EUROPEAN UNION COMMITTEE HOME AFFAIRS, HEALTH AND EDUCATION SUB- COMMITTEE Safe Harbour Oral Evidence and Written Submissions Contents Caspar Bowden, Phil Lee and Professor Charles Raab—Oral Evidence (QQ1-11) .................... 2 European Commission—Oral Evidence (QQ12-20) ....................................................................... 40 European Data Protection Supervisor and Information Commissioner’s Office—Oral Evidence (QQ21-32) ............................................................................................................................... 58 Information Commissioner’s Office—Written Evidence ................................................................ 82 Information Commissioner’s Office and European Data Protection Supervisor—Oral evidence (QQ21-32) ............................................................................................................................... 86 Information Commissioner’s Office—Supplementary Written Evidence ................................... 87 Phil Lee, Caspar Bowden and Professor Charles Raab—Oral Evidence (QQ1-11) ................. 89 Professor Charles Raab, Caspar Bowden and Phil Lee—Oral Evidence (QQ1-11) ................. 90 UK Government—Oral evidence (QQ33-46) .................................................................................. 91 Caspar Bowden, Phil Lee and Professor Charles Raab—Oral Evidence (QQ1-11) Caspar Bowden, Phil Lee and Professor Charles Raab—Oral Evidence (QQ1-11) Evidence Session No. 1 Heard in Public Questions 1 - 11 WEDNESDAY 12 MARCH 2014 Members present Lord Hannay of Chiswick (Chairman) Baroness Benjamin Lord Judd Lord Morris of Handsworth Lord Sharkey Earl of Stair Lord Wasserman ________________ Examination of Witnesses Professor Charles Raab, University of Edinburgh, Chris Connolly, Galexia, Phil Lee, Privacy and Information Law Group, Field Fisher Waterhouse LLP, and Caspar Bowden, independent privacy expert and former Chief Privacy Adviser for Microsoft Europe Q1 The Chairman: Welcome to the Committee, and thank you very much for coming along to give us evidence. If I may, I will explain a little about the background. This Committee, as you probably know, is the sub-committee of the European Union Select Committee of the House of Lords, which is responsible for home affairs, as well as health and higher education, which are not terribly relevant to this morning. We have decided to conduct what is called enhanced scrutiny on the Commission communication about Safe Harbour. As you know, the Commission sent a communication Caspar Bowden, Phil Lee and Professor Charles Raab—Oral Evidence (QQ1-11) and I am sure that you are all familiar with its terms. That means that we are not conducting a full inquiry with a fully fledged House of Lords report at the end of it, but we are taking evidence from you, from the Commission’s ombudsman on data protection and Commission officials, and from the Government in the form of the Minister of State at the Home Office, and someone from the Ministry of Justice too. Those three sessions will then flow into a much more detailed letter to Ministers here about the Commission communication, which we will probably issue some time at the end of the April. Your evidence is a contribution to that process but it is not the process with which you may otherwise be familiar of a full inquiry lasting about six months, ending in a report of 60 or 70 pages. That is by way of introduction. The session is in public and is being broadcast. A transcript is being taken and a copy of the transcript will be sent to you. You may wish to make minor corrections to it but it will be published online in the uncorrected form. That is the situation. If any of you would like to make an opening statement, please do so but there is no need to do that. We can move straight to questions—it is up to you. Perhaps we could start by each of you introducing yourselves and saying what your expertise and background in this matter are. Then we can take it on from there. The other thing I would say is: please do not feel that you each have to answer every one of the questions because time, yours and ours, is probably a bit limited to allow for that. Welcome again, and would you like to begin with a word or two about yourselves and your expertise? Shall we start from this side, please? Professor Charles Raab: Thank you Chairman. I am Professor Charles Raab and I am Professor of Government at the University of Edinburgh. If I have any expertise it is in the area of privacy and data protection. I have done quite a bit of research on some aspects of surveillance and have taught on them, so that is my area of expertise. Caspar Bowden, Phil Lee and Professor Charles Raab—Oral Evidence (QQ1-11) Chris Connolly: Thank you Chair. My name is Chris Connolly. I am a privacy and consumer advocate, based now in the UK but previously in Australia. I