What do Snowden, Schrems and the end of Safe Harbour have in common? A tale of international espionage, blogging and data protection
The reason for the lack of blog posts on this blog since 9th November 2015 is a bit of a saga involving international espionage, the whistleblower Snowden and a legal case.
Five years ago when this blog was started in October 2010, it was set up as a free blog and hosted by an American company in America that runs WordPress called Automattic Inc. At this point in time in 2010 that was the best place to have it.
UK libel law at the time meant that it was better to have it hosted in a country with better protections for freedom of speech; however, since 2010 libel laws have changed here.
Blogs process some personal information (for example if somebody leaves their name and email address to write a comment or for other reasons).
In order to protect the privacy of EU citizens, this data was covered by an international agreement between the EU and the American companies called the Safe Harbour Decision. Back in 2000 the European Commission had agreed that this meant that the United States’ principles complied with European Union law on this matter and the relevant EU directive.
However, then Snowden blew the whistle and the public and media became aware of the activities of the US intelligence community. An Austrian citizen called Maximilian Schrems was concerned about the activities of Facebook and, as Facebook’s European headquarters is across the Irish Sea in Ireland, complained to the Irish equivalent of what is in the UK called the Information Commissioner’s Office.
In his complaint he stated "in the light of the revelations made in 2013 by Edward Snowden concerning the activities of the United States intelligence services (in particular the National Security Agency (‘the NSA’)), the law and practice of the United States do not offer sufficient protection against surveillance by the public authorities".
The Irish Data Protection Commissioner responded to Schrems by (and I’m summarising here) rejecting his complaint in part because of the Safe Harbour agreement. Schrems asked the Irish court to review whether the Irish Data Protection Commissioner’s response to his complaint had been legal. However as the Safe Harbour decision had been made at the European level, it was referred to the European Court of Justice to decide.
The European Court of Justice agreed with Schrems and found the Safe Harbour agreement was invalid. The various European data protection authorities (such as the Information Commissioner’s Office here in the UK) have given organisations affected a grace period before the possibility of enforcement action.
In the UK this grace period runs to the end of January 2016 and so organisations affected can deal with the implications.
Although some of what Schrems complained about (for example no legal right for EU citizens in America to sue the Americans for unlawful disclosure of personal information) is being addressed by a law going through the American political system called the Judicial Redress Act 2015 and there is hope in some quarters that there may be a successor to the Safe Harbour agreement, what will happen next is rather unclear.
As data protection lead, my considered opinion was this. Since the Schrems case rendered the Safe Harbour agreement invalid, the only option I was looking at that didn’t involve having a crystal ball involved switching where this blog is hosted from America to within the European Union.
Last year this blog made more money in advertising than its running costs (unusual for a blog, I know) and just under a month ago I had paid £68 to Automattic Inc for an extra 10 gigabytes of space so I could write some "big data" journalism stories, as previously there was a 3 gigabyte cap.
As a result of the Schrems decision that £68 has been refunded, but the files used over the 3 gigabyte cap had to be transferred to the new host for the blog.
The comments and posts also had to be transferred over. As there were five years’ worth of these, for some reason the transfer process didn’t work doing it all in one go, so I had to do it in five files of about a year at a time.
The internal links to the old blog before I registered the johnbrace.com domain name in 2012 I also updated manually.
Then I had to make sure the blog at its new host was compliant with another piece of EU legislation (hence the picture above of the Cookie Monster from the American TV show Sesame Street) that got transposed into UK law that referred to cookies.
So, that’s why there haven’t been any blog posts for a while, because my time has been occupied dealing with compliance issues.
Next on my list of things to do as part of this project will be setting up email addresses for this blog (that is email addresses in the format @johnbrace.com).
Ultimately it’s considered best practice for a blog to be hosted (that is where it is physically based in the world) as near as possible to most of its users. For example another website I run that caters to a North American audience is hosted in Canada (thankfully unaffected by the Safe Harbour agreement).
As you’d expect from a hyperlocal blog, 91% of the visitors to this blog are from the United Kingdom. It therefore makes sense for it to be hosted in the UK as it will now in theory be quicker for those visiting it from the UK.
