The presence of non-EU subjects among the owners of the single network poses national security problems that have already emerged in the case-law of the European Court of Justice by Andrea Monti
Among the many aspects related to the creation of the unified Italian telecommunication network, the relationship between personal data protection, the presence of non-EU owners in the corporate structure and national security deserves special consideration. Indeed, given the criticality of the telecommunications sector, the absence of full control by Italy opens up the risk of foreign interference in the protection of the fundamental interests of the State, as highlighted in the Huawei case.
The nature and extent of the problem become apparent by recomposing the different tiles of the current political and legal mosaic.
First tile: the European Court of Justice Schrems II judgment
One tile is the issue of the exchange of data between Italy (or rather the EU) and the USA.
Deciding on a claim filed against Facebook, on 16 July 2020, the EU Court of Justice, with the “Schrems II” judgment, ruled that the right to the protection of European citizens’ personal data, guaranteed by Article 7 of the Nice Charter, requires the exchange of data with countries that do not provide adequate guarantees of protection from the invasiveness of foreign security services. Consequently, the Baden-Württemberg Data Protection Supervisor has imposed the use of ‘intelligence-proof’ encryption in exchanges with the USA. At the moment, the guidelines are not shared by other authorities around the EU, but they are consistent with the taxonomy of the protection of the rights of European citizens and therefore, it is not impossible to think that other authorities would follow this course.
The principle of law expressed by the Court and applied by the German Data Protection Authority is simple: the US has the legitimate power to access any data present within its borders, but this does not imply that US companies that process data of European citizens can make them available to US intelligence bodies. Therefore, either the data are protected by actions – even legitimate ones – of the US security apparatus, or their transfer overseas must stop.
It is debatable whether or not Regulation 679/16 EU (the “GDPR”) applies to national security issues because the regulation itself expressly excludes the option. Nevertheless, the Court grounded its ruling on the Charter of Fundamental Rights of the European Union which, if we exclude the (never-born) EU Constitution itself, is as close as possible to an actual EU Chart.
Second tile: Microsoft Corp. v. The United States and the Cloud Act
A second tile is that of the US federal government’s attempt to indirectly access data stored on the European servers of US companies, without going through international cooperation procedures. In short, the mechanism provided for an order to the American parent company (and therefore the legitimate recipient of the measure) to have the information delivered by the European subsidiaries and then to make it available to the US authorities.
In 2018, the US Supreme Court wrote the final word on the judicial dispute caused by the Federal Government’s request to Microsoft Corp. to deliver the data stored on the servers of its Irish subsidiary. An indirect way, therefore, to circumvent international cooperation agreements but, above all, the sovereignty and criminal law of EU countries.
In the first instance, in 2013, the judge in the Southern District of New York ruled in favour of the US government, stating that the Stored Communication Act of 1986 had no territorial limits. In 2016, the Secon Circuit Court of Appeal overturned the verdict, and the case went to the Supreme Court. Before the Supreme Court can rule, however, the US approves the “Cloud Act” which regulates the problem of access to data that US companies hold abroad, and dictates (unilaterally) the rules under which US authorities can access the data in question. According to the Cloud Act, it is up to the US judge to decide whether or not the request made by the federal authorities violates the rights of Italian (in our case) citizens.
Third tile: CryptoAG and operation Thesaurus
The use of apparently “normal” companies by intelligence structures is such a widespread practice that it has attracted the attention of the American film industry, which in 1990 made Air America, a film inspired by the homonymous company secretly used by the CIA during the Vietnam War to transport people and supplies of various kinds.
Between 1970 and 1993, as reported by The Guardian, the Swiss company Crypto AG marketed its products for “secure communications” to bodies and institutions in about a hundred countries. Being, however, controlled by the CIA and the German intelligence services, CryptoAG had designed these devices so that the two intelligence structures could easily decipher the confidential communications of their clients.
Fourth tile: the “damages (for intelligence) caused by Legislative Decree 103/95
The liberalisation of the Italian telecommunications market began with the famous (or notorious) Legislative Decree 103/95. The characteristic of the business model of the time was the decoupling of access to the internet provider gateway and the use of services. In practice, the user bore two costs: that of the equally infamous “TUT” (Tariffa Urbana a Tempo) which ended up in the monopolist’s coffers and that of internet services cashed by internet providers. Progressively, however, the latter also began to offer connectivity directly through circuits rented by the operator or through proprietary networks. To date, therefore, there is no public telecommunications network, but a series of interconnected networks, regulated by the Electronic Communications Code.
This situation has complicated by several orders of magnitude the possibility for law enforcement and intelligence services of having direct and “discreet” access to communications, data and – thanks to routers supplied directly to the client – to the private networks of citizens and institutions.
The return to the single network would greatly facilitate interception activities and all those of interest to security services, since the technological interlocutor would be one and the activities in question can be carried out downstream of the internet providers’ data centres.
The future manager of the single network, the one-stop-shop for digital intelligence activities, will have among its more or less direct owners Kkr, an American fund whose governance also includes former Marine General and former CIA director David Petreus.
The US law allows the federal government to obtain data from American companies in the availability of their subsidiaries located in the EU, without necessarily going through international cooperation agreements.
US intelligence practices (not only) include the use of front organisations. The future single operator will certainly not be the new CryptoAG, nor will it lend itself to abusive mass surveillance actions (already prohibited by the ruling of the EU Court of Justice that in 2014 repealed the data-retention directive. However, since the devil is in the detail, it will be necessary that AccessCo (or whatever its name will be) is structured to comply not only with the EU Court of Justice’s indications on the “impermeability” of EU data but also with the requirements of the Conte-Huawei Decree on the security of all equipment and infrastructure of the new network.
That the problem is not only Chinese has been known at least since 2002 when, with a report (eighteen years later never addressed, at least publicly) ALCEI an association for the protection of civil rights online, reported to the Italian Data Protection Authority the presence of a severe vulnerability of routers that at the time were provided to users of internet services.
To date, however, there is no evidence that the Data Protection Authority (if not the European Data Protection Board) is also involved in the AccessCo project to assess the impacts on the fundamental rights and freedoms of Italian and EU citizens.
On the other hand, it would be useful for this to take place already at this early stage in order to avoid that blocking problems could arise in the future caused by a lack of assessment of the impact of Article 7 of the Nice Charter which could compromise the whole project.
The Baden-Württemberg Data Protection Supervisor has already demonstrated how extensive the ramifications of data protection are and what (negative) economic effects they can have.
Forewarned is forearmed.