EDRi co-hosts the Privacy Camp, 26 January 2016

By EDRi · February 4, 2016

In the run-up to the CPDP conference in Brussels, civil society groups met at the fifth annual Privacy Camp to exchange views and develop new strategies. This year’s conference took place under the title “The Multiple Ways of (De/Self)-Regulation: What is at stake for Human Rights?” and included various panels and speakers from around the EU and the US involved in privacy activism. For those who missed it, we’ve provided an overview of the sessions (conference programme) below.

9:30-11:00 Opening session: Lobby X-Factor

Judges: Jennifer Baker (independent EU tech journalist), Olivier Hoedemans (Corporate Europe Observatory) and Cristian Bulumac (EU Parliament, Greens/NGL). Candidates: Raegan MacDonald (Mozilla), Walter van Holst (Vrijschrift), Joe McNamee (EDRi). Moderator: Rocco Bellanova (USL-B)

Privacy Camp kicked off with the greatest game show in the world: Lobby X-Factor. Three high-powered jury members, three world-class privacy pundits, and one proposed amendment to EU law. In order to determine an undisputed champ of EU privacy lobbying, candidates were challenged to persuade the jury of a proposal: let’s force all visitors to the Middle East to wear a tracking bracelet which uploads a selfie to a law enforcement app once per day.

Our host Rocco Bellanova first introduced the jury, composed of none other than Jennifer Baker, Olivier Hoedemans and Cristian Bulumac. Not easily impressed, it was clear from the start that contestants would have to bring their A-game to convince the Eurobubble veterans.

First off was Joe McNamee, who employed a broad range of tried-and-tested lobbying tactics. From bribing his targets with chocolate and alluding to comfy career opportunities, to simply shouting the word ‘freedom’, it was clear that Joe knew all the tricks in the lobbying book.


Raegan MacDonald displayed a markedly different style which one might call the ‘classic’ lobbying approach. The audience was amazed at her effortless stroll through the Brussels Bullshit Bingo, eliciting ‘oohs’, ‘ahs’, and riotous applause with each successive reference to synergy, stakeholders, security and innovation.

Walter van Holst took a maverick approach by focusing above all on unflinching honesty. He laid himself bare, explaining how his mortgage financing troubles had left him with no loyalty other than to his employer – therefore, the ideal lobbyist.

After tallying votes from the audience and jury members, it was Joe McNamee who took home the prize. We look forward to next year’s Privacy Camp to see if anyone dare take on our champ. Following a brief award ceremony, the participants also reflected on the real-world lessons to be learned from this experience. Bulumac noted how different strategies might be needed for different ‘targets’: while Joe’s Silicon Valley rhetoric might be able to charm assistants and younger staff, he believed that Raegan’s tried-and-tested buzzwords were unbeatable when it comes to persuading MEPs themselves. Clearly, the X-Factor was not just humorous (and dare we say glamorous?), but also educational.

11:30-12:45 Safe Harbor 2.0: a stillborn project?

Moderation: Diego Naranjo (EDRi). Speakers: Gloria Gonzalez Fuster (Vrije Universiteit Brussel), Laurent Lim (CNIL) and Marc Rotenberg (EPIC).

Following a brief introduction by Diego Naranjo, Laurent Lim kicked off the discussion by describing CNIL’s activities with regard to the Safe Harbour and international data transfers since the Schrems decision. He also mentioned his personal skepticism of the Commission’s proposed reforms and the current viability of available alternatives (standard contractual clauses and binding corporate rules). Marc Rotenberg underlined Laurent’s conclusions by describing the shortcomings of US law in relation to international transfers. Gloria shared her experiences from visiting the US and the significance of the Schrems ruling in European law. After these opening remarks, the floor was opened for discussion with the audience.

Both Laurent and Marc shared the sentiment that reaching an agreement before 1 February seemed unlikely if not impossible. “It’s too late now, the clock has run out”, Marc said. “The necessary reforms won’t happen before Tuesday. I won’t even have done my laundry before then”. EDRi can’t speak to the current status of Marc’s laundry, but he and Laurent have certainly been proven right on the lack of substantive legal reform. Laurent also added that, in his personal view, following the previous three-month grace period, the question of enforcement has also become a ‘matter of credibility’ for DPAs and data protection law.

Another point of discussion was the differences in public perception between the US and the EU. Marc emphasised the converging trends in this field, debunking the conventional wisdom that Americans are freedom-oriented and Europeans are dignity-oriented. Gloria added, however, that Europeans continued to see privacy and data protection as universal rights, whereas Americans appear more amenable to exceptionalism approaches.

