Google: data-controller responsible for personal data in their index


The long awaited decision in the so called “Google Spain” (CJEU case C-131/12) is in, with a smash.

The court, contrary to AG JÄÄSKINEN, considers search engines to be data controllers that process personal data in view of the Data Protection Directive 95/46/EC. As such, they are obliged to remove from the list of results displayed following a search made on the basis of a person’s name links to web pages, published by third parties and containing information relating to that person, even when its publication in itself on those pages is lawful, IF the interests of the data subject to have the result removed outweighs public interests of retaining the results. As a rule, the interests of the data subject not only override the economic interest of the operator of the search engine but also the interest of the general public in having access to that information upon a search relating to the data subject’s name.

This decision provides individuals legal means to have their data removed from search engines. It does not create a blanket order and takedown right (or obligation for search engines to take dawn data) because the search engine will have still have to balance the interests. The interests of Google and the general public, however, have lost weight in this balance.

This is an important win for individuals. All is not lost for privacy.



Staying under the radar


The Observer’s John Naughton on the sobering story of Janet Vertesi‘s attempts to conceal her pregnancy from the forces of online marketers.

Even more sobering, though, are the implications of Professor Vertesi’s decision to use Tor as a way of ensuring the anonymity of her web-browsing activities. She had a perfectly reasonable reason for doing this – to ensure that, as a mother-to-be, she was not tracked and targeted by online marketers.

But we know from the Snowden disclosures and other sources that Tor users are automatically regarded with suspicion by the NSA et al on the grounds that people who do not wish to leave a digital trail are obviously up to no good. The same goes for people who encrypt their emails.

This is why the industry response to protests about tracking is so inadequate. The market will fix the problem, the companies say, because if people don’t like being tracked then they can opt not to be. But the Vertesi experiment shows that if you take measures to avoid being tracked, then you increase the probability that you will be. Which is truly Kafkaesque.

Data Retention Directive declared invalid by EU Court of Justice


On 8 April 2014, the Court of Justice of the European Union has declared the Data Retention Directive (2006/24/EC) invalid.

The Court, in a very comprehensive judgment, has ruled that the EU legislature has exceeded the limits imposed by compliance with the principle of proportionality by adopting the Data Retention Directive.
The retention of traffic data may be appropriate for attaining the objectives of fighting serious crime and terrorism, “but the wide-ranging and particularly serious interference of the directive with the fundamental rights at issue are not sufficiently circumscribed to ensure that that interference is actually limited to what is strictly necessary”.

1. The directive covers all individuals, all means of electronic communication, and all traffic data without any differentiation, limitation or exception.

2. The directive fails to lay down any objective criterion that the data can only be accessed for the intended purposes by by the competent authorities.

3. The blanket retention period (to be decided on a member state basis between 6 months and 24 months) is incompatible with the notion of data minimization (only retain what is strictly necessary).

4. There are insufficient safeguards against abuse and unlawful access to the data.

5. The directive fails to require the data to be retained within the EU, and hence effective oversight by an independent EU authority is not guaranteed.

Source Press Release no 54/14, Luxembourg, 8 April 2014

Nothing to hide


Bea Edwards for Huffington Post:

‘When we say, “I’m not a terrorist, so why should I care what the NSA does,” we’re forgetting a crucial fact: we don’t decide any longer whether we’re terrorists. Nor do we decide whether we’re going to be terrorists. Someone else does. We don’t know who those people are, or why they think that. We’ve never spoken to them, met them or seen them, nor have they spoken to us.’

So true.

Bulk collection


Ellen Nakashima for the Washington Post:

“An analysis of 225 terrorism cases inside the United States since the Sept. 11, 2001, attacks has concluded that the bulk collection of phone records by the National Security Agency “has had no discernible impact on preventing acts of terrorism.”

In the majority of cases, traditional law enforcement and investigative methods provided the tip or evidence to initiate the case, according to the study by the New America Foundation, a Washington-based nonprofit group.

No idea how credible this Foundation is though.

Insurance policy


Outgoing deputy director John C Inglis of the NSA in an interview on NPR (reported on in the Guardian), arguing strongly against curtailing the substance of domestic surveillance activities:

“I’m not going to give that insurance policy up, because it’s a necessary component to cover a seam that I can’t otherwise cover,” Inglis said.

That shows show much of what’s wrong with the NSA.

Politics decide on the limits, not the director of the NSA. A ‘careful separation of powers and iron-clad rights watched over by a vigilant public’ are what separates us from tyranny.

Facial recognition nightmare (begins)


C’net on an upcoming app for Android, iOS, and Google Glass called NameTag that will allow you to photograph strangers and find out who they are — complete with social networking and online dating profiles.

As founder Kevin Alan Tussy [li] says:

“People will soon be able to login to and choose whether or not they want their name and information displayed to others. It’s not about invading anyone’s privacy; it’s about connecting people that want to be connected. We will even allow users to have one profile that is seen during business hours and another that is only seen in social situations. NameTag can make the big, anonymous world we live in as friendly as a small town.”

Sure, just what we needed, not.

“In the US, it will also match the photo against over 450,000 entries in the National Sex Offender Registry and other criminal databases.”

Wow, that’s a relief. So it’s safe to talk to your NameTagged strangers.

Worst part, according to C’net it is opt-out.

“It’s a little unclear, but what that seems to indicate to us is that, if you want to keep your privacy — and your option to identify yourself — intact, you’ll need to create a NameTag profile — opt-out, not opt-in.”

What a surprise.

Constitution-Free Zone


Poor Americans, it gets worse than this. The American Civil Liberties Union has determined that

“that nearly 2/3 of the entire US population (197.4 million people) live within 100 miles of the US land and coastal borders. The government is assuming extraordinary powers to stop and search individuals within this zone. This is not just about the border: This ‘Constitution-Free Zone’ includes most of the nation’s largest metropolitan areas.”