This is a follow-up to my previous blog post entitled "How to effectively evade the GDPR and the reach of the DPA". Feel free to read it before reading further.

In a recent letter, the CNPD further clarified why they don't investigate the several breaches of Data Protection Law (legal basis, purpose, transfer, EU Representative) affecting thousands of Luxemburgish (and hundreds of thousands of European) citizens. Highlights are mine.

The letter is in French; here is a rough synopsis in English:
  • The CNPD argues that it doesn't have to follow its Internal Guidelines on "Investigations" because, although it talked to Rocketreach, it did not officially open an actual investigation in this particular case. It also argues it doesn't need to follow the Internal Guidelines on "Decisions", as a decision not to open an investigation is formally not a Decision as defined in its policies.
  • The CNPD further argues that the Luxemburgish Law on Data Protection does not specify any criteria for when the CNPD would or would not need to open an investigation, and thus concludes it can decide at will.
  • In the case of Rocketreach in particular, the CNPD argues that it makes no sense to open an investigation as it would not be able to ensure Rocketreach then respects the outcome. In other words, they won't let us benefit from their efforts should we seek judicial redress.

How to effectively evade the GDPR and the reach of the DPA (PART 3)

This is a post in a series of posts:
  1. How to effectively evade the GDPR and the reach of the DPA - PART 1
  2. How to deal with the DPA of Luxembourg - the CNPD <-- Interesting in the context of this post.
  3. Why Schrems is wrong

Introduction
Apollo.io is a YCombinator-funded startup profiling and selling personal data of millions of European data subjects. That YCombinator is funding what is obviously an illegal business is beyond my understanding, but outside the scope of this blog post.
  • Apollo.io has, to my understanding, no legal basis to process my personal data.
  • In order to request access to your data, Apollo.io asks for a signed letter in which you confirm certain personal data under penalty of perjury. The reason they are doing that is, ironically, that they don't know whether you really are who you claim to be, which is rooted in the fact that the collection of the data is unlawful in the first place.
I issued a complaint against Apollo.io via the CNPD and, so that it would take the CNPD less than a year to come back (like last time), I added to my complaint that they are based in the US and are operating in violation of the GDPR (designation of an EU Representative).

The CNPD claims that it has no power to investigate (in the US - duh). A simple Google search confirms the collection of data, which does not require you to be physically in the US. Furthermore, Apollo.io confirms it in their email (see screenshot).

Apollo.io responds to a DSAR request

So after my complaint, the CNPD came back in record time with the following, arguing they have no legal power to investigate in the US. My personal opinion: this is a red herring. All you need to investigate is Google and your web browser. You can do that from Luxembourg.

Original

La Commission nationale pour la protection des données (CNPD) revient à votre réclamation du 8 juillet 2020 relative à votre demande d’accès concernant vos données à caractère personnel traitées par le site « apollo.io », et plus particulièrement à vos courriels datés du 28 juillet et 1er août 2020.

Nous vous informons qu’un premier examen de votre réclamation a confirmé que le responsable du traitement est situé aux Etats-Unis d’Amérique, comme mentionné par ailleurs dans vos courriels susmentionnés.

Au sujet des responsables du traitement établis dans des pays tiers, comme les Etats-Unis d’Amérique, nous souhaitons attirer votre attention sur le considérant (116) du RGPD qui précise que: « Lorsque des données à caractère personnel franchissent les frontières extérieures de l'Union, cela peut accroître le risque que les personnes physiques ne puissent exercer leurs droits liés à la protection des données, notamment pour se protéger de l'utilisation ou de la divulgation illicite de ces informations. De même, les autorités de contrôle peuvent être confrontées à l'impossibilité d'examiner des réclamations ou de mener des enquêtes sur les activités exercées en dehors de leurs frontières. Leurs efforts pour collaborer dans le contexte transfrontalier peuvent également être freinés par les pouvoirs insuffisants dont elles disposent en matière de prévention ou de recours, par l'hétérogénéité des régimes juridiques et par des obstacles pratiques tels que le manque de ressources. »

Dans le cas de votre réclamation cela signifie que, bien qu’il nous soit possible de communiquer avec le responsable du traitement, nous ne disposons pas des pouvoirs de mener des enquêtes et de faire appliquer les décisions que nous serions amenés à prendre sur le territoire des Etats-Unis d’Amérique.

