privacy

The right to privacy is a crucial element of our personal security, for free speech and for democratic participation. It is a fundamental right in the primary law of the European Union and is recognised in numerous international legal instruments. Digital technologies have generated a new environment of potential benefits and threats to this fundamental right. As a result, defending our right to privacy is at the centre of EDRi’s priorities.

07 Jun 2019

Data Retention: EU Commission inconclusive about potential new legislation

By Diego Naranjo

On 6 June 2019, representatives from eight civil society organisations (including EDRi members) met with officials from the European Commission (EC) Directorate General of Home Affairs (DG HOME) to discuss data retention. This meeting, according to the EC officials, was just another one in a series of meetings that DG HOME is holding with different stakeholders to discuss potential data retention initiatives that could be put forward (or not) by the next Commission. The meeting is not connected to the Council conclusions on data retention, also published on 6 June, which coincidentally task the Commission with doing a study “on possible solutions for retaining data, including the consideration of a future legislative initiative”.

Ahead of the meeting, civil society was sent a set of questions about the impact of existing and potentially new data retention legislation on individuals, how a “legal” targeted data retention could be designed, and what are the specific issues (data retention periods, geographical restrictions, and so on) that could be included in case new data retention legislation were to be proposed.

According to the Commission, there are no clear “next stages” in the process, apart from the aforementioned study that will have to be prepared after the Council conclusions on data retention published on 6 June. The Commission will, in addition to this study, continue dialogues with civil society, data protection authorities, EU Fundamental Rights Agency and Member States that will inform a potential future action (or inaction) from the EC on data retention.

Four years ago, EDRi met with DG HOME and presented a study of a set of data retention laws which were likely to be considered illegal in light of the Digital Rights Ireland case. The EC then replied to our meeting and study saying that they would “monitor” existing data retention laws and their compliance with EU law. Four years after that, no infringement proceedings have been launched against any Member State and their (quite probably) illegal data retention laws.

Read more:

EU Member States willing to retain illegal data retention (16.09.2019)
https://edri.org/eu-member-states-willing-to-retain-illegal-data-retention/

Data retention – Conclusions on retention of data for the purpose of fighting crime (27.05.2019)
http://data.consilium.europa.eu/doc/document/ST-9663-2019-INIT/en/pdf

EU Member States plan to ignore EU Court data retention rulings (29.11.2017)
https://edri.org/eu-member-states-plan-to-ignore-eu-court-data-retention-rulings/

(Contribution by Diego Naranjo, EDRi)

05 Jun 2019

Czech Constitutional Court rejects complaint on data retention

By Iuridicum Remedium

Czech EDRi member Iuridicum Remedium (IuRe) has fought for 14 years against Czech implementation of the controversial EU data retention Directive which was declared invalid by the Court of Justice of the European Union (CJEU). After years of campaigning and many hard legislative battles, the fight has finally come to an end: on 22 May 2019, the Czech Constitutional Court rejected IuRe’s proposal to declare the Czech data retention law unconstitutional. The court ended up rejecting the claim, despite it being supported by 58 deputies of the parliament across the political spectrum.

In the Czech Republic, data retention legislation was first adopted in 2005. In March 2011, the Constitutional Court upheld IuRe’s first complaint against the original data retention legislation and cancelled it. In 2012, however, a new legal framework was adopted to implement the EU Data Retention Directive (which the CJEU found to contravene European law in the Digital Rights Ireland case in 2014) and to comply with the Constitutional Court’s decision. This new legislation still contained problematic general and indiscriminate data retention and a number of sub-problems. Therefore, even in the light of the CJEU’s decisions, IuRe decided to prepare a new constitutional complaint.

IuRe originally submitted a complaint to challenge the very principle of bulk data retention as massive collection and storage of data of people, without any link to individual suspicion of criminal activities, extraordinary events, or terrorist threats. The CJEU already declared this general and indiscriminate data retention principle inadmissible in two of its decisions (Digital Rights Ireland and Tele2). Although the Czech Constitutional Court refers to both judgments several times, its decision does not deal properly with their conclusions, especially when it comes to analysing the foundations of why data retention is not in line with the Czech Constitution.

The Constitutional Court’s main argument to declare data retention constitutional is that as communications increasingly occur in the digital domain, so does crime. Even though this could be true, it is regrettable that the Constitutional Court did not further develop this reasoning and argue why this is in itself a basis for bulk data retention. The Court also ignored that greater use of electronic communication also implies greater interference with privacy that is associated with general data retention.

