privacy

The right to privacy is a crucial element of our personal security, for free speech and for democratic participation. It is a fundamental right in the primary law of the European Union and is recognised in numerous international legal instruments. Digital technologies have generated a new environment of potential benefits and threats to this fundamental right. As a result, defending our right to privacy is at the centre of EDRi’s priorities.

24 Sep 2014

The Turkish government tightens its grip over the Internet

By Heini Järvinen

On 8 September 2014, the Turkish parliament passed an amendment to the already draconian Internet law. The amendment allows the Turkish Telecommunication Authority (TIB) to block (without a court order) any website that appears to threaten “national security or public order”. Internet Service Providers (ISPs) are required to execute the blocking order of the TIB within four hours. This enables the government to block content quickly and without due process of law.

In addition to allowing blocking of websites without a court ruling, the law also obliges ISPs to store all data on web users’ activities, such as browsing history, for two years, and make it available to the authorities upon request, without a court order.

The new law, as well as other recent actions of the Turkish government, has raised concerns about freedom of speech in the country. The large majority of the traditional mainstream media is either directly or indirectly under government control, and the Internet remains one of the few channels for free speech in Turkey, but the government is continuously increasing its measures to control the Internet as well.

During the last few years, the Turkish government has blocked sites which broadcast recordings that appear to indicate corruption of government officials and appear to show dubious relationships with the fundamentalist organisations in Syria and Iraq. In spring 2014, the social media platform Twitter and the video-sharing website YouTube remained blocked for several weeks. “National security and maintaining public order” were also used as justifications for this blocking.

Turkey becoming intelligence state with new Internet law (09.09.2014)
http://www.todayszaman.com/national_turkey-becoming-intelligence-state-with-new-internet-law_358245.html

Turkey tightens Internet controls, weeks into new government (09.09.2014)
http://in.reuters.com/article/2014/09/09/turkey-internet-idINKBN0H41AJ20140909

Turkey tightens grip over the internet (09.09.2014)
http://online.wsj.com/articles/turkey-tightens-grip-over-the-internet-1410279325

Turkey: Internet freedom, rights in sharp decline (02.09.2014)
http://www.hrw.org/news/2014/09/02/turkey-internet-freedom-rights-sharp-decline

17 Sep 2014

Public Oversight and The Rule of Law

By Joe McNamee

Between 15 and 19 September, in the week leading up to the first anniversary of the 13 Necessary and Proportionate Principles, EDRi, the EFF and the coalition behind the Principles will be conducting a Week of Action explaining some of the key guiding principles for surveillance law reform. Every day, we’ll take on a different part of the principles, exploring what’s at stake and what we need to do to bring intelligence agencies and the police back under the rule of law. You can read the complete set of posts at: https://necessaryandproportionate.org/anniversary. The Principles were first launched at the 24th Session of the United Nations Human Rights Council in Geneva on 20 September 2013.

Let’s send a message to Member States at the United Nations and wherever else folks are tackling surveillance law reform: surveillance law can no longer ignore our human rights. Follow our discussion on Twitter with the hashtag: #privacyisaright

One of the most striking elements of the surveillance practices is the extent to which laws and judicial procedures have been breached, ignored and undermined by agencies whose task it is to uphold the rule of law.

Before the Snowden revelations, the world had drifted into an unconscious acceptance that existing and unquestioned principles of law were somehow no longer valid. The most striking example of this was the report on the “use of the Internet for terrorism purposes” (PDF) that was published by the United Nations Office on Drugs and Crime in 2012. That report actively encourages United Nations member states to establish “informal relationships or understandings with ISPs (both domestic and foreign) that might hold data relevant for law enforcement purposes about procedures for making such data available for law enforcement investigations.” These “informal relationships” seem to be exactly what the International Covenant on Civil and Political Rights (ICCPR) prohibits in Article 17, which states that “no one shall be subjected to arbitrary or unlawful interference with his privacy”.

The same UNODC report called for long-term storage of communications data of innocent individuals. It did this despite the fact that there is no evidence that such an extensive intrusion into the privacy of innocent individuals is necessary or proportionate. Indeed, since the report was published by the UNODC, the European Court of Justice has ruled (PDF) that such measures are contrary to the primary law of the European Union. As a result, the EU’s Data Retention Directive was declared invalid. This Directive was adopted in 2006, even though no evidence of necessity or proportionality was provided when the legislation was proposed. More shockingly, EU Member States that did not consider the measures to be necessary in a democratic society were taken to court by the European Commission to force them to transpose the legislation in their jurisdictions.

