The right to privacy is a crucial element of our personal security, for free speech and for democratic participation. It is a fundamental right in the primary law of the European Union and is recognised in numerous international legal instruments. Digital technologies have generated a new environment of potential benefits and threats to this fundamental right. As a result, defending our right to privacy is at the centre of EDRi’s priorities.

30 Jul 2014

Spain: Why you should care about the Citizens’ Security Bill

By Guest author

On 11 July 2014, the Spanish Council of Ministers adopted the Bill on the Protection of Citizens’ Security. The draft law comes under the authority of the Ministry of Interior which, after “hearing” the opinions of several public authorities and civil society in response to a preliminary text, adopted the bill. The legislation is intended to repeal an existing law of 1992. The proposals are strikingly and disturbingly similar to rules that have been adopted in China and to rules that were proposed, and subsequently deemed unconstitutional, in Chile.

Before becoming law, the bill has to go through the two chambers of the Spanish Parliament and, if enacted, some of the provisions of the law would be further developed by implementing regulations (cf. Article 41 and the Third Final Provision of the Bill).

So far, the Government’s proposal has been strongly criticised. Restrictions to the freedoms of assembly and expression in protests received a lot of attention in the media, but some provisions of the bill have barely been discussed.

Measures which have been overlooked in the media include Article 25, which would oblige cybercafés and similar establishments to keep records of their clients’ IDs because these establishments “exercise activities which are relevant for citizens’ security”. Non-compliance with Article 25 would result in fines ranging from 100 to 30 000 Euro. In addition to the pecuniary sanctions, the bill foresees the suspension of licenses, authorisations or permits and even the closing down of facilities (cf. Articles 36 (22), 37(9) and 39). As expressed in the report issued by the General Council of the Spanish Judiciary (a constitutional body that exercises governing functions within the judiciary), this provision broadens the scope of its predecessor, Article 12 of Law 1/1992. Both Article 25 and other provisions described below are likely to restrict data protection, privacy rights, freedom of expression, the right to information or the presumption of innocence, if adopted in their current form.

Other provisions of the Spanish Citizens’ Security Bill raise similar concerns, such as Article 26, which foresees the possibility for certain establishments (including cybercafés) to adopt physical, electronic, IT, organisational or personal security measures (cf. Article 52 of Law 4/2014 on Private Security); Article 43, which creates a Central Register of Infringements against Citizens’ Security “to appreciate recidivism”, i.e. to keep records of repeat offenders; or Article 46, which would allow the authorities that are “competent to impose sanctions in accordance with the [bill]” to have access to the data of the alleged offenders, with the sole safeguard that this access must be linked to an ongoing investigation.

Article 36(26) merits special attention. It establishes that “the non-authorised use of pictures, personal or professional data” of security forces’ officers would be categorised as a serious offence. This Article would complement Article 559 of the Criminal code proposed by the Bill on the reform of the Criminal Code, which is currently going through the Congress. If adopted, Article 559 would also criminalise the “public distribution or dissemination, by any means, of messages or orders inciting the commission of any crimes for disturbance of public order (…) or supporting the decision of committing them”, punishable by up to one year of imprisonment. This provision would, in principle, mean that taking photographs or videos, for example, of misbehaviour of security service staff would incur the risk of prosecution.

Spain is not the first country to try to implement this type of policy. It is worth remembering that China implemented a similar policy on cybercafés a few years ago. Chinese cybercafés must require their customers’ IDs in order to access their services. As evidenced by an investigation conducted by ‘Information Times’, it resulted in a “significant loss of business”. Chile is another example. The Chilean Parliament intended to impose registration of cybercafé users, but the proposal was declared unconstitutional by the Constitutional Court in 2011.

