0 00:00:00,000 --> 00:00:30,000 These subtitles were generated by a machine via the service Trint and therefore are (very) buggy. 1 00:00:15,170 --> 00:00:16,170 Yeah. 2 00:00:19,180 --> 00:00:21,369 I don't really think I have to introduce 3 00:00:21,370 --> 00:00:24,129 you, Max, to her, but 4 00:00:24,130 --> 00:00:25,149 I try. 5 00:00:25,150 --> 00:00:26,199 I'm happy for anything, 6 00:00:27,310 --> 00:00:28,600 my fellow Austrian. 7 00:00:29,710 --> 00:00:32,319 Max, the guy who's 8 00:00:32,320 --> 00:00:34,090 trying to beat Facebook. 9 00:00:36,050 --> 00:00:37,050 Yeah, 10 00:00:38,760 --> 00:00:39,760 and. 11 00:00:42,910 --> 00:00:43,910 Pardon my French. 12 00:00:45,610 --> 00:00:47,769 OK, how long have we been 13 00:00:47,770 --> 00:00:49,239 at it now? 14 00:00:49,240 --> 00:00:50,449 One and a half years, two years? 15 00:00:50,450 --> 00:00:51,729 More than two years. 16 00:00:51,730 --> 00:00:52,869 What's that like? 17 00:00:52,870 --> 00:00:54,039 We've been at it now. 18 00:00:54,040 --> 00:00:57,249 If you've been at Facebook, January 2011. 19 00:00:57,250 --> 00:00:58,139 Seven years. 20 00:00:58,140 --> 00:00:59,919 Seven years. 21 00:00:59,920 --> 00:01:01,449 Oops, I missed the beginning there. 22 00:01:01,450 --> 00:01:03,849 Yeah, it's a 23 00:01:03,850 --> 00:01:04,850 long story. 24 00:01:08,650 --> 00:01:10,340 You all know what that means. 25 00:01:12,040 --> 00:01:14,109 Yeah, somebody who does not know what 26 00:01:14,110 --> 00:01:15,110 that means. 
27 00:01:17,000 --> 00:01:19,199 Wow, I'm impressed 28 00:01:19,200 --> 00:01:20,420 or they just don't want to 29 00:01:21,550 --> 00:01:22,979 know, basically, there are three procedures, 30 00:01:22,980 --> 00:01:24,619 we had a couple of we had like the first 31 00:01:24,620 --> 00:01:26,569 three years in Ireland, which we took 32 00:01:26,570 --> 00:01:28,669 back because the dpk there, diaphoretic, 33 00:01:28,670 --> 00:01:30,799 didn't really want to do much of a job. 34 00:01:30,800 --> 00:01:32,170 The cleaning woman left the job. 35 00:01:33,410 --> 00:01:34,410 You said that. 36 00:01:36,380 --> 00:01:37,879 And then there was actually the safe 37 00:01:37,880 --> 00:01:39,109 harbor case, which I'm going to talk 38 00:01:39,110 --> 00:01:42,049 about today, which started in 2013. 39 00:01:42,050 --> 00:01:43,549 It's still pending right now in Irish 40 00:01:43,550 --> 00:01:44,719 courts. It went all the way to 41 00:01:44,720 --> 00:01:46,279 Luxembourg, to the court of justice, back 42 00:01:46,280 --> 00:01:47,779 to Ireland and now back up to the Court 43 00:01:47,780 --> 00:01:49,759 of Justice. So Atsu did an endless ping 44 00:01:49,760 --> 00:01:51,979 pong. And there is a class action 45 00:01:51,980 --> 00:01:54,139 we're actually having at the Court 46 00:01:54,140 --> 00:01:55,399 of Justice right now. And we're waiting 47 00:01:55,400 --> 00:01:57,469 for the judgment on that to 48 00:01:57,470 --> 00:01:58,999 see if we can enforce privacy through 49 00:01:59,000 --> 00:02:01,549 class action. So, yeah, 50 00:02:01,550 --> 00:02:02,749 we're basically going through all the 51 00:02:02,750 --> 00:02:04,459 options of privacy enforcement to not 52 00:02:04,460 --> 00:02:06,169 just have stuff in the law, but probably 53 00:02:06,170 --> 00:02:07,549 in practice at some point as well. 54 00:02:08,780 --> 00:02:10,758 Isn't that nice when friends do the job 55 00:02:10,759 --> 00:02:11,759 for you? 
56 00:02:17,950 --> 00:02:20,209 To please, let's have 57 00:02:20,210 --> 00:02:22,519 another big hand for Max Schrems, giving 58 00:02:22,520 --> 00:02:24,680 you the privacy of lipstick on a pig. 59 00:02:32,230 --> 00:02:33,879 Thanks a lot for the invitation. 60 00:02:33,880 --> 00:02:35,889 I'm sorry for anybody that has to 61 00:02:35,890 --> 00:02:37,969 translate me because I'm very fast 62 00:02:37,970 --> 00:02:40,179 talking and probably sometimes 63 00:02:40,180 --> 00:02:41,469 hard to understand. People tell me I'll 64 00:02:41,470 --> 00:02:42,819 try to slow down. 65 00:02:42,820 --> 00:02:44,289 But at the same time, we have 30 minutes 66 00:02:44,290 --> 00:02:46,139 and I have to go through a lot of stuff. 67 00:02:47,140 --> 00:02:49,239 Basically, I was asked to talk 68 00:02:49,240 --> 00:02:51,579 about Privacy Shield and 69 00:02:51,580 --> 00:02:53,259 we called it Lipstick on a pig because 70 00:02:53,260 --> 00:02:55,569 it's the old Safe Harbor agreement. 71 00:02:55,570 --> 00:02:57,669 A bit of a background story probably 72 00:02:57,670 --> 00:02:58,899 on that. 73 00:02:58,900 --> 00:03:00,279 What is Safe Harbor and what was the 74 00:03:00,280 --> 00:03:02,049 whole story behind all of this? 75 00:03:02,050 --> 00:03:05,019 And we did have the surveillance 76 00:03:05,020 --> 00:03:06,969 slides that Snowden disclosed where we 77 00:03:06,970 --> 00:03:08,709 basically knew that a couple of the big 78 00:03:08,710 --> 00:03:10,839 IT companies take 79 00:03:10,840 --> 00:03:12,819 part in a program that's called PRISM, 80 00:03:12,820 --> 00:03:15,039 which is a US surveillance system, 81 00:03:15,040 --> 00:03:16,959 basically. And the interesting thing here 82 00:03:16,960 --> 00:03:18,849 is that from a legal perspective, I'm a 83 00:03:18,850 --> 00:03:20,859 lawyer. The big problem is a lot of that 84 00:03:20,860 --> 00:03:22,779 was oftentimes conspiracy, hard to prove 85 00:03:22,780 --> 00:03:24,729 in courts. 
And if you want to bring a 86 00:03:24,730 --> 00:03:26,769 case, you need to have very, very solid 87 00:03:26,770 --> 00:03:28,689 evidence, because if you're the claimant, 88 00:03:28,690 --> 00:03:29,769 you have to prove stuff. 89 00:03:29,770 --> 00:03:31,089 So if you just walk around and say, oh, 90 00:03:31,090 --> 00:03:32,199 there's a law and they couldn't, they 91 00:03:32,200 --> 00:03:34,299 may. It's not going to be good enough. 92 00:03:34,300 --> 00:03:35,949 The interesting thing with the 93 00:03:35,950 --> 00:03:37,899 disclosures by Snowden were that we 94 00:03:37,900 --> 00:03:38,889 actually had slides. 95 00:03:38,890 --> 00:03:41,229 We actually had evidence that made sense 96 00:03:41,230 --> 00:03:42,459 that we could actually present to a 97 00:03:42,460 --> 00:03:44,439 court. And that was the only reason this 98 00:03:44,440 --> 00:03:45,999 whole case ever happened is because of 99 00:03:46,000 --> 00:03:47,049 Snowden. 100 00:03:47,050 --> 00:03:48,160 Thanks for that, by the way. 101 00:03:53,720 --> 00:03:55,819 He that was kind of the factual 102 00:03:55,820 --> 00:03:57,349 side that we knew that these companies 103 00:03:57,350 --> 00:03:59,689 basically forward data to US 104 00:03:59,690 --> 00:04:01,099 government. 105 00:04:01,100 --> 00:04:02,569 The interesting thing from a legal 106 00:04:02,570 --> 00:04:04,729 perspective is how legally that works 107 00:04:04,730 --> 00:04:05,629 in the U.S. 108 00:04:05,630 --> 00:04:07,999 And there's oftentimes talk about US law. 109 00:04:08,000 --> 00:04:09,709 And I just want to kind of summarize that 110 00:04:09,710 --> 00:04:11,659 real quick. It's not 100 percent precise, 111 00:04:11,660 --> 00:04:13,069 but it gives you an idea how the law in 112 00:04:13,070 --> 00:04:14,239 the US works. 
113 00:04:14,240 --> 00:04:15,979 It basically says that there needs to be 114 00:04:15,980 --> 00:04:18,119 a so-called electronic communication 115 00:04:18,120 --> 00:04:19,278 service provider. 116 00:04:19,279 --> 00:04:21,259 So that's your Google, Facebook and so 117 00:04:21,260 --> 00:04:22,849 on. The interesting thing is these 118 00:04:22,850 --> 00:04:24,499 surveillance laws do not apply to an 119 00:04:24,500 --> 00:04:26,779 ordinary business to the 120 00:04:26,780 --> 00:04:28,379 airline or something that sends data to 121 00:04:28,380 --> 00:04:29,959 the US. We're actually very specific in 122 00:04:29,960 --> 00:04:31,789 the surveillance law on electronic 123 00:04:31,790 --> 00:04:34,069 communication service providers, and 124 00:04:34,070 --> 00:04:35,779 they need to have what they call foreign 125 00:04:35,780 --> 00:04:37,339 intelligence information. 126 00:04:37,340 --> 00:04:38,570 And that is very broad 127 00:04:39,740 --> 00:04:41,929 wording that basically excludes anything 128 00:04:41,930 --> 00:04:43,519 that the US may be interested in for 129 00:04:43,520 --> 00:04:45,079 diplomatic reasons and so on. 130 00:04:45,080 --> 00:04:46,639 So it's not very specific. 131 00:04:46,640 --> 00:04:48,019 It's not your terrorist or something. 132 00:04:48,020 --> 00:04:50,179 It's basically espionage and 133 00:04:50,180 --> 00:04:51,889 all of that as well. 134 00:04:51,890 --> 00:04:53,749 And that's pretty much the two things you 135 00:04:53,750 --> 00:04:55,429 need under FISA. 136 00:04:55,430 --> 00:04:57,499 And on top of that, and all 137 00:04:57,500 --> 00:04:59,629 of the stuff that's below that line is 138 00:04:59,630 --> 00:05:00,679 then classified. 139 00:05:00,680 --> 00:05:02,659 There's a so-called certification for one 140 00:05:02,660 --> 00:05:04,879 year. Now, typically, the U.S. 141 00:05:04,880 --> 00:05:06,769 says here there's a legal process. 