The impunity that led to the EU Directive being adopted and enforced was also evident in an “evaluation report” (PDF) adopted by the European Commission in 2012. That report was forced to recognise that one of the three main reasons for proposing the legislation in the first place – ensuring cross-border access to historical records – was statistically insignificant in practice. The European Commission felt that it was politically safe to take the position that this could be explained by cross-border access being facilitated by “domestic operators” “rather than launching mutual legal assistance procedure [sic] which may be time consuming without any guarantee that access to data will be granted”. No Member State – and no press publication – publicly raised any concern that data was being extracted about citizens, across borders, without authorisation, in situations where national judiciaries would not necessarily grant access to the data.

We cannot uphold the law by breaking the law. We cannot fight lawlessness by undermining the rule of law with impunity.

10 Sep 2014

The Principles Week of Action: A world without mass surveillance

By Guest author

Between 15 and 19 September, several digital rights organisations, including EDRi and many of its members, will be celebrating the first anniversary of the 13 International Principles on the Application of Human Rights to Communications Surveillance. The Principles were first launched in the Palais des Nations in Geneva on 20 September 2013.

Drawing on international law and jurisprudence, the Principles articulate the obligations of governments under international human rights law in the digital age. The Principles are a product of a collaborative effort of privacy experts, human rights lawyers and civil society groups. They provide a tool to evaluate and help reform governments’ surveillance practices.

On the occasion of their first anniversary, a series of blog posts will be published in order to raise awareness on global mass surveillance issues such as metadata, data retention, transparency and the integrity of communications. EDRi member Access is also hoping to publish an implementation guide providing more details on how to apply the Principles into law.

Finally, as part of this week of action, Access will be coordinating the presentation of awards to those who have championed the Principles and a negative prize for those who have worked against the Principles. The public can participate in nominating the candidates – individuals, government officials, agencies, or companies – for these awards before 12 September. Award winners will be announced during the Week of Action.

The 13 Necessary and Proportionate Principles
https://en.necessaryandproportionate.org/take-action/redpatodos

Principles Questionnaire Form: Help us celebrate the one-year anniversary of the Principles!
https://docs.google.com/a/accessnow.org/forms/d/1djUkW3vpB7CWJ2LWerNQiIkuzkwz7nXuh4BUTMD1ky0/viewform

(Contribution by Estelle Massé, EDRi member Access, International)

27 Aug 2014

Online freedoms in Serbia still under threat, analysis shows

By Guest author

SHARE Foundation, an organisation dedicated to protecting digital rights in Serbia, analysed the state of online media freedoms in the country. Examples of technical attacks on media websites, threats and insults to online journalists show a worrying trend of pressure in the digital environment.

During the devastating floods that hit Serbia and the region in May 2014, many cases were witnessed where freedom of expression and information online were endangered. Websites that published information criticising the actions of the Serbian government during the floods were attacked and the entire blog section on a popular daily newspaper website was taken down after a satirical post. Also, citizens were questioned by the police because they expressed their opinion on social media. In the following two months, the situation did not improve to an appreciable extent.

These issues caused reactions from the international community. OSCE Representative on Freedom of the Media, Dunja Mijatovic, expressed her concerns because of the incidents, while the Head of the European Union Delegation in Serbia, Michael Davenport, and the United States Ambassador to Serbia, Michael Kirby, called for the respect of the right to free speech on the Internet. Member of the European Parliament Marietje Schaake sent a letter to European Commissioner Stefan Füle regarding the media situation in Serbia.

Several Serbian media websites, as well as a blog written by two journalists, could not be accessed on multiple occasions due to offensive technical measures, such as distributed denial-of-service (DDoS) attacks. For example, pescanik.net, a web portal of an independent radio station promoting civil society values, was attacked during June 2014 after it published articles about the allegedly plagiarised PhD thesis of the Serbian Minister of Internal Affairs and the allegedly non-existent London PhD of the former rector of a well-known private university in Serbia. One of the authors of the articles about the PhD scandals claimed that her private email correspondence had been illegally accessed. Another example is the website of the daily newspaper Kurir, which was also attacked and made inaccessible several times, the most recent attack occurring on 10 August 2014. It should be noted that these are not the first cases of media websites being under attack. Last December, the website of the Center for Investigative Journalism of Serbia (CINS) was hacked after it published a story about self-censorship in the Serbian online media. They suffered technical attacks again this February.