Nous vous informons dès lors que nous traitons votre réclamation dans une perspective de collaboration du responsable du traitement, compte tenu du fait que nous ne disposons pas du pouvoir d’imposer à ce responsable du traitement des actions en vue d’améliorer ses pratiques en matière de protection des données, avec pour conséquence qu’il nous serait impossible de poursuivre votre réclamation de manière effective en cas d’absence de collaboration du responsable du traitement.

En restant à votre disposition pour tout renseignement complémentaire, nous vous prions d’agréer, Monsieur Zoller, l’expression de nos sentiments distingués.

Translation (via Deepl.com)

The National Commission for Data Protection (CNPD) refers to your complaint of 8 July 2020 concerning your request for access to your personal data processed by the "apollo.io" site, and more specifically to your e-mails dated 28 July and 1 August 2020.

We would like to inform you that a first examination of your complaint has confirmed that the data controller is located in the United States of America, as also mentioned in your above-mentioned e-mails.

As regards controllers established in third countries, such as the United States of America, we would like to draw your attention to recital (116) of the GDPR, which states that: 'When personal data cross the external borders of the Union, this may increase the risk that individuals may not be able to exercise their data protection rights, in particular to protect themselves against unlawful use or disclosure of such information. Similarly, supervisory authorities may be faced with the impossibility to investigate complaints or activities outside their borders. Their efforts to work together in the cross-border context may also be hampered by insufficient preventive or remedial powers, heterogeneous legal regimes and practical obstacles such as lack of resources.'

In the case of your complaint, this means that, although we may communicate with the data controller, we do not have the authority to investigate and enforce any decisions we may make in the United States of America.

We therefore inform you that we are processing your complaint on the basis of cooperation from the data controller, given that we do not have the power to impose actions on the data controller to improve its data protection practices, with the result that it would be impossible for us to pursue your complaint effectively if the data controller did not cooperate.

Please do not hesitate to contact us if you require any further information, Mr. Zoller, for which we thank you.


I have decided to formally complain to the German regulator (as Apollo.io has not designated an EU Representative, no one-stop-shop mechanism applies). I will keep you updated on progress - if any.

Introduction
As many of you know, the Schengen Agreement (named after the Luxemburgish locality of Schengen, where it was signed) introduced the free flow of goods and people across the European Union, and many consider it one of the core backbone agreements of the European Union.

Synopsis
Germany decided to introduce border controls following the SARS-CoV-2 epidemic during March-May 2020. Luxembourg is in a particular situation, best shown by this illustration: every day over 1/3 of the entire working population enters the country from Germany, France and Belgium and drives home in the evening, thus crossing these very borders every day.

Germany decided, for reasons that are still not clear to me to this day, that Luxembourg nationals (not Germans) need to have a justified reason to enter Germany (a limited list of these existed). It appears the heads of the German states believed that the virus somehow differentiates between nationalities, and that this made total sense considering that thousands of German border commuters enter and exit every day "freely".

Back to the topic. The Schengen Agreement allows for the introduction of border controls under certain rules and requirements. I was curious to find out what reasons Germany put forward, as I could not imagine a scientific reason to do just that.

Title 3, Chapter 2 of the Schengen Accord details under which conditions and in which form border control may be reintroduced. Relevant Articles:

Art. 25.1 & 25.2:

  • Where [..] there is a serious threat to public policy or internal security in a Member State, that Member State may exceptionally reintroduce border control [..] for a limited period of up to 30 days or for the foreseeable duration of the serious threat [..]