The panel also discussed the responsibilities and discretion of DPAs in handling complaints. From the audience, Max Schrems commented that the CJEU did not rule on this issue in his case. Marc, however, suggested that a duty to handle this complaint is implied by the logic of the judgment. While no consensus was reached on this point, it was suggested that Commission investigations might provide an impetus for more active enforcement at national level, especially in light of the hundreds of complaints launched against the Irish Data Protection Commissioner.

Finally, the issue of data localisation was raised. The panellists quickly agreed to refrain from using the unhelpful term ‘balkanisation’ and also that this trend would not in any way ‘break the internet’. Gloria noted that localisation does not generally yield concrete results for the protection of privacy, but that it can be a useful bargaining tool when negotiating with US legislators. Marc echoed this notion, stating that localisation can have a ratcheting effect on levels of privacy protection.

11:30-12:45 TTIP, TiSA, CETA and Co.: Trade agreements and digital rights

Moderation: Maryant Fernández Pérez (EDRi). Speakers: Walter van Holst (Vrijschrift), Ralf Bendrath (European Parliament, Policy Advisor), Jan-Willem Verheijden (EU Commission, Trade in Services Unit, DG Trade), Delphine Misonne (USL-B).

The panel discussed the main issues of trade agreements (in particular TTIP, TiSA, CETA) and their impact on digital rights.

Jan-Willem Verheijden, EU Commission Trade Official, opened the debate. Referring to TTIP and TiSA, he argued that they do not include the protection of personal data and do not affect data protection laws. From his point of view, the topic of data protection would not be touched by trade agreements as they deal with fundamental rights, “which are not negotiable”. On the other hand, he observed that data flows are important for the US and EU.

The second panelist was Ralf Bendrath, senior policy advisor to Jan Albrecht MEP. He observed that the protection of personal data is not a trade barrier but a fundamental freedom to be respected. Another important point raised by the MEP policy advisor was that the TiSA general exception based on Article XIV GATS offers insufficient protection for EU data protection rules. He also expressed his dislike of the “national security exceptions” provided for in TiSA. Furthermore, quoting the draft TiSA text, he wondered why the Commission chose to copy only parts of the e-Commerce Directive dealing with the topic of spam into the agreement, instead of the entire section.

Walter van Holst then took the floor and highlighted various concerns of civil society, including cryptographic standards and bans on software source code disclosure requirements, before moving on to more general issues. He questioned the validity of touching so many regulatory areas through secretly negotiated, take-it-or-leave-it trade agreements. Topics like ISDS (Investor State Dispute Settlement) and the proposed regulatory cooperation in particular touch the fundamentals of our democracies and the rule of law. When the discussion turned to the necessity of multilateral or bilateral agreements instead of the existing GATT frameworks, he pointed out that this had mostly to do with Brazil, India and China rightfully refusing to adopt US and EU-style IPR legislation from which they have nothing to gain.

The final word was given to Delphine Misonne (USL-B researcher). In relation to TTIP, she criticised the ISDS system and stressed that the perceptions of the agreements’ issues are very different on both sides of the Atlantic. Having focused her academic research on environmental law, she also underlined that, regarding TTIP, there is a lack of public debate on environmental issues.

14:00-15:30 – Litigation activism and its future

Moderation: Ulf Buermeyer (Berlin Superior Court and CIHR). Speakers: Max Schrems (Europe vs Facebook), Adrienne Charmet (LQDN), Gus Hosein (Privacy International).

The panellists’ introductory remarks focused on their respective experiences with litigation activism. Common ground soon emerged, with the speakers stressing the high workload and related costs associated with litigation, and the importance of finding lawyers willing to provide expertise to help build a case. Gus Hosein added how Privacy International had benefited greatly from the strong tradition of pro bono work in Anglo-Saxon law firms.

A central theme was the importance of communications and PR throughout the litigation process. Gus warned against ‘hollow victories’; without the support of public opinion, favourable judgments may fail to lead to needed reforms – as occurred with the ECHR’s decision on prisoner voting rights in Hirst v UK. Max was praised for his effective communications strategies such as distributing FAQs to journalists directly after the judgment – in Gus’ words: ‘simple, correct, sexy’. Max advised drafting various statements in preparation for various possible outcomes. He also added that targeting large, popular companies is helpful in generating media attention, since journalists are eager to write on such issues. Adrienne described La Quadrature’s success with amicus curiae briefs to the Conseil d’Etat, for which they had crowd-sourced comments and feedback from over 500 participants.