Pressure on journalists has also become frequent in Serbia, especially on the local level. Natalija Miletic, a Serbian journalist working in Germany, asked Prime Minister of Serbia Aleksandar Vucic questions about alleged media censorship and plagiarism during a joint press conference in Berlin with German Chancellor Angela Merkel. She did not receive answers. After the conference the Serbian Embassy in Berlin told her not to request press passes in the future. RTV journalist Mladenovac Dragan Nikolic was arrested because of a post on his Facebook profile about the recent floods – because he allegedly “damaged the reputation” of a high-ranking official of the ruling Serbian Progressive Party (SPP).

These examples taken from the analysis by the SHARE Foundation show that the state of freedom of expression and media in the Serbian online sphere is of considerable concern. The great number of different cases that happened during the past two months highlights that state bodies need to be more active in solving problems and reacting to violations of digital rights and freedoms. Tendencies of different actors to discourage citizens and media from expressing themselves freely on the Internet create a “chilling effect” and we must continue our struggle for the Internet as a place of open access, as well as free and decentralised exchange of information. It is very important to speak openly about all problems that endanger freedom of speech and information on the Internet so they do not become “business as usual”.

To create awareness for freedom of speech and other digital civil rights issues in the region, EDRi, the SHARE Foundation and Wikimedia are organising an event “Energise! Network! Mobilise!” on 4-5 September in Belgrade, Serbia. The two-day event consisting of panels and workshops will gather activists, civil society organisations and citizens interested in learning more about these issues to exchange their experiences, share knowledge and network.

Analysis of Internet freedoms in Serbia
http://shareconference.net/en/defense/analysis-internet-freedoms-serbia

Energise! Network! Mobilise! in Belgrade, 4-5 September
http://energise-network-mobilise.tumblr.com/

Internet remembers everything
http://shareconference.net/en/defense/internet-remembers-everything

Government online censorship in Serbia worrying trend, says OSCE media freedom representative (27.05.2014)
http://www.osce.org/fom/119173

Letter to Štefan Füle concerning censorship in Serbia (11.06.2014)
http://www.marietjeschaake.eu/2014/06/letter-to-stefan-fule-concerning-censorship-in-serbia/

The big Serbian information shutdown (07.07.2014)
http://newint.org/blog/2014/07/07/serbia-media-censorship/

Online and citizen media on a turning point: if they wish, web platforms can be equalled with media (06.08.2014)
http://shareconference.net/en/defense/online-and-citizen-media-turning-point-if-they-wish-web-platforms-can-be-equalled-media

(Contribution by Bojan Perkov, SHARE Foundation, Serbia)

27 Aug 2014

Ukraine: Sanctions against Russia to result in media censorship?

By Heini Järvinen

On 12 August, the Ukrainian parliament (Verkhovna Rada) approved in first reading a draft law (No. 4453) to impose sanctions on Russian companies and individuals over their alleged support and financing of separatism in Ukraine. The draft law included provisions to allow the Ukrainian National Security and Defence Council (RNBO) to shut down or block any website or TV or radio station without a court order on the grounds of national security.

The draft law was submitted to the parliament by Prime Minister Arseniy Yatsenyuk on 8 August, only four days before the first reading, with no input from outside advisers. It was made available to the public only once it had passed the first reading, with an impact study stating that

“the bill does not require consultation with civil society”.

Local journalists and media activists as well as international press freedom organisations immediately criticised the draft law, calling it a “major setback for freedom of information in Ukraine”, and accusing the government of using concerns about national security as an excuse to introduce censorship.

As a response to the quick reaction from civil society, Mykola Tomenko, parliamentary deputy and head of the parliament’s committee on freedom of speech, announced on 13 August that the parliament was working to remove the media censorship elements from the draft law.

Tetiana Semiletko, a lawyer working for the Kyiv-based Media Law Institute stated that

“we also see that our own media might be banned, shut down or restricted, with nothing more than a decision by the security council and a presidential decree.”