  • Border control at internal borders shall only be reintroduced as a last resort, and in accordance with Articles 27, 28, and 29. The criteria referred to, respectively, in Articles 26 and 30 shall be taken into account in each case where a decision on the reintroduction of border control at internal borders is considered pursuant, respectively, to Article 27, 28, or 29.
Art. 26 ("Criteria"):

  • Where a Member State decides, as a last resort, on the temporary reintroduction of border control [..] it shall assess the extent to which such a measure is likely to adequately remedy the threat to public policy or internal security, and shall assess the proportionality of the measure in relation to that threat.
Art. 27:
  • Where a Member State plans to reintroduce border control [..], it [...] shall supply the following information:
    (a) the reasons for the proposed reintroduction, including all relevant data detailing the events that constitute a serious threat to its public policy or internal security;
    (b) the scope of the proposed reintroduction, specifying at which part or parts of the internal borders border control is to be reintroduced;
    (c) the names of the authorized crossing-points;
    (d) the date and duration of the planned reintroduction;
    (e) where appropriate, the measures to be taken by the other Member States.

Art. 28:
  • If the serious threat to public policy or internal security persists beyond the period provided for in paragraph 1 of this Article, the Member State may decide to prolong the border control at internal borders for renewable periods of up to 20 days. In doing so, the Member State concerned shall take into account the criteria referred to in Article 26, including an updated assessment of the necessity and the proportionality of the measure, and shall take into account any new elements.

Requesting Access to the Documents
Germany appears to have a solid information access law ("Informationszugangsgesetz") that even allows foreign nationals to request documents, which are even sent free of charge across the European Union.

My initial request for information of 04.05.2020 included the information and requests below:
  • A copy of the notification letter addressed to the European Commission
  • Which reasons, data and other factors led to the conclusion that the proportionality of the measure in relation to that threat is adequate (quoting Art. 26)
  • During the time the BMI decided to forbid Luxemburgish nationals entry to Germany (unless they demonstrated important reasons), Luxemburg had on average 15 (!) infections per week, including German commuters. So my question was: in light of 15 infections per week, how did Germany come to the conclusion that the "proportionality of the measure in relation to that threat" that Luxembourg nationals pose is adequate?

My Request to the BMI
Answer

One of their answers included the following quite revealing sentence:
  • "We are not required to communicate legal assessments that have yet to be done"

I am publishing these documents because they may have historic value and offer food for thought. 

Why food for thought, you might ask? Well, Germany didn't really give a reason, as required by Articles 25/26/27/28, that would explain how closing the borders is necessary and proportionate. In the first letter, it states its intent and simply "that it is required", and in every follow-up letter extending the closure (a total of 4), Mr. Seehofer just points to the first letter, creating a circular, unfounded argument. Especially in the context of thousands of daily German commuters who stay for a minimum of 9 hours in Luxembourg (in offices, hospitals and so forth), closing the border to Luxemburgish nationals made absolutely no sense whatsoever and could even be seen as discriminatory.

Summary of my analysis (there may be more in these letters, but that's currently all I am equipped to answer). Please feel free to contact me in case you stumble across something you want to point out.

  • 15 March 2020 (Letter 1): Notification per Article 28 of the planned 10 days of border controls.

    Reason given:

    German
    "Unser gemeinsames Ziel muss angesichts der raschen Zunahme der Infektionen sein, möglichst frühzeitig Reisende aus Risikogebieten sowie diejenigen mit Anzeichen für eine derartige Infektion zu erkennen, um auf diese Weise durch unverzügliche medizinische Maßnahmen eine weitere Verbreitung bestmöglich einzudämmen."

    "Auch unter Berücksichtigung der großen Bedeutung des grenzkontrollfreien Reisens innerhalb des Schengenraums bin ich der Überzeugung, dass die vorübergehende Wiedereinführung von Binnengrenzkontrollen eine notwendige flankierende Maßnahme zur Eindämmung der Ausbreitung und Unterbrechung der Infektionsketten darstellt."

    English (translation)
    "In view of the rapid increase in infections, our common goal must be to identify travellers from risk areas as early as possible, and to identify those who show signs of such an infection, in order to contain further spread as far as possible through immediate medical measures.

    Also considering the great importance of border-control-free travel within the Schengen area, I am convinced that the temporary reintroduction of internal border controls is a necessary accompanying measure to contain the spread and interrupt the chains of infection."


