Privacy & Compliance Laws Imminent. Are you ready?

As reported by Access Policy, the U.S. Senate is poised to vote on the Cybersecurity Information Sharing Act (CISA), a privacy-invading surveillance bill masquerading as a cybersecurity bill. While there are many, many problems with this legislation, one of the most egregious is how it relates to the recent European court decision on “Safe Harbor” — and how it enables the collection of even more of our private data.


Recently, as reported in the National Law Review, the Court of Justice of the European Union (CJEU) gave an important ruling which any business transferring personal data between the EU and the United States should know about — in particular those that make use of the “Safe Harbor” scheme for data transfer.

What is CISA?

CISA is a piece of legislation that is currently being debated in the U.S. Congress and is being rushed to a vote. As reported by the Sunlight Foundation, when someone shows up with a bill that promises to help secure America’s online infrastructure, it sounds like something we can all get behind.

That was the idea behind the Cybersecurity Information Sharing Act of 2015 (CISA), but there are colossal problems with this bill, including significant issues with accountability and transparency.


CISA’s architects wanted it to be immune to FOIA, so it also adds a whole new exemption — the 10th in total — to FOIA. The unintended consequences of this would be enormous. Each of the nine current exemptions has enormous case law surrounding it, has been interpreted differently over time, and not a single one applies specifically to only one bill. They describe whole classes of information — trade secrets or national security information — not just “information shared with or provided to the Federal Government pursuant to the Cybersecurity Information Sharing Act of 2015,” like CISA does. That’s bad practice, unpredictable and sets a terrible precedent.

What is Safe Harbor?

Data protection standards vary across the world, and historically US law has not provided the same level of protection for personal data as exists in the EU. As a result, European data protection laws have typically required parties transferring data from the EU to the United States to obtain informed consent to the transfer of data and/or take purposive steps to safeguard it to European standards.

The ruling by the CJEU has far-reaching consequences, since the Charter of Fundamental Human Rights is anchored in the Lisbon Treaty. This means the rulings are legally binding and can’t be circumvented by new treaties, as reported by Glyn Moody, quoting Steve Peers from his detailed analysis of the legal implications.


The Safe Harbor scheme was one way in which data could be lawfully transferred to the United States. It was set up in 2000 by a European Commission finding that adequate protection for personal data would be provided by US undertakings that self-certified their adherence to a set of rules known as the Safe Harbor principles.

What’s happened with Safe Harbor?

In the case of Schrems v Data Protection Commissioner, the CJEU has now decided that Safe Harbor is not, in fact, safe enough. In particular, the CJEU found that the Commission’s decision establishing the Safe Harbor scheme was flawed, and is therefore invalid.
More generally, the CJEU also confirmed that a Commission decision that a third country ensures an adequate level of protection for an individual’s personal data and related rights does not stop either (i) an individual bringing a claim in relation to the transfer of his personal data to that country; or (ii) a national data protection authority from investigating his complaint.

What’s happening with CISA?

As reported this week by Marcy Wheeler, in the latest round of debates, Senator Richard Burr (Chairman of the U.S. Senate Intelligence Committee) did some significant goalpost moving. Whereas in the past he had suggested that CISA might have prevented the Office of Public Management hack, on 20 Oct he suggested CISA would limit how much data got stolen in a series of hacks. His claim is still false (in almost all the hacks he discussed, the attack vector was already known, but knowing it did nothing to prevent the continued hack).


Burr also likened this bill to a neighborhood watch, where everyone in the neighborhood looks out for the entire neighborhood. He neglected to mention that that neighborhood watch would also include that nosy granny type who reports every brown person in the neighborhood, and features self-defense just like George Zimmerman’s neighborhood watch concept does. Worse, Burr suggested that those not participating in his neighborhood watch had no protection, effectively suggesting that some of the companies best at securing themselves — like Google — were not protecting customers. Burr even suggested he didn’t know anything about the companies that oppose the bill, which is funny, because Twitter opposes the bill, and Burr has a Twitter account.

Feinstein (Senator Dianne Feinstein, the Vice Chair of the Senate Intelligence Committee) was worse. She mentioned the OPM hack and then really suggested that a series of other hacks — including both the Sony hack and the DDoS attacks on online banking sites that stole no data! — were worse than the OPM hack.

Yes, the Vice Chair of SSCI really did say that the OPM hack was less serious than a bunch of other hacks that didn’t affect the national security of this country. Which, if I were one of the 21 million people whose security clearance data had been compromised, would make me very, very furious.

Where do Tech Companies Stand?

As reported by The Guardian, twenty-two of the world’s top technology companies are firmly against the controversial Cybersecurity Information Sharing Act (CISA) now on the floor of the Senate, according to a new poll by internet activists Fight for the Future.

The poll lists Apple, Google, Twitter and Wikipedia as opposing the legislation, while Comcast, HP, Cisco and Verizon are among the 12 companies who back or have remained silent on the bill. CISA is aimed at tightening online security but has been criticised as infringing on civil liberties and privacy.


The bill would allow private industry to share user information with the Department of Homeland Security, which would be compelled to share it across “relevant government agencies”, presumably including the Federal Bureau of Investigation (FBI) and the National Security Agency (NSA). The bill has been touted by its supporters, notably the US Chamber of Commerce, as entirely voluntary, but in fact, as Wired points out, other such “voluntary” programs mandate the kind of data reported and the frequency of the reports.

Restrictions on the kinds of data private industry can compile from customers are significantly more lax than those within the government itself, and the granular levels of detail businesses could offer the government about user behavior – which are currently used primarily for advertising – have become a heated topic of debate.


Apple in particular came out swinging against the bill on Tuesday evening, issuing a statement saying that it did not support “the current CISA proposal,” to the Washington Post. “The trust of our customers means everything to us and we don’t believe security should come at the expense of their privacy.”

Fight for the Future’s list doesn’t just cover CISA; the group also breaks down industry support for the NSA-backed plan to insert “back doors” into cryptography and whether respondents support reform of the Electronic Communications Privacy Act, or ECPA (Reagan-era legislation which allows law enforcement to request all electronic messages older than six months by serving the provider with a subpoena, rather than a search warrant).


What Steps Can Be Taken?

In the United States, Congress has alternative legislation that would be better for privacy and better for security. To start, the Senate should approve the Judicial Redress Act, already approved by the House of Representatives. The bill would extend a limited set of privacy protections to individuals from certified countries (including, presumably, E.U. Member States). It would grant limited rights to non-U.S. citizens in cases when their personal information transferred for law enforcement purposes has been misused under certain sections of the U.S. Privacy Act of 1974. However, the bill does not allow people to initiate legal claims against companies for privacy breaches that take place in the U.S. With large exceptions and limited geographic reach, this bill would be just a first step in protecting the rights of non-U.S. persons.

Congress should also reform FISA Amendments Act Section 702, which is set to sunset at the end of 2017, to bring elements of the National Security Agency’s spying in line with international human rights standards. The CJEU based its decision on two programs operated under 702 — PRISM and Upstream — which most egregiously affect non-U.S. persons. The NSA uses PRISM to obtain internet communications from U.S. tech companies and Upstream to query data entering the U.S. through fiber optic cables. In addition, we need substantial reform and declassification of Executive Order 12333, a secret law that authorizes the NSA to collect and store all communications — content as well as metadata — provided that such collection occurs outside the United States.


What suggestions do you have to counter the legal Cyber Fail Chain?