The privacy protection "bug" is in US legislation
The American "Cloud Act" and the European rules on personal data, which Switzerland will join in September 2023, are not compatible, but...
What happens to our personal or even sensitive data when it reaches a Cloud?
It should be said immediately that the privacy laws protecting us are potentially ineffective if the cloud is a US one. Recent news events have in fact proved it.
Some quite striking events have raised the clamor of public opinion on the issue of information confidentiality, all on the eve of the entry into force of the new LPD or Law for the Protection of Data and Transparency in the Swiss Confederation.
A German investigation has uncovered Pandora's box
In the May 6 episode of the RSI broadcast "Patti Chiari", the problem of protecting personal data in connection with its use by a well-known US manufacturer of electric cars was raised.
Several episodes are highlighted, but the focus is on three very significant cases in which the Public Prosecutor of Berlin, Andreas Winkelmann, requested the data relating to two road accidents and a case of speeding from the manufacturer of the vehicles involved: Tesla.
Surprisingly, he obtained not only the data that are mandatory and useful by law, covering the dynamics of the vehicle in the five seconds before the impact: the Prosecutor also received the data on the opening of the vehicle's door a good forty-eight seconds after the impact and even the video, recorded by the vehicle's rear camera, of the rescuers' intervention following the accident.
The Swiss Radio and Television service does not mention whether or not there was authorization from a judge for requests for access to data by the Public Prosecutor.
The underlying problem: the United States is not the… EU
Let's take a step back though. Why is there so much talk about Tesla and very little about Renault, BMW, Mercedes and other car manufacturers? There is one problem, and only one: it is the location of the company headquarters. While Renault, BMW, Mercedes are European companies, indeed of the European Union, Tesla is an American company.
The US Cloud Act is much less “stringent”
Is what we say a problem for our privacy?
Certainly yes, as US companies, under penalty of total cessation of their activities, must submit to an American law, the Cloud Act, where "Cloud" does not stand for the normal Internet service that probably each of us uses, but is actually an acronym that stands for “Clarifying Lawful Overseas Use of Data”.
This establishes that even data stored "overseas", therefore outside the United States, must always be accessible to the US Government, the police forces, and other official bodies, whether of the US or of foreign states, which can request it.
This means that if some entitled entity requests the vehicle manufacturer or any other service provider to give access to the data of a user, be it an individual or a company, the provider can object to the lawfulness of this request in the competent court in the USA.
However, the Cloud Act, approved at the federal level on March 23, 2018, superseding the Stored Communications Act (SCA) of 1986, authorizes US judges to have these providers proceed with the delivery of data even without a specific legal reason.
The potential consequences? We cannot oppose it
This opens the door to data access without the requesting bodies having the specific authorisations.
The only condition for the delivery of data is that the request comes from a body based in a state that fulfills the standard requirements of respect for human rights and privacy.
Since there is no specific regulation in this regard, at this point the provider is obliged to provide the requested data without being able, in fact, to oppose the request in any way.
We therefore do not know what and how much data vehicle manufacturers transmit to headquarters, but we can be sure of one thing: if the manufacturer is American, we are not protected in any way from access to information concerning us, even without our explicit consent.
The Berlin Public Prosecutor obviously works in the interest of the community, but without the authorization of a German judge, if he had requested the data directly from Tesla, which is obliged to provide them, he would probably have committed an offense in his own country.
The question is even more subtle: since under the Cloud Act a prosecutor cannot in practice be refused by the court, any prosecutor could request anyone's data under any circumstances, on the basis of preventive investigations not related to an event that occurred, but only based on a suspicion.
This would make it possible to find the evidence necessary to request ex post the legal authorization for new access to the data (since the former were obtained illegally, according to European legislation).
Many of our devices are made in the USA
So just avoid buying American cars?
Not really: our digital life often travels on devices that interface with software produced in the United States and that try in every way, through pop-ups or authorization requests, to access our data while we carry out our daily actions.
And the UX (or User eXperience), if you decide to ignore these access attempts, would become very impractical: you would be flooded with emails and red notifications.
I always advise all companies and individuals to interface as little as possible with this type of company, to have greater control of their digital life and personal data.
With the new LPD law (Law on the Protection of Personal Data and Transparency), which will enter into force in Switzerland in September 2023, it will be easier for a citizen of the Swiss Confederation to obtain respect for their data.
The new legislation incentivizes privacy systems based inside and outside Switzerland to collaborate with each other, also meeting the GDPR.
In this way everyone will be able to obtain respect for their data even outside the Confederation simply by contacting the Swiss authorities.
Are we safe? Lugano will go in search of answers…
Let's try to recap: will our data on the Cloud be safe with the new LPD law? Will it be enough for a US company's servers to be physically in Switzerland for us to be protected?
Not really: the Cloud Act allows access to our data in any case.
There is still a lot to work on, also to inform citizens of their rights. I'll try organizing the first “LPD Day” on 14 June at the LAC in Lugano.