SECOND PART:JOINT RESPONSES TO THE OPEN CONSULTATIONS OF THE EDPB AND OF THE EUROPEAN COMMISSION ON THE NEW GOVERNANCE OF INTERNATIONAL DATA TRANSFERS

Accompanying letter to EU Institutions:

To:

The European Commissioner Thierry Breton

c.c.

the President of the European Commission, Ursula von der Leyen

the President of the European Parliament, David Sassoli

the European Commissioner Margarethe Vestager

The European Commissioner Maria Gabriel

The European Commissioner Věra Jourová

The European Commissioner Paolo Gentiloni

Mr. Martin Bailey

Mr. Jorge Remuiñan-Suàrez

Mr. Sandro D’ Elia

Feedback of Associazione Culturale Diàlexis to the Gaia-X Summit, as well as to the calls on the EDPB recommendations 1/ 2000 and the Commission Implementing Decision on the new Standard Contractual Clauses

Honourable Commissioner,

Following to the previous mail exchange with you and all other concerned authorities, we are pleased to send you a copy of the feedbacks of our Association to the Gaia X Summit  and to the draft documents as above, which we are also diffusing via the web.

Whilst congratulating with you, with the Commission and the Gaia-X promoters for the tremendous  work done  for the European digital sector, we may not hide our pessimism.

In fact, 60 years since the failure of Olivetti and 8 from the one of Minitel, is lagging  the European digital sector is at least 40 years behind the US and the Chinese ones.Since it results from declarations of  the GAFAM’s top managers and from China’s “15 years’plan”, that, on about 2035, the digital race will have been finally decided,  we wonder whether the Commission really thinks that:

-we can catch-up  before that date;

-the EU will respond to the quest for European Strategic Sovereignty and for digital autonomy, expressed by all EU Institutions, or even to the modest requirement of  compliance with GDPR, as  imposed by the unequivocal documents of the EUCJ, the EDPS and the EDPB.

According to us, as demonstrated in the attached annexes, the regulatory strategy under discussion is too weak for coping with the overwhelming strength of the military-digital complex, as confirmed by:

a) the “Geopolitical Analysis of Digital Trade”, carried out on behalf of the European Pasrliament ( PE 53.616EP/EXPO/INTA/FWC/2019-01/LOT5/1/C/05);

b)the article of Stefane Fermigier and Sven Franck , “Gaia-X: A trojan horse for Big Tech in Europe” (Euractiv , 23 November), devoted to the Gaia-X Summit.

In fact, as it is written in the “Analysis”, “In contrast to the Chinese market for digital services, the European digital services sector has not been protected from US competition. While in China and the US, domestic companies are dominating the digital service market, in the EU large American multinational companies are the most important digital players …….

the digital giants roaming Silicon Valley have an exceptionally small footprint in terms of employment. However, the lack of a genuine European digital sector is problematic given its strategic geopolitical and economic value, and also its increasing relevance for (high-end) manufacturing goods….

SiliconValley, the epicentre of American digital technology, is a result of Cold War military investments into computer chips……

In each of the factors that contributed to US success, the European digital sector is at a disadvantage. …

The US CLOUD Act obliges US companies to hand over data stored outside the US to US law enforcement agencies, an action that could violate the GDPR.While the large fines for violations of the GDPR might protect against data misuse by private companies, they do not protect the privacy of European citizens against surveillance by foreign governments. To do that effectively, regulation has to be accompanied by strong cybersecurity policy and should be complemented with encryption where possible. “

According to us, there is, “de jure condito”, a blatant contradiction between the Schrems II judgement, which imposes to stop immediately data transfer towards the US, and the proposed Implementing Decision, which just imposes  to comply, within one year, with new SCC which, similarly to the old ones, will be surely challenged again in front of the EUCJ for not being compliant with GDPR.

Besides that, “de jure condendo”, the legitimate interest of European new entrants, forcefully kept outside of this market by US advocacy, GAFAM’s strength and anticompetitive practices and EU coercion inactivity  should be taken into account, as explicitly described by Fermigier and Franck:

“One has the impression that among Gaia-X founding members, the key principles of Gaia-X: (#4) digital sovereignty and self-determinatio nand (#5) free market access and European value creation have little or no priority, and that the project – while providing a vision for data portability and protection – is actually an elaborate exercise of window dressing and lip service to swoon European and national governments into providing significant additional revenues for US technologies.

