Event Recording

I'm None of your Business


After the fancy sound, let's dive right into it. I was asked to talk a little bit about EU-US data transfers and that whole saga. So there are basically two Court of Justice rulings, the Supreme Court of the European Union, saying you can't just use a US cloud provider because of various GDPR violations. And to dive into these rulings slightly, as much as 20 minutes allow, this is basically the idea of this presentation. I'm just gonna get this point out of the way: what's the background? So basically Snowden disclosed these slides that you can see here, that's the well-known Snowden disclosures. The slides, as you can see, are about 10 years old, just judging from the graphics. The graphics already looked shitty 10 years ago, but a lot of the stuff we know about US surveillance is ancient. So we just know the general law and that there are programs, but some of the programs may be different, maybe more vast today than we know from the Snowden slides.
Basically, there are two things. There's what they call upstream, and back then PRISM. Upstream basically means that data is collected on the backbone of the internet. And PRISM means that data is collected, which you would now call downstream, right from service providers. So let's say if you have Microsoft, Amazon, cloud, whatever, they have to forward data to the NSA based on that law. The interesting thing is that we actually know these individual companies in the US. Otherwise there was usually more secrecy about surveillance. And here we have a decent understanding of who is doing what. This American law is called FISA 702, or also 1881a; it has two numbers. And that law is kind of interesting because it says that there has to be what they call an electronic communication service provider. So basically a telco company, a cloud provider, anything like that.
And that company must hold what they call foreign intelligence information. So anything that is relevant for the foreign conduct of the United States. So very, very broad terminology. And that's all you need. You don't need a criminal. You don't need any kind of espionage. You don't need anything else. You don't need a judge. They can basically just say, there's something on the Amazon Web Services cloud, on their cloud service, we're interested in it, we wanna have that stuff. That's basically how the law works. There are, so to say, classified elements. The law requires that there's a certification for one year that is done by a court. However, that is not a review by a court as we usually have it in a normal court case; it is a certification of the whole surveillance program. So the government in the US walks up to the US court and says, that's how our surveillance system is gonna work for the next year.
And then they sign that off. It's not a review of an individual surveillance situation. The interesting thing is what that's for is so-called minimization and targeting procedures. And they're there to filter out Americans, because under the Fourth Amendment of the US Constitution all of this would be absolutely illegal within the US, because it would violate US fundamental rights. But US fundamental rights only apply to what they call US persons, so permanent residents and US citizens, and anybody else in the world just doesn't have any fundamental rights. And therefore you basically filter it and say, okay, as long as we don't touch the American data, we can use all the global data for our surveillance. There's then a so-called directive to the service provider that asks that service provider to open what by all logical means would be an API to actually pull that data out.
All of that is classified. So even the people within the companies are not allowed to know how this works in detail. So the CEO, for example, of Microsoft wouldn't be allowed to know that that happens within Microsoft, which makes it super easy for them to deny all of that in all public presentations and say, we have never heard about it, cause they cannot possibly have heard about the details of it. We brought a case where I'm kind of this little Austrian smiley down here. I had a contract with Facebook Ireland, that sits in Ireland for tax avoidance reasons. My data again goes to Facebook US, and basically it's then under surveillance under upstream and PRISM, under these different legal instruments. And we went with this whole case to the Court of Justice. That's kind of the American side, and basically the case that we brought. Just quickly on European data protection law, so the GDPR.
There's one thing that has been there since 1995, but basically everybody ignored it for more than 25 years, which is a general export prohibition on personal data. So in the EU you're technically not allowed to send personal data abroad as a fundamental rule. That's because if we have fundamental rights and protections in Europe and you just move that data out of that protected space, in that moment all your protection would be gone. So you basically have to say data cannot leave that protected area. There are exemptions, the so-called derogations, for what you could call necessary transfers. So if you book a hotel in North Korea, the booking obviously has to go there, no matter if it's North Korea. So there are exemptions for these cases. But the big problem that we have is outsourcing, so cases where it's just easier, more convenient, nicer to host data abroad, but where it's technically not really necessary; you could use a provider in Europe as well.
There's just, I don't know, fewer options and so on, and maybe more expensive and so on. And for all of these outsourcing situations there are laws for that as well in the GDPR. But what they do is that they basically extend the GDPR bubble into other countries. So let's say there's a country that doesn't have any privacy laws. There's a vacuum. You can fill that with a contract. So you basically sign a contract between, let's say, an American company and the European company saying the American company is gonna follow the GDPR, and therefore it can receive data from the EU. Would make a lot of sense if there is a vacuum. The problem is, in the US there's not just a vacuum. There is a conflicting law, this FISA 702 thing, and that directly contradicts European law. So we have two different jurisdictions that say exactly the opposite, and a company has to comply with both of them at the same time, which is basically impossible.
So the Charter of Fundamental Rights in Europe says you gotta have privacy. FISA says you gotta do surveillance. And as a company that uses one of these tools, they're called standard contractual clauses, Privacy Shield, BCRs, you kind of have to conflict with one of the two jurisdictions. And right now they usually conflict with the European one, because that's the one that doesn't bite as much as the Americans. And that's kind of where all of this ends. We had two instruments previously, one called Safe Harbor, the other one called Privacy Shield. And both of them were killed by the Court of Justice, the supreme European court that deals with these things. Privacy Shield was the second attempt by the European Commission to do a data transfer deal. And this whole thing is a hundred pages. So I'm not gonna go into this obviously for the next 20 minutes, but you can see a couple of the techniques that the European Commission has used to kind of strike a new deal, despite not really having adequacy in the US.
One of the things that they did is, for example, in the press release they said that the US authorities assured the European Union that there is no indiscriminate or mass surveillance by national security authorities. Sounds good. But if you read it in detail, they don't say there is no surveillance. They say the Americans have assured us there is no surveillance. It's a bit like if you ask the Chinese and they're like, yeah, we assure you that there are no problems with the Uyghurs. We all know there is a problem, but obviously the Chinese government will assure you that fundamental rights are upheld in China as well. You can trust it or not. What the European Commission did is that they basically just looked at that assurance instead of actually looking at what happens on the ground. How they did that is that, for example, even in the annex of that decision, they say that there is bulk collection in six cases.
So bulk collection is American for mass surveillance, and in the press release it says there is no mass surveillance. And even in its own documents that are attached to the decision, it says there's bulk surveillance in six cases. If you dive a little bit deeper into where that comes from, there is a footnote on that word bulk. And if you follow that footnote, you realize that they say it's actually not bulk surveillance in their definition if you collect the whole haystack to find the needle, because you're only looking for the needle, and therefore you don't do mass surveillance, and you can still ingest the whole haystack of data. And just by using these different wordings and definitions, you get to a result where you say, oh, there is no mass surveillance, just because you define mass surveillance out of your definition of mass surveillance. And that is kind of the wording and the politics that happens back there.
The Court of Justice also asked that there's gotta be a court in the US, and instead of a court they have a system where there is a European that can go to the local data protection authority, that would raise an issue with an undersecretary in the US foreign department, the State Department, which would then talk to the US government and get back to you with a very standard answer. And in each case where you have a complaint about mass surveillance, you would get that answer where it says the case was investigated, either the US complied or didn't comply, and it was remedied. But you are not allowed to know which situation you were actually in, and in the end they neither confirm nor deny that there was any kind of surveillance anyways. So if that's your court and your redress as a fundamental right, you can guess that you're never gonna get anything other than this answer, and you're never gonna have real redress in any meaningful way.
That's directly in conflict with the requirements by the Court of Justice. What they basically do in these cases is what they call a proportionality test. It's a very standard test in European law. You basically look at the public interest and the fundamental right, and you try to balance the two against each other; there are steps in it, I'm not gonna go into that. But usually we have cases where they see the proportionality is off and you're in the red zone, and therefore the law is invalid for proportionality. That was, for example, data retention, where they kept all the phone records and tried to analyze them. However, there's also the possibility that there's a violation of the essence of a fundamental right, which means the violation is so fundamental that you don't even have to do a proportionality test anymore. One of the few cases where that's always the situation is torture; there is no proportionate torture.
That's always a violation of the essence, but otherwise we usually have a proportionality test. And this case was the first time where the Court of Justice said you violate the essence of a fundamental right, because there is literally no court in the US that you could go to. So it's not a limited court, it's just no court. Same thing on the surveillance side in the first case. So we got to a result where you have two tests. You basically have to be, in the US, compliant with the GDPR and with this Charter of Fundamental Rights, which is the fundamental rights of the European Union. That was probably a lot of information for people here that are not very into legalese, and probably not easy to relate to. But I'm trying to kind of break that down into practical consequences for data transfers to the US.
So usually you're somewhat fine if it's a necessary transfer. I'm again generalizing; if you wanna have more details, it's Article 49 of the GDPR. What's really interesting is this whole outsourcing debate, so anybody using a US cloud provider, and how much that's possible. And in these situations you can basically build little groups. If you have a situation where you have transfers of non-personal data, so you send, I don't know, some video footage or whatever that's not containing any kind of persons, then you're probably fine. So you usually have no problem there whatsoever. Then there are these so-called necessary transfers. So let's say you book a hotel in New York: no problem there. You send an email to an American colleague: no problem there, you fall under Article 49. A lot of people, when this case was published, were kind of screaming that all of that wouldn't be possible anymore.
That's not what this case was actually about. The real problem is if you send data to a so-called electronic communication service provider in the US that falls under one of these surveillance laws, and that is usually all the big cloud providers. So literally Amazon has a list of how many requests they get per year, Microsoft has one, Google has one, Facebook has one, and so on. And that also extends to servers that are hosted in Europe. A lot of these American providers now said, no worries, we're just gonna have a server in Europe and everything's fine. The interesting thing is that American law doesn't have a geographic limitation. The limitation that it has is: as long as an American company has what they call custody, possession or control of the data, they must give it out, no matter where the server is. Now, there is an option that the American company says, okay, we're gonna have a server that is hosted in Europe and we technically don't have access to it, because we have it in a sub-company that we can somehow not manage or are not gonna be able to tell that they gotta hand that data out.
That may be an option. That's a bit what Microsoft did with this German cloud solution, if anybody came across that, and that could be a path forward. But generally, just the location of the server doesn't really matter from a legal perspective. There are situations where data is transferred to the US, to a company that is a normal company, not a cloud provider. So let's say Hanza has an office in New York that is its own company, but is not an electronic communication service provider. It doesn't fall under any of these surveillance laws. Therefore you could potentially say, okay, that's fine, as long as it's end-to-end encrypted, blah, blah, blah. That is kind of the status quo right now under the law. We then filed 101 complaints as a test drive, because we have these data protection authorities in Europe, and they're wonderful at writing guidelines and papers and so on, but at actually enforcing stuff, not so much.
So we just checked websites that used Google Analytics and Facebook Pixel, basically scanned for them, and filed against the companies or the websites per country in the EU that had the highest visitor count. So basically a couple of pages per EU member state, because we had some doubles and so on, and in the end it ended up being 101 complaints. So we decided we get some donations for it. And there are a couple of main arguments that a lot of the industry is right now using to say why all of that should be somehow legal. The first and most common argument is: sorry, we removed it. So in most of the cases, when you actually file a complaint on any of that, the result is that Google Analytics is removed from the website, and therefore the problem is solved. The American companies now talk about so-called supplementary measures.
So they basically say the law in the US is terrible, we know, but we did some magic to kind of fix the problem. I'm gonna go through this magic and why it doesn't really get you anywhere. And the third one is a very kind of legalistic, creative idea, which is what they call a risk-based approach. I'm gonna get into why that's bullshit in a second. The supplementary measures is the idea that you can add something technically or organizationally to make sure that the US government cannot access the data. The interesting thing is we actually brought that up at the Court of Justice. So it's literally my submissions that had that idea in the first place. It's just that half of the legal industry is now trying to... it's basically a small hole that they try to squeeze jumbo jets through, which doesn't really get you into a situation where this actually works. But you can divide the supplementary measures into two things.
First of all, you have technical supplementary measures that usually work quite well. And they go towards what you could see as a zero-knowledge situation. So let's say your problem is upstream surveillance on the backbone of the internet. If you have end-to-end encryption, you can legitimately say it's not realistic that the NSA is gonna capture that and get all the data, if the encryption is really good and blah, blah, blah. It's all a technical question; I'm a lawyer, so there may be limitations on that too, but generally, conceptually, that could make sense. You could say, okay, I just have backup data that I don't need to process anyways. I just encrypt it in Europe, I have the key, it goes onto a US server and I get it back and decrypt it here again. Could work. All of this kind of zero-knowledge stuff could be a solution to still use a US server, with the US recipient being able to say, I can't access it.
Therefore I can't forward it to the NSA either. Then there are all these kinds of different contractual things that usually don't work, because US law doesn't allow any of that. So there's a lot of text, usually, in the supplementary measures that doesn't really get you anywhere. For what I'm saying, I'm basically relying also on the European Data Protection Board that put these things together as well, after, I think, a hundred pages of analysis, and you get to exactly the same results. So what did Facebook do with all of that? They did what they call a transfer impact assessment. So lawyers writing 100 pages on why all of that should be somehow legal, even though the Court of Justice said twice it's not. We actually wanted to publish that, but Facebook threatened to sue us. So we read it out online. So if you can't sleep, there is an option of me reading out transfer impact assessments for like an hour or so. But basically what they do is that they list endless, endless ideas of how they could somehow solve that problem.
And there's things like, oh, we have a legal team that actually reviews requests. Like, duh, yeah, someone has to read that email that gets in, but that doesn't solve the problem that you still have to comply with it. There are tons of these examples. My favorite one was actually the one from Google. We published that on our website as well. One of the things there is that they have technical measures, which is putting a fence around their data center and having a sign saying do not enter. That's the technical solution to go against NSA surveillance that they then put on pages and pages of these supplementary measures. All of that went in front of the French data protection authority, the Austrian one, the European one and the Dutch one, half of them only in guidelines. And all of them rejected this idea of supplementary measures in this situation.
There are other countries and other situations where that could be an option, but just for US surveillance, you don't really get anywhere there. The other thing is the so-called risk-based approach. So there are so-called risk elements in the GDPR where the law says, depending on your risk, you have to do the following or not. But it's limited to certain articles, and the one on data transfers doesn't have any of these. But a couple of smart lawyers just decided that, oh, let's just call this a general principle of the GDPR, and therefore let's apply risk from Article, I don't know, 32 and move it into the forties and just say, there we now do risk as well, even though the law explicitly doesn't have risk elements in there. That's the second one that they're now trying and tried to sell as well.
And that was just rejected, too, a week ago by the Austrian data protection authority. Last point, and I just gotta be really quick to not run too much over time: there is now this new EU-US framework. So that was announced a couple of weeks ago. So von der Leyen and Biden got together and said, woohoo, we're gonna have a wonderful solution to do this all over again. This announcement basically has three headlines and not much more. They basically say that Privacy Shield will stay as it is, so they will use the same system. They will add an executive order to introduce this proportionality test that I showed before into US law. And they will have a so-called data protection court, which is not a court. What is an executive order? You probably remember Trump with these Sharpie things where he signed something. That's exactly an executive order.
It's an internal order within the executive branch in the US that just says, I'm your boss, don't do this shit. But it doesn't generate rights. It's not a law in any kind of way. It just tells your own people in the executive branch not to do something. And in this executive order they want to add this proportionality test from the European Union. So the Court of Justice found twice that FISA is basically a violation of the essence in the proportionality test as we have it. Now they want to add the word proportionality into US law, but still wanna do the same surveillance. So they all say, we're gonna keep on doing the surveillance. The only option that you have is that you basically say, under the US definition of proportionality, we just gonna move proportionality over like shit. So we use the same word and we can both say we do proportionate surveillance, but it actually just gets a different meaning.
There is already something like that with what they call reasonable expectation of privacy: in Europe there is a totally different view of what that means than in the US. Then for the court, they basically said we're gonna keep more or less the ombudsperson system with the same standard answer that you would get, but let's just add a couple of people so it's more independent, even though it's still part of the executive, and then they will do a review in an actual court. Now, the interesting thing is the only thing apparently that you can review is this text down here, which always has to be the same anyways. So if you file a lawsuit at the court, you're like, I got the text that I should get, I'm unhappy with it. And the court is of course gonna say, that's all you get, why are you even in front of me?
So the only thing you can possibly complain about is, I don't know, typos in the text or something, but not any kind of substantive problem. Last point is that the commercial data usage will still be done under Privacy Shield, which has these privacy principles from about 2000. So in the GDPR in 2018 we had a lot more strict regulation in Europe, and this new system in the US would have to be essentially equivalent. But, for example, a couple of highlights: instead of consent or another legal basis, the US only has opt-out. So they can basically process your data as much as they want to, unless you kind of scream and say no. There's full access in Europe, you get a copy of your data; in the US it's really limited. In the EU data has to be necessary for your purpose.
So you literally really have to need that data; in the US system it only has to be relevant, and almost anything can be relevant. So just from these differences you'll have vast differences even on the commercial side. What's the way forward for all of this? We'll probably have this new framework by the end of the year. There will be a draft decision and a final decision. There's gonna be a review process within the European Union. And very likely we're just gonna challenge this thing a couple of weeks later again, and we'll probably start this whole process from the get-go again. So we'll probably have another couple of years to fight over these data transfers, because we have an executive in the European Union that just cannot follow anything that the Court of Justice has ever said, and just tries the same thing over and over again, and engages in this endless ping-pong. Because that's a rather negative end note, one positive end note: I think in the long run, what we need is an equal level of protection.
So we need some kind of what they call a no-spy agreement, so among democratic countries, to say it depends not on your citizenship whether you fall under surveillance or not, but on your actual doing. So there's gotta be a court that reviews it, no matter if you're German, Austrian or someone else in the world, and that would allow the free flow of data again. But having this very nationalistic approach in the US of US citizen or not gets you into a lot of these troubles. Big problem: you would need the US Congress for this, and the US Congress right now cannot even pass a law. So we're waiting that hopefully happens. I ran a bit over time, but thank you nevertheless. I hope that was useful for you guys. Thank you very much.
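The speaker's "zero-knowledge" technical supplementary measure (encrypt backup data in Europe, keep the key in Europe, store only ciphertext on a US server, decrypt on return) is the one point in the talk that describes a concrete technique. The following is an added example written for this page; it is not code from the talk, from noyb or from KuppingerCole. The names EUVault and USProvider are hypothetical, the US provider is a toy in-memory store, the sample backup record is constructed, and the key is generated in memory (in practice it would sit in an EU-operated KMS or HSM). It uses Go's standard-library AES-256-GCM so that the provider gets only what it can hand over when compelled, and so that a blob swapped or altered on the provider side is rejected on decryption.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// EUVault holds the data-encryption key on the EU side. The key is generated
// and kept here and never sent to the storage provider. (Assumption for this
// example: a real deployment keeps it in an EU-operated KMS or HSM.)
type EUVault struct {
	key []byte
}

// NewEUVault generates a fresh 256-bit AES key.
func NewEUVault() (*EUVault, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return &EUVault{key: key}, nil
}

// Blob is the only thing that crosses the border: a random nonce plus the
// AES-GCM ciphertext (which carries the 16-byte authentication tag).
type Blob struct {
	Nonce      []byte
	Ciphertext []byte
}

// Seal encrypts plaintext under the EU-held key. aad is authenticated but not
// encrypted; binding the blob to its storage name this way means the provider
// cannot serve one customer's blob under another name unnoticed.
func (v *EUVault) Seal(plaintext, aad []byte) (Blob, error) {
	block, err := aes.NewCipher(v.key)
	if err != nil {
		return Blob{}, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return Blob{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Blob{}, err
	}
	return Blob{Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, plaintext, aad)}, nil
}

// Open decrypts a blob fetched back from the provider. Any change to the
// nonce, the ciphertext or the aad makes the GCM tag check fail.
func (v *EUVault) Open(b Blob, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(v.key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(b.Nonce) != gcm.NonceSize() {
		return nil, errors.New("bad nonce length")
	}
	return gcm.Open(nil, b.Nonce, b.Ciphertext, aad)
}

// USProvider models the storage service: it keeps what it is given and can
// only hand out what it holds. It never sees the key.
type USProvider struct {
	store map[string]Blob
}

func NewUSProvider() *USProvider { return &USProvider{store: map[string]Blob{}} }

func (p *USProvider) Put(name string, b Blob) { p.store[name] = b }

func (p *USProvider) Get(name string) (Blob, bool) {
	b, ok := p.store[name]
	return b, ok
}

// CanDisclose models a compelled hand-over of everything the provider stores
// and reports whether any of it contains the given bytes (plaintext or key).
func (p *USProvider) CanDisclose(secret []byte) bool {
	for _, b := range p.store {
		if bytes.Contains(b.Nonce, secret) || bytes.Contains(b.Ciphertext, secret) {
			return true
		}
	}
	return false
}

func main() {
	vault, err := NewEUVault()
	if err != nil {
		panic(err)
	}
	provider := NewUSProvider()
	record := []byte("customer:alice@example.eu;plan:gold") // constructed sample record
	name := "backup/2024-06-01.tar"

	blob, err := vault.Seal(record, []byte(name))
	if err != nil {
		panic(err)
	}
	provider.Put(name, blob)
	fmt.Println("provider can disclose plaintext:", provider.CanDisclose(record))
	fmt.Println("provider can disclose key:", provider.CanDisclose(vault.key))

	got, _ := provider.Get(name)
	back, err := vault.Open(got, []byte(name))
	if err != nil {
		panic(err)
	}
	fmt.Println("EU side decrypts correctly:", bytes.Equal(back, record))
}
```

What this does and does not buy you: the provider can hand over blob names, sizes, upload and download timing and the identity of the uploading account, but not content or key; the property collapses the moment the key or decrypted data touches a system the US recipient controls (a US-managed KMS, a US-hosted decryption service), and it only fits data the provider does not need to process, which matches the speaker's backup-only framing.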