The Court further argued that personal data, even without an obligation to retain it, are kept in any case for other purposes, such as invoicing for services, answering to claims and behavioral advertising. In the Court’s opinion, the fact that people give operators their “consent” to process their personal data reinforces the argument to claim that data retention is legal and acceptable. Unfortunately, the Constitutional Court does not take into consideration that the volume, retention period and sensitivity of personal data held by operators for other purposes is quite different from the obligatory data retention prescribed by the Czech data retention law. Furthermore, the fact that operators need to keep some data already (for billing purposes for example) shows that police would not be completely left in the dark without a legal obligation to store data.

In addition to the proportionality of data retention, which has not been clarified by the Court, another issue is how “effective” data retention is in reducing crime. Statistics from 2010 to 2014 show that there was no significant increase in crime or reduction in crime detection in the Czech Republic after the Constitutional Court abolished the obligation to retain data in 2011. Police statistics presented to the Court show that data retention is not helping to combat crime in general, nor facilitating investigation of serious crimes (such as murders) or other types of crimes (such as frauds or hacking). In arguments submitted by police representatives and by the Ministry of the Interior, some examples of individual cases where the stored data helped (or hampered an investigation when missing) were repeatedly mentioned. However, it has not been proven by any evidence shown to the Court that general and indiscriminate data retention would improve the ability of the police to investigate crimes.

The Court also did not annul the partially problematic parts of the legislation, such as the data retention period (six months), the volume of data to be retained, or the overly broad range of criminal cases where data may be required. Furthermore, the Court has not remedied the provisions of the Police Act that allow data to be requested without court authorisation in cases of search for wanted or missing persons or the fight against terrorism.

In its decision, the Constitutional Court acknowledges that stored data are very sensitive and that in some cases the sensitivity of so-called “metadata” may even be greater than that of the content of the communications. Thus, the retention of communications data represents a significant threat to individuals’ privacy. Despite all of this, the Court discarded IuRe’s claim to declare the data retention law unconstitutional.

IuRe disagrees with the outcome of this procedure in which the Court has come to a conclusion on the constitutional conformity of the existing Czech data retention legislation. Considering the wide support for the complaint, IuRe will work on getting at least a part of existing arrangements changed by legislative amendments. In addition to this, we will consider the possibility for the EC to launch infringement proceedings or initiate other judicial cases, since we strongly believe that the existing bulk data retention of communications data in Czech law still contravenes the aforementioned CJEU decisions on mass data retention.

Czech constitutional decision (only in Czech)
https://www.usoud.cz/fileadmin/user_upload/Tiskova_mluvci/Publikovane_nalezy/2019/Pl._US_45_17_vcetne_disentu.pdf

Proposal to revoke data retention filed with the Czech Court (10.01.2018)
https://edri.org/proposal-to-revoke-data-retention-filed-with-the-czech-court/

(Contribution by Jan Vobořil, EDRi member Iuridicum Remedium, Czech Republic)

22 May 2019

ePrivacy: Private data retention through the back door

By Digitalcourage

Blanket data retention has been prohibited in several court decisions by the European Court of Justice (ECJ) and the German Federal Constitutional Court (BVerfG). In spite of this, some of the EU Member States want to reintroduce it for the use by law enforcement authorities – through a back door in the ePrivacy Regulation.

The ePrivacy Regulation

The ePrivacy Regulation, which is currently under negotiation, is aimed at ensuring privacy and confidentiality of communications in electronic communications, by complementing and particularising the matters covered in the General Data Protection Regulation (GDPR). Confidentiality of communications is currently covered by the ePrivacy Directive dating back to 2002. A review of this piece of legislation is long overdue, but Member States keep delaying the process and are therefore not updating necessary protections for online privacy in the EU.

Ever since 2017, the EU Ministers of Justice and Interior have been “deliberating” the Tele2 verdict by the European Court of Justice. The Court had declared the blanket retention of telecommunications metadata inadmissible. Yet the EU Member States are unwilling to accept this ruling. During an informal discussion in Valletta on 26 and 27 January 2017, the Justice and Interior Ministers expressed their wish for “a common reflection process at EU level on data retention in light of the recent judgments of the Court of Justice of the European Union” (Ref. EU Council 6713/17) to implement EU-wide data retention. This process was set in motion in March 2019 by the Presidency of the Council of the European Union. A sub-group of the Council’s Working Party on Information Exchange and Data Protection (DAPIX) was put in charge. From the very beginning, this reflection process has mainly served the purpose of finding opportunities to implement yet another instance of data retention on the EU level. This has been proven by documents published by EDRi member Statewatch.

