Trump’s PCLOB Purge Risks Banning Meta, ExTwitter, Google, And Even Truth Social From Europe

from the whoops! dept

In his latest “drain the swamp” move that will actually flood the entire ecosystem, Trump demanded the Democratic members of the Privacy and Civil Liberties Oversight Board (PCLOB) resign immediately. This may sound like just more petty partisan BS, but it could have huge unintended consequences, including for Trump’s own companies.
Sometimes it helps to actually understand how government works before going in and smashing things.
One of the long list of nutty moves by the new Trump administration last week was to demand that the three Democratic-appointed members of the Privacy and Civil Liberties Oversight Board (PCLOB) resign by the end of the day. As far as I can tell, none of them have actually done so, but I imagine their tenure is not likely to last much longer.
Without the PCLOB providing a veneer of oversight on US surveillance, the entire EU-US data sharing framework could collapse, effectively banning Facebook, Instagram, ExTwitter, YouTube, and other US-based services (including Truth Social) from having any European users. Oops.
While this could be seen as yet another version of Trump’s dissolving of various advisory boards (including the one investigating the massive Chinese Salt Typhoon hack), there’s a potentially much bigger impact here, which could do serious damage to a ton of American internet companies, including those of the tech oligarchs who lined up behind Trump on inauguration day.
That’s because the PCLOB is written directly into a US/EU agreement that acts as a key check on US government surveillance to ensure European citizens’ data is adequately protected when transferred to the US. Without this, the EU may find the framework fails to meet its privacy standards, and thus bar American internet companies from allowing anyone in the EU to access them.
And, yes, there’s some irony here, given the whole TikTok ban nonsense. The US justified that ban on the claim that the Chinese government could demand access to the data of US users of TikTok. This is the same thing in reverse: the EU can now effectively ban US internet companies by noting that the US government can demand access to the data of EU users on those platforms.
In the past, the US might have had a moral high ground to push back on this. But after the TikTok ban, they no longer do.
To understand the details, though, involves understanding some wonky policy that often puts most people to sleep. But stick with it.
First, there’s the PCLOB itself. It was first set up in 2006 (and reconstituted by Congress as an independent agency in 2007) as a supposedly independent effort to oversee government activities that might violate civil liberties, in particular efforts by law enforcement and the intelligence community to spy on Americans. Basically every president since its creation has hated that it exists. Even though it dates back to 2006, the independent board wasn’t actually staffed until 2012 (yes, Obama went four years without filling it).
For a short time, it actually did some good work pointing out how the programs exposed by Ed Snowden appeared to be both illegal and unconstitutional.
Of course, soon after that, Congress focused on undermining the PCLOB as punishment for daring to point out the problems of US surveillance programs. By the time the Trump administration came around, the Board was already effectively dead. Trump did actually appoint some members to the board last time around. But now he’s demanding all of them but one resign.
Here’s the other part of the history that’s important: the ability of US internet companies to have EU users literally depends on the existence of this board. For well over a decade, there’s been a very important, but little followed, fight between the US and the EU over “trans-Atlantic data flows,” meaning US companies collecting and processing data on EU users.
The US and the EU first negotiated a “privacy safe harbor,” under which US companies self-certified to the Commerce Department that they “protected” EU data properly. In the wake of the Snowden revelations, EU privacy advocate Max Schrems challenged the Safe Harbor as a fig leaf that did not actually meet EU privacy requirements, and the Court of Justice of the European Union agreed, throwing out the Safe Harbor in 2015.
The US and EU negotiated for a while and came up with a new plan, called the “Privacy Shield” rather than Safe Harbor, though it appeared to fix none of the actual problems of the Safe Harbor. It took a few years, but in 2020 the Court of Justice again found the Privacy Shield insufficient, in another case brought by Schrems.
Once again, the US and EU negotiated and once again, rather than doing the main thing that would fix the problem (limiting NSA surveillance authorities), the US and EU came to a new agreement called the “Data Privacy Framework.”
Meta, for one, celebrated this agreement in 2023, noting that it was necessary to “continue providing our services in Europe.” It’s not clear if ExTwitter or Truth Social were even aware that this happened, but it was important to both of them as well. I will note that X is listed as being certified under the Framework on the Data Privacy Framework site.
I don’t see Truth Social on the list, though it’s possible it’s registered under another name.
So, here’s where the rubber meets the road: the key part of the Data Privacy Framework that made it more acceptable than the earlier Safe Harbor or the Privacy Shield… was that it relied on the PCLOB to step in and make sure that there was oversight of US government surveillance programs, to make sure they did not violate specific privacy rights of Europeans.
The agreement directly calls out the important role of the PCLOB:
Without that oversight prong, it’s quite reasonable to argue that the Data Privacy Framework no longer meets the conditions on which the EU’s adequacy decision rests.
And that could mean that EU data protection regulators could soon step in and block data transfers of EU users to US servers, effectively blocking EU users from using any of these American services. EU privacy folks are well aware.
Max Schrems, who brought the cases that killed both the privacy safe harbor and the Privacy Shield, put out a statement about this as well.
Schrems notes that companies can still rely on the DPF framework until it is officially annulled, but that could happen relatively soon.
Ironically, Trump’s own Truth Social could be one of the casualties if the EU decides to pull the plug on data transfers. Without a PCLOB rubber stamp, Truth Social may find itself locked out of the European market entirely. And while that might not matter too much to Trump, I would imagine the same thing matters quite a bit to “First Buddy” Elon Musk, whose ExTwitter has been losing tons of users and really needs EU users.
In other words, Trump’s reckless move threatens to cut off American tech giants from one of their most important markets, in a misguided attempt to avoid basic oversight and accountability.
So, yeah, for all of Zuckerberg sucking up to Trump, it may lead to losing EU users on Facebook, Instagram and WhatsApp. What good is self-removing your own spine to suck up to an ignorant authoritarian, when that authoritarian’s bull in a china shop approach to governing might just wipe out one of your largest markets?

