Surveillance around the world

Where can I safely store my data? Percentage of population using the internet (0-100: light to dark)

“Safe Harbor” principles -> “Privacy Shield” principles Notice - Individuals must be informed that their data is being collected and how it will be used. The organization must provide information about how individuals can contact the organization with any inquiries or complaints. Choice - Individuals must have the option to opt out of the collection and forward transfer of the data to third parties. Onward Transfer - Transfers of data to third parties may only occur to other organizations that follow adequate data protection principles. Security - Reasonable efforts must be made to prevent loss of collected information. Data Integrity - Data must be relevant and reliable for the purpose it was collected. Access - Individuals must be able to access information held about them, and correct or delete it, if it is inaccurate. Enforcement - There must be effective means of enforcing these rules.

USA? Intelligence services and law enforcement operate surveillance programs, but not for an economic purpose Court orders, warrants, and subpoenas govern who must provide what data Subjects of surveillance by intelligence agencies are not notified, but subjects of law enforcement surveillance are usually notified Most U.S. privacy laws protect individuals without regard to citizenship and courts will generally take jurisdiction against U.S. companies regardless where plaintiff is located. 4th Amendment protections are limited to searches on U.S. territory, but the California Constitution and most statutes, torts and other privacy laws are not so limited.

United Kingdom? “Snooper’s Charter” (12/30/2016) Requires communication service providers to store websites visited for 1 year Allows police, intelligence officers and other government officials to see these records without a warrant Allows targeted equipment interference by police and intelligence agencies (hacking) and bulk interference for national security matters Legally obligates communication service providers to assist with targeted interception of data and with interference Requires communication service providers in the UK to have the ability to remove encryption; foreign companies are not required to remove encryption Creates new crimes of unlawfully accessing internet records, and of working for a communication service provider and revealing that data has been requested

Australia? Allows surveillance for economic purposes (e.g., US does not) Access to metadata does not require a warrant. Mandatory data retention requires that metadata be collected by ISPs and stored for 2 years No constitutional rights to privacy No reciprocal Safe Harbor program as between US and EU

Canada? Intelligence services not required to notify other government bodies of surveillance actions taken Companies allowed to voluntarily disclose information to the government where they think it may pose a security risk, without notifying customers

China? No court order needed for the Public Security Bureau to intercept data or compel access to data stored by private companies (some exceptions for cloud storage) Disclosure of personal data to the government is not considered a leakage of personal data, and is generally not objectionable. Liability may arise if personal data is divulged to third parties which causes damages to the data subject. The operation and working procedures of intelligence services are top secret. There is virtually no public information of how they function, and as a matter of reality, their work is generally outside of judicial review. No right to be forgotten

France? Economic surveillance is authorized, and court orders are not necessary to intercept calls, emails, or other communications It is a criminal offense in France for someone involved in a surveillance program to reveal the existence of this surveillance Privacy rights are applicable on a territorial basis, not on a citizenship basis. Therefore, French and US citizens have the same protection on French territory. On November 30, 2015 France adopted a new law that allows French Intelligence Services to conduct surveillance programs targeting communications issued from and received outside of France. This law was adopted to provide a legal ground to existing intelligence services practices e.g., surveillance of under-sea internet cables).

Germany? No court order required for intelligence agencies to obtain data Telecommunications providers are required to enable monitoring and recording. Providers of telecommunications services are required to technically implement surveillance measures and to allow surveillance services to set up respective devices at their premises Data subjects are notified of surveillance after its completion U.S. companies or the U.S. government are not covered by German data protection rules as long as they refrain from collecting, processing and using data within Germany. “Right to be forgotten” applies (in EU generally)

India? The right to privacy has been recognized as a fundamental right by Indian courts. Law enforcement authorities and intelligence agencies do not need court orders to intercept communications

Japan? Intelligence services do not operate surveillance programs. Only law enforcement may seek warrants to intercept communications Subjects whose data are accessed by law enforcement or whose communications are wiretapped must be notified of this surveillance

For your protest projects… Civil Disobedience - Know Your Rights Training Wednesday, February 8, 2017 12:45-2:00pm Room 190, Stanford Law School