Instead of complying with the clear rulings by the European Court of Justice (Tele2 and Digital Rights Ireland), the responsible ministers are doing everything they can to “resurrect” data retention, potentially using ePrivacy as a basis for a new era of data retention. In a working document (WK 11127/17), the Presidency of the EU Council in 2017 concluded that, in addition to specific data retention legislation, it would be desirable to also collect citizens’ communications data (metadata) in ePrivacy so companies can use it for commercial purposes. The logic behind this is, probably, to circumvent CJEU case law by not imposing an obligation on companies but having the data available when law enforcement needs it thanks to ePrivacy.

Private data retention

In plain words, this means: If the courts will not allow mass data retention, service providers will simply be given incentives to do so by their own choice. That is why the ePrivacy Regulation is being watered down by Member States in order to give the service providers manifold permissions to store data for a wide variety of reasons (see Article 6 of the draft ePrivacy Regulation). Those responsible are relying on the assumption that the providers’ appetite for data will be sufficient even without an explicit obligation to retain data.

The immediate problem with this type of private data retention is the fact that it weakens the protection of all users’ personal data against data hungry corporations whose main interest is making profit. What’s even worse is that, once again, a governmental function is being outsourced to private corporations. These corporations are not subject to democratic scrutiny, and they are given ever more power over the countries concerned.

In Germany, the hurdles for criminal investigators to get access to data are already very low. The e-mail provider Posteo, for example, had to pay a fine because they were unable to provide the criminal investigators the IP addresses from which a certain e-mail account had been accessed. Posteo simply hadn’t stored those data; they were erased as soon as they were received. The Court declared the fine to be justified. This decision could easily lead to a situation where private companies prefer to err on the side of caution and store even more data, just to avoid such fines.

The draft ePrivacy Regulation as proposed by the European Commission in 2017 placed relatively strict duties on service providers regarding data protection. For example, they were obliged to either erase or anonymise all data that was no longer needed. This is diametrically opposed to the goal of private data retention, and the DAPIX task force noticed it, too. As the Presidency of the EU Council stated, service providers will be given the freedom to use and store data in order to prevent “fraudulent use or abuse”. And these data could then be picked up by law enforcement doing criminal investigation.

No data retention through the back door!

EDRi member Digitalcourage wanted to know how the German government argued with respect to the data retention issue, and submitted a request for the disclosure of documents related to it. Unfortunately, the request was largely denied by the Council of the European Union, long after the legal deadline was missed. The secretariat declared that a disclosure would be a threat to public safety – the risk to the relationship of trust between the Member States and Eurojust, the EU agency dealing with judicial co-operation in criminal matters among agencies of the Member States, would be too severe. Furthermore, such a disclosure would threaten ongoing criminal investigations or judicial procedures. No further details were given. Digitalcourage lodged an appeal against this dismissal, but apart from being asked for patience, they haven’t received an answer from the European Commission. Several requests pursuant to the Freedom of Information Act have also been submitted to German ministries.

It is unbelievable to imagine policy makers contemplating existing and potential new surveillance laws that would clearly be illegal. However, this is exactly what the DAPIX task force is doing, and they are doing it behind closed doors. The changes they propose can be found in the current draft ePrivacy Regulation. Digitalcourage will continue to request documents from the EU and the German government. As soon as the trilogue negotiations between EU Council, Commission and Parliament begin, the concerns will be voiced together with a demand: No data retention through the back door!

This article was first published at https://digitalcourage.de/blog/2019/eprivacy-private-data-retention-through-the-back-door

Digitalcourage
https://digitalcourage.de/en

ePrivacy: Private data retention through the back door (in German, 18.04.2019)
https://digitalcourage.de/blog/2019/eprivacy-private-vorratsdatenspeicherung-durch-hintertuer

(Contribution by EDRi member Digitalcourage, Germany)

27 Feb 2019

New UK counter-terrorism law limits online freedoms

By Index on Censorship

The Counter-Terrorism and Border Security Act 2019 became law in the United Kingdom (UK) in February, after passing through UK parliament with less debate than many had hoped, while Brexit dominated the political agenda. The new law is problematic in many ways, including the way in which it limits freedom of expression and access to information online. It also creates extensive new border security powers, which include accessing