142 00:05:06,770 --> 00:05:08,179 When we have surveillance, there is some 143 00:05:08,180 --> 00:05:09,169 court involved. 144 00:05:09,170 --> 00:05:11,299 But what that court does, the FISA court, 145 00:05:11,300 --> 00:05:13,159 is that it certifies a surveillance 146 00:05:13,160 --> 00:05:14,959 program for a whole year. 147 00:05:14,960 --> 00:05:16,249 It doesn't look at individual 148 00:05:16,250 --> 00:05:17,869 surveillance at the individual person 149 00:05:17,870 --> 00:05:19,279 that is actually surveilled. 150 00:05:19,280 --> 00:05:21,679 It just certifies a program like Upstream 151 00:05:21,680 --> 00:05:23,149 of PRISM for a whole year. 152 00:05:23,150 --> 00:05:24,529 That's all the court does. 153 00:05:24,530 --> 00:05:26,239 It doesn't look at the individual case 154 00:05:26,240 --> 00:05:27,439 where data is actually pulled. 155 00:05:28,790 --> 00:05:30,379 The whole idea of that is that there are 156 00:05:30,380 --> 00:05:31,969 so-called minimization and targeting 157 00:05:31,970 --> 00:05:34,099 procedures that basically filter 158 00:05:34,100 --> 00:05:35,929 out the U.S. persons. 159 00:05:35,930 --> 00:05:37,849 So anybody to listen to us or is a US 160 00:05:37,850 --> 00:05:39,799 citizen if you're European, this whole 161 00:05:39,800 --> 00:05:41,749 minimizing and targeting procedure 162 00:05:41,750 --> 00:05:43,049 doesn't apply to you. 163 00:05:43,050 --> 00:05:45,199 So you're not protected on any of that. 164 00:05:45,200 --> 00:05:46,729 The reason for that is if you would have 165 00:05:46,730 --> 00:05:48,559 surveillance that goes as far as FISA 166 00:05:48,560 --> 00:05:49,759 does for U.S. 167 00:05:49,760 --> 00:05:51,889 people, you would actually violate the 168 00:05:51,890 --> 00:05:53,509 Fourth Amendment under the US 169 00:05:53,510 --> 00:05:55,579 Constitution. 
So all of what 170 00:05:55,580 --> 00:05:56,839 the US does right now would be 171 00:05:56,840 --> 00:05:58,519 unconstitutional if they would do it on 172 00:05:58,520 --> 00:05:59,659 U.S. citizens. 173 00:05:59,660 --> 00:06:01,819 But since fundamental rights 174 00:06:01,820 --> 00:06:03,799 in the US doesn't apply to foreigners, 175 00:06:03,800 --> 00:06:05,149 they can do it with us. 176 00:06:05,150 --> 00:06:06,649 And that's the whole idea of this whole 177 00:06:06,650 --> 00:06:08,239 minimization targeting procedures to 178 00:06:08,240 --> 00:06:09,709 filter them out. 179 00:06:09,710 --> 00:06:11,659 And then there is a so-called directive 180 00:06:11,660 --> 00:06:13,519 at a service provider. 181 00:06:13,520 --> 00:06:15,559 It doesn't specifically say in the law 182 00:06:15,560 --> 00:06:18,079 what it does and how it works, but 183 00:06:18,080 --> 00:06:20,119 it's basically telling a service provider 184 00:06:20,120 --> 00:06:21,619 that there has to be some technical 185 00:06:21,620 --> 00:06:23,299 interface to pull the data. 186 00:06:23,300 --> 00:06:24,589 That's the order that goes to an 187 00:06:24,590 --> 00:06:26,059 individual service provider saying you 188 00:06:26,060 --> 00:06:27,739 have to give us the data that's not done 189 00:06:27,740 --> 00:06:29,089 by the court, that's actually done by the 190 00:06:29,090 --> 00:06:30,199 U.S. government that order 191 00:06:31,250 --> 00:06:33,319 the court actually just certifies the 192 00:06:33,320 --> 00:06:34,730 whole surveillance program once a year. 193 00:06:35,760 --> 00:06:37,709 So if I'm that little smiley down here 194 00:06:37,710 --> 00:06:39,419 and I'm a Facebook customer and I have a 195 00:06:39,420 --> 00:06:41,609 contract with Facebook Ireland, my data 196 00:06:41,610 --> 00:06:43,139 actually goes straight to the servers for 197 00:06:43,140 --> 00:06:45,809 Facebook Inc, the US parent company. 
198 00:06:45,810 --> 00:06:47,519 And there are two ways that the data, as 199 00:06:47,520 --> 00:06:49,289 far as we know yet, but there could be 200 00:06:49,290 --> 00:06:51,479 legally more ways, two ways where 201 00:06:51,480 --> 00:06:53,579 we're sure that data is pulled. 202 00:06:53,580 --> 00:06:55,109 That's basically upstream where they pull 203 00:06:55,110 --> 00:06:56,219 it on the cable. 204 00:06:56,220 --> 00:06:58,079 And then there's PRISM, where they pull 205 00:06:58,080 --> 00:06:59,459 it from the servers of the service 206 00:06:59,460 --> 00:07:01,499 provider. PRISM makes sense. 207 00:07:01,500 --> 00:07:03,239 If you, for example, have it encrypted 208 00:07:03,240 --> 00:07:04,619 that way, you can still pull it from the 209 00:07:04,620 --> 00:07:06,509 service if you can get it upstream. 210 00:07:06,510 --> 00:07:07,979 Upstream is much broader. 211 00:07:07,980 --> 00:07:09,839 Both of that works under FISA. 212 00:07:09,840 --> 00:07:11,969 Upstream can possibly also go and 213 00:07:11,970 --> 00:07:13,709 work under 12333, an executive 214 00:07:13,710 --> 00:07:15,299 order. That's the true legal basis for 215 00:07:15,300 --> 00:07:16,300 that. 216 00:07:16,830 --> 00:07:17,969 And there are a couple of guidelines and 217 00:07:17,970 --> 00:07:19,409 stuff I'm going to touch later. 218 00:07:19,410 --> 00:07:20,819 But that's the legal basis and that's 219 00:07:20,820 --> 00:07:21,820 what we have to look at. 220 00:07:22,740 --> 00:07:24,809 So there are a couple of things that 221 00:07:24,810 --> 00:07:27,179 are disputed that we don't know yet the 222 00:07:27,180 --> 00:07:29,069 exact technical implementation amount of 223 00:07:29,070 --> 00:07:30,749 data that's really pulled the review 224 00:07:30,750 --> 00:07:32,579 mechanisms that are internal because all 225 00:07:32,580 --> 00:07:33,959 of that is classified and we don't have 226 00:07:33,960 --> 00:07:35,429 any proof of it. 
There's a lot of rumors, 227 00:07:35,430 --> 00:07:37,619 a lot of hints, but not really anything 228 00:07:37,620 --> 00:07:38,759 that was solid. 229 00:07:38,760 --> 00:07:40,589 Now, that was basically what Snowden 230 00:07:40,590 --> 00:07:42,899 disclosed. And what was interesting 231 00:07:42,900 --> 00:07:43,919 to me were the reactions. 232 00:07:43,920 --> 00:07:46,589 We had demonstrations. 233 00:07:46,590 --> 00:07:47,969 We had the European Parliament doing 234 00:07:47,970 --> 00:07:50,249 resolutions. The European Commission 235 00:07:50,250 --> 00:07:51,539 did a wonderful review. 236 00:07:51,540 --> 00:07:53,459 Merkel was pissed about her phone. 237 00:07:53,460 --> 00:07:55,229 And that was basically the reaction. 238 00:07:55,230 --> 00:07:57,299 And we knew that this is not going to go 239 00:07:57,300 --> 00:07:58,409 far. 240 00:07:58,410 --> 00:08:00,119 So the idea was how can we make a legal 241 00:08:00,120 --> 00:08:01,569 case out of this? 242 00:08:01,570 --> 00:08:03,179 And that was the original Safe Harbor 243 00:08:03,180 --> 00:08:04,919 case at the Court of Justice. 244 00:08:04,920 --> 00:08:06,659 And the strategic approach there was kind 245 00:08:06,660 --> 00:08:07,660 of interesting. 246 00:08:08,820 --> 00:08:10,199 If you bring the case like that, you have 247 00:08:10,200 --> 00:08:11,609 to be very strategic because you're going 248 00:08:11,610 --> 00:08:12,899 to go against a big government and you 249 00:08:12,900 --> 00:08:15,419 have to find some point where you can hit 250 00:08:15,420 --> 00:08:17,579 without having 100 lawyers scream back at 251 00:08:17,580 --> 00:08:19,199 you and you're kind of messed up. 252 00:08:19,200 --> 00:08:21,719 But you need to fight like the one little 253 00:08:21,720 --> 00:08:23,549 bit where you can actually pull in and 254 00:08:23,550 --> 00:08:25,259 where you can actually get stuff done. 
255 00:08:25,260 --> 00:08:26,639 So the interesting thing was that we 256 00:08:26,640 --> 00:08:28,559 actually have a situation of public 257 00:08:28,560 --> 00:08:30,599 private surveillance partnership. 258 00:08:30,600 --> 00:08:32,819 We have the Internet service providers to 259 00:08:32,820 --> 00:08:34,589 get the data and the government that 260 00:08:34,590 --> 00:08:35,639 pulls it from them. 261 00:08:35,640 --> 00:08:37,798 So it's this combination of private 262 00:08:37,799 --> 00:08:40,019 and public that was interesting legally. 263 00:08:40,020 --> 00:08:41,939 And then the interesting thing is, in our 264 00:08:41,940 --> 00:08:43,649 case, Facebook was subject to U.S. 265 00:08:43,650 --> 00:08:44,849 law and EU law. 266 00:08:44,850 --> 00:08:46,679 They're headquartered in Ireland. 267 00:08:46,680 --> 00:08:48,899 84 percent of the users are operated 268 00:08:48,900 --> 00:08:51,119 out of Ireland. So you can say it's an 84 269 00:08:51,120 --> 00:08:52,229 percent European company. 270 00:08:52,230 --> 00:08:53,789 So I guess they have to follow European 271 00:08:53,790 --> 00:08:55,229 law. At the same time, there are other 272 00:08:55,230 --> 00:08:56,579 companies in the US, so they have to 273 00:08:56,580 --> 00:08:58,709 follow that law at the same time. 274 00:08:58,710 --> 00:09:00,899 And EU law regulates third country 275 00:09:00,900 --> 00:09:01,799 transfers. 276 00:09:01,800 --> 00:09:03,839 So if you have personal data in the 277 00:09:03,840 --> 00:09:05,459 European Union, you're not allowed to 278 00:09:05,460 --> 00:09:07,649 send it to any third country unless 279 00:09:07,650 --> 00:09:09,449 you have some legal way to actually 280 00:09:09,450 --> 00:09:10,529 protect the data. 281 00:09:10,530 --> 00:09:12,629 So it's basically an export control on 282 00:09:12,630 --> 00:09:13,849 personal data. 