Bill on the Protection of Citizens’ Security Law (only in Spanish, 25.07.2014)

Spanish government tones down its controversial Citizen Safety Law (28.05.2014)

Report of the General Council of the Spanish Judiciary on the Preliminary Draft Organic Law on the Protection of Citizens’ Security (only in Spanish, 27.03.2014)

The Security Law shall impose ID identification to be able to use phone booths and cybercafés (only in Spanish, 07.04.2014)

Bill on the amendment of the Spanish Criminal Code (only in Spanish, 04.10.2013)

The Constitutional Court in Chile finds a provision on cybercafé users’ register unconstitutional (only in Spanish, 12.07.2011)

China’s Internet Cafes Respond to ID Check Rules (26.07.2010)

(Contribution by Maryant Fernandez Perez, EDRi intern)



16 Jul 2014

UK: Emergency legislation on data retention pushed through

By Guest author

Faced with a lawsuit from NGOs challenging the legality of its data retention regulations (which are based on the data retention directive the European Court of Justice found unlawful in April 2014), the UK government brought in emergency legislation, a Data Retention and Investigatory Powers Bill (DRIP), to not only declare data retention to be still lawful but also expand the scope of both retention and lawful intercept in a number of ways.

For example, the UK government has awarded itself the extra-territorial power to demand assistance with surveillance of UK persons from foreign companies that provide communications services to people in Britain. This means that the UK security and intelligence services can demand that Google UK wiretap someone associated with Britain, rather than filing an application via the relevant mutual legal assistance treaty.

UK civil society campaigned actively against the new legislation. Many Members of Parliament (MPs) received hundreds of emails each from supporters of EDRi member Open Rights Group (ORG) and of the campaigning community 38 Degrees, as well as phone calls from concerned constituents.

The law was pushed through the House of Commons on 15 July, while the press were distracted by a reshuffle of the Cabinet. Following secret negotiations, it was supported by all three main parties. They claimed untruthfully that the new law creates no new powers. The government claimed that it was an emergency and that without it the powers needed by the police to fight terrorists and paedophiles would be lost.

“This fast track legislation contains sweeping surveillance powers that will affect every man, woman and child in the UK. The Bill contains the powers for Government to continue to mandate the blanket retention of the communications data of the whole population for 12 months,”

concludes the briefing on the fast-track Data Retention and Investigatory Powers Bill by Liberty, Privacy International, Open Rights Group, Big Brother Watch, Article 19 and English PEN.

“This is in direct contradiction of a Court judgement which held that blanket indiscriminate retention of communications data breached human rights.”

Liberty, Privacy International, Open Rights Group, Big Brother Watch, Article 19 and English PEN briefing on the fast-track Data Retention and Investigatory Powers Bill

#DRIP heroes, round one (15.07.2014)

The DRIP myth list (14.07.2014)

(Contribution by Ross Anderson, EDRi member Foundation for Information Policy Research, United Kingdom, and Jim Killock, EDRi member Open Rights Group, United Kingdom)




16 Jul 2014

Slovenia: Data retention unconstitutional, deletion of data ordered

By Guest author

The Constitutional Court of the Republic of Slovenia abrogated the data retention provisions of the Act on Electronic Communications (ZEKom-1) in its judgement U-I-65/13-19 of 3 July 2014 following the constitutional request lodged by the Information Commissioner in March 2013 and ECJ judgment of 8 April 2014 in Joined Cases C-293/12 and C-594/12.

The Court abrogated ZEKom-1 articles 162, 163, 164, 165, 166, 167, 168 and 169 and instructed operators of electronic communications to delete retained data immediately after the judgment is published in the Official Gazette. The Court holds data retention as disproportionate for the following reasons:

  • unselective retention of data constitutes a breach of rights of a large proportion of the population that did not provide any reason to justify this;
  • blanket data retention does not provide for anonymous use of communications, which is particularly important in cases where untraceable use is necessary (e.g. calling for help in mental distress);
  • arguments for the selected retention periods (8 months for internet related and 14 months for telephony related data) were not provided nor explained in the legislative preparatory documents;
  • the use of retained data was not limited to serious crime.

The Slovenian Information Commissioner Nataša Pirc Musar welcomed the ruling and sees it as an important step in protection of the right to privacy and data protection. The Court recognised the importance of personal data protection in relation to the use of modern information and communication technologies, particularly when used by law enforcement as repressive bodies of the state.