This will be to the detriment of European technology providers such as OpenNebula or Rapid.Space, both Gaia-X Day-1 members receiving zero visibility during the Gaia-X summit. There is an ecosystem of European cloud scalers such as Proxmox Scaleway, Hetzner, Vates , or Linbit as well as European orchestration software such as OpenSVC or SlapOS . And they are being used to build alternatives to Hyperscalers. The question is whether public funding will be used to destroy them?”

In this situation, even the break up of the GAFAM according to business lines, as provided for in the proposed Internet Services Act, would not be enough, because also after that the core of the internet services will remain  firmly in the hands of the present gatekeepers, with the continuing absence of European players, the only ones  concretely in a position to retain in Europe soft power, competences, data, profits, taxable income, qualified jobs, ancillary activities. The GAFAM are more than enterprises: they are a  hybrid of sects, churches, political parties, States, intelligence services, and should be governed, beyond antitrust, and tax law, by legislations about civic freedoms, democracy, know-how protection and State secret.

As documented by economists like Evgeny Morozov, Szuszanna Zubov and Mariana Mazzuccato, and by the official documents of the relevant States, no serious digital industry, in the US, in China, in Russia, in India or in Israel,  has been born without a decisive effort of State financing, advocacy and cybersecurity.

This is a typical “market failure” of the European system: because of the absence of a strong engagement of the Union, new European enterprises  have not been growing, taxable income for the finances of Europe has been  pumped away with the complicity of many Member States which pretend to be “virtuous”, and, finally, the human rights of all European citizens, and the trade secrets of European enterprises, are put at the disposal of the sixteen intelligence intelligence agencies composing the US intelligence community, in conformity with the Cloud Act and many other US laws.

We understand the huge pressures that European Institutions are undergoing from different sides, and we think that the most appropriate roadmap would be to create, as proposed in our book “European Technology Agency”, an agency alongside the experiences of DARPA and MITI, and to define a 15 years warp-speed development program for the EU ICT industries, coordinating it with a corresponding timing schedule for forbidding  progressively all abusive practices of States and multinationals which up to now have emptied European economy, keeping it always at a lower level than the US one, and now also of the Chinese.

The matter should be dealt with in priority also within the Conference on the Future of Europe, and would be the only way for achieving sovereignty and becoming the trendsetter of worldwide debate on the Society of Intelligent Machines, as the Commission correctly purports.

Thanks to Mr. Sassoli, Mrs von der Leyen, Mr. Bailey, Mr. Draguiñan and Mr. D’ Elia, we have started a dialogue with the Institutions which we hope to continue and to further. They have always reassured us about the fact that the Commission is actively pursuing the European Strategic Autonomy, but we feel a very long road is still before us. We will also send to you further comments on the documents under preparation by Institutions, as requested by the same Commission, and to work within civil society for disseminating the consciousness about the urgency of these themes.

We would be pleased if somebody of the Commission would be allowed to participate in our debates with associates, as well with Turin citizens and civil society, on these themes.

Thanking you in advance for your attention,

For Associazione Culturale Diàlexis,

Riccardo Lala

The present document aims at constituting a single  answer, by Associazione Culturale Diàlexis, to the following open consultations:

-EDPB 1/2020

-Commission Implementing Decision on standard contractual clauses,which have a common ground, hence they may dealt with simultaneously.

For understanding our position, it is necessary to recall briefly the historical background of the Commission Implementing Decision, as well as the annexed Standard Contractual Clauses and the draft EDPB’s directive 01/2020., which both are just the last steps of a long internecine fight, which all we are called to comment.

1. From the US Postal Code to ECHELON

         European Institutions have correctly singled out international data transfers as one of the core focuses of their duties as a fledging supranational organisation, in particular for what concerns the relationship with the US intelligence legislation. More recently, national and EU leaders have focused still more this concept as “Europe’s digital band strategical autonomy”, and are striving to achieve the latter by promoting European Champions.

Computers and Internet were originally military in nature, and, with priority, intelligence projects. Even the practical functioning of Internet was tested thanks to military funds among DARPA-friendly research centers. Its whole development was paid by the DoD, and the core of their functioning is still defense-related.