283 00:09:15,450 --> 00:09:17,549 And finally, all this EU law has to 284 00:09:17,550 --> 00:09:19,319 be interpreted under our fundamental 285 00:09:19,320 --> 00:09:20,759 rights treaties. So that was interesting 286 00:09:20,760 --> 00:09:22,859 because even if one company sends data to 287 00:09:22,860 --> 00:09:24,389 another company, you have all your 288 00:09:24,390 --> 00:09:25,889 fundamental rights applying in this 289 00:09:25,890 --> 00:09:26,789 transfer. 290 00:09:26,790 --> 00:09:28,799 And this overall connection actually made 291 00:09:28,800 --> 00:09:30,869 this case possible and not 292 00:09:30,870 --> 00:09:32,159 a feature of European law. 293 00:09:32,160 --> 00:09:34,379 It was very interesting for us is that 294 00:09:34,380 --> 00:09:36,269 the definitions in European law are very 295 00:09:36,270 --> 00:09:38,429 broad. So, for example, processing 296 00:09:38,430 --> 00:09:40,799 data already is 297 00:09:40,800 --> 00:09:42,719 just making data available. 298 00:09:42,720 --> 00:09:44,969 So one thing in our whole legal strategy 299 00:09:44,970 --> 00:09:47,069 was just to never claim that I 300 00:09:47,070 --> 00:09:48,959 was actually surveilled by the NSA. 301 00:09:48,960 --> 00:09:51,089 I was only saying my data has to be made 302 00:09:51,090 --> 00:09:53,279 available to the NSA by Facebook under 303 00:09:53,280 --> 00:09:54,479 US law. 304 00:09:54,480 --> 00:09:55,679 And that is an interesting thing. 305 00:09:55,680 --> 00:09:57,659 If you go very abstract in the case and 306 00:09:57,660 --> 00:09:59,669 you kind of try to say, the only thing I 307 00:09:59,670 --> 00:10:00,839 have to prove is that they have to make 308 00:10:00,840 --> 00:10:02,489 it available, not that they actually 309 00:10:02,490 --> 00:10:04,709 pulled my data, then you actually 310 00:10:04,710 --> 00:10:06,539 leave a lot out of the case that you 311 00:10:06,540 --> 00:10:08,579 couldn't possibly prove otherwise. 
312 00:10:08,580 --> 00:10:09,779 And that's the interesting thing, because 313 00:10:09,780 --> 00:10:11,849 that's exactly the difference to US law 314 00:10:11,850 --> 00:10:13,589 there. You typically have to prove all 315 00:10:13,590 --> 00:10:15,389 these these things that you cannot prove 316 00:10:15,390 --> 00:10:16,529 and therefore your case is going to go 317 00:10:16,530 --> 00:10:18,029 nowhere. So the interesting thing is, 318 00:10:18,030 --> 00:10:19,949 because European law is much broader in 319 00:10:19,950 --> 00:10:21,569 their definitions, you could actually 320 00:10:21,570 --> 00:10:22,979 bring a case that you would never be able 321 00:10:22,980 --> 00:10:24,359 to bring in the U.S.. 322 00:10:24,360 --> 00:10:25,559 The other thing that was interesting for 323 00:10:25,560 --> 00:10:27,629 us is we basically compared PRISM to data 324 00:10:27,630 --> 00:10:30,119 retention and set the surveillance 325 00:10:30,120 --> 00:10:32,339 under PRISM is just basically 326 00:10:32,340 --> 00:10:33,959 10 times as bad as data retention. 327 00:10:33,960 --> 00:10:35,489 And if data retention was illegal in the 328 00:10:35,490 --> 00:10:37,559 European Union, then PRISM has to be 10 329 00:10:37,560 --> 00:10:39,539 times as legal, basically go through the 330 00:10:39,540 --> 00:10:40,829 different things to the Court of Justice 331 00:10:40,830 --> 00:10:43,259 was interested in a fundamental 332 00:10:43,260 --> 00:10:44,669 thing. I think that everybody has to 333 00:10:44,670 --> 00:10:46,379 understand to talk about these data 334 00:10:46,380 --> 00:10:48,479 transfer issues is we have a 335 00:10:48,480 --> 00:10:50,729 actually on the very meta level, 336 00:10:50,730 --> 00:10:53,039 we have a conflict of situation here. 337 00:10:53,040 --> 00:10:55,109 Basic European law says you need to 338 00:10:55,110 --> 00:10:57,899 have privacy on Facebook servers 339 00:10:57,900 --> 00:10:58,979 in very simple terms. 
340 00:10:58,980 --> 00:11:00,569 And US law says you have to have 341 00:11:00,570 --> 00:11:02,159 surveillance on the same on the same 342 00:11:02,160 --> 00:11:03,959 data. And that is the fundamental 343 00:11:03,960 --> 00:11:05,849 conflict of all these cases. 344 00:11:05,850 --> 00:11:07,319 We have basically a conflict of 345 00:11:07,320 --> 00:11:08,969 jurisdiction. One country screams at 346 00:11:08,970 --> 00:11:10,529 Facebook say we need surveillance. 347 00:11:10,530 --> 00:11:12,629 The other country screams at Facebook and 348 00:11:12,630 --> 00:11:14,249 says, you can't do that. 349 00:11:14,250 --> 00:11:16,019 And that is the fundamental clash that we 350 00:11:16,020 --> 00:11:17,939 actually have in this whole area. 351 00:11:17,940 --> 00:11:19,139 It's very different. And in the private 352 00:11:19,140 --> 00:11:21,449 sector and the private sector, 353 00:11:21,450 --> 00:11:23,249 there's basically no general data 354 00:11:23,250 --> 00:11:24,659 protection law in the US. 355 00:11:24,660 --> 00:11:25,859 Europe has that. 356 00:11:25,860 --> 00:11:27,329 And because there is no conflict, there's 357 00:11:27,330 --> 00:11:28,559 simply a gap. 358 00:11:28,560 --> 00:11:30,419 Companies in the US could actually fill 359 00:11:30,420 --> 00:11:31,649 that through self certification. 360 00:11:31,650 --> 00:11:33,359 So we have to separate between the 361 00:11:33,360 --> 00:11:35,229 private sector that we can fix. 362 00:11:35,230 --> 00:11:36,669 The government sector that we can only 363 00:11:36,670 --> 00:11:38,559 fix if we change the European fundamental 364 00:11:38,560 --> 00:11:40,719 rights or U.S. surveillance laws both, 365 00:11:40,720 --> 00:11:42,129 it's not overly likely right now. 366 00:11:43,780 --> 00:11:45,129 What was the legal argument that we 367 00:11:45,130 --> 00:11:47,259 brought? 
If my data goes over to 368 00:11:47,260 --> 00:11:49,359 Facebook, this data can only leave 369 00:11:49,360 --> 00:11:50,349 the European Union. 370 00:11:50,350 --> 00:11:52,379 That's this export control thing if there's 371 00:11:52,380 --> 00:11:54,249 so-called adequate protection in a third 372 00:11:54,250 --> 00:11:56,499 country. And my legal argument was very 373 00:11:56,500 --> 00:11:58,029 simple. You don't have to study law for 374 00:11:58,030 --> 00:11:59,709 that. I was basically walking up to the 375 00:11:59,710 --> 00:12:02,049 court and said mass surveillance is not 376 00:12:02,050 --> 00:12:03,369 adequate protection. 377 00:12:03,370 --> 00:12:04,980 Full stop and. 378 00:12:11,170 --> 00:12:13,479 So how did the procedure go down under 379 00:12:13,480 --> 00:12:15,009 Safe Harbor? You could actually go to a 380 00:12:15,010 --> 00:12:17,769 private arbitration service TRUSTe 381 00:12:17,770 --> 00:12:19,749 and you had to file a complaint with them 382 00:12:19,750 --> 00:12:20,919 first. So I filed a complaint. 383 00:12:20,920 --> 00:12:23,049 But because you could only have 100 384 00:12:23,050 --> 00:12:25,539 I think 250 characters at the most, 385 00:12:25,540 --> 00:12:26,979 the only thing I could say stop 386 00:12:26,980 --> 00:12:28,869 Facebook's involvement in PRISM. 387 00:12:28,870 --> 00:12:30,369 That was the legal argument I could 388 00:12:30,370 --> 00:12:32,589 possibly make in that small little box. 389 00:12:32,590 --> 00:12:34,059 And they came back to me saying 390 00:12:34,060 --> 00:12:35,709 TRUSTe does not have any authority to 391 00:12:35,710 --> 00:12:37,599 address the issue because a private 392 00:12:37,600 --> 00:12:39,249 company can hardly tell the NSA to stop 393 00:12:39,250 --> 00:12:40,939 what it's doing. So the next place you 394 00:12:40,940 --> 00:12:42,849 got to go is the Irish Data Protection 395 00:12:42,850 --> 00:12:44,229 Commissioner. 
That's the Irish Data 396 00:12:44,230 --> 00:12:46,089 Protection Commissioner. My most favorite 397 00:12:46,090 --> 00:12:47,979 slide of any presentation. 398 00:12:47,980 --> 00:12:49,479 It's actually that's a supermarket. 399 00:12:49,480 --> 00:12:51,609 And the little red, the little blue door 400 00:12:51,610 --> 00:12:53,709 and a very right. That's the Irish DPC. 401 00:12:53,710 --> 00:12:56,019 And the interesting thing 402 00:12:56,020 --> 00:12:57,579 with the Irish DPC, they now got a new 403 00:12:57,580 --> 00:12:58,899 office because that picture was in the 404 00:12:58,900 --> 00:13:01,089 media, too much fancier 405 00:13:01,090 --> 00:13:02,349 office. 406 00:13:02,350 --> 00:13:04,269 But at the time, Billy Hawkes, their 407 00:13:04,270 --> 00:13:07,209 main their head 408 00:13:07,210 --> 00:13:09,129 was actually going on to national radio 409 00:13:09,130 --> 00:13:11,049 in Ireland and said, I don't think it 410 00:13:11,050 --> 00:13:12,669 will come as much of a surprise that, in 411 00:13:12,670 --> 00:13:13,209 fact, U.S. 412 00:13:13,210 --> 00:13:15,169 intelligence services do have access from 413 00:13:15,170 --> 00:13:16,269 U.S. companies. 414 00:13:16,270 --> 00:13:18,489 And it was amazing because he agreed 415 00:13:18,490 --> 00:13:20,589 on public radio that factually, 416 00:13:20,590 --> 00:13:22,239 we're absolutely right. 417 00:13:22,240 --> 00:13:24,099 And the big problem in any privacy case 418 00:13:24,100 --> 00:13:25,029 is to get the facts right. 419 00:13:25,030 --> 00:13:26,419 The facts are always the big issue. 420 00:13:26,420 --> 00:13:28,239 The law is kind of the smaller issue. 421 00:13:28,240 --> 00:13:30,609 So he went onto national radio records 422 00:13:30,610 --> 00:13:33,099 saying all these facts are actually true. 423 00:13:33,100 --> 00:13:35,319 We know that there were surveillance. 424 00:13:35,320 --> 00:13:36,609 So that was the most important thing. 