On 14 August, the parliament voted to adopt the national security law. 244 parliamentarians out of 450 supported its adoption. The law establishes a legal right to implement sanctions against 172 individuals and 65 entities in Russia and other countries for supporting “terrorism” in Ukraine. The sanctions include a provision to halt natural gas transit from Russia through Ukrainian territory, and to target Russia’s defence, financial and transport sectors.

Compared to the draft law approved on first reading, most of the censorship measures were removed or softened, and the law will not have an impact on the freedom of media. However, even if the suggested media provisions were finally dropped, the parliament has proposed moving some of them into existing media laws to achieve more control over media and to simplify imposing bans. The threat is therefore very much alive.

Ukrainian parliament approves very dangerous draft law on first reading (12.08.2014)
http://en.rsf.org/ukraine-ukrainian-parliament-approves-very-12-08-2014,46793.html

Ukrainian law would allow authorities to block websites, along with other media (13.08.2014)
http://gigaom.com/2014/08/13/ukrainian-law-would-allow-authorities-to-block-websites-along-with-other-media/

New sanctions bill raises free-press fears in Ukraine (13.08.2014)
http://www.rferl.org/content/ukraine-sanctions-russia-free-press/26529268.html

Ukraine approves bill to impose sanctions on Russia (14.08.2014)
http://www.business-standard.com/article/news-ians/ukraine-approves-bill-to-impose-sanctions-on-russia-114081400892_1.html

In the fight against Russia, Ukraine flirts with kremlinesque Internet censorship (14.08.2014)
http://globalvoicesonline.org/2014/08/14/ukraine-russia-censorship-media-security-sanctions/

Ukraine passes law on Russia sanctions, gas pipelines (14.08.2014)
http://www.rferl.org/content/ukraine-legislation-sanctions-russia/26530692.html

30 Jul 2014

Spain: Why you should care about the Citizens’ Security Bill

By Guest author

On 11 July 2014, the Spanish Council of Ministers adopted the Bill on the Protection of Citizens’ Security. The draft law comes under the authority of the Ministry of Interior which, after “hearing” the opinions of several public authorities and civil society in response to a preliminary text, adopted the bill. The legislation is intended to repeal an existing law of 1992. The proposals are strikingly and disturbingly similar to rules that have been adopted in China and which were proposed, and subsequently deemed unconstitutional, in Chile.

Before becoming law, the bill has to go through the two chambers of the Spanish Parliament and, if enacted, some of the provisions of the law would be further developed by implementing regulations (cf. Article 41 and the Third Final Provision of the Bill).

So far, the Government’s proposal has been strongly criticised. Restrictions to the freedoms of assembly and expression in protests received a lot of attention in the media, but some provisions of the bill have barely been discussed.

Measures which have been overlooked in the media include Article 25, which would oblige cybercafés and similar establishments to keep records of their clients’ IDs because these establishments “exercise activities which are relevant for citizens’ security”. Non-compliance with Article 25 would result in fines ranging from 100 to 30 000 Euro. In addition to the pecuniary sanctions, the bill foresees the suspension of licenses, authorisations or permits and even the closing down of facilities (cf. Articles 36 (22), 37(9) and 39). As expressed in the report issued by the General Council of the Spanish Judiciary (a constitutional body that exercises governing functions within the judiciary), this provision broadens the scope of its predecessor, Article 12 of Law 1/1992. Both Article 25 and other provisions described below are likely to restrict data protection, privacy rights, freedom of expression, the right to information or the presumption of innocence, if adopted in their current form.

Other provisions of the Spanish Citizens’ Security Bill raise similar concerns, such as Article 26, which foresees the possibility for certain establishments (including cybercafés) to adopt physical, electronic, IT, organisational or personal security measures (cf. Article 52 of Law 4/2014 on Private Security); Article 43, which creates a Central Register of Infringements against Citizens’ Security “to appreciate recidivism”, i.e. to keep records of repeat offenders; or Article 46, which would allow the authorities that are “competent to impose sanctions in accordance with the [bill]” to have access to the data of the alleged offenders, with the sole safeguard that this access must be linked to an ongoing investigation.