The utilization of Internet for “covert operations” was anticipated by the one in nuclear warfare. First of all, the Anti-missile Defense System is based on the capability, by Big Data, to forecast, detect, monitor, prevent and counterattack any offensive act of potential enemies. In nuclear warfare, the objective need to act within a span of a few minutes since a nuclear attack renders the intervention of human beings absolutely irrelevant, and, on the contrary, the whole digital system essential. One could say that all present day digital intelligence is ancillary, in last instance, precisely to the need for an enhanced decision-making capability of computers during a potential Unlimited Warfare attack. In practice, all patterns of present days’ civilization tend to be organized alongside these needs: each citizen is either a tool in the hands of the Apparatus, or an enemy and a target.gital ace of conflict

Since its beginning, Mass Surveillance  had been used as part of wartime censorship for controlling communications that could damage the war effort and aid the enemy. For example, during World Wars, every international telegram from or to the United States sent through companies such as Western Union was reviewed by the US military. After the wars were over, surveillance continued in programs such as the Black Chamber following World War I and Project Shamrock and COINTELPRO following World War II.  

2.From ECHELON to the Schrems cases

Billions of dollars per year have been spent, by agencies such as the National Security Agency (NSA) and the Federal Bureau of Investigation (FBI), to develop, purchase, implement, and operate systems such as Carnivore,ECHELON, and Narus Insight to intercept and analyze the immense amount of data that traverses the Internet and telephone system every day. The Echelon Wikileaks and Prism cases have shown as this surveillance works.

ECHELON, a surveillance program established in 1971 by the United States with the aid of four other signatory states to the UKUSA Security Agreement, also known as “the Five Eyes” has evolved beyond its military and diplomatic origins into “a global system for the interception of private and commercial communications” (mass surveillance and industrial espionage). Former NSA employee Margaret Newsham claims that she worked on the configuration and installation of software that makes up the ECHELON system while employed at Lockheed Martin. Britain’s The Guardian newspaper summarized the capabilities of the ECHELON system as follows:”A global network of electronic spy stations that can eavesdrop on telephones, faxes and computers. It can even track bank accounts. This information is stored in Echelon computers, which can keep millions of records on individuals.”Schmidt and Cohen, members of Google’s Board, have written that, in the XXI Century, Google will substitute Lockhead in leading America to the control of the world.

In July 2000, the Temporary Committee on the ECHELON Interception System was established by the European Parliament to investigate the surveillance network. In 2001, the Committee recommended that citizens of member states routinely use cryptography in their communications to protect their privacy. In its report, the committee stated categorically that the Echelon network was being used to intercept not only military communications, but also private and business ones. James Bamford, in The Guardian in May 2001, warned that if Echelon were to continue unchecked, it could become a “cyber secret police, without courts, juries, or the right to a defence“.

3. After September 11

Since the September 11 terrorist attacks, a vast domestic intelligence apparatus has been built in the USA to collect information using NSA, FBI, local police, state homeland security offices and military criminal investigators. The intelligence apparatus collects, analyzes and stores information about millions of (if not all) American citizens, many of whom have not been accused of any wrongdoing. Under the Mail Isolation Control and Tracking Program, the U.S. Postal Service photographs the exterior of every piece of paper mail that is processed in the United States — about 160 billion pieces in 2012. The FBI developed the computer programs “Magic Lantern” and CIPAV, which they can remotely install on a computer system, in order to monitor a person’s computer activity. The NSA has been gathering information on financial records, Internet surfing habits, and monitoring e-mails. They have also performed extensive analysis of social networks such as Myspace.

The PRISM special source operation system legally immunized private companies that cooperate voluntarily with U.S. intelligence collection. According to The Register, the FISA Amendments Act of 2008 “specifically authorizes intelligence agencies to monitor the phone, email, and other communications of U.S. citizens for up to a week without obtaining a warrant” when one of the parties is outside the U.S.. PRISM was first publicly revealed on 6 June 2013, after classified documents about the program were leaked to The Washington Post and The Guardian by American agent Edward Snowden.