The discussion also turned to the United States, where NGOs appear to litigate more actively. To explain this activity, US activist Marc Rotenberg (EPIC) pointed to the beneficial cost apportionment rules in the US which allow each side to bear its own costs (as opposed to the loser pays principle common in Europe). He also stressed the efficacy of amicus curiae briefs. However, downsides of the US system included the comparative difficulty of suing companies outside of a class action context, and the distribution of class action damages to non-neutral NGOs under the cy-près doctrine.

Other themes throughout the panel included the difficulty of finding lawyers trained in privacy and data protection law (and who don’t work ‘for the other side’); the balance between litigation before national courts and European courts; and the advantages brought by the General Data Protection Regulation regarding damage rules, collective redress and direct access to the CJEU.

The panel also discussed possible next steps in strengthening European litigation activism. They stressed the importance of international exchange and communication and combining resources from various actors. This could include technical expertise from the hacker community, litigation experience from professional lawyers, specialist legal knowledge from privacy activists and the financial means of larger NGOs such as consumer organisations. The need for a coordinating hub or network at European level was mentioned repeatedly. At these points, many eyes turned towards EDRi’s representatives in the room, although it was also acknowledged that these activities would involve a serious workload and require serious investments.

14:00-15:30 – Technology, regulation,…: What response to mass surveillance? (privacy by design & by default, obfuscation)

Moderation: Rocco Bellanova (USL-B and PRIO). Speakers: Eleanor Saitta (OpenITP and IMMI), Jérémie Zimmermann (La Quadrature du Net), Julia Powles (University of Cambridge and the Guardian).

The afternoon panel focused on mass surveillance and the possible responses to it. Eleanor Saitta spoke first. She argued that regulation is a key instrument and a cost driver (in other words, it can make surveillance more expensive) as it can lead companies towards different business models. Regulation is also important for innovation, and has a very critical role in preserving our freedom to build solutions that prevail over surveillance. In this sense, regulation is a tool that could be useful, as it gets the market to build infrastructures. Julia Powles (the Guardian and University of Cambridge) agreed on this point, as to her it is really important that regulation could lead the way to technology.

Jérémie Zimmermann intervened in the discussion. In his opinion, the topic of mass surveillance represents a collective failure. The first failure is that, two years after Snowden’s revelations, no one had dared to bring legal action against the Safe Harbour agreement (only a student had this idea). A second failure is the battle to convince people inside and outside the institutions that privacy matters: “we may somehow give up on this elaborate bourgeois problem” and try to elaborate different communication strategies. We should pay attention to the concept of intimacy, which is different from the concept of privacy. Building on this, another failure enumerated by Jérémie Zimmermann was the fact that privacy campaigns did not reach the public in an extensive manner. Talking about regulation and technology is not sufficient, and a more cultural approach would be needed.

16:00-17:30 – Closing Session: New surveillance laws in the wake of Charlie Hebdo and 13/11

Moderation: Estelle Massé (Access). Speakers: Ton Siedsma (Bits of Freedom), Jim Killock (Open Rights Group), Anna Biselli (Digitale Gesellschaft), Agnès de Cornulier (La Quadrature), Jesper Lund (IT-Pol).

The closing session aimed to create a dialogue on new surveillance laws in the wake of the Charlie Hebdo and 13/11 events. The panel gathered NGO representatives from Bits of Freedom, Open Rights Group, Digitale Gesellschaft, La Quadrature, and IT-Pol. With this composition, the panel was intended for NGOs to share their views on possible next steps for joint campaigning on the issue of mass surveillance.

Agnès de Cornulier, representative of the French association La Quadrature du Net, took the floor first. She explained how 2015 was a black year for freedoms in France: many security measures were enacted, and the state of emergency has been unreasonably prolonged. Particularly, Agnès focused on the proposed bill on the state of emergency, expressing her concerns regarding measures for police searches of electronic devices, Internet censorship and freedom of association.

Ton Siedsma then explained the current situation in the Netherlands, following Minister Ronald Plasterk’s proposal amending the Dutch Intelligence and Security Act of 2002. He also pointed out that Bits of Freedom created an online consultation tool in order to help citizens respond to the public consultation on the security bill.

Jesper Lund spoke about the mass surveillance situation in Denmark, referring in particular to the Danish anti-terror proposal issued on 19 February 2015 and the new Danish PNR proposal.

The situation in Germany was covered by Anna Biselli, from Digitale Gesellschaft. First, she talked about the German political situation that led to the data retention bill proposal in June 2015. Secondly, she added that new draft legislation on public secret services should be announced in the first days of February 2016. Digitale Gesellschaft is waiting for it in order to analyse its contents.

(Contribution by Elisabetta Biasin and Paddy Leersen, EDRi interns)