Article 36(26) merits special attention. It establishes that “the non-authorised use of pictures, personal or professional data” of security forces’ officers would be categorised as a serious offence. This Article would complement Article 559 of the Criminal code proposed by the Bill on the reform of the Criminal Code, which is currently going through the Congress. If adopted, Article 559 would also criminalise the “public distribution or dissemination, by any means, of messages or orders inciting the commission of any crimes for disturbance of public order (…) or supporting the decision of committing them”, punishable by up to one year of imprisonment. This provision would, in principle, mean that taking photographs or videos, for example, of misbehaviour of security service staff would incur the risk of prosecution.

Spain is not the first country to try to implement this type of policy. It is worth remembering that China implemented a similar policy on cybercafés a few years ago. Chinese cybercafés must require their customers’ IDs in order to access their services. As evidenced by an investigation conducted by ‘Information Times’, it resulted in a “significant loss of business”. Chile is another example. The Chilean Parliament intended to impose registration of cybercafé users, but the proposal was declared unconstitutional by the Constitutional Court in 2011.

Bill on the Protection of Citizens’ Security Law (only in Spanish, 25.07.2014)
http://www.congreso.es/public_oficiales/L10/CONG/BOCG/A/BOCG-10-A-105-1.PDF

Spanish government tones down its controversial Citizen Safety Law (28.05.2014)
http://elpais.com/elpais/2014/05/28/inenglish/1401272039_980140.html

Report of the General Council of the Spanish Judiciary on the Preliminary Draft Organic Law on the Protection of Citizens’ Security (only in Spanish, 27.03.2014)
http://www.poderjudicial.es/cgpj/es/Poder_Judicial/Consejo_General_del_Poder_Judicial/Actividad_del_CGPJ/Informes/Informe_al_Anteproyecto_de_Ley_Organica_de_Proteccion_de_la_Seguridad_Ciudadana

The Security Law shall impose ID identification to be able to use phone booths and cybercafés (only in Spanish, 07.04.2014)
http://www.elconfidencial.com/espana/2014-04-07/la-ley-de-seguridad-obligara-a-identificarse-con-el-dni-para-usar-locutorios-y-cibercafes_112647/

Bill on the amendment of the Spanish Criminal Code (only in Spanish, 04.10.2013)
http://www.congreso.es/public_oficiales/L10/CONG/BOCG/A/BOCG-10-A-66-1.PDF

The Constitutional Court in Chile finds a provision on cybercafé users’ register unconstitutional (only in Spanish, 12.07.2011)
http://www.tribunalconstitucional.cl/wp/ver.php?id=2011

China’s Internet Cafes Respond to ID Check Rules (26.07.2010)
http://www.chinahearsay.com/china-Internet-cafes-respond-id-check-rules/

(Contribution by Maryant Fernandez Perez, EDRi intern)

16 Jul 2014

UK: Emergency legislation on data retention pushed through

By Guest author

Faced with a lawsuit from NGOs challenging the legality of its data retention regulations (which are based on the data retention directive the European Court of Justice found unlawful in April 2014), the UK government brought in emergency legislation, a Data Retention and Investigatory Powers Bill (DRIP), to not only declare data retention to be still lawful but also expand the scope of both retention and lawful intercept in a number of ways.

For example, the UK government has awarded itself the extra-territorial power to demand assistance with surveillance of UK persons from foreign companies that provide communications services to people in Britain. This means that the UK security and intelligence services can demand that Google UK wiretap someone associated with Britain, rather than filing an application via the relevant mutual legal assistance treaty.

UK civil society campaigned actively against the new legislation. Many Members of Parliament (MPs) each received hundreds of emails from supporters of EDRi member Open Rights Group (ORG) and of the campaigning community 38 Degrees, as well as phone calls from concerned constituents.

The law was pushed through the House of Commons on 15 July, while the press were distracted by a reshuffle of the Cabinet. Following secret negotiations, it was supported by all three main parties. They claimed untruthfully that the new law creates no new powers. The government claimed that it was an emergency and that without the law the powers needed by the police to fight terrorists and paedophiles would be lost.

“This fast track legislation contains sweeping surveillance powers that will affect every man, woman and child in the UK. The Bill contains the powers for Government to continue to mandate the blanket retention of the communications data of the whole population for 12 months,”

concludes the briefing on the fast-track Data Retention and Investigatory Powers Bill by Liberty, Privacy International, Open Rights Group, Big Brother Watch, Article 19 and English PEN.

