructive proposal ourselves as to which basic rules should be observed in the future. The contribution is intended as an invitation to discussion and not as a definitive work; the Bill of Rights 2.0 is meant as an attempt at a contemporary adaptation and further development of the original Bill of Rights.
TechLawNews by Ronzani Schlauri Attorneys
Init7: Interconnect Peering
Simon Schlauri
Use of Private Email at Work
Daniel Ronzani
AGB in Providerverträgen (General Terms and Conditions in Provider Contracts)
Simon Schlauri
The Right to Be Forgotten
Daniel Ronzani