from the stay-tuned-for-the-Supreme-Court-flip dept

It’s a grind. But it’s been worth it. Last week, the court that’s been handling Agron Hasbajrami’s case for nearly a decade finally said what plenty of people have been saying for nearly as long: the FBI’s warrantless searches of NSA collections to target US persons’ communications and data violate the Constitution. Here’s Andrew Crocker and Matthew Guariglia of the EFF, detailing the lengthy background of this case (and this win) in a couple of concise paragraphs:
It’s been five years since the Second Circuit Court of Appeals ruled — albeit not all that convincingly — that some backdoor searches of Section 702 collections might violate the Fourth Amendment. Five years later, the lower court has applied this limited guidance to arrive at the conclusion [PDF] the Appeals Court strongly hinted at: backdoor searches targeting US persons require a warrant.
The court says none of the warrant exceptions apply to backdoor searches, at least not in this case. And the government cannot dodge the warrant requirement by claiming that the FBI’s queries aren’t a separate search simply because all the FBI searches is data and communications already obtained by another government agency, the NSA.
The FBI also cannot use built-in procedures meant to minimize interception of US persons’ communications as a justification for warrantless searches. That the NSA has to examine its collections to minimize stockpiles of US persons’ data doesn’t mean it’s ok for the FBI to do basically the same thing, but with the explicit intent of warrantlessly accessing US persons’ information.
The minimization procedures are there to limit incidental collection of domestic communications. That alone strongly suggests the NSA cares more about the Fourth Amendment than the FBI does. That the FBI has decided to twist these protections into something it can use to avoid seeking warrants just makes it all the more obvious why warrants should be required for these searches.
And if that’s not convincing enough, there’s this bit of bench-slapping:
If you can’t see the embed, it’s two fully redacted paragraphs that close with this sentence:
Yes, there’s a lot that’s been redacted, but the end result is out there in plain English, free of redactions: the FBI needs warrants to search Section 702 collections. The good faith exception applies to this case, which means the ruling won’t do much for the defendant, who was arrested in 2011 for alleged material support for terrorism. But the warrant requirement does apply going forward, for the time being. The government will certainly appeal this ruling. And it might take an act of Congress to actually make the warrant requirement permanent. Even if this turns out to be temporary, it’s still significant. And hopefully the law laid down here will be utilized by others facing similar circumstances.

from the new-front dept

As you may have noticed, the tech world is full of news about TikTok, its ban, its reprieve and possible sale, and whether it represents a security threat to the US and its citizens. Of course, the question of whether TikTok is spying on its users and sending data back to China is broader than that. It can also be asked of the other rising Chinese tech companies, and not just in the US, but globally. That includes the EU, which has famously strict laws aiming to protect citizens’ personal data. So it was probably inevitable that complaints under the EU’s General Data Protection Regulation (GDPR) would be filed against Chinese companies. And it was probably inevitable that the person and organization to do so would be Max Schrems and his noyb.eu team, who have weaponized the GDPR with huge success. Here’s their latest move, which is a significant one:
The post on the noyb.eu site explains what Chinese companies need to do in order to make legal transfers of personal data from the EU:
It was the lack of an “adequacy decision” at the time that caught out the European Commission itself when it transferred EU personal data to the US, discussed in a recent Techdirt post. Alongside what noyb.eu calls “High risk of data access by [Chinese] authorities”, there is also the fact that it is almost impossible for foreign users to exercise their rights under Chinese data protection law. That law may exist, but:
The final ground for noyb.eu’s complaint flows from a rather quixotic attempt to get Chinese tech companies to explain what happens to the personal data of EU citizens:
That’s hardly a surprise, but it does provide another ground for asking data protection authorities in five EU countries — Austria, Belgium, Greece, Italy and the Netherlands — to order the immediate suspension of data transfer to China by the tech companies involved. And then there is the matter of the fines that can be imposed under the GDPR:
As noyb.eu puts it, “the rise of Chinese apps opens a new front for EU data protection law,” one that is likely to assume ever-greater importance as Chinese tech companies achieve growing success in global markets. Alongside the political battles in the US, this latest GDPR complaint by Schrems and his team is likely to be a key development in the privacy and tech worlds.
Follow me @glynmoody on Bluesky and on Mastodon.