The European Union as Global Information Regulator & Other Policy Topics
Peter Swire
Engage CISO Roundtable with the GT Institute for Information Security & Privacy
Atlanta, December 3, 2018
Overview
Swire background
Research highlights:
  Intelligence agency oversight
  Cross-Border Data Forum
  Non-code aspects of cybersecurity
The EU as global regulator of information:
  You know about GDPR
  Irish standard contract clause case going to the European Court of Justice: could massively cut off flows of personal data from the EU to the U.S.
Swire Activities Today
Professor, GT, privacy and cybersecurity
Associate Director for Policy, GT Institute for Information Security and Privacy
Senior Counsel, Alston & Bird (Jim Harvey, David Keating, etc.)
2018 Andrew Carnegie Award for “Protecting National Security and Human Rights in the New Era of Data Localization”
US, EU, and Global Data Flows
1998 book from the Brookings Institution on US/EU privacy disputes
Background
President Clinton’s Chief Counselor for Privacy
Negotiation of the US/EU “Safe Harbor” for privacy
Chaired the White House Working Group on updating wiretap and intelligence law for the Internet
President Obama’s Review Group on Intelligence and Communications Technology (2013) (“NSA Review Group”)
The Situation Room: December 2013
U.S. Intelligence Oversight & Reform Since 2013
Review Group: 46 recommendations
White House in 2014 reported 70% had been adopted
More since then, notably the USA Freedom Act (2015)
I remain active in this area: was the U.S. speaker last Friday in Malta at the International Intelligence Oversight Forum
GT Professor Annie Antón announced last month as one of the first technology amici curiae for the Foreign Intelligence Surveillance Court, and the only academic.
MLA & Cross-Border Government Access to Data
Technology/market changes:
  Before, evidence for a serious crime in Paris was in Paris
  Now, email, social network, and other content is often held in a different nation
EU E-Evidence report: 55% of cases have evidence across borders
We need to build a new international system as cross-border law enforcement requests become the norm
Cross-Border Developments
GT project since 2015: http://www.iisp.gatech.edu/cross-border-data-project
US passed the CLOUD Act in March 2018
New system of “executive agreements” first announced in our research
EU proposed E-Evidence rules as well
US/EU negotiations slated for January
US/UK agreement may be made public in January
www.crossborderdataforum.org
Goals of the Cross-Border Data Forum
Fulfill legitimate law enforcement requests for data relevant to the investigation of serious crimes.
Protect and promote privacy and human rights as essential to new legal approaches.
Provide a workable regime for the companies holding data of interest to law enforcement.
Safeguard the internet by resisting calls to localize data and splinter the internet.
Non-code Aspects of Cybersecurity
October 2018, Communications of the ACM: “A Pedagogic Cybersecurity Framework: A Proposal for Teaching the Organizational, Legal, and International Aspects of Cybersecurity”
New framework for organizing and emphasizing the non-code aspects of cybersecurity
The OSI stack has 7 layers; the framework adds:
  Layer 8: organizational
  Layer 9: legal/government
  Layer 10: international
EU as Global Information Regulator
EU Data Protection Directive in effect since 1998
GDPR went into effect this year
The spread of privacy laws to > 120 countries; most are based on the EU approach
GDPR enforcement is just beginning
New, serious challenges to online advertising on the claim that there is no “consent” to third-party advertising tracking:
  CNIL: Vectaury
  Privacy International complaint about Experian, Acxiom, and others
1998 Privacy Laws (world map; legend: Comprehensive, Proposed, Sectoral, None)
2018 Privacy Laws (world map; legend: Comprehensive, Proposed, Sectoral, None)
Will the EU Create the Great Firewall of Europe?
2000: Safe Harbor agreement
October 2015: European Court of Justice struck down Safe Harbor in the Schrems decision
  One concern: strict enough commercial privacy rules
  Major concern: scope of US surveillance activities; may not be “adequate” if NSA and other surveillance takes place once the data gets to the US
December 2015: Swire testimony about safeguards and reforms in US surveillance law
July 2016: final approval of the EU/US Privacy Shield to replace Safe Harbor
The Legal Challenges
The European Court of Justice in Schrems did not (quite) find that US surveillance made transfers “inadequate”
It did strike down Safe Harbor, expressing detailed concerns that NSA surveillance is so pervasive that data of EU citizens cannot be safe in the US
Case Headed to the European Court of Justice
Current Schrems v. Facebook case: challenge in Ireland to the “standard contract clauses” (SCCs) that are used as the lawful basis to send data to the US and elsewhere
Irish privacy commissioner: SCCs seem as legally weak as Safe Harbor
300-page Swire testimony on actual U.S. law and practice: https://www.alston.com/en/resources/peter-swire-irish-high-court-case-testimony
Irish judge: agreed with the privacy commissioner, and has referred broad questions to the ECJ
What if the ECJ Rules the US is Not Adequate?
If the ECJ says SCCs are illegal, there is no good way to overrule that:
  Binding legal effect of an ECJ decision
  No mechanism for constitutional amendment; would require a change to the Lisbon Treaty
What will happen?
  ECJ briefing in early 2019
  Result is unclear
  If the court remains strict, may need large data separation between EU and US operations
  Consider that possibility as you establish your systems
Questions and discussion?
Intelligence oversight
Cross-Border Data Forum
Non-code aspects of cybersecurity
EU and online advertising
EU may block transfers to the US