425 00:13:36,610 --> 00:13:37,659 That's the reason we also went with 426 00:13:37,660 --> 00:13:39,339 Ireland. We also filed in Germany, for 427 00:13:39,340 --> 00:13:41,079 example. And there I think the 428 00:13:41,080 --> 00:13:42,399 authorities are still investigating a 429 00:13:42,400 --> 00:13:44,079 case or something like that. 430 00:13:44,080 --> 00:13:45,909 But he was stupid enough to walk out into 431 00:13:45,910 --> 00:13:47,439 public and say, obviously, there is all 432 00:13:47,440 --> 00:13:48,399 this surveillance. 433 00:13:48,400 --> 00:13:49,989 He just felt that legally there is no 434 00:13:49,990 --> 00:13:50,919 problem. 435 00:13:50,920 --> 00:13:52,899 And so we appealed that to the Irish High 436 00:13:52,900 --> 00:13:55,179 Court that's dead 437 00:13:55,180 --> 00:13:56,319 and had our hearing there. 438 00:13:56,320 --> 00:13:58,269 And what basically happened in Ireland is 439 00:13:58,270 --> 00:14:00,129 that they approved all the facts and 440 00:14:00,130 --> 00:14:01,629 passed it on to the European Court of 441 00:14:01,630 --> 00:14:03,399 Justice. That's the highest court in the 442 00:14:03,400 --> 00:14:04,719 European Union. 443 00:14:04,720 --> 00:14:06,879 And because Safe Harbor and the validity 444 00:14:06,880 --> 00:14:08,649 of it was at stake, they had to refer to 445 00:14:08,650 --> 00:14:09,650 the Court of Justice 446 00:14:11,230 --> 00:14:12,159 at the Court of Justice. 447 00:14:12,160 --> 00:14:13,959 We actually had a very long one day 448 00:14:13,960 --> 00:14:15,879 hearing. It was really interesting to see 449 00:14:15,880 --> 00:14:18,489 how how that kind of 450 00:14:18,490 --> 00:14:20,469 detail to knowledge was off the judges 451 00:14:20,470 --> 00:14:22,239 there. I was because that's oftentimes a 452 00:14:22,240 --> 00:14:23,679 problem in privacy cases, is that the 453 00:14:23,680 --> 00:14:25,449 judges don't really know about all of 454 00:14:25,450 --> 00:14:27,219 this. 
And in this case, we're actually 455 00:14:27,220 --> 00:14:29,349 really happy with the judges and their 456 00:14:29,350 --> 00:14:30,489 understanding of it. 457 00:14:30,490 --> 00:14:32,679 And and kind of a little side note, 458 00:14:32,680 --> 00:14:34,929 I think it was funny, a day 459 00:14:34,930 --> 00:14:36,189 before the hearing, there were a couple 460 00:14:36,190 --> 00:14:38,259 of people texting me saying from 461 00:14:38,260 --> 00:14:40,509 different member states texting me, guess 462 00:14:40,510 --> 00:14:42,399 who was just calling us? 463 00:14:42,400 --> 00:14:43,569 And was like, I don't know. 464 00:14:43,570 --> 00:14:45,549 Nance was someone from the US government 465 00:14:45,550 --> 00:14:47,049 was calling us that we should change our 466 00:14:47,050 --> 00:14:48,459 position because the member states can 467 00:14:48,460 --> 00:14:50,979 all put their views 468 00:14:50,980 --> 00:14:52,209 before the court as well. 469 00:14:52,210 --> 00:14:53,589 And apparently the US government has 470 00:14:53,590 --> 00:14:55,869 tried to push tremendously the day before 471 00:14:55,870 --> 00:14:57,969 to change your positions. 472 00:14:57,970 --> 00:14:59,169 But it was too late. Everybody was 473 00:14:59,170 --> 00:15:01,059 already on their planes, was they 474 00:15:01,060 --> 00:15:02,709 couldn't do anything. And at the hearing, 475 00:15:02,710 --> 00:15:04,299 actually, there was someone from the US 476 00:15:04,300 --> 00:15:06,439 mission and he approached me and 477 00:15:06,440 --> 00:15:07,659 there was like, hey, how are you doing? 478 00:15:07,660 --> 00:15:08,589 And he was like, Oh, you're the 479 00:15:08,590 --> 00:15:09,909 plaintiff. I was like, Yeah, you too much 480 00:15:09,910 --> 00:15:10,809 talk from the US. 481 00:15:10,810 --> 00:15:11,889 Nice to meet you. 482 00:15:11,890 --> 00:15:13,719 And we're chatting. 
483 00:15:13,720 --> 00:15:15,789 And it was funny because I was 484 00:15:15,790 --> 00:15:17,889 like, you know, 485 00:15:17,890 --> 00:15:19,419 do you still need any phone numbers to 486 00:15:19,420 --> 00:15:21,189 call around and tell people what to say 487 00:15:21,190 --> 00:15:22,809 in front of the court? Are you done doing 488 00:15:22,810 --> 00:15:24,399 that? And the fun thing is, if you're a 489 00:15:24,400 --> 00:15:25,809 student, you can say things like that, 490 00:15:25,810 --> 00:15:26,979 that the diplomats are not allowed to 491 00:15:26,980 --> 00:15:29,259 say. And and they actually 492 00:15:29,260 --> 00:15:30,789 agreed then and said, yeah, we had to 493 00:15:30,790 --> 00:15:33,029 kind of make sure that our position is 494 00:15:33,030 --> 00:15:35,109 is heard. And but he said 495 00:15:35,110 --> 00:15:36,429 that they only found out about the 496 00:15:36,430 --> 00:15:38,259 hearing on Friday night. 497 00:15:38,260 --> 00:15:39,489 Then there was the weekend. 498 00:15:39,490 --> 00:15:41,169 Then they only had Monday to intervene 499 00:15:41,170 --> 00:15:42,789 anymore, which was way too late. 500 00:15:42,790 --> 00:15:44,499 And on Tuesday the actual hearing 501 00:15:44,500 --> 00:15:46,359 happened. So they were simply too late to 502 00:15:46,360 --> 00:15:48,069 intervene anymore, even though that 503 00:15:48,070 --> 00:15:49,599 hearing, I think, was on the back page of 504 00:15:49,600 --> 00:15:51,339 the Court of Justice for three weeks. 505 00:15:51,340 --> 00:15:52,449 So they have all their wonderful 506 00:15:52,450 --> 00:15:53,919 surveillance, but they don't even find 507 00:15:53,920 --> 00:15:55,239 out when the actual court date is 508 00:15:55,240 --> 00:15:56,579 happening. 509 00:15:56,580 --> 00:15:57,580 But. 510 00:16:04,230 --> 00:16:06,479 So that was fun, a really interesting 511 00:16:06,480 --> 00:16:07,799 thing happened to the Court of Justice as 512 00:16:07,800 --> 00:16:08,189 well. 
513 00:16:08,190 --> 00:16:10,439 The judgment came out, I think, 514 00:16:10,440 --> 00:16:12,179 only two weeks after the advocate general 515 00:16:12,180 --> 00:16:13,619 at the Court of Justice is an advocate 516 00:16:13,620 --> 00:16:15,119 general that gives the general opinion 517 00:16:15,120 --> 00:16:16,259 about the case. 518 00:16:16,260 --> 00:16:18,149 And then there is the actual judgment. 519 00:16:18,150 --> 00:16:19,589 And typically that takes two or three 520 00:16:19,590 --> 00:16:21,749 months. And we heard rumors 521 00:16:21,750 --> 00:16:23,759 that there's going to be a judgment on, I 522 00:16:23,760 --> 00:16:25,499 think, October 6th. 523 00:16:25,500 --> 00:16:26,459 And it was like, this is crazy. 524 00:16:26,460 --> 00:16:27,959 It's like two days, two weeks or three 525 00:16:27,960 --> 00:16:29,129 weeks after the advocate general. 526 00:16:29,130 --> 00:16:30,029 That never happens. 527 00:16:30,030 --> 00:16:31,619 It's like totally exceptional. 528 00:16:31,620 --> 00:16:34,289 And the rumor goes that the former 529 00:16:34,290 --> 00:16:36,419 president of the Court of Justice that 530 00:16:36,420 --> 00:16:38,489 retired on the 7th of October, that they 531 00:16:38,490 --> 00:16:40,739 later wanted to push that judgment 532 00:16:40,740 --> 00:16:42,749 out before he retires, as I like his 533 00:16:42,750 --> 00:16:44,489 goodbye present. 534 00:16:44,490 --> 00:16:46,109 So it was actually really interesting to 535 00:16:46,110 --> 00:16:47,759 see how apparently judges get very 536 00:16:47,760 --> 00:16:49,589 emotional about these privacy cases, 537 00:16:49,590 --> 00:16:51,299 which is very good news in the long run 538 00:16:51,300 --> 00:16:53,039 if we want to go to the Court of justice 539 00:16:53,040 --> 00:16:54,040 in the future as well. 540 00:16:55,050 --> 00:16:56,429 So what did the Court of Justice say? 
541 00:16:56,430 --> 00:16:58,769 It's actually had a very, very bold 542 00:16:58,770 --> 00:17:00,389 judgment. It said two things. 543 00:17:00,390 --> 00:17:01,679 First of all, it said that mass 544 00:17:01,680 --> 00:17:03,209 surveillance violates the essence of 545 00:17:03,210 --> 00:17:05,279 Article seven, which is the right 546 00:17:05,280 --> 00:17:06,568 to privacy under the Charter of 547 00:17:06,569 --> 00:17:08,759 Fundamental Rights, and that 548 00:17:08,760 --> 00:17:09,899 the lack of legal redress. 549 00:17:09,900 --> 00:17:11,489 So there's no court to go to and appeal 550 00:17:11,490 --> 00:17:13,469 anything violates the essence of the 551 00:17:13,470 --> 00:17:16,108 Article 47 rights, which is a fair trial. 552 00:17:16,109 --> 00:17:18,239 And I may know that this is only 553 00:17:18,240 --> 00:17:20,489 exciting to me because I'm a lawyer. 554 00:17:20,490 --> 00:17:22,679 But in EU law, there is 555 00:17:22,680 --> 00:17:24,598 so-called proportionality tests. 556 00:17:24,599 --> 00:17:26,759 So you test if a law is proportionate 557 00:17:26,760 --> 00:17:29,459 or not. And if you have, for example, 558 00:17:29,460 --> 00:17:31,679 data retention, it may be somewhere 559 00:17:31,680 --> 00:17:33,629 in the disproportionate area or may be 560 00:17:33,630 --> 00:17:34,859 proportionate and so on. 561 00:17:34,860 --> 00:17:36,869 However, you can have a violation of the 562 00:17:36,870 --> 00:17:38,969 essence, which is kind of no way 563 00:17:38,970 --> 00:17:40,709 this is ever going to be justifiable. 564 00:17:40,710 --> 00:17:42,329 What you do here, no matter how many 565 00:17:42,330 --> 00:17:44,279 people you can save from being dead or 566 00:17:44,280 --> 00:17:46,199 whatever, it's simply a violation of the 567 00:17:46,200 --> 00:17:48,209 essence. So it's outside of even debating 568 00:17:48,210 --> 00:17:49,439 proportionality. 