The Commissioner has been regularly warning about the problems of major breaches of privacy by law enforcement created by introduction of surveillance technologies. These tend to be used indiscriminately on large proportions of population, thereby encroaching on their right to privacy and data protection. The availability of new technologies such as drones, IMSI catchers and similar has, in several cases, led to requests by the police to the Ministry of Justice to legislate their use and to provide legal grounds enabling their deployment. Unfortunately these requests have often not been backed by sufficient assessments as regards their impact on human rights. In order to allow for transparency and to ensure that new law enforcement powers respect the principles of necessity and proportionality, the Commissioner has issued guidelines on privacy impact assessments (PIA) for the introduction of new police measures, representing a methodological framework for a prudent, reasonable and legitimate introduction of new measures.

The Information Commissioner Pirc Musar emphasised that this is one of her most important achievements during her 10-year mandate which is now ending. The decision of the Court represents an important part in the debate about the necessity and proportionality of the use of surveillance measures and technologies in the context of law enforcement and intelligence agencies.

Request to the Constitutional Court (only in Slovenian)

Decision of the Constitutional Court (only in Slovenian, 03.07.2014)

Electronic Communications Act (ZEKom-1)

Information Commissioner of the Republic of Slovenia (only in Slovenian)

Privacy Impact Assessment (PIA) Guidelines for the Introduction of new Police Powers

(Contribution by Andrej Tomšič, Deputy Information Commissioner, Information Commissioner, Republic of Slovenia)




04 Jun 2014

Denmark: Data retention is here to stay despite the CJEU ruling

By Heini Järvinen

Following the Court of Justice of the European Union (CJEU) ruling on 8 April 2014, which declared the data retention directive 2006/24/EC invalid, the Danish parliament asked the government about the implications for the Danish data retention law. On 2 June 2014, the government presented its response in a 30-page legal analysis and at a meeting in the Justice Committee of the parliament.

The Danish data retention law was passed by parliament in June 2002, so there is no direct reference to the data retention directive. The specific rules were delayed until September 2006, with effect from 15 September 2007, in part because of technical difficulties with specifying workable data retention rules. One of the difficulties faced at the time was that of ensuring that the rules included the requirements of the EU directive. The Danish law exceeds the requirements of the invalid data retention directive in several respects, especially as far as internet data retention is concerned. The Danish law contains a requirement for session logging which includes data about every 500th internet packet transmitted, specifically source and destination IP addresses and port numbers, as well as a timestamp for the packet. The retention period is one year for all telephone and internet data.

The conclusion of the legal analysis from the Danish Ministry of Justice is that the Danish retention law is not affected by the CJEU ruling on 8 April. This is based on a very narrow interpretation of the CJEU ruling, as explained below.

The special session logging requirements in the Danish law will, however, be lifted immediately, but the reason for this is not the CJEU ruling. Instead, the motivation is the technical difficulties of using the retained data on internet sessions for police investigations. These problems were also known in 2013 when a majority in the Danish parliament decided to postpone a revision of the data retention law, including the heavily criticised session logging part.

In its legal analysis of the CJEU ruling on the data retention directive, the Danish Ministry of Justice first notes that the Charter of Fundamental rights applies to the Danish data retention law even though the national law no longer transposes an EU directive. This reasoning is based on Article 15.1 of the e-privacy directive 2002/58/EC and an interpretation of the CJEU ruling C-617/10 (Fransson case).

The Ministry of Justice then notes that the CJEU ruling on data retention is based on three elements:

  1. The directive covers all electronic communication for all persons (paras. 57-59)
  2. The directive does not contain objective criteria for access to the retained data (paras. 60-62)
  3. The retention period is not based on objective criteria (paras. 63-64)

Before assessing the Danish national law on these elements, the Ministry of Justice emphasises that the CJEU ruling is based on all three elements, and that there is doubt about the weight given to the individual elements. This point plays an important role in justifying the conclusion reached in the legal analysis.

Firstly, the Danish data retention law covers all persons and all communications, so with respect to the points in paragraphs 57-59, there is no difference between the Danish law and the directive.

