Game Changing Developments in Privacy Requirements

There are two items of news which, in my view, have not been adequately or correctly reported in the media.

The first is that Europe’s highest court has overturned the EU’s Data Retention requirement, saying it is unconstitutional.  This suit was brought by Digital Rights Ireland.  That renders illegal all the laws in European Union countries regarding mass surveillance.  Certainly the governments in each EU country will react differently to this news and draft new legislation.  The European Parliament had already been discussing new privacy laws.  Their ideas are still in draft.

The second item is that Brazil has just passed a law that will, in my view, require Google and other internet companies to provide point-to-point email encryption.  That means either replacing plain SMTP with SMTP over TLS or giving email users a digital certificate.  Either one of these would require a huge effort, as (1) very few email systems are using TLS with SMTP and (2) giving email users digital certificates would take years, and smaller companies might not be able to do that at all, because of its complexity and the need to build systems to support it.
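The first of the two options above, SMTP over TLS, depends on the receiving mail server advertising STARTTLS in its EHLO reply and on the sending side insisting on it rather than silently falling back to cleartext. The following is an added example, not code from the original post or from any provider named in it: it parses EHLO replies (the two replies are constructed samples, not captured from a real server), reports whether STARTTLS is offered, and shows a sender-side delivery routine that refuses to send when the hop cannot be encrypted. The host, port and addresses in `deliver_or_refuse` are placeholders. Note that this only protects the connection between two mail hosts; it is not the per-user certificate option and does not by itself make a message readable only by its sender and recipient.

```python
"""Detect STARTTLS support in an SMTP EHLO reply and refuse cleartext delivery."""
import re
import smtplib
import ssl

# Constructed sample EHLO replies (RFC 5321 style); not from any real server.
EHLO_WITH_TLS = (
    "250-mail.example.test Hello client.example.test\r\n"
    "250-SIZE 52428800\r\n"
    "250-STARTTLS\r\n"
    "250 HELP\r\n"
)
EHLO_WITHOUT_TLS = (
    "250-mail.example.test Hello client.example.test\r\n"
    "250-SIZE 52428800\r\n"
    "250 HELP\r\n"
)


def parse_ehlo_extensions(response):
    """Return the set of extension keywords (upper-cased) from a multi-line EHLO reply.

    The first line is the server greeting, not an extension.  Every later line
    is '250-KEYWORD [params]' (more lines follow) or '250 KEYWORD' (last line).
    """
    extensions = set()
    for line in response.splitlines()[1:]:
        match = re.match(r"250[ -](\S+)", line)
        if match:
            extensions.add(match.group(1).upper())
    return extensions


def offers_starttls(response):
    """True if the EHLO reply advertises the STARTTLS extension."""
    return "STARTTLS" in parse_ehlo_extensions(response)


def strict_tls_context():
    """TLS context that verifies the server certificate and refuses old protocol versions."""
    ctx = ssl.create_default_context()  # verifies chain and hostname by default
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def deliver_or_refuse(host, port, sender, recipient, message):
    """Send `message` only if the hop can be upgraded to TLS; otherwise raise.

    Placeholder connection details; this performs a real network connection
    and is therefore not exercised by the offline checks above.
    """
    with smtplib.SMTP(host, port, timeout=10) as smtp:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            # Opportunistic fallback to cleartext is exactly what a
            # "must be encrypted" requirement forbids, so stop here.
            raise RuntimeError(f"{host}:{port} does not offer STARTTLS; refusing cleartext delivery")
        smtp.starttls(context=strict_tls_context())
        smtp.ehlo()  # capabilities must be re-queried after the TLS upgrade
        smtp.sendmail(sender, recipient, message)


if __name__ == "__main__":
    for label, reply in (("with TLS", EHLO_WITH_TLS), ("without TLS", EHLO_WITHOUT_TLS)):
        print(f"{label}: extensions={sorted(parse_ehlo_extensions(reply))}, "
              f"starttls={offers_starttls(reply)}")
```

A monitoring job can run `parse_ehlo_extensions` over the EHLO replies of the servers a domain actually delivers to, which answers the question raised above of how many mail systems really offer TLS on SMTP.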

The Associated Press says, “Service providers must develop protocols to ensure email can be read only by senders and their intended recipients. Violators are subject to penalties including fines and suspension.”  Brazil is known to go after foreign companies that do not comply with local requirements.  It charged two Google executives in Brazil with criminal violations until YouTube agreed to remove certain material.

The other important part of the Brazilian law is that it mandates net neutrality.  That means ISPs cannot charge customers different rates for different kinds of traffic or throttle different kinds of traffic.  German ISPs are already not following the principle of net neutrality.  In the USA, recent agreements between Netflix and Comcast, and moves by AT&T to charge for peer-to-peer settlement, have violated the net neutrality principle.  This could result in companies having to pay more for data center connections, since their ISP at some point is going to need to cross one of these level 2 and level 3 carriers.  That is what is meant by “peer-to-peer settlement.”

One item that was not included in the Brazilian law is a requirement that internet companies keep data on citizens of Brazil inside the borders of Brazil.  As you know, that would be almost impossible to do, since databases are not segregated by the geographical location of each user record.

The new law was announced at the beginning of the #NetMundial (World Internet) conference in São Paulo.  Privacy experts from around the world are gathered there.  You can see the agenda here.