Legal spears fly at Privacy Shield

Police Scotland is investigating the implications of the end of Safe Harbour. Service providers must comply with UK law, regardless of where they are based

Privacy Shield, the European Commission’s proposed replacement for the illegal Safe Harbour agreement governing personal data transfers to the US, is facing serious legal threats even before it is ratified by the European Parliament.

Police Scotland, the country’s national police force, has issued a statement saying it is looking at the European Court judgement, following a case brought by Austrian student Max Schrems, which struck down Safe Harbour.

Det Supt Brenda Smith, the officer in charge of matters relating to data protection for Police Scotland, told Computer Weekly: “We are fully aware of the European judgement in relation to case C362/14 Maximillian Schrems v Data Protection Commissioner, and it is our expectation that multinational service providers operating in the UK act in accordance with UK laws, including the Regulation of Investigatory Powers Act 2000.

“Their obligations are set out in the Data Retention and Investigatory Powers Act 2014 (DRIPA), which makes clear that anyone providing a communications service for customers in the UK, regardless of where that service is provided from, should comply with lawful requests made under the Regulation of Investigatory Powers Act 2000.”

This reflects the opinion given to prime minister David Cameron in 2014 by Sir Anthony May, then investigatory powers commissioner, that “Section 1(1) of RIPA makes it an offence for a person intentionally and without lawful authority to intercept at any place in the UK, any communication in the course of transmission by means of a public postal service or public telecommunications system”.

The EC statement on Privacy Shield refers to the Schrems judgement, but does not mention why the judgement struck down the Safe Harbour agreement. In its findings of fact for the European Court, which form part of the judgement, the Irish High Court found that the US was engaged in “indiscriminate mass surveillance” using PRISM, a programme run for the US National Security Agency in Europe by a number of the internet giants.

The companies identified in the European Court’s finding of facts are Apple, Microsoft (including Hotmail), Google, Facebook, Yahoo, Youtube, Pal Talk, AOL and Skype.

The orders given to these companies are to obtain their clients’ “email, chat, video and voice, videos, photos, stored data, VoIP, file transfers, video conferencing, notification of target activity, logins, online social networking details, special requests”.

As Sir Anthony May pointed out, the first of these, the interception of emails, is a criminal offence.

May’s second opinion to the prime minister covers all the rest of the activities demanded of the companies by the US spooks, and was that “unjustified and disproportionate invasion of privacy by a public authority in the UK would breach Article 8 of the European Convention of Human Rights just as much here as in other parts of the European Union”.

Although they are not public authorities, the internet companies are bound by the Data Protection Act, which would prohibit all of the data theft involved.

Police Scotland’s approach mirrors remarks given to Computer Weekly in 2014 by GCHQ, which stated: “It is expected that all multinational firms operating in the UK act in accordance with our laws, including RIPA. The Data Retention and Investigatory Powers Act 2014 makes clear that those companies that provide communications services to British users have an obligation to comply with our legislation. We expect all communication service providers to now comply with the law.”

This focus on the criminal aspects of PRISM, which are completely ignored by the EC, augurs badly for the proposed agreement. It also implies serious strains between the US and the UK over the matter.