“This is in direct contradiction of a Court judgement which held that blanket indiscriminate retention of communications data breached human rights.”

Liberty, Privacy International, Open Rights Group, Big Brother Watch, Article 19 and English PEN briefing on the fast-track Data Retention and Investigatory Powers Bill
https://www.openrightsgroup.org/assets/files/pdfs/reports/DRIP_joint_briefing.pdf

#DRIP heroes, round one (15.07.2014)
https://www.openrightsgroup.org/blog/2014/drip-heroes

The DRIP myth list (14.07.2014)
https://www.openrightsgroup.org/blog/2014/the-drip-myth-list

(Contribution by Ross Anderson, EDRi member Foundation for Information Policy Research, United Kingdom, and Jim Killock, EDRi member Open Rights Group, United Kingdom)

16 Jul 2014

Slovenia: Data retention unconstitutional, deletion of data ordered

By Guest author

The Constitutional Court of the Republic of Slovenia abrogated the data retention provisions of the Act on Electronic Communications (ZEKom-1) in its judgement U-I-65/13-19 of 3 July 2014, following the constitutional request lodged by the Information Commissioner in March 2013 and the ECJ judgment of 8 April 2014 in Joined Cases C-293/12 and C-594/12.

The Court abrogated ZEKom-1 articles 162, 163, 164, 165, 166, 167, 168 and 169 and instructed operators of electronic communications to delete retained data immediately after the judgment is published in the Official Gazette. The Court holds data retention as disproportionate for the following reasons:

  • unselective retention of data constitutes a breach of rights of a large proportion of the population that did not provide any reason to justify this;
  • blanket data retention does not provide for anonymous use of communications, which is particularly important in cases where untraceable use is necessary (e.g. calling for help in mental distress);
  • arguments for the selected retention periods (8 months for internet related and 14 months for telephony related data) were not provided nor explained in the legislative preparatory documents;
  • the use of retained data was not limited to serious crime.

The Slovenian Information Commissioner Nataša Pirc Musar welcomed the ruling and sees it as an important step in protection of the right to privacy and data protection. The Court recognised the importance of personal data protection in relation to the use of modern information and communication technologies, particularly when used by law enforcement as repressive bodies of the state.

The Commissioner has been regularly warning about the problems of major breaches of privacy by law enforcement created by introduction of surveillance technologies. These tend to be used indiscriminately on large proportions of population, thereby encroaching on their right to privacy and data protection. The availability of new technologies such as drones, IMSI catchers and similar has, in several cases, led to requests by the police to the Ministry of Justice to legislate their use and to provide legal grounds enabling their deployment. Unfortunately these requests have often not been backed by sufficient assessments as regards their impact on human rights. In order to allow for transparency and to ensure that new law enforcement powers respect the principles of necessity and proportionality, the Commissioner has issued guidelines on privacy impact assessments (PIA) for the introduction of new police measures, representing a methodological framework for a prudent, reasonable and legitimate introduction of new measures.

The Information Commissioner Pirc Musar emphasised that this is one of her most important achievements during her 10-year mandate which is now ending. The decision of the Court represents an important part in the debate about the necessity and proportionality of the use of surveillance measures and technologies in the context of law enforcement and intelligence agencies.

Request to the Constitutional Court (only in Slovenian)
https://www.ip-rs.si/fileadmin/user_upload/Pdf/ocene_ustavnosti/ZEKom_-_Zahteva_za_oceno_ustavnosti__data_retention_.pdf

Decision of the Constitutional Court (only in Slovenian, 03.07.2014)
https://www.ip-rs.si/fileadmin/user_upload/Pdf/sodbe/US_RS_ZEKom-1_3julij2014.tif

Electronic Communications Act (ZEKom-1)
http://www.akos-rs.si/acts

Information Commissioner of the Republic of Slovenia (only in Slovenian)
https://www.ip-rs.si/

Privacy Impact Assessment (PIA) Guidelines for the Introduction of new Police Powers
https://www.ip-rs.si/fileadmin/user_upload/Pdf/smernice/PIA_guideliness_for_introduction_of_new_police_powers_english.pdf

(Contribution by Andrej Tomšič, Deputy Information Commissioner, Information Commissioner, Republic of Slovenia)

04 Jun 2014

Denmark: Data retention is here to stay despite the CJEU ruling

By Heini Järvinen

Following the Court of Justice of the European Union (CJEU) ruling on 8 April 2014, which declared the data retention directive 2006/24/EC invalid, the Danish parliament asked the government about the implications for the Danish data retention law. On 2 June 2014, the government presented its response in a 30-page legal analysis and at a meeting in the Justice Committee of the parliament.