The Communications Assistance for Law Enforcement Act (CALEA) requires that all U.S. telecommunications and Internet service providers modify their networks to allow easy wiretapping of telephone, VoIP, and broadband Internet traffic. In early 2006, USA Today reported that several major telephone companies were providing the telephone call records of U.S. citizens to the National Security Agency (NSA), which is storing them in a large database known as the NSA call database. This report came on the heels of allegations that the U.S. government had been conducting electronic surveillance of domestic telephone calls without warrants

Commercial mass surveillance often makes use of copyright laws and “user agreements” to obtain (typically uninformed) ‘consent’ to surveillance from consumers who use their software or other related materials. This allows gathering of information which would be technically illegal if performed by government agencies. This data is then often shared with government agencies – thereby – in practice – defeating the purpose of such privacy protections.

Google-hosted services many web sites on the Internet are effectively feeding user information about sites visited by the users, and now also their social connections, to Google:” Google will also know more about the customer – because it benefits the customer to tell Google more about them. The more we know about the customer, the better the quality of searches, the better the quality of the apps”.

Facebook also keep this information, as it has been ascertained in the ongoing procedures in front of national regulators, of the Court of Justice and of the Commission.

New features like geolocation give an even increased admission of monitoring capabilities to large service providers like Google, where they also are enable to track one’s physical movements while users are using mobile devices. With Google as the advertising provider, it would mean that every mobile operator using their location-based advertising service would be revealing the location of their mobile customers to Google. This data is valuable for authorities, advertisers and others interested in profiling users, trends and web site marketing performance. Google, Facebook and others are increasingly becoming more guarded about this data as their reach increases and the data becomes more all inclusive, making it

The CLOUD Act amends the Stored Communications Act (SCA) of 1986 to allow federal law enforcement to compel U.S.-based technology companies via warrant or subpoena to provide requested data stored on servers regardless of whether the data are stored in the U.S. or on foreign soil.

4.The battle around the US CLOUD Act

In considering the impact of the newly adopted US CLOUD Act, by the  “Initial legal assessment of the impact of the US CLOUD Act on the EU legal framework for the protection of personal data and the negotiations of an EU-US Agreement on cross-border access to electronic evidence”, the European Data Protection Board (EDPB) stated that “By choosing to create a legal avenue under US law for US law enforcement authorities to require disclosure of personal data directly from service providers who fall under US jurisdiction, irrespective of where the data is stored, the US Congress enacts into US law a practice of US governmental entities likely to bypass the Mutual legal assistance in criminal matters treaty (MLAT)2 in force between the European Union and the United States of America.….. The US CLOUD Act therefore entails the possibility that such electronic communication or remote computer service providers are compelled to answer a request by US law enforcement authorities for the disclosure of personal data that are subject to the provisions of the GDPR. … The US CLOUD Act thus states an extraterritorial reach of powers under the US Stored Communication Act….”                        

“ This aspect of the CLOUD Act is not compatible with international law:……..”

5.Privacy Shield and General Contractual Clauses.

Two conflicting legal logics face each other. From one side, we have the “traditional liberal-democratic” legal order, embodied in European Law, which predicates that any kind of interference in the private sphere is prohibited. In exceptional cases, as in the case of criminal procedure or of military intelligence, it must be carried out by the responsible authorities, with formal authorizations and documentation, and for a limited period and scope.

From the other side, we have the American system, as it has evolved especially since September 11, that considers that an “unlimited warfare” is under way among, from one side, “Western Civilization”, and, from the other side, “The Rest”; that the US are “the policeman of the world”, and that, therefore, they must use military instruments for preventing and  fighting “terrorists”, who may be even American citizens (like  the “Taliban Johnny”). Therefore, taking into account the fact that today’s warfare is mainly a digital warfare, US agencies have the right and the duty to interfere with whichever activity is carried out, by anybody, in the world, for detecting, preventing and striking whichever activity which could result dangerous for “Western Civilization”.

The idea that, via a formal bureaucracy of certifications, it would have been possible to skip this substantive contradiction is a childish trick, which the European Court of Justice has had the merit to disclose, but which risks to result winning after two Schrems Cases notwithstanding the recent rhetorics of “European Digital and Strategic Autonomy”.