    Commentary: What a display of naivety and a simplistic view of the world. As if somehow the virus would differentiate between German and Luxemburgish nationals, and as if refusing entry to the country would allow for "immediate medical measures". Also of note is that Luxemburg is quite clearly an area of collateral damage, where no data whatsoever justified closing the borders to Luxemburgish nationals. We see no analysis of whether or not the measures are proportionate to the threat. My opinion is simple: in the case of Luxembourg, there is a very, very high probability they were not.

    Also, note the choice of words: "flankierende Maßnahme" (accompanying measure) is usually used to describe the political approach to immigration from third countries (outside the EU).

  • 19 March 2020 (Letter 2): Adds air travel routes to the list of border controls

  • 25 March 2020 (Letter 3): Extends border control by another 20 days
    Reason given: "Based on the previous communications"

  • 14 April 2020 (Letter 4): Extends border control by another 20 days
    Reason given: "Based on the previous communications"

  • 4 May 2020 (Letter 5): Extended by 14 days
    Reason given: "Fragile situation development" & "Based on previous communication"

Copies of the letters

Letter 1

Letter 2

Letter 3

Letter 4

Letter 5

By now you should know about the CJEU ruling on the Privacy Shield. I am going to keep this one short and sweet: I believe the judgment to be more far-reaching than NOYB explains on their website. The reasoning is very simple.

To demonstrate this, let's take a look at the questionnaire that NOYB made available for companies.
The first question is:

We can stop right there. The problem is that for every US-based company that isn't solely working with paper and pigeons (and even then), the answer is always YES. Your potential data processor in the USA is going to use Verizon / AT&T / (you name it), and as such you will always have a data processor that is subject to FISA 702 somewhere in the middle. As the Snowden leaks have clearly shown, telcos are used as an entry vector for mass surveillance. It is irrelevant whether or not your direct counterpart is subject to surveillance laws.

Let's continue regardless:

The answer to 5a) is: you can't (quote me on this - I know what I am talking about). There is no way to escape mass surveillance as a company in the US. You would have to build all of your communication channels on zero-knowledge-type protocols. Even if they exist for your use case, they are most likely not supported by the other businesses you have to communicate with, or by your remote workforce. You also need to consider other laws, such as export restrictions and anti-money-laundering rules, that also give the US HQ access to a lot of information, sometimes even via a direct data pipe to the EU (a vector that NOYB is forgetting about).

The companies that can confidently answer yes to the above may exist in some niche segments or niche use cases. As an example - I hear you say "But we use TLS" - that's a pretty naive view and a ridiculous protection against a nation-state adversary, given its capabilities and its funding for mass surveillance by law.

So unless you can demonstrate that every digital communication is "unbreakable" by a nation-state, you are still subjecting EU data subjects to mass surveillance. So even if you are using SCCs as a legal basis for transfer, unless you communicate via pigeons your SCCs can be challenged and likely aren't valid.

In other words, by the end of NOYB's questionnaire you will have understood that realistically you can't use SCCs as a means to legally transfer EU personal data in 99.9% of cases.

So what does that mean for intra-group transfers to the US (example: Apple Ireland to Apple US)? Well, they are unlikely to come to the conclusion that they can't protect the data, and whoever sits on the button in Europe has been chosen to follow along with the logic of the US HQ (not just on that issue). Hint: the performance review of EU employees within US companies is always done in the US at some level.

How can you spot that? The data privacy notice will somewhere say "You agree that your personal data is shared within the group of companies". That means you agree to transfer your data to the US. Want to object? Ask your DPA to enforce that the company can no longer transfer your personal data to the US. You will see your account closed and your agreement terminated. Why? I don't know any big US company that would be able to offer the service without exchanging any personally identifiable information (as defined in the GDPR) with the US at this point in time.

Examples:

Mastercard Data Privacy Notice

Amazon Germany - deep into the reference circle between Data Privacy Notice and Terms and Conditions

Sigh, we all know how this will work out - we will just pretend we can protect the data adequately in the US. As they say in Germany, "Wo kein Kläger, da kein Richter" (no plaintiff, no judge) - hence support NOYB via a donation here.

As a summary: you are given a questionnaire that you will always end up answering negatively if you answer it truthfully and equipped with known unknowns. I liked the title too much to let go of it. Sue me.