569 00:17:49,440 --> 00:17:51,299 And our case was the first time where the 570 00:17:51,300 --> 00:17:52,469 Court of Justice found that there's a 571 00:17:52,470 --> 00:17:53,849 violation of the essence of any 572 00:17:53,850 --> 00:17:55,979 fundamental rights, in this 573 00:17:55,980 --> 00:17:57,599 case, the right to privacy. 574 00:17:57,600 --> 00:17:58,600 So. 575 00:18:02,720 --> 00:18:05,209 So obviously, we argued that, but if 576 00:18:05,210 --> 00:18:06,409 you're the court of Justice and you get 577 00:18:06,410 --> 00:18:08,089 the judgment handed down, everybody's 578 00:18:08,090 --> 00:18:09,439 reading something and someone some other 579 00:18:09,440 --> 00:18:11,269 lawyer screamed out just like, fuck, we 580 00:18:11,270 --> 00:18:13,849 got Jesus. And we're like, striking. 581 00:18:13,850 --> 00:18:16,129 And so anyways, 582 00:18:16,130 --> 00:18:17,749 that's, you know, all your fun. 583 00:18:17,750 --> 00:18:19,819 But anyways, the other stuff that was 584 00:18:19,820 --> 00:18:21,289 interesting was that they said that the 585 00:18:21,290 --> 00:18:23,059 third country has to have essentially 586 00:18:23,060 --> 00:18:25,459 equivalent protection as the European 587 00:18:25,460 --> 00:18:27,409 Union. And that's interesting because I 588 00:18:27,410 --> 00:18:29,299 said before, the law only talks about 589 00:18:29,300 --> 00:18:31,759 adequate protection and adequate 590 00:18:31,760 --> 00:18:33,949 is not a legally really 591 00:18:33,950 --> 00:18:35,119 meaningful word. 592 00:18:35,120 --> 00:18:36,859 Adequate anything and nothing can be 593 00:18:36,860 --> 00:18:39,199 adequate. So what actually happened 594 00:18:39,200 --> 00:18:40,519 in the law had said equivalent 595 00:18:40,520 --> 00:18:42,349 originally, then it was lobbied out in 596 00:18:42,350 --> 00:18:44,629 the 90s to adequate because that means 597 00:18:44,630 --> 00:18:46,579 nothing. 
And now the court basically 598 00:18:46,580 --> 00:18:48,319 lobbied it back in to essentially 599 00:18:48,320 --> 00:18:50,419 equivalent and basically put the 600 00:18:50,420 --> 00:18:52,009 law back where it was. 601 00:18:52,010 --> 00:18:53,839 And they said that there had to be 602 00:18:53,840 --> 00:18:55,519 effective detection and supervision 603 00:18:55,520 --> 00:18:56,629 mechanisms. 604 00:18:56,630 --> 00:18:58,759 And they also said that there 605 00:18:58,760 --> 00:19:00,439 has to be legal redress in 606 00:19:00,440 --> 00:19:02,269 line with Article 47. 607 00:19:02,270 --> 00:19:04,729 Now, this is very interesting 608 00:19:04,730 --> 00:19:07,069 because none of the European Union 609 00:19:07,070 --> 00:19:08,659 countries that has serious surveillance 610 00:19:08,660 --> 00:19:10,729 does any of the above. 611 00:19:10,730 --> 00:19:12,859 And so they actually 612 00:19:12,860 --> 00:19:15,019 went very far and have like, for example, 613 00:19:15,020 --> 00:19:17,059 if I'm an Austrian citizen and I'm 614 00:19:17,060 --> 00:19:18,559 surveilled by the German services, there 615 00:19:18,560 --> 00:19:20,899 is nothing like that in Germany 616 00:19:20,900 --> 00:19:22,789 where I could possibly appeal to. 617 00:19:22,790 --> 00:19:24,709 How does that happen? 618 00:19:24,710 --> 00:19:26,809 The EU treaties have 619 00:19:26,810 --> 00:19:28,969 an exception for national security, 620 00:19:28,970 --> 00:19:30,739 so anything that is in the national 621 00:19:30,740 --> 00:19:32,929 security area is exempt from 622 00:19:32,930 --> 00:19:34,789 EU law. The member states never gave that 623 00:19:34,790 --> 00:19:36,589 part to the European Union. 624 00:19:36,590 --> 00:19:38,779 So the Court of Justice can rule 625 00:19:38,780 --> 00:19:40,459 about national security of a third 626 00:19:40,460 --> 00:19:42,379 country because that's not exempt from EU 627 00:19:42,380 --> 00:19:44,479 law. 
But it cannot rule about national 628 00:19:44,480 --> 00:19:46,549 security of our own member states, 629 00:19:46,550 --> 00:19:49,189 which is a totally absurd situation. 630 00:19:49,190 --> 00:19:50,929 But that's the reason why basically the 631 00:19:50,930 --> 00:19:53,929 US and Germany or France also 632 00:19:53,930 --> 00:19:55,759 gets along with it without really having 633 00:19:55,760 --> 00:19:57,109 a problem. I'm going to get back to that 634 00:19:57,110 --> 00:19:59,179 later, at least with the UK. 635 00:19:59,180 --> 00:20:00,919 That is the thing that is solved by 636 00:20:00,920 --> 00:20:02,449 Brexit, because then the third country 637 00:20:02,450 --> 00:20:03,670 and we can bring a case there as well, 638 00:20:05,480 --> 00:20:06,480 but. 639 00:20:08,190 --> 00:20:09,539 You know, you've got to look at the 640 00:20:09,540 --> 00:20:10,700 bright side of Brexit, too. 641 00:20:12,570 --> 00:20:14,729 So actually, that's all the press story 642 00:20:14,730 --> 00:20:16,349 to get to the stuff I should actually 643 00:20:16,350 --> 00:20:18,659 talk about, which is Privacy 644 00:20:18,660 --> 00:20:21,509 Shield or a Safe Harbor 2.0. 645 00:20:21,510 --> 00:20:23,589 I usually call it Safe Harbor one point 646 00:20:23,590 --> 00:20:25,349 zero point one or something like that, 647 00:20:25,350 --> 00:20:27,149 because it's basically the same text. 648 00:20:27,150 --> 00:20:29,279 And what happened when 649 00:20:29,280 --> 00:20:31,679 Safe Harbor was kicked down is basically 650 00:20:31,680 --> 00:20:33,929 that the US became like any other third 651 00:20:33,930 --> 00:20:35,459 country would transfer data to. 652 00:20:35,460 --> 00:20:37,769 So it simply just lost the special status 653 00:20:37,770 --> 00:20:39,150 it had before through the treaty. 654 00:20:40,500 --> 00:20:42,239 And there are still different 655 00:20:42,240 --> 00:20:44,429 possibilities to send data to the US. 
656 00:20:44,430 --> 00:20:46,019 So, for example, you can use consent, 657 00:20:46,020 --> 00:20:48,149 performance of a contract, so-called SCCs, 658 00:20:48,150 --> 00:20:49,949 standard contractual clauses, binding 659 00:20:49,950 --> 00:20:51,149 corporate rules and so on. 660 00:20:51,150 --> 00:20:52,739 So it's not like you couldn't send data 661 00:20:52,740 --> 00:20:54,209 to the US anymore. It was just not that 662 00:20:54,210 --> 00:20:56,159 easy. You had to use different legal 663 00:20:56,160 --> 00:20:57,160 mechanisms. 664 00:20:58,390 --> 00:21:00,749 Facebook actually switched to SCCs. 665 00:21:00,750 --> 00:21:02,549 And we have a case right now pending in 666 00:21:02,550 --> 00:21:04,739 Ireland where the Irish Data Protection 667 00:21:04,740 --> 00:21:07,599 Commissioner sued me and Facebook, 668 00:21:07,600 --> 00:21:09,719 um, over the standard 669 00:21:09,720 --> 00:21:10,799 contractual clauses. 670 00:21:10,800 --> 00:21:11,909 It's still the same complaint. 671 00:21:11,910 --> 00:21:14,309 The original case we're right now, 672 00:21:14,310 --> 00:21:16,349 we had about four or five weeks in courts 673 00:21:16,350 --> 00:21:18,359 in Dublin beginning of this year with 674 00:21:18,360 --> 00:21:20,039 about 20 solicitors and barristers 675 00:21:21,150 --> 00:21:23,519 had about 45000 pages produced. 676 00:21:23,520 --> 00:21:25,769 In this case, we're expecting 677 00:21:25,770 --> 00:21:27,899 about five to 10 million in costs 678 00:21:27,900 --> 00:21:29,009 for this legal battle. 679 00:21:29,010 --> 00:21:30,449 For the second round where I got sued, 680 00:21:30,450 --> 00:21:32,249 like I didn't start this, the DPC 681 00:21:32,250 --> 00:21:33,250 started that. 682 00:21:33,690 --> 00:21:34,679 And there's going to be a second 683 00:21:34,680 --> 00:21:36,569 reference. We're still fighting over what 684 00:21:36,570 --> 00:21:37,949 the question is. 
So actually, the whole 685 00:21:37,950 --> 00:21:39,599 case is going to go back up to the Court 686 00:21:39,600 --> 00:21:41,609 of Justice a second time around, just on 687 00:21:41,610 --> 00:21:42,610 another legal basis. 688 00:21:43,890 --> 00:21:45,929 I can't really talk much about this case 689 00:21:45,930 --> 00:21:47,309 because it's a pending case. 690 00:21:47,310 --> 00:21:49,109 But let's say Facebook totally fucked up 691 00:21:49,110 --> 00:21:50,489 in that procedure. 692 00:21:50,490 --> 00:21:52,019 They had, like all their wonderful 693 00:21:52,020 --> 00:21:54,689 experts with thousands of pages. 694 00:21:54,690 --> 00:21:56,609 And when it was before the court, you 695 00:21:56,610 --> 00:21:57,869 just had to look at the footnotes and 696 00:21:57,870 --> 00:21:59,969 you, like guys are actually saying this 697 00:21:59,970 --> 00:22:01,949 is in the footnote, but it's not there. 698 00:22:01,950 --> 00:22:03,299 You just made it up. 699 00:22:03,300 --> 00:22:05,669 And it was amazing to see how they have 700 00:22:05,670 --> 00:22:07,739 incredibly well paid lawyers, 701 00:22:07,740 --> 00:22:10,019 but they don't check their own stuff. 702 00:22:10,020 --> 00:22:12,059 It's really they just apparently they're 703 00:22:12,060 --> 00:22:13,469 so full of themselves that they think 704 00:22:13,470 --> 00:22:15,519 we're going to get away with anything. 705 00:22:15,520 --> 00:22:17,099 However, the judge didn't let them get 706 00:22:17,100 --> 00:22:19,199 away. So the most important part to me is 707 00:22:19,200 --> 00:22:20,969 that actually the judgment that we had in 708 00:22:20,970 --> 00:22:23,669 the first round, that's already kind of 709 00:22:23,670 --> 00:22:26,009 fixed. So I can talk about it actually, 710 00:22:26,010 --> 00:22:27,659 again, says that there's mass and 711 00:22:27,660 --> 00:22:29,399 indiscriminate processing by the US 712 00:22:29,400 --> 00:22:31,199 government. 