The Danish data retention law was passed by parliament in June 2002, so there is no direct reference to the data retention directive. The specific rules were delayed until September 2006, with effect from 15 September 2007, in part because of technical difficulties with specifying workable data retention rules. One of the difficulties faced at the time was that of ensuring that the rules included the requirements of the EU directive. The Danish law exceeds the requirements of the invalid data retention directive in several respects, especially as far as internet data retention is concerned. The Danish law contains a requirement for session logging which includes data about every 500th internet packet transmitted, specifically source and destination IP addresses and port numbers, as well as a timestamp for the packet. The retention period is one year for all telephone and internet data.

The conclusion of the legal analysis from the Danish Ministry of Justice is that the Danish retention law is not affected by the CJEU ruling on 8 April. This is based on a very narrow interpretation of the CJEU ruling, as explained below.

The special session logging requirements in the Danish law will, however, be lifted immediately, but the reason for this is not the CJEU ruling. Instead, the motivation is the technical difficulties of using the retained data on internet sessions for police investigations. These problems were also known in 2013 when a majority in the Danish parliament decided to postpone a revision of the data retention law, including the heavily criticised session logging part.

In its legal analysis of the CJEU ruling on the data retention directive, the Danish Ministry of Justice first notes that the Charter of Fundamental rights applies to the Danish data retention law even though the national law no longer transposes an EU directive. This reasoning is based on Article 15.1 of the e-privacy directive 2002/58/EC and an interpretation of the CJEU ruling C-617/10 (Fransson case).

The Ministry of Justice then notes that the CJEU ruling on data retention is based on three elements:

  1. The directive covers all electronic communication for all persons (paras. 57-59)
  2. The directive does not contain objective criteria for access to the retained data (paras. 60-62)
  3. The retention period is not based on objective criteria (paras. 63-64)

Before assessing the Danish national law on these elements, the Ministry of Justice emphasises that the CJEU ruling is based on all three elements, and that there is doubt about the weight given to the individual elements. This point plays an important role in justifying the conclusion reached in the legal analysis.

Firstly, the Danish data retention law covers all persons and all communications, so with respect to the points in paragraphs 57-59, there is no difference between the Danish law and the directive.

Secondly, the Danish Administration of Justice Act contains rules for access to the data. A prior court order is required, except in urgent cases, and there must be grounds for suspicion against the individual whose retained data is accessed. Also, access is restricted to “serious crime”, where the main rule is a prison term of six years or more. However, a number of criminal offences with shorter maximum prison sentences than six years are also included, in particular criminal offences where multiple offenders are likely to work together and use electronic communication for their criminal activities. For example, credit card fraud is included in the list of offences where retained telecommunications data can be used for police investigations.

Thirdly, the Ministry of Justice argues that the retention period in the Danish law is based on objective criteria. The retention period is one year for all types of data, but the Ministry of Justice cites preparatory work for the 2002 data retention law in which the one-year retention period was justified on grounds that terrorist attacks such as 9/11 are often planned for more than six months, so a retention period of one year would be appropriate.

In the final conclusion of the 30-page legal analysis, the Ministry of Justice emphasises that the CJEU ruling is based on all three elements, and that the weight given to each individual element is not clear. During the meeting in the Justice Committee, the Minister of Justice said that they had found it difficult to read and evaluate the CJEU decision.

Since the Danish data retention law “only” has a problem with the first element of the CJEU ruling, the mass surveillance part (paras. 57-59), the Danish Ministry of Justice argues that there is no reason to assume that the Danish law is in conflict with the Charter of Fundamental Rights.

During the meeting the minister was asked repeatedly by Member of Parliament Pernille Skipper about paragraphs 57-59. Each time the answer was that the Ministry of Justice looked at the combined weight of the three elements in the CJEU ruling, and because there was doubt as to what weight should be given to the three elements individually, the minister saw no conflict between the Danish law and the Charter of Fundamental Rights.

