Some EU data protection policy developments in 2008

By EDRi · January 28, 2009

(This article is also available in German)

Will 2008 be remembered as the year of data retention implementation or as
the year of the first Freedom not Fear day? As always with conclusions, we
might answer this question better in 2009 or 2018. But let’s look at some
facts from the last year now.

One of the main privacy topics during 2008 was the implementation of the EU
Data Retention Directive 2006/24/EC in several European countries. Although
data retention has been resisted in some countries in Europe, and with 15
March 2009 as the final day for starting to retain Internet-related data,
most of the EU member states adopted data retention laws only in 2008. The
reactions have been strong, but led to a review of the respective laws in
just a few cases.

Germany has seen large debates and protests after the adoption of the data
retention law at the end of 2007. In February 2008, the German Working Group
on Data Retention submitted to the German Federal Constitutional Court the
mandates of over 34 000 citizens willing to fight against the storage of
their telecommunications. A preliminary decision taken by the Court on 19
March 2008 supported the case, considering that parts of the German act are
unconstitutional pending review.

In Bulgaria, on 11 December 2008, the Bulgarian Supreme Administrative Court
(SAC) annulled article 5 of the national legislation that implements the
Data Retention Directive, following a lawsuit initiated by the Access to
Information Program (AIP). Article 5 of the Bulgarian Regulation # 40 that
was issued by the State Agency on Information Technologies and Communication
and the Ministry of Interior provided for a “passive access through a
computer terminal” by the Ministry of Interior, as well as access without
court permission by security services and other law enforcement bodies, to
all retained data by Internet and mobile communication providers.

The European Court of Justice (ECJ) is still considering the action started
on 6 July 2006 by Ireland against the Council of the European Union and
European Parliament on the formal grounds for adopting the Data Retention
Directive.

A first hearing of the action by the ECJ took place on 1 June 2008 in
Luxembourg. The legal basis of the Data Retention Directive was supported by
the European Parliament and Council, but also by the Commission, Spain, the
Netherlands and the EDPS, Peter Hustinx. On 14 October 2008, the ECJ Advocate
General gave his opinion on the case, considering that the Data Retention
Directive was founded on an appropriate legal basis and therefore
recommending the dismissal of the action. The decision of the Court will be
made public on 10 February 2009.

The German Working Group on Data Retention drafted an amicus curiae brief in
this case claiming that the data retention directive was also illegal on
human rights grounds, breaching the right to respect for private life and
correspondence, the freedom of expression and the protection of property.
The German Group was joined by several civil liberties NGOs and professional
associations, including EDRi.

It appears that the ECJ will not look into those aspects, but a future
action asking the European Court to consider the compatibility with human
rights is possible. This could be initiated by the German Federal
Constitutional Court as an issue related to the action from the German
Working Group on Data Retention and/or by the Irish courts, following the
action initiated by EDRi-member Digital Rights Ireland.

An international day of action against data retention took place on 11
October under the name “Freedom not Fear”. During that day, protests took
place in more than 15 countries worldwide against surveillance measures such
as the collection and retention of all telecommunications data. The
surveillance of air travellers and the biometric registration of citizens
were further subjects of the “Freedom not Fear” day, as 2008 has seen
developments on these issues.

The PNR US-EU agreement continued to raise questions and worries, with many
negotiations between the US government and the European Commission. In
March, the German Working Group on Data Retention published two applications
to the European Court of Justice contesting the transfer of PNR data to the
US, arguing that the collection of all PNR data violated the basic right to
privacy and protection of personal data, that authorities were given an
unforeseeable use of the data for other purposes, and that passengers’
sensitive data were not effectively protected against access. A recent
report from the US Department of Homeland Security (DHS) regarding the
Passenger Name Record (PNR) information from EU-US flights confirms a number
of major dysfunctions, which proves that the DHS did not comply with the EU
agreement or with the US legislation in its use of PNR.

At the European level, despite broad opposition, the European Council
decided to extend the PNR scheme to the EU space, following the position of
some governments which expressed their intention to extend the PNR scheme
even to all types of travel and to travel among EU countries. The text
proposed in October 2008 included the choice of individual states to take
the measure at the national level, meaning that PNR would be collected by
all Member States on all flights in and out of the EU, while the choice of
surveying intra-community flights belonged to the Member States.

The attempt to pile up DNA databases continued in 2008, with the UK as
leader. However, the European Court of Human Rights (ECHR) decision taken on
4 December in the Marper case could change the way things are working today.
The ECHR confirmed that, under Article 8 of the European Convention on Human
Rights, the retention of cellular samples, fingerprints and DNA profiles
constituted an infringement of the right to private life.

On 24 September 2008, the Telecom Package of rules governing the Internet
and telecoms sectors proposed by the European Commission was approved by the
European Parliament in the first reading. Despite the amendments brought by
the EP, the package still worries civil rights groups, both on data
retention and on IP issues. Voluntary data retention is one of the major
topics contested by civil society (see also the first article in this
EDRi-gram).

The European Parliament proposed a promising amendment to the ePrivacy
Directive that included the obligation of information society service
providers to notify national authorities of security breaches involving
personal data, as suggested by the European Data Protection Supervisor’s
opinion in April. But the new texts suggested by the Commission and the
Council seem to contradict the Parliament, and the final decision will
probably be taken in the second reading, estimated for April 2009.

We cannot hope for a conclusion that clears the waters. The optimists will
look at the full part of the glass, where we might see the ECHR Marper case.
The pessimists might see the EU PNR scheme or some strange provisions of the
Telecom Package.

EDRi page on data retention
http://www.edri.org/issues/privacy/dataretention

EDRi page on PNR
http://www.edri.org/issues/privacy/pnr

EDRi page on biometrics
http://www.edri.org/issues/technology/biometrics

EDRi page on privacy
http://www.edri.org/issues/privacy

National data retention policies
https://wiki.vorratsdatenspeicherung.de/Transposition