Secondly, the Danish Administration of Justice Act contains rules for access to the data. A prior court order is required, except in urgent cases, and there must be grounds for suspicion against the individual whose retained data is accessed. Also, access is restricted to “serious crime”, where the main rule is a prison term of six years or more. However, a number of criminal offences with shorter maximum prison sentences than six years are also included, in particular criminal offences where multiple offenders are likely to work together and use electronic communication for their criminal activities. For example, credit card fraud is included in the list of offences where retained telecommunications data can be used for police investigations.

Thirdly, the Ministry of Justice argues that the retention period in the Danish law is based on objective criteria. The retention period is one year for all types of data, but the Ministry of Justice cites preparatory work for the 2002 data retention law in which the one-year retention period was justified on grounds that terrorist attacks such as 9/11 are often planned for more than six months, so a retention period of one year would be appropriate.

In the final conclusion of the 30-page legal analysis, the Ministry of Justice emphasises that the CJEU ruling is based on all three elements, and that the weight given to each individual element is not clear. During the meeting in the Justice Committee, the Minister of Justice said that they had found it difficult to read and evaluate the CJEU decision.

Since the Danish data retention law “only” has a problem with the first element of the CJEU ruling, the mass surveillance part (paras. 57-59), the Danish Ministry of Justice argues that there is no reason to assume that the Danish law is in conflict with the Charter of Fundamental Rights.

During the meeting the minister was asked repeatedly by Member of Parliament Pernille Skipper about paragraphs 57-59. Each time the answer was that the Ministry of Justice looked at the combined weight of the three elements in the CJEU ruling, and because there was doubt as to what weight should be given to the three elements individually, the minister saw no conflict between the Danish law and the Charter of Fundamental Rights.

The Minister of Justice also announced that the Danish government would propose a revision of the Danish data retention law in the next parliamentary session 2014-15. The minister suggested that this could lead to new data retention requirements, for example related to internet sessions. The current session logging requirements were only lifted because they could not produce data that the police could actually use, not because of any inherent conflict with fundamental rights. The decision to lift the session logging requirements was heavily criticized by the Conservative Party and the Danish People’s Party. It appears that ideological arguments in favour of storing all available data are considered more important than the practical consideration that the data cannot be used. Such ideological motivations also appear to override the obvious fact that, as the data are not useable, their collecting is patently not necessary and is, therefore, unquestionably contrary to the legal obligations of the Charter of Fundamental Rights and European Convention on Human Rights.

Legal analysis from the Danish Ministry of Justice (only in Danish, 02.06.2014)

Webcast of meeting in Justice Committee of the Danish parliament (only in Danish, 02.06.2014)

Homepage of Pernille Skipper, Member of Parliament for the Red-Green Alliance (only in Danish)

EDRi-gram: Denmark: Government postpones the data retention law evaluation (13.02.2013)

(Contribution by Jesper Lund, EDRi member IT-Pol, Denmark)

04 Jun 2014

Turkey: Highest court rules YouTube ban violates freedom of speech

By Heini Järvinen

Turkey’s highest court ruled on 29 May 2014 that access to video-sharing site YouTube has to be restored. A brief decision published on the court’s website stated that the block was unconstitutional and violated individual rights and freedom of expression. On 3 June the access to the site was finally restored.

Until now Prime Minister Recep Tayyip Erdogan’s government refused to implement lower court decisions to lift the ban because “criminal content”, which refers to a recording of a key security meeting on Syria that was leaked online, remains available on the site.

Twitter and YouTube were blocked in Turkey in March, just days before critical elections, after recordings alleging corruption of Prime Minister Erdogan and his inner circle were shared on the platforms. Turkey’s telecommunications regulator imposed the block initially as a “precautionary administrative measure”. The block has had limited effect, as many Internet users have circumvented it by using virtual private network (VPN) systems and TOR. The block on Twitter was lifted on 2 April, but the limits on YouTube remain, despite decisions from lower courts ordering the ban to be lifted.

The blocking of the social media platforms was seen by Erdogan’s critics as an attempt to prevent further details of the corruption scandal from being revealed. Erdogan on the other hand has claimed that the whole campaign to cast a slur on him has been engineered by Fethullah Gulen, an influential Turkish imam based in the United States. Gulen has denied the allegations.

