9th Newsletter -> 2 - 8 September 2016

AG Mengozzi: Agreement between EU and Canada on airline passenger data infringes privacy

The EU and Canada signed an Agreement in 2014 with the intention of fighting terrorism, which enables the retention of airline passenger data and its sharing with the Canadian authorities. The Agreement involves the transfer of Passenger Name Records (PNR) of passengers flying with carriers operating flights between the EU and Canada. PNRs include passengers’ names, travel dates, itineraries, ticket and contact details, travel agents, and other information. The European Parliament asked the Court of Justice of the European Union (CJEU) for an opinion on whether the Agreement is in line with the EU treaties and the Charter of Fundamental Rights.

Advocate General Paolo Mengozzi issued his non-binding opinion, in which he said that certain provisions of the Agreement went against the EU Charter of Fundamental Rights. In his view the CJEU should make sure that the proposed measures reflect a fair balance between the legitimate desire to maintain public security and the equally fundamental right of everyone to enjoy a high level of protection of his or her private life and own data. The main privacy issue with the proposed Agreement lies in the fact that the authorities are allowed to use the PNR data beyond what is strictly necessary for the prevention and detection of terrorist offences and serious crime.

On the other hand, the AG believes that the Agreement could be compatible with EU fundamental rights subject to certain conditions. The Agreement should not allow collection of sensitive data, the offences for which data can be retained should be listed exhaustively, and the number of targeted persons can be limited to those who can be reasonably suspected of participating in a terrorist offence.

Read more HERE

Read the AG’s full opinion HERE

View other bilateral PNR agreements and decisions HERE


German intelligence agency violated several privacy laws

A confidential report by the German Federal Data Protection Commissioner (FDPC) Andrea Voßhoff revealed that the country’s intelligence agency, the Bundesnachrichtendienst (BND), seriously violated the country's laws. A legal analysis of the agency's practices, performed by the FDPC in July 2015, resulted in a list of 18 serious legal violations and the filing of 12 formal complaints. The report said that the BND created seven databases without the appropriate legal approval, all of which Commissioner Voßhoff ordered to be deleted and not to be used again.

The analysis also revealed that the BND used a version of the XKeyscore software, a formerly secret computer system first used by the United States National Security Agency (NSA) for searching and analysing global Internet data. The data that the BND collected using this software was then sent to the NSA. These data transfers constitute an additional severe violation of fundamental rights, as they contained approximately 14 million items every day. The BND tried to filter the collected data by using a special filtering system, which was intended to remove all data from German citizens and individuals in order to adhere to the requirements of Article 10 of the German constitution. However, the FDPC concluded that the filtering wasn't sufficient, which meant that these transfers had breached German law.

Read more HERE

Read more about XKeyscore HERE


Tech companies support Microsoft’s lawsuit against the U.S. government

In April 2016 Microsoft filed a lawsuit against the U.S. government in U.S. District Court in Seattle, arguing that a law that can prohibit technology companies from telling customers when law enforcement comes looking for their data is unconstitutional. Microsoft challenges a law-enforcement mechanism which is allegedly being used in a way that violates its rights and those of its customers. More specifically, Microsoft claims that the portion of the Electronic Communications Privacy Act (ECPA) that authorises the so-called “gag” orders violates Microsoft customers’ Fourth Amendment right to protection from unreasonable searches and seizures. When law-enforcement agencies get a warrant to grab email or other data stored online, they can request a court order to bar Internet service providers from informing the user their documents were seized. Microsoft said it has received about 5,600 federal demands for consumer data in 18 months, almost half accompanied by such gag orders.

A number of technology companies, including Amazon, Apple, Google, and Mozilla, as well as media enterprises, corporations, the United States Chamber of Commerce, other organisations and former law-enforcement officials, filed briefs in support of Microsoft’s lawsuit against the U.S. government over the ECPA. Such a document, also known as a “friend-of-the-court” brief, is designed to act as a legal show of support for Microsoft’s views. The U.S. government stated that the “gag” orders can be necessary to prevent the subject of a search from acting differently while the investigation is continuing.

Read more HERE and HERE

Read more about the Microsoft lawsuit HERE

Read the full “friend of the court” brief from former law enforcement officials HERE