     6.Schrems I

     Based on these facts, Max Schrems had filed a first complaint against Facebook for storing illegally his data with the Irish Data Protection Commissioner (“DPC”) already in 2013(!). The DPC first rejected the complaint as “frivolous and vexatious”(!!). Mr Schrems appealed against the DPC and ultimately won: In that case, C-362/14 Schrems, the CJEU (“Court of Justice of the European Union”, confirmed his view and ruled that mass surveillance violates European fundamental rights, since it allows massive storage and transfer abroad of European’s data collected without their informed consent. The CJEU struck down the previous “Safe Harbor” system (worked out by Commission and Parliament) that facilitated EU-US data transfers. This system was urgently replaced by the Commission at the last minute with the “Privacy Shield” system in 2016. According to Maximilian Schrems: “Privacy Shield is an updated version of the illegal ‘Safe Harbor’. Nothing in US surveillance law was changed or fixed.”

     After the first CJEU decision on “Safe Harbor”, Facebook claimed it would not use “Privacy Shield” but, on the contrary, the so-called “Standard Contractual Clauses” (SCCs).  SCCs are a contract between an EU company (here Facebook Ireland) and a non-EU company (here Facebook Inc, in California) in which the foreign company pledges to respect Europeans’ privacy. The present Decision simply updates the SCC vetoed by the CJEU without any relevant change.

     Under the EU privacy laws (“GDPR”) and the SCCs, a “data export” to a third country is only legal if the exporting company (in this case Facebook Ireland Ltd) can ensure “adequate protection” in the US. In practice, this turned out to be impossible, because US surveillance laws (such as FISA 702 and EO 12.333) is imposerd by the US (and massively enforsced by 16 intelligence agencies, as documented by Edgar Snowden).

         Given the situation above and the ruling of the CJEU in the “Safe Harbor” case, Mr Schrems consequently requested the Irish DPC in 2015 to use Article 4 of the SCCs, which allows the DPC to order Facebook to “suspend” the data transfers in individual cases.  While the DPC now agreed with Mr Schrems that US surveillance laws violate EU law, they did not take direct action.

7.Schrems II

     The DPC, however, did not follow the request of Mr. Schrems, but instead filed a lawsuit against Facebook and Mr. Schrems before the Irish High Court, with the aim to refer the case back to the CJEU – this time on the validity of the SCCs- The Irish High Court complied with the DPC’s request and referred eleven questions to the CJEU, despite the resistance of Mr. Schrems and Facebook (who both opposed the reference for different reasons).  

     The Court of Justice ruled on July 16, 2020 (Schrems II Case), that the Standard Contractual Clauses and that the transfer of Europeans’ data towards the States, not guaranteeing an adequate protection, is forbidden. So, since almost all providers are US platforms, and the Cloud Act imposes to such platforms to make available the data wherever they are stored, inserting data into the Internet is tantamount as delivering them directly to the US intelligence community.

      In practice, this means that, according to the DGPR as interpreted constantly by the EUCJ, all transfers of data via internet providers are forbidden. Now, because European citizens and enterprises have been used since a long time to utilize the Internet, and the legal devices like Safe Harbour, Privacy Shield and Standard Contractual Clauses are not valid, most of the current web transactions and operations are illegal

         According to Mr. Schrems: “In simple terms: EU law requires privacy, while US law requires mass surveillance. The question is, what happens when an EU company follows US rather than EU law?”(“In Deutschland gilt nicht deutsches Recht”). As Schrems correctly pointed out, the principles of US legislation (mass surveillance as a necessary instrument for maintaining and enlarging the “hidden Empire”, and the opposite principle of the EU (to forbid mass surveillance in defense of citizens’ rights), are at the opposite extremes.  And, being Europe in the worse negotiating condition, it could obtain an ,at least partial, victory, only via a very hard fight.

  8.The low-profile approach of the Commission (and of EDPB)

         The Schrems cases are offering European Institutions and companies the opportunity to reverse the situation at least partially, emphasizing the existence of such basic contradiction, what renders illegal per se the continuation of the present state of things.

         Unfortunately, the power relationships between the two banks of the Atlantic are still too unbalanced:

a)from a cultural and military point of view;

b)from the technical and commercial point of view (the OTTs are absolute monopolists);

c)from the legal point of view (the US may not be obliged by the EU to abolish their intelligence legislation, which in practice allows them to spy everything and everybody everywhere, and which is essential for their imperial project);

d)from the practical point of view, European authorities claim to be unable to get rid from US platforms because there is no European platforms able to do the same things, and in any case free trade would require not to privilege European firms. In reality, all of these conditions could be quickly reversed if there would be a political will. Gaia-X, JEDI and Qwant are tentatives in this direction, not exploited up to now.