The Minister of Justice also announced that the Danish government would propose a revision of the Danish data retention law in the next parliamentary session 2014-15. The minister suggested that this could lead to new data retention requirements, for example related to internet sessions. The current session logging requirements were only lifted because they could not produce data that the police could actually use, not because of any inherent conflict with fundamental rights. The decision to lift the session logging requirements was heavily criticised by the Conservative Party and the Danish People’s Party. It appears that ideological arguments in favour of storing all available data are considered more important than the practical consideration that the data cannot be used. Such ideological motivations also appear to override the obvious fact that, as the data are not usable, their collection is patently not necessary and is, therefore, unquestionably contrary to the legal obligations of the Charter of Fundamental Rights and European Convention on Human Rights.

Legal analysis from the Danish Ministry of Justice (only in Danish, 02.06.2014)
http://justitsministeriet.dk/sites/default/files/media/Pressemeddelelser/pdf/2014/Notat%20om%20logningsdirektivet.pdf

Webcast of meeting in Justice Committee of the Danish parliament (only in Danish, 02.06.2014)
http://www.ft.dk/webtv/video/20131/reu/td.1130634.aspx

Homepage of Pernille Skipper, Member of Parliament for the Red-Green Alliance (only in Danish)
http://www.ft.dk/folketinget/findmedlem/elpesk.aspx

EDRi-gram: Denmark: Government postpones the data retention law evaluation (13.02.2013)
http://history.edri.org/edrigram/number11.3/dk-postpones-data-retention-evaluation

(Contribution by Jesper Lund, EDRi member IT-Pol, Denmark)

04 Jun 2014

Turkey: Highest court rules YouTube ban violates freedom of speech

By Heini Järvinen

Turkey’s highest court ruled on 29 May 2014 that access to video-sharing site YouTube has to be restored. A brief decision published on the court’s website stated that the block was unconstitutional and violated individual rights and freedom of expression. On 3 June the access to the site was finally restored.

Until now Prime Minister Recep Tayyip Erdogan’s government refused to implement lower court decisions to lift the ban because “criminal content”, which refers to a recording of a key security meeting on Syria that was leaked online, remains available on the site.

Twitter and YouTube were blocked in Turkey in March, just days before critical elections, after recordings alleging corruption of Prime Minister Erdogan and his inner circle were shared on the platforms. Turkey’s telecommunications regulator imposed the block initially as a “precautionary administrative measure”. The block has had limited effect, as many Internet users have circumvented it by using virtual private network (VPN) systems and Tor. The block on Twitter was lifted on 2 April, but the limits on YouTube remain, despite decisions from lower courts ordering the ban to be lifted.

The blocking of the social media platforms was seen by Erdogan’s critics as an attempt to prevent further details of the corruption scandal from being revealed. Erdogan on the other hand has claimed that the whole campaign to cast a slur on him has been engineered by Fethullah Gulen, an influential Turkish imam based in the United States. Gulen has denied the allegations.

Turkey unblocks YouTube after 2 months (03.06.2014)
http://mashable.com/2014/06/03/turkey-unblocks-youtube/?utm_content=buffer71afb&utm_medium=social&utm_source=twitter.com&utm_campaign=buffer

Turkish court orders YouTube access to be restored (29.05.2014)
http://www.bbc.com/news/technology-27623640

Turkey’s top court rejects YouTube ban (29.05.2014)
http://www.aljazeera.com/news/middleeast/2014/05/turkey-top-court-rejects-youtube-ban-2014529195032711672.html

Turkey’s top court rules YouTube ban is unconstitutional (29.05.2014)
http://online.wsj.com/article/BT-CO-20140529-708787.html

Turkey’s top court rules YouTube ban violates freedom of speech (29.05.2014)
http://www.hurriyetdailynews.com/turkeys-top-court-rules-youtube-ban-violates-freedom-of-speech.aspx?pageID=238&nID=67172&NewsCatID=339

Does Erdogan really want Gulen in Turkey? (06.05.2014)
http://www.al-monitor.com/pulse/originals/2014/05/erdogan-gulen-extradition-turkey-mistake.html