Turkey unblocks YouTube after 2 months (03.06.2014)

Turkish court orders YouTube access to be restored (29.05.2014)

Turkey’s top court rejects YouTube ban (29.05.2014)

Turkey’s top court rules YouTube ban is unconstitutional (29.05.2014)

Turkey’s top court rules YouTube ban violates freedom of speech (29.05.2014)

Turkey’s Top Court Rules YouTube Ban is Unconstitutional (29.05.2014)

Does Erdogan really want Gulen in Turkey? (06.05.2014)

04 Jun 2014

Citizens demonstrate against data retention in Switzerland

By Heini Järvinen

On 31 May 2014, several hundred demonstrators gathered in front of the Swiss parliament in Berne to protest against mass surveillance by means of the so-called “data retention” of communications metadata.

A legislative proposal that would significantly expand state powers of surveillance has already been approved by the Council of States (the smaller chamber of the Swiss parliament, considered the upper house), without any significant opposition or media attention. Known by its German acronym “BÜPF”, the Swiss law on communications surveillance already imposes a requirement on telecommunication and Internet providers to record metadata of various forms of electronic communication and keep this data available for six months for possible law enforcement purposes. The proposed revision would expand the duration to twelve months and at the same time expand the scope of the surveillance: It would allow the authorities to not only require commercial communications providers to conduct surveillance on behalf of the state, but anyone operating any kind of communications equipment, for example a private wireless network, would have to support state surveillance and keep it secret. Many of the demonstrators were particularly expressing their concern about provisions that would allow the police to compromise the computers of suspects with trojan software and to use remote eavesdropping devices for mobile telephones, so-called IMSI catchers.

Even though the number of participants in the demonstration was not large by international standards (estimates ranged from “around 400” to “a bit under 700”, while the police officers who had come to check on the gathering gave an estimate of “around 500”), it was still seen as a significant success in the Swiss context where previous demonstrations on digital rights issues had been smaller.

More significant than the number of participants was the broad range of political parties as well as civil society and business organisations officially supporting the protest. In particular, the list of organisers included the youth organisations of all major political parties across the entire political spectrum. On this basis, activists are optimistic that even if the legislative proposal is adopted by the parliament, it can still be defeated by means of a public referendum, which must be held if demanded by at least 50000 people who have voting rights.

A successful referendum would not end data retention in Switzerland. It would only defeat the change of the law that intends to expand its duration as well as the scope of communications surveillance. Since Switzerland lacks a constitutional court with the authority to declare a law invalid because it violates the constitution, and where the internationally recognised right to privacy is recognised as a fundamental right, the only realistic path to ending the data retention entirely in Switzerland appears to be to go through all the courts in Switzerland, and if they keep the decision unchanged, to bring the case to the European Court of Human Rights.

Demonstration against surveillance and data retention in Bern (only in German, 31.05.2014)

Busting BÜPF: Proposed Swiss surveillance law threatens privacy, sparks protest (30.05.2014)

ISOC-CH supports the STOP-BÜPF campaign (07.05.2014)

EDRi-gram: Swiss data retention visualisation (07.05.2014)

(Contribution by Norbert Bollow, EDRi observer)

21 May 2014

Legal analysis of the Data Retention ruling of the European Court

By Heini Järvinen

The legal service of the Council of the European Union has produced an analysis of the ruling of the Court of Justice of the European Union on the data retention Directive. While these documents are normally confidential, this text has been leaked and provides interesting insights into the ruling – making one wonder what justification could possibly exist for it being kept from the public in the first place.

The document points out what should have been already clear – that the Court will not consider any such measure legal unless it is accompanied by adequate safeguards and unless the measure is strictly necessary. The European Commission previously appears to have believed that including a text saying “this Directive respects fundamental rights” (recital 22 of the Directive) had some magical legal significance that was enough to ensure compliance. Other examples of this approach can be found in proposals as varied as the proposed Directive on suspicionless storage and transfer of passenger name records (“This Directive respects the fundamental rights and the principles of the Charter of Fundamental Rights of the European Union”) and even ACTA (“preserves fundamental freedoms such as freedom of expression”).