The choice of the Commission has been to address this issue with a low profile: “The EU is acting to mitigate such concerns through mutually beneficial international cooperation, such as the proposed EU-US Agreement to facilitate cross-border access to electronic evidence”.If this approach would be logical in a “normal” situation, it is no more such in the present “constant emergency” situation, where all decisions and policies have to be decided within a very short time, even forcing the legal mframework (because of the “Existential Risk”connected with AI outsmarting Mankind, because the Hair Trigger Alert, because of Global Warming and impending Pandemics). In fact, decisions  about vaccines are  adopted by the Commission within a few hours.

     It is noteworthy that the situation is rendered worse by the fact that both European Institutions and Member States are still more dependent on the US platforms than citizens and enterprises, because they have often subcontracted to the OTTS all their digital services, so that the most sensible data of Institutions, autorities, enterprises and citizens are available to the US intelligence community, as proven by many cases of unfair competition of US companies which would not have been possible without economic espionage.

      It is sufficient to look at the EDPS directives for communications inside the EU Institutions and the Interinstitutional agreement with Microsoft, for seeing that Microsoft has much more access to European confidential information than the European authorities themselves. What is prohibited to European authorities, armies, courts, police, is allowed to the 16 US intelligence agencies. As the EDPB  has noted, there is an inversion of the roles of controller and controlled, what is witnessed by the uncovered plan of Google to destabilize the present Commission.

It is this which has obliged the Commission to reword the Standard Contractual Clauses, inserting provisions about the controller-controlled relationship, which cannot work because US providers cannot breach the criminal military law of their country.

     Long discussions have been made on the ILA, with Microsoft, by journalists, the Commission and the EU Ombusdman. However, taking into account first of all the security character both of the EU rules and of the US laws imposing the disclosure to the intelligence community ( without any protection for foreign subjects), it is clear that the Institutions should not have signed such agreement with Microsoft, shall renegotiate the existing ones and shall be very attentive before signing another. The mere change of the wording of the SCC  does not change anything in the above objective session.

     As soon as the Schrems II decision was adopted on July 16 , the EDPS issued the Own Initiative Paper concerning the ILA, criticizing the ILA not for its core contents, but for a lot of details unbelievably inequitable, which not even a private company would have accepted.    Immediately thereafter , the EDPB and the Commission have issued new provisions which are simple reeditions of the previous documents invalidated by the EUCJ

     The present “standstill” situation is particularly negative for European businesses, which are at disadvantage vis-à-vis their American and Chinese counterparts, for several reasons:

a)to be exposed a continuous industrial and commercial espionage, which renders almost useless investing in R&D;

b)to be subject to inquiries and fines from US authorities;

c)not to be able to start businesses on markets already occupied by the OTTs;

d)to be obliged to comply with measures (like the ones against Iran), that European authorities have not approved or (like the North Stream) have even sponsored.

     For these reasons, an action is starting for transferring into Europe at least part of the storage of data (the Gaia-X initiative).This precious initiative will certainly not solve the problem, because American providers participating in Gaia-X will still be under an obligation to supply the data to the their authorities, but at least they will be constrained in servers located in Europe and will be more easily controlled as to the compliance with the GDPR. The problem is that it is established that also Danish and German intelligence is spying other Member States on behalf of NSA, i.a intercepting international cables.

9.Strategical autonomy

Being privacy on the Internet strictly connected with military, political and commercial intelligence, it is clear that a genuine data protection will not be reached until also a defence autonomy will exist (the “strategical autonomy”).

For the above reasons,  the

This is not a reason for not doing anything. The only correct approach would be to indicate a timing-schedule for a well defined phase-out of US control (and for the temporary permission of  data transfers under certain conditions during the different phases according to principles like the “red”, “orange” and “Yellow” zones for Covid-19).The Phase-our should last about 15 years

In the meantime, Europe should construct, always in phases, its Strategical Autonomy(cultural, intelligence, technological, military, political, economic).