So hopefully this gives an explanation as to why I haven’t been writing as much. There is still ~3Gb of data to transfer, email addresses to set up etc. I may take a break in updating this blog over Christmas 2015 and do that in the holidays.
So what’s the Wirral Council angle to all this? It boils down to my attitude towards the "rule of law". As an investigative journalist I often write about the public sector’s non-compliance with legislation.
However there’s an unwritten rule I’ve had in force since 2012 (that although if I did I could use internal resources to do so which seem to match those of say a local council) that I don’t go down the Schrems route and start challenging the decisions of public sector bodies through the courts.
Ultimately I’m one for political solutions rather than legal ones. Writing about a public sector body not complying with the law is one thing, but (don’t try to laugh too hard at this point) I’ve developed a policy of generally not interfering in the internal affairs of the public sector here.
The public sector as a result don’t interfere in my life much* (*to give one example telling Biffa to stop collecting the rubbish each week).
My job is to report on matters. I haven’t been a member of a political party for three years and I believe to do so would damage my independence considering my day job.
My role now is not political activism or to overthrow governments (yes, I did a fair bit of that in my more radical youth, peacefully I might point out, through the ballot box and political means), but to just do my job.
Ten years ago I went for a long walk from South Fulton, Georgia, across the state line to South Fulton, Tennessee and had a long think about what I wanted to do with my life. Many of the people I’d grown up with on the Wirral (the very people who if they’d stayed could have made it a much better place) had left the Wirral and for various reasons (for example career) lived elsewhere.
I knew at the time Merseyside had problems* (*yes an understatement but this was before the 2008 financial crash) and I made a choice then that altered the course of my life over the last ten years. I decided that morally from an ethical perspective that I should return and do my best to make the world a slightly better place, rather than do what many of the people I’d grown up with do and leave.
Just like Schrems was influenced in his lawsuit by time spent working in America, the time I spent in America probably influenced me in the battles I’ve had over the past few years over the issue of filming public meetings.
Freedom of speech and the diversity of media that exists in the UK are a precious matter. This blog for example allows for political speech and discourse to happen. Without such a pressure valve for society, so people can express their opinion, very bad things would happen.
Part of my formal university education (something I don’t often refer to on this blog and my days in student union politics) was about terrorism, counter-terrorism, political struggles etc and I’m sure no-one following the news will be unaware of the recent sad events that happened in France.
International politics (although I could probably write another few thousand words on the subject) is probably a little beyond the scope of this blog post. Ultimately some local politicians here on Merseyside can at times be parochial in their outlook.
I however have to take a global perspective on matters. Blogging is not just about the person writing the blog, but the community that reads the blog. Although I’m under no obligation to be open and transparent about such matters I feel considering the rumours that start going round when I stop blogging for a bit it was better to set the record straight.
I will end by making a point that’ll probably only make sense to data protection professionals or those with an interest in this area. There are protections written into the data protection legislation to cover journalism. Ultimately the 8th data protection principle which states "Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data" doesn’t apply to journalism.
However the seventh data protection principle does apply which states "Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data".
There’s nothing I can do really to prevent the intelligence community taking an interest in this blog. In turn the intelligence community would argue and have argued that what they do is lawful. Even if this blog is hosted in the UK, GCHQ (Government Communications Headquarters) could quite happily spy on it without me knowing. Under the Five Eyes intelligence sharing agreement they could share this signals intelligence with other countries such as the NSA in America. So just be aware of what you put online as privacy died a death a long time ago. It is a trivial matter for the intelligence community to access the deep web (for example email accounts and parts of websites that aren’t available to the public).
There are also plenty of companies that for public relations purposes monitor blogs and social media. Despite the current concerns over the relatively minor costs to the public sector in responding to FOI (Freedom of Information) requests, untold £millions of your money is spent by the UK public sector on public relations. Plenty of parts of the public sector (even locally here on Merseyside) have commercial subscriptions to such services to find out what is being written about them. For every one John Brace there are an estimated four to five people working in public relations.
I exist in a world of embarrassing information that powerful people and organisations would probably prefer me not to publish. So apologies for the lack of responses to comments and emails over the last fortnight.
I will finish my last sentence with a bit of free public relations advice (unlike the public sector who pays £650+VAT for this sort of advice), never cheese off the press.