So that is actually what they 713 00:22:31,200 --> 00:22:32,609 challenge where they say there is no mass 714 00:22:32,610 --> 00:22:34,169 surveillance and it says exactly that 715 00:22:34,170 --> 00:22:34,739 again. 716 00:22:34,740 --> 00:22:37,199 So on the whole factual stuff, they lost 717 00:22:37,200 --> 00:22:39,449 again back, that's 718 00:22:39,450 --> 00:22:41,730 kind of a little side story and. 719 00:22:44,970 --> 00:22:48,179 Back to the actual privacy shield, 720 00:22:48,180 --> 00:22:50,219 how did that thing actually happen? 721 00:22:50,220 --> 00:22:51,479 I think you need to understand the 722 00:22:51,480 --> 00:22:53,519 history of Privacy Shield to explain why 723 00:22:53,520 --> 00:22:54,520 it's bullshit. 724 00:22:55,320 --> 00:22:57,389 On January 31st, 725 00:22:57,390 --> 00:22:59,009 little fairy tale. 726 00:22:59,010 --> 00:23:00,689 There was a deadline by the European data 727 00:23:00,690 --> 00:23:02,999 protection authorities and January 728 00:23:03,000 --> 00:23:05,999 31st at night, The New York Times reports 729 00:23:06,000 --> 00:23:08,129 that EU and US couldn't agree on any 730 00:23:08,130 --> 00:23:09,629 kind of New Deal. 731 00:23:09,630 --> 00:23:11,339 And I was talking to the reporter and he 732 00:23:11,340 --> 00:23:13,439 said he got that information 733 00:23:13,440 --> 00:23:15,749 in a way that he knows it's 100 734 00:23:15,750 --> 00:23:17,309 percent certain. It's apparently on the 735 00:23:17,310 --> 00:23:19,619 31st, the two sides stood 736 00:23:19,620 --> 00:23:21,119 up from the table, from the table and 737 00:23:21,120 --> 00:23:22,139 said, there is no agreement. 738 00:23:22,140 --> 00:23:23,999 We can't agree on anything here, anything 739 00:23:24,000 --> 00:23:25,000 here. 740 00:23:25,370 --> 00:23:27,559 48 hours later, there was apparently 741 00:23:27,560 --> 00:23:28,849 a phone call between the U.S. 
742 00:23:28,850 --> 00:23:31,009 government and the European Commission 743 00:23:31,010 --> 00:23:32,839 and someone was told that you're about 744 00:23:32,840 --> 00:23:34,430 the responsible 745 00:23:36,260 --> 00:23:38,089 commissioner should just get anything 746 00:23:38,090 --> 00:23:38,989 done. 747 00:23:38,990 --> 00:23:41,119 And 48 hours later, the same 748 00:23:41,120 --> 00:23:42,529 New York Times with the same reporter 749 00:23:42,530 --> 00:23:44,540 reports that there is now a new deal. 750 00:23:45,990 --> 00:23:48,109 And we didn't really know the name yet. 751 00:23:48,110 --> 00:23:50,149 But 24 hours later, there was suddenly 752 00:23:50,150 --> 00:23:52,249 this logo and it was called Privacy 753 00:23:52,250 --> 00:23:54,439 Shield, and I was talking to people 754 00:23:54,440 --> 00:23:55,759 that negotiate. And I was like, how did 755 00:23:55,760 --> 00:23:57,619 you come up with this shitty name? 756 00:23:57,620 --> 00:23:59,599 And he said, I didn't know about the name 757 00:23:59,600 --> 00:24:01,969 until that actual press conference 758 00:24:01,970 --> 00:24:03,469 because that deal didn't exist. 759 00:24:03,470 --> 00:24:05,539 It was simply a logo with a name 760 00:24:05,540 --> 00:24:07,339 and no actual deal. 761 00:24:07,340 --> 00:24:09,529 Um, we know that because 762 00:24:09,530 --> 00:24:11,749 one week later, EPIC, a US privacy 763 00:24:11,750 --> 00:24:14,029 NGO made a Freedom of Information request 764 00:24:14,030 --> 00:24:15,949 with the US government asking for the 765 00:24:15,950 --> 00:24:17,269 actual text of that deal. 766 00:24:18,380 --> 00:24:19,849 And they got a response, I think, two 767 00:24:19,850 --> 00:24:22,099 days later saying that they cannot 768 00:24:22,100 --> 00:24:24,229 have to the text because the record that 769 00:24:24,230 --> 00:24:25,700 you requested does not exist. 
770 00:24:30,330 --> 00:24:32,519 So one month later, there 771 00:24:32,520 --> 00:24:34,979 was actually a text and 772 00:24:34,980 --> 00:24:37,439 it's basically safe harbor again, 773 00:24:37,440 --> 00:24:39,119 it's the same text. Most of it is one on 774 00:24:39,120 --> 00:24:40,949 one the same. Like if you would do a red 775 00:24:40,950 --> 00:24:42,689 line comparison of it, probably five 776 00:24:42,690 --> 00:24:43,919 percent would be new text. 777 00:24:43,920 --> 00:24:45,329 All the rest is basically the same. 778 00:24:46,380 --> 00:24:47,759 And they just put a new name on it. 779 00:24:47,760 --> 00:24:49,169 Call it a privacy shield. 780 00:24:49,170 --> 00:24:50,759 And that's why I basically think it's 781 00:24:50,760 --> 00:24:52,289 lipstick on a pig. 782 00:24:52,290 --> 00:24:53,909 What's the problem with Privacy Shield if 783 00:24:53,910 --> 00:24:55,379 that gets ever back to the Court of 784 00:24:55,380 --> 00:24:57,329 Justice? So basically that your pick 785 00:24:57,330 --> 00:24:59,549 meets court, how would that 786 00:24:59,550 --> 00:25:01,829 go down under 787 00:25:01,830 --> 00:25:03,749 what the judgment by the Court of 788 00:25:03,750 --> 00:25:05,579 Justice? There are two hurdles to privacy 789 00:25:05,580 --> 00:25:06,750 Shield would have to overcome. 790 00:25:07,890 --> 00:25:09,719 One hurdle is basically this essential 791 00:25:09,720 --> 00:25:11,579 equivalence, which is important in the in 792 00:25:11,580 --> 00:25:13,049 the the private sector. 793 00:25:13,050 --> 00:25:14,789 And then it also has to be compliant with 794 00:25:14,790 --> 00:25:15,989 the Charter of Fundamental Rights, which 795 00:25:15,990 --> 00:25:17,369 is relevant for mass surveillance. 796 00:25:18,420 --> 00:25:20,369 Just two or three examples why this would 797 00:25:20,370 --> 00:25:21,370 not work. 
798 00:25:22,240 --> 00:25:23,699 Privacy Shield still follows the 799 00:25:23,700 --> 00:25:25,349 so-called notice and choice principle in 800 00:25:25,350 --> 00:25:27,419 the US, not consent, not a legal basis to 801 00:25:27,420 --> 00:25:29,009 process data, but notice and choice, 802 00:25:29,010 --> 00:25:31,319 which is a very kind of, 803 00:25:31,320 --> 00:25:32,880 yeah, not very stringent system. 804 00:25:34,170 --> 00:25:36,419 In a very simple graphic 805 00:25:36,420 --> 00:25:38,459 on the left, all these types of data 806 00:25:38,460 --> 00:25:40,709 processing are covered under EU law 807 00:25:40,710 --> 00:25:42,269 from collecting the data all the way to 808 00:25:42,270 --> 00:25:44,579 deleting it. Anything you do with data is 809 00:25:44,580 --> 00:25:46,739 covered by the law and you need 810 00:25:46,740 --> 00:25:47,879 a legal basis for that. 811 00:25:47,880 --> 00:25:50,099 Under Privacy Shield, you only need 812 00:25:50,100 --> 00:25:52,139 an opt to provide an opt out so you don't 813 00:25:52,140 --> 00:25:53,819 even need to ask for consent any other 814 00:25:53,820 --> 00:25:55,799 legal basis. You only have to provide for 815 00:25:55,800 --> 00:25:57,809 an opt out if you disclose data to 816 00:25:57,810 --> 00:26:00,089 someone else or if you change the purpose 817 00:26:00,090 --> 00:26:01,409 of the data processing. 818 00:26:01,410 --> 00:26:03,209 So if you just compare these two things 819 00:26:03,210 --> 00:26:04,589 together, you can say, oh, this is 820 00:26:04,590 --> 00:26:06,599 absolutely not essentially equivalent 821 00:26:06,600 --> 00:26:08,249 basically to one thing is teeny tiny 822 00:26:08,250 --> 00:26:10,199 protection and the other one is full 823 00:26:10,200 --> 00:26:11,459 protection. 824 00:26:11,460 --> 00:26:13,199 If you compare that, if you collect data, 825 00:26:13,200 --> 00:26:14,909 use it, store it, all of that is not even 826 00:26:14,910 --> 00:26:16,619 covered. 
You don't need any legal basis. 827 00:26:16,620 --> 00:26:19,349 You can just do it under privacy shield. 828 00:26:19,350 --> 00:26:21,239 Only if you then disclose or change your 829 00:26:21,240 --> 00:26:22,919 purpose, then you can actually you 830 00:26:22,920 --> 00:26:24,419 actually need to provide an opt out so 831 00:26:24,420 --> 00:26:25,859 you don't even have to have to ask for 832 00:26:25,860 --> 00:26:27,299 consent. You just need to have some opt 833 00:26:27,300 --> 00:26:28,679 out box on some Web page that no one 834 00:26:28,680 --> 00:26:29,969 finds. 835 00:26:29,970 --> 00:26:32,339 And you can even kill these two things by 836 00:26:32,340 --> 00:26:34,289 simply putting a very broad purpose into 837 00:26:34,290 --> 00:26:35,909 your privacy policy, saying we use the 838 00:26:35,910 --> 00:26:37,619 data for anything we want to use it. 839 00:26:37,620 --> 00:26:38,669 So you will never have to change your 840 00:26:38,670 --> 00:26:40,769 purpose. If it's that broad and you 841 00:26:40,770 --> 00:26:42,179 basically have a third party clause where 842 00:26:42,180 --> 00:26:43,859 it says you can send the data to anybody 843 00:26:43,860 --> 00:26:45,989 else and thereby 844 00:26:45,990 --> 00:26:47,879 you have basically unlimited data 845 00:26:47,880 --> 00:26:50,129 processing under Privacy Shield, which 846 00:26:50,130 --> 00:26:52,109 is should officially be the same thing as 847 00:26:52,110 --> 00:26:53,879 European Union law. 848 00:26:53,880 --> 00:26:56,129 So it will not not add up ever. 849 00:26:56,130 --> 00:26:57,719 The other thing that was interesting was 850 00:26:57,720 --> 00:26:59,579 redress. 