Ominously for the Commission, the Legal Service says that necessary steps must now be taken with regard to “existing, proposed and future legislation”. A footnote lists some examples of the existing legislation and proposed legislation that is now called into question:

“Examples of such provisions are the (already allowed) access by law enforcement authorities to the Visa Information System (VIS) and to EURODAC (database of asylum seekers). Two proposals of this nature currently under examination are the draft Passenger Name Record (PNR) Directive, which could potentially concern the data of between 500 million to 1,5 billion persons a year (see CLS opinion in doc. 8850/11) and the draft “entry/exit” data base of all foreign travellers entering/exiting the EU which provide for the registration of the 10 finger prints of each foreign traveller and to which many delegations wish the law enforcement authorities to have access.”

The Legal Service chooses to rely on paragraph 42 of the ruling that “the retention of data for the purpose of allowing the competent national authorities to have possible access to those data (…), genuinely satisfies an objective of general interest” to argue that the court upheld “the general approach of data retention as a tool to fight terrorism”. The analysis chooses to ignore salient analysis elsewhere in the ruling. In particular, this Legal Service analysis does precisely what the Court criticises in paragraph 65, in that it seeks to claim a broad justification “without such an interference being precisely circumscribed by provisions to ensure that it is actually limited to what is strictly necessary.” It is very questionable whether it can be argued that untargeted data retention was accepted in principle by the Court. Analysis elsewhere in the Legal Service document does, importantly, seem to accept this.

The unacceptably chaotic (thanks to the railroading of the EU’s decision-making process by the UK Presidency of the Council at the time) text is laid bare by the analysis. It explains that, on the one hand, safeguards regarding access to the data could not be included because it was ostensibly a measure to harmonise the market. On the other hand, the “harmonisation” was limited to giving a very wide range of options for the retention periods – ranging from 6 to 24 months. The implication appears to be that, had the legal basis been correct (or, more likely, if it can be corrected in the future), some of the Court’s criticisms could have been avoided.

Under the heading “Consequences of the judgement for the Council”, the legal service concludes:

  • the Court of Justice will not satisfy itself with anything less than a strict assessment of the proportionality and necessity of measures that constitute serious restrictions to fundamental rights, however legitimate the objectives pursued by the EU legislature.
  • such measures do not stand a serious chance of passing the legality test unless they are accompanied by adequate safeguards in order to ensure that any serious restriction of fundamental rights is circumscribed to what is strictly necessary and is decided in the framework of guarantees forming part of Union legislation instead of being left to the legislation of Member States.

It is quite obvious from the Legal Service opinion that the European Commission needs to withdraw the proposed Directive on PNR. However, if previous experience is anything to go by, Commissioner Malmstroem will choose to do nothing, fearing that doing what obviously needs to be done will upset some Member States.

Court page on data retention case

Legal Service analysis (05.05.2014)

(Contribution by Joe McNamee – EDRi)

21 May 2014

ENDitorial: Google Spain vs AEPD – the cup is half full

By Heini Järvinen

Judgements from the Court of Justice of the European Union (CJEU) are typically meant to settle debates about European law, not to stir them up. Last week’s judgement on Google versus Spain falls short of this goal. It is definitely groundbreaking and parts of its analysis have a beautiful logic. That Google is a data controller only makes sense, due to the manner in which it collects, reuses and (automatically) ranks the data in question.

One can only welcome the Court’s reaffirmation of the almost twenty year old principle that a controller has a responsibility to make sure personal data is correct. From that perspective Google can only blame itself: it would not have ended up with this judgement if it had been more diligent about ensuring that its search results are sufficiently relevant and up to date. This is what its search service is all about, after all.

The judgement is equally logical in its analysis of Google’s claim that it was outside Spanish jurisdiction. The precedent it created may be novel, but was entirely predictable: if it walks like a duck, quacks like a duck, it probably is a duck. Any tech company from outside the EU that has massive EU operations, including operating companies, and which is clearly targeting services at the EU market should not be surprised to find itself within the competence of EU Data Protection Authorities.

