ORG policy update/2015-w49

This is ORG's Policy Update for the week beginning 30/11/2015

If you are reading this online, you can also subscribe to the email version.

National developments

GCHQ accused of unlawful hacking

GCHQ has appeared before the Investigatory Powers Tribunal accused of widespread unlawful hacking activities, known as "Computer Network Exploitation" (CNE). The legal complaint was brought by Privacy International and seven Internet service and communications providers, who argue that the hacking is unlawful under Articles 8 and 10 of the European Convention on Human Rights. A ruling has not yet been made as the hearing is ongoing.

GCHQ has admitted for the first time that it carries out CNE, having previously refused to confirm or deny such activity. Documents released to the Tribunal also reveal that the Commissioner of the Intelligence Services had concerns about the breadth and legal basis of "thematic warrants", which provide authorisation for generalised categories of people or places, and that most overseas CNE activities are not signed off on an individual basis by the Secretary of State.

The Government recently published the draft Investigatory Powers Bill, which is currently undergoing pre-legislative scrutiny. The draft Bill includes provisions to strengthen the statutory basis for CNE.

Joint Committee on draft IPB hear evidence

The Joint Select Committee tasked with the pre-legislative scrutiny of the draft Investigatory Powers Bill has heard evidence from Government and law enforcement agencies and from commissioners and report authors this week. The evidence sessions can be viewed online.

Two further sessions will take place next week, with ORG and several other civil society organisations acting as witnesses on Wednesday 9 December.

The Joint Committee is accepting written submissions on the draft Bill until 21 December. The Committee is focusing on whether the powers being sought are legal, necessary, workable, carefully defined and sufficiently supervised. It also has specific questions regarding interception, communications data, data retention, equipment interference, bulk personal data and oversight. Submissions can be made online.

Europe

Agreement reached on EU PNR scheme

The European Commission and the European Parliament have reached an agreement on the proposed EU Passenger Name Record (PNR) scheme after trilogue negotiations. PNRs are used for operational purposes by the travel industry to manage reservations and therefore hold sensitive personal data. PNR schemes operate by profiling and categorising passengers before travel in order to assess risk. The EU PNR scheme plans to collect data for all passengers travelling by air through EU member states. Negotiations have been problematic, however: discussions started in 2007 and stalled, with the issue resurfacing in early 2015.

MEP Timothy Kirkhope, who had been leading negotiations, had said that he expected a deal addressing Parliament's concerns about the scheme to be struck by the end of the year. The Council accepted the compromise proposal which includes intra-EU flights in the scheme and sets the data retention period for unmasked data at 6 months. The proposal will now go to the LIBE Committee to vote on, with a draft directive being voted on by the European Parliament early next year.

MEPs granted access to confidential TTIP documents

An agreement has been made with the European Commission to allow members of the European Parliament to have access to all confidential documents about the Transatlantic Trade and Investment Partnership (TTIP) trade agreement negotiations between the EU and the US. The negotiations have been widely criticised for a lack of transparency that has hindered democratic scrutiny of the deal. The agreement will provide secure access to the full "consolidated texts" outlining the position of the US. While previous steps have been taken to improve transparency, this is the first time these confidential documents will be widely accessible to MEPs.

Schrems submits privacy complaints against Facebook in three member states

Privacy activist Max Schrems has filed complaints with the data protection authorities in Ireland, Belgium and Germany. He argues that they should ban Facebook from transferring data to the US as the company does not request consent for such transfers and cannot safeguard the privacy of EU citizens' data against US government surveillance.

This follows the CJEU Safe Harbor judgment in October, which ruled that the EU-US data transfer agreement was invalid. That judgment was itself a result of Schrems's earlier complaint to the Irish DPA about Facebook's data transfer procedures.

International

NSA ends bulk phone data collection programme

The NSA's programme to collect bulk metadata about telephone calls has ended. It was declared unlawful by a court in May 2015 and the NSA were ordered to end the activity by the USA Freedom Act, with a deadline of 29 November 2015. The NSA must now request telecommunications data on an individual basis from telecommunications service providers.

This contrasts with the approach of the UK Government, whose recently published draft Investigatory Powers Bill has extensive provisions to allow the intelligence and security agencies to continue collecting bulk datasets.

ORG Media coverage

See ORG Press Coverage for full details.

2015-12-02 – International Business Times - Google accused of 'spying on students' by privacy pressure group
Author: Anthony Cuthbertson
Summary: Jim Killock quoted on the collection of data from educational devices and tools given to children at school.

ORG Contact Details

Staff page