have been engaged in a five or six-year campaign to seek improvements to Safe Harbour on behalf of consumers through writing reports, appearing at committees, lobbying authorities and simply dealing with individual complaints. I hope to be able to bring some insight into those today, although I am a little restricted in what I can say about complaints that are still the subject of investigation. Phil Lee: Good morning Chairman. My name is Philip Lee. I am a partner in the privacy and information law group at Field Fisher Waterhouse, so I am a legal adviser on privacy and data protection matters. In addition to that, I run our US office in Palo Alto, California, where I counsel US businesses on matters of European data protection law, so I guess that my perspective slightly differs from those of the other panellists here today in that I hope that I can bring a slightly practical element to some of the evidence I will give. Caspar Bowden: I am Caspar Bowden, and I founded many years ago the Foundation for Information Policy Research, which did a great deal of analysis and scrutiny of RIPA. Then I worked for Microsoft for nine years as Chief Privacy Adviser for 40 countries, including the EU, where I had direct experience of dramatic internal controversies concerning Safe Harbour compliance. I left Microsoft three years ago to campaign about what I discovered about ominous aspects of US surveillance law, which after Edward Snowden have become very obvious, and I wrote the official NSA briefing note for the European Parliament inquiry into the Snowden affair. Q2 The Chairman: Thank you very much. Perhaps that reminds me that the acoustics in this room are perfectly appalling, so if you could speak up and speak reasonably slowly when you are replying to questions and giving evidence, it would be a huge help. If nobody wants to make an opening statement, can we move into questions? We will start, then, with a very general question on which I imagine all of you will wish to make a contribution. What are Caspar Bowden, Phil Lee and Professor Charles Raab—Oral Evidence (QQ1-11) the main strengths and weaknesses of the present Safe Harbour agreement, in your view? Who would like to start on that? Chris Connolly: Thank you Chair, I would be happy to go first. It is a question that I have spent a lot of time working on, and writing articles doing research and publishing papers on, with my organisation Galexia and with other privacy and consumer advocates. To briefly summarise what I see as the main current weaknesses, the first and most relevant for this Committee is that Safe Harbour is used as a shield when European consumers complain about privacy, and specifically when they complain about national security disclosures since the Snowden revelations. These are cases such as Europe v Apple or Europe v Facebook, which were heard in Ireland, and the Microsoft and Skype cases, which were heard in Luxembourg before the local data protection commission authorities. In both those cases, in the first instance the consumer complaints were knocked back on the basis that those companies belong to Safe Harbour and therefore could not be investigated, even though after Snowden revelations had been made about those companies in relation to their participation in Prism, for example, or other disclosures. So the first and most serious issue is: should the Safe Harbour be a shield to stop even the beginning—the basics—of an investigation on a privacy and security matter? Those cases are very important. I should point out, however, that in Ireland a case has been appealed to a higher court and that the investigation has been started. The other key weaknesses are the false claims. That is where a consumer visits a website that says that it is a member of Safe Harbour. “Trust us”, it says, “Give us your information”. It might have a Department of Commerce logo on it and very often it will have another logo on it from someone such as TRUSTe, a trust mark provider, but in fact that organisation is not a member of Safe Harbour and may not have been one for many years. The FTC took some action on those recently and the average length of the false claims in the cases brought Caspar Bowden, Phil Lee and Professor Charles Raab—Oral Evidence (QQ1-11) this year was three and a half years. That is three and a half years of repeatedly telling consumers, “I am in Safe Harbour. Give me your information”, when in fact they were not. This is not a trivial administrative matter: if you are claiming to be in Safe Harbour, you are supposed to do annual in-house verifications of your privacy protection, signed off by the CEO. You are supposed to pay an annual fee, which all your competitors may be paying when you are not. You are supposed to join a free dispute resolution service and, again, pay an annual fee to that, which you are not doing. So these are quite serious matters.