Matters get quite a bit complicated at the point where the Court ascribes a level of gatekeeper activity to Google Search without even the merest mention of the need to balance privacy with freedom of expression (although an unclear reference to the public interest is made). We can only hope that national courts that asked these prejudicial questions will consider such points. It should be noted, however, that the Court has left the initial decision on complaints entirely in Google’s hands. If national courts do not insist on such a balance, then Google should appeal to the European Court of Human Rights in Strasbourg. Not because we feel that the end result on the material substance of this case is as disastrous for freedom of expression as some commentators have claimed, but that the CJEU’s omission of this essential balance sets a worrisome precedent and makes this judgement a very incomplete one.

The silver lining on this cloud is that Google now has an opportunity to put its money where its mouth is. Unlike take down notices in cases of alleged copyright infringement, where the consequences for intermediaries for taking a common sense approach are so harshly punished by draconian copyright enforcement rules, the data protection environment is benign enough that it should allow Google to take on this challenge without causing chilling effects for the freedom of expression. Google has always claimed to be a champion of freedom of expression. Now is its time to shine and to come up with take-down procedures that are less, for lack of a more polite term, braindead than those it feels forced to employ for copyright claims. Procedures that are transparent, accountable, objective and fair.

Judgement of the court (13.05.2014)

(Contribution by Walter van Holst – EDRi member Vrijschrift – Netherlands)

07 May 2014

Slovak Constitutional Court suspends data retention legislation

By Heini Järvinen

The European Court of Justice ruled on 8 April, in a case brought before the Court by EDRi member Digital Rights Ireland, together with the Austrian Working Group on Data Retention, that the Data Retention Directive contravenes European law.

On 23 April 2014, the Slovak Constitutional Court preliminarily suspended the Slovak implementation of the Directive as a result of a pending case (PL. ÚS 10/2014) that was launched by the European Information Society Institute (EISi). This means that the retention laws are still formally valid, but have no legal effect until the Court decides on the merits of the complaint.

However, only the provisions mandating data retention itself are suspended, while provisions on access to that information are for now left intact. This means that providers of electronic communication will soon lose any legal obligation to store data about users. Already collected data will not need to be destroyed, and it stays open to interpretation whether providers may or may not disclose these historical data to state authorities upon request. Any storage of the meta-data of users will thus need to be limited to that permitted by data protection legislation (2002/58/EC, 95/46/EC) until the Court finally decides on the case.

Slovak Constitutional Court suspends data retention legislation (24.04.2014)

First European constitutional court suspends data retention after the decision of the Court of Justice of EU (28.04.2014)

Opinion of EISi on the scope of applicability of Digital Rights Ireland C-293/12 & C-594/12 (21.04.2014)

ECJ: Data retention directive contravenes European law (09.04.2014)

The fight against data retention mandates in Slovakia (10.10.2012)

07 May 2014

Swiss data retention visualisation

By Heini Järvinen

The Swiss civil society group Digital Society Switzerland is working on building opposition to the practice of “data retention” – the requirement for telecommunications companies to store meta-data (such as information on who emailed or called whom, and where the telephones were located) for six months and to make it available for law enforcement purposes upon demand – with the goal that this practice will ultimately be ended.

The most recent action has been the publication of a visualisation of six months’ worth of “data retention” data for one of the members of the Swiss national parliament – with his permission, of course. Balthasar Glättli chairs the parliamentary group of the Green Party, and he uses electronic communications quite actively. The visualised data about his communications consequently yield a quite detailed picture of his movements and in fact of his entire life, especially when – as shown in the visualisation – the “data retention” data is combined with publicly available data such as information that was posted on Twitter or Facebook.

This illustrates the seriousness of the invasion of privacy that is caused by the law which requires, by means of this “data retention”, a significant degree of surveillance of the whole population, regardless of any prior suspicion.

The visualisation has been co-produced by Digital Society Switzerland, OpenDataCity, “Schweiz am Sonntag”, and Arte. It may be freely embedded in any website or media product. Significant inspiration was taken from the pioneering action of Malte Spitz in Germany.

The life of National Councillor Balthasar Glättli under surveillance: Interactive visualisation of data retention in Switzerland

Data retention in Switzerland

It’s tracking your every move and you may not even know (26.03.2011)

(Contribution by Norbert Bollow, EDRi observer)