And I think that kind of 851 00:26:59,580 --> 00:27:01,109 displays quite well how this is never 852 00:27:01,110 --> 00:27:02,939 going to work in practice, because 853 00:27:02,940 --> 00:27:04,409 imagine I want to get a beef with 854 00:27:04,410 --> 00:27:06,809 Facebook for the twenty first time 855 00:27:06,810 --> 00:27:09,149 and I write my funny little complaint 856 00:27:09,150 --> 00:27:11,399 to Facebook. They have forty five days to 857 00:27:11,400 --> 00:27:13,499 send me a letter back saying fuck off 858 00:27:13,500 --> 00:27:15,149 and that's what they typically do. 859 00:27:15,150 --> 00:27:16,889 Then I can complain to TRUSTe. 860 00:27:16,890 --> 00:27:17,949 We already know them before it. 861 00:27:17,950 --> 00:27:19,489 It's the guys with the twenty two hundred 862 00:27:19,490 --> 00:27:21,449 fifty characters to complain about stuff. 863 00:27:21,450 --> 00:27:23,249 They're actually chosen and paid for by 864 00:27:23,250 --> 00:27:24,659 Facebook but they're officially 865 00:27:24,660 --> 00:27:26,669 independent so I can complain with them 866 00:27:26,670 --> 00:27:28,829 if my complaint is upheld. 867 00:27:28,830 --> 00:27:30,359 They tell Facebook not to do stuff 868 00:27:30,360 --> 00:27:32,369 anymore, but it's not enforceable. 869 00:27:32,370 --> 00:27:33,899 It's basically an email to Facebook 870 00:27:33,900 --> 00:27:35,789 saying don't do this anymore. 871 00:27:35,790 --> 00:27:37,619 If they further do it, there is no 872 00:27:37,620 --> 00:27:38,699 consequence. There's no way. 873 00:27:38,700 --> 00:27:39,929 They also don't have investigative 874 00:27:39,930 --> 00:27:41,249 powers. So he cannot figure out what 875 00:27:41,250 --> 00:27:43,019 Facebook actually does on its servers. 876 00:27:43,020 --> 00:27:44,519 They can only look at whatever I bring 877 00:27:44,520 --> 00:27:46,319 up. And I'm usually not able to go to 878 00:27:46,320 --> 00:27:48,419 going to be able to bring up much. 
879 00:27:48,420 --> 00:27:50,009 If I'm unhappy with that, I can go to my 880 00:27:50,010 --> 00:27:52,229 national DPA in Europe and they can 881 00:27:52,230 --> 00:27:53,759 then raise the issue with the Department 882 00:27:53,760 --> 00:27:55,769 of Commerce in the US in an informal 883 00:27:55,770 --> 00:27:57,119 procedure. Again, the Department of 884 00:27:57,120 --> 00:27:58,469 Commerce doesn't have any investigative 885 00:27:58,470 --> 00:28:00,419 powers. So let's say I made an explicit 886 00:28:00,420 --> 00:28:01,769 request that I want to have a copy of all 887 00:28:01,770 --> 00:28:03,599 my data. Facebook doesn't send anything 888 00:28:03,600 --> 00:28:05,399 back. None of these guys can actually 889 00:28:05,400 --> 00:28:07,409 find out what Facebook actually stores on 890 00:28:07,410 --> 00:28:09,389 their servers to then decide over my 891 00:28:09,390 --> 00:28:11,009 access request. 892 00:28:11,010 --> 00:28:12,509 If I'm with the Irish DPC, first I 893 00:28:12,510 --> 00:28:13,769 have to go to court to sue them to 894 00:28:13,770 --> 00:28:15,749 actually do all of that, because they 895 00:28:15,750 --> 00:28:16,750 would never do that anyways. 896 00:28:17,820 --> 00:28:19,769 And all of them can theoretically go to 897 00:28:19,770 --> 00:28:21,659 the Federal Trade Commission, which 898 00:28:21,660 --> 00:28:23,279 again, doesn't really have too much 899 00:28:23,280 --> 00:28:24,899 enforcement powers and not a lot of 900 00:28:24,900 --> 00:28:26,339 investigative powers, but definitely more 901 00:28:26,340 --> 00:28:27,340 than the others. 902 00:28:27,960 --> 00:28:29,549 But the FTC already said they're not 903 00:28:29,550 --> 00:28:31,259 going to do that if they don't like it 904 00:28:31,260 --> 00:28:33,089 and they haven't done that so far. 
905 00:28:33,090 --> 00:28:35,189 So basically, all of that is old and gray 906 00:28:35,190 --> 00:28:36,689 because you don't get anywhere with all 907 00:28:36,690 --> 00:28:38,789 of this. Now, on top of all of that, and 908 00:28:38,790 --> 00:28:40,079 you have to go through all the other 909 00:28:40,080 --> 00:28:42,359 things before before you can appeal 910 00:28:42,360 --> 00:28:45,059 to the so-called Privacy Shield Panel, 911 00:28:45,060 --> 00:28:46,799 which is going to be about ten or fifteen 912 00:28:46,800 --> 00:28:48,029 lawyers or something like that. 913 00:28:48,030 --> 00:28:49,829 And you can call with you can have a 914 00:28:49,830 --> 00:28:51,539 Skype call basically with them a video 915 00:28:51,540 --> 00:28:53,759 conference and talk with 916 00:28:53,760 --> 00:28:55,679 them over your privacy concern. 917 00:28:55,680 --> 00:28:57,389 And even their decision is not going to 918 00:28:57,390 --> 00:28:59,249 be legally binding, but you would then 919 00:28:59,250 --> 00:29:01,409 have to transfer that through an American 920 00:29:01,410 --> 00:29:03,419 court into a legally binding American 921 00:29:03,420 --> 00:29:04,409 decision. 922 00:29:04,410 --> 00:29:06,179 And all of this is probably going to take 923 00:29:06,180 --> 00:29:08,339 three or four years to just get your 924 00:29:08,340 --> 00:29:10,169 fucking access requests. 925 00:29:10,170 --> 00:29:11,909 So that is the enforcement mechanism of 926 00:29:11,910 --> 00:29:13,349 Privacy Shield, which makes sure that 927 00:29:13,350 --> 00:29:15,269 even if you violate any of these rules 928 00:29:15,270 --> 00:29:17,309 that you can hardly violate, there's no 929 00:29:17,310 --> 00:29:18,629 way you will ever get your rights. 930 00:29:18,630 --> 00:29:20,939 And yet it's the 931 00:29:20,940 --> 00:29:22,709 interesting thing here is also a question 932 00:29:22,710 --> 00:29:24,989 of fair competition. 
Now, we have people 933 00:29:24,990 --> 00:29:27,149 on the European markets that 934 00:29:27,150 --> 00:29:28,829 can run under this system instead of 935 00:29:28,830 --> 00:29:30,529 really following. 936 00:29:30,530 --> 00:29:32,479 The European rules, and I think that's 937 00:29:32,480 --> 00:29:34,309 also an issue that our companies now have 938 00:29:34,310 --> 00:29:36,589 to follow, are all these fancy privacy 939 00:29:36,590 --> 00:29:38,869 laws we have and US companies 940 00:29:38,870 --> 00:29:39,870 don't. 941 00:29:40,490 --> 00:29:42,439 The most interesting part, actually, of 942 00:29:42,440 --> 00:29:44,179 that whole privacy shield thing is the 943 00:29:44,180 --> 00:29:45,649 whole surveillance issue. 944 00:29:45,650 --> 00:29:47,329 And the European Commission made a very 945 00:29:47,330 --> 00:29:49,549 interesting assessment and had 946 00:29:49,550 --> 00:29:51,319 a press release when they put up Privacy 947 00:29:51,320 --> 00:29:53,809 Shield saying that US, USAID 948 00:29:53,810 --> 00:29:55,699 assured that there is no indiscriminate 949 00:29:55,700 --> 00:29:57,349 or mass surveillance by national security 950 00:29:57,350 --> 00:29:58,819 authorities. 951 00:29:58,820 --> 00:30:00,619 So we now know we're safe. 952 00:30:01,760 --> 00:30:03,769 If you look into the privacy shield, 953 00:30:03,770 --> 00:30:05,959 actually there is a six page 954 00:30:05,960 --> 00:30:08,029 horror that says that 955 00:30:08,030 --> 00:30:10,399 there is so-called 956 00:30:10,400 --> 00:30:12,769 bulk surveillance for six specific 957 00:30:12,770 --> 00:30:13,789 purposes. 958 00:30:13,790 --> 00:30:15,229 So in the press release, they said there 959 00:30:15,230 --> 00:30:16,909 is no mass surveillance, but now there is 960 00:30:16,910 --> 00:30:20,029 bulk surveillance in Annex six, page four 961 00:30:20,030 --> 00:30:22,129 AM. And that is for a lot 962 00:30:22,130 --> 00:30:23,929 of six purposes that are very broad. 
963 00:30:23,930 --> 00:30:25,279 For example, the last one here is 964 00:30:25,280 --> 00:30:27,919 combating transnational criminal threats. 965 00:30:27,920 --> 00:30:30,179 So you just need a crime that goes across 966 00:30:30,180 --> 00:30:32,269 the border and a threat of 967 00:30:32,270 --> 00:30:33,649 such a crime, you don't even need a 968 00:30:33,650 --> 00:30:36,139 crime. So just the fact that Mexicans 969 00:30:36,140 --> 00:30:38,449 may throw drugs over 970 00:30:38,450 --> 00:30:40,579 the border is such a trans criminal, 971 00:30:40,580 --> 00:30:42,319 transnational criminal threat that 972 00:30:42,320 --> 00:30:44,009 already allows mass surveillance. 973 00:30:44,010 --> 00:30:45,649 And so if you look at the definitions, 974 00:30:45,650 --> 00:30:47,929 they are really, really broad. 975 00:30:47,930 --> 00:30:49,999 However, they say 976 00:30:50,000 --> 00:30:51,829 that this is the rule for bulk 977 00:30:51,830 --> 00:30:52,969 surveillance and there are only six 978 00:30:52,970 --> 00:30:55,099 purposes, but the bulk actually 979 00:30:55,100 --> 00:30:57,589 has a footnote five 980 00:30:57,590 --> 00:30:58,889 and lawyers love footnotes. 981 00:30:58,890 --> 00:31:00,439 So you follow that. 982 00:31:00,440 --> 00:31:01,939 And if you follow that footnote, they 983 00:31:01,940 --> 00:31:04,159 actually say that these limitations only 984 00:31:04,160 --> 00:31:06,229 apply if data is not 985 00:31:06,230 --> 00:31:08,689 temporally, temporarily acquired 986 00:31:08,690 --> 00:31:10,429 to later facilitate targeted 987 00:31:10,430 --> 00:31:12,499 surveillance. So 988 00:31:12,500 --> 00:31:14,719 the overall story is, if I collect 989 00:31:14,720 --> 00:31:16,909 all the data in bulk first to 990 00:31:16,910 --> 00:31:19,099 later target someone within that bulk, 991 00:31:19,100 --> 00:31:21,289 then it's not mass surveillance. 992 00:31:21,290 --> 00:31:22,609 And that is the interesting thing. 
993 00:31:22,610 --> 00:31:23,959 And that's basically where the definition 994 00:31:23,960 --> 00:31:24,949 goes differently. 995 00:31:24,950 --> 00:31:27,349 The US basically has that view. 996 00:31:27,350 --> 00:31:29,359 If you haven't if you have your, I don't 997 00:31:29,360 --> 00:31:31,519 know, your browser and you just type 998 00:31:31,520 --> 00:31:33,619 in one URL, you obviously 999 00:31:33,620 --> 00:31:35,929 only have access to one page at a time. 1000 00:31:35,930 --> 00:31:37,819 So your browser doesn't give you access 1001 00:31:37,820 --> 00:31:39,739 to Internet, to the bulk of the whole 1002 00:31:39,740 --> 00:31:41,899 Internet, but only to one page at 1003 00:31:41,900 --> 00:31:43,399 a time. So therefore it's not bulk 1004 00:31:43,400 --> 00:31:44,899 collection of data. 1005 00:31:44,900 --> 00:31:47,149 That's kind of the idea that they try to 1006 00:31:47,150 --> 00:31:49,219 put up and therefore you basically get 1007 00:31:49,220 --> 00:31:50,220 out of the whole system. 1008 00:31:51,560 --> 00:31:53,809 Finally, I'm kind of short with my time. 1009 00:31:53,810 --> 00:31:56,089 What they did is that 1010 00:31:56,090 --> 00:31:57,439 because it would be impossible that the 1011 00:31:57,440 --> 00:32:00,169 U.S. said that the European Union would 1012 00:32:00,170 --> 00:32:01,999 put all of that into their own finding. 1013 00:32:02,000 --> 00:32:03,259 What they did is they basically got a 1014 00:32:03,260 --> 00:32:05,659 letter from the US and annexed the letter 1015 00:32:05,660 --> 00:32:06,409 from the U.S. 1016 00:32:06,410 --> 00:32:07,579 to the decision. 1017 00:32:07,580 --> 00:32:09,199 So what they basically did is to ask a 1018 00:32:09,200 --> 00:32:10,729 foreign government to approve. 1019 00:32:10,730 --> 00:32:12,079 The law is great. 1020 00:32:12,080 --> 00:32:13,909 Put that in the letter and annex it to 1021 00:32:13,910 --> 00:32:15,559 European Union decision. 
1022 00:32:15,560 --> 00:32:16,909 If you would do that with China, you 1023 00:32:16,910 --> 00:32:18,589 would basically ask China to give you a 1024 00:32:18,590 --> 00:32:20,929 letter. How great the fundamental 1025 00:32:20,930 --> 00:32:22,909 rights in China are, you annex it to a 1026 00:32:22,910 --> 00:32:24,439 European Union decision and say, 1027 00:32:24,440 --> 00:32:25,819 obviously the law in China is great 1028 00:32:25,820 --> 00:32:27,169 because the Chinese government sent us a 1029 00:32:27,170 --> 00:32:29,629 letter saying it is, and that's basically 1030 00:32:29,630 --> 00:32:31,700 how they got around all these issues. 1031 00:32:33,350 --> 00:32:35,479 Very final issue that 1032 00:32:35,480 --> 00:32:37,669 I want to bring up is that 1033 00:32:37,670 --> 00:32:39,859 you can now complain to so-called Privacy 1034 00:32:39,860 --> 00:32:41,149 Shield Ombudsperson. 1035 00:32:41,150 --> 00:32:42,529 That's not a court or anything, but an 1036 00:32:42,530 --> 00:32:44,219 ombudsperson in the US State Department. 1037 00:32:44,220 --> 00:32:46,789 So the foreign department and 1038 00:32:46,790 --> 00:32:48,589 that goes through the national DPA. 1039 00:32:48,590 --> 00:32:51,409 The fun part of all of this is 1040 00:32:51,410 --> 00:32:53,119 the answer you will get from this redress 1041 00:32:53,120 --> 00:32:54,439 mechanism, and that's the only new 1042 00:32:54,440 --> 00:32:55,849 redress mechanism in Privacy 1043 00:32:55,850 --> 00:32:58,039 Shield, is already pre-described in 1044 00:32:58,040 --> 00:33:00,139 Privacy Shield, and the answer is going 1045 00:33:00,140 --> 00:33:01,849 to be the same answer no matter what your 1046 00:33:01,850 --> 00:33:02,869 case is. 1047 00:33:02,870 --> 00:33:04,729 And the answer will be, first of all, 1048 00:33:04,730 --> 00:33:06,199 that it has to be investigated. 
1049 00:33:06,200 --> 00:33:07,759 Secondly, they will tell you that they 1050 00:33:07,760 --> 00:33:09,829 either comply with the law or change 1051 00:33:09,830 --> 00:33:10,789 their behavior. 1052 00:33:10,790 --> 00:33:11,959 They're not going to tell you if they 1053 00:33:11,960 --> 00:33:13,219 complied with the law. They only said 1054 00:33:13,220 --> 00:33:15,649 either we complied with the law or 1055 00:33:15,650 --> 00:33:17,359 we're going to change Judith differently 1056 00:33:17,360 --> 00:33:18,319 in the future. 1057 00:33:18,320 --> 00:33:19,999 And then they will neither confirm nor 1058 00:33:20,000 --> 00:33:21,199 deny that there was any surveillance 1059 00:33:21,200 --> 00:33:22,219 anyways. 1060 00:33:22,220 --> 00:33:24,019 And that is your wonderful redress that 1061 00:33:24,020 --> 00:33:26,059 should apparently fulfill your right to 1062 00:33:26,060 --> 00:33:27,589 redress on the European Union law. 1063 00:33:28,790 --> 00:33:30,079 I'm going to jump through that. 1064 00:33:30,080 --> 00:33:31,669 Snowden was pissed about it as well. 1065 00:33:31,670 --> 00:33:33,499 You can read it on Twitter yourself. 1066 00:33:33,500 --> 00:33:35,659 And one last thing that I want 1067 00:33:35,660 --> 00:33:37,429 to talk about is how to kill Privacy 1068 00:33:37,430 --> 00:33:39,229 Shield, because if anybody in this room 1069 00:33:39,230 --> 00:33:41,419 wants to kill it, there's a very easy 1070 00:33:41,420 --> 00:33:42,949 way to do that. And I'm encouraging 1071 00:33:42,950 --> 00:33:43,950 anybody to do that. 
1072 00:33:44,900 --> 00:33:46,609 You can basically file an injunction 1073 00:33:46,610 --> 00:33:48,349 against an Internet service provider at 1074 00:33:48,350 --> 00:33:50,089 your local European court and basically 1075 00:33:50,090 --> 00:33:52,309 claim the Privacy Shield is invalid and 1076 00:33:52,310 --> 00:33:53,569 request a reference to a court of 1077 00:33:53,570 --> 00:33:55,069 justice, because your local court will 1078 00:33:55,070 --> 00:33:56,449 have to refer a case like that to the 1079 00:33:56,450 --> 00:33:57,450 Court of Justice. 1080 00:33:58,250 --> 00:33:59,899 And then you can basically focus on the 1081 00:33:59,900 --> 00:34:01,339 commercial things, because that's much 1082 00:34:01,340 --> 00:34:02,539 easier to challenge than the mass 1083 00:34:02,540 --> 00:34:03,649 surveillance. 1084 00:34:03,650 --> 00:34:05,119 And then you basically just have to sit 1085 00:34:05,120 --> 00:34:06,919 back and relax. So if anybody in this 1086 00:34:06,920 --> 00:34:08,749 room wants to go to the Court of Justice, 1087 00:34:08,750 --> 00:34:10,669 I'm happily assisting you. 1088 00:34:10,670 --> 00:34:12,829 And finally, I 1089 00:34:12,830 --> 00:34:14,899 need to jump to the very last part, 1090 00:34:14,900 --> 00:34:17,299 because right now 1091 00:34:17,300 --> 00:34:19,129 that's the part about the use of European 1092 00:34:19,130 --> 00:34:20,569 surveillance. I told you that already 1093 00:34:20,570 --> 00:34:22,698 there is actually a way to probably get 1094 00:34:22,699 --> 00:34:23,809 these courses. 1095 00:34:23,810 --> 00:34:25,309 There is no jurisdiction for mass 1096 00:34:25,310 --> 00:34:27,379 surveillance in Europe by the Court 1097 00:34:27,380 --> 00:34:28,519 of Justice in Luxembourg. 1098 00:34:28,520 --> 00:34:29,919 But there is a possibility. 
1099 00:34:29,920 --> 00:34:31,329 The same cases with the same legal 1100 00:34:31,330 --> 00:34:33,369 rationale to Strasbourg, and we already 1101 00:34:33,370 --> 00:34:34,658 had the first case going up where they 1102 00:34:34,659 --> 00:34:36,369 cited our case, I think for European 1103 00:34:36,370 --> 00:34:38,169 surveillance, this whole case was very 1104 00:34:38,170 --> 00:34:39,488 important as well. But we're just going 1105 00:34:39,489 --> 00:34:41,619 to need a different court to go to. 1106 00:34:41,620 --> 00:34:42,988 The very last thing: 1107 00:34:42,989 --> 00:34:45,099 I'm sorry, but I have to pitch something. 1108 00:34:45,100 --> 00:34:47,079 And we just started to have Privacy 1109 00:34:47,080 --> 00:34:48,879 Enforcement NGO. 1110 00:34:48,880 --> 00:34:50,559 We're looking for donations on that, 1111 00:34:50,560 --> 00:34:52,749 actually for memberships because I do 1112 00:34:52,750 --> 00:34:53,859 all of this for free. 1113 00:34:53,860 --> 00:34:55,658 But to do cases like that and actually 1114 00:34:55,659 --> 00:34:57,249 win stuff, we need to have a team on the 1115 00:34:57,250 --> 00:34:59,649 European level that does shit like that. 1116 00:34:59,650 --> 00:35:00,759 Especially we're looking into the 1117 00:35:00,760 --> 00:35:02,019 commercial sector. We are working 1118 00:35:02,020 --> 00:35:04,029 together with the NGOs that already exist 1119 00:35:04,030 --> 00:35:05,679 nationally. But the idea is to really do 1120 00:35:05,680 --> 00:35:07,509 stuff on the European level. 1121 00:35:07,510 --> 00:35:09,549 Very quick pitch because I'm over my time. 1122 00:35:09,550 --> 00:35:11,349 Questions, please ask me personally 1123 00:35:11,350 --> 00:35:12,669 because we're over time anyway. 1124 00:35:12,670 --> 00:35:13,719 Sorry for. 1125 00:35:32,380 --> 00:35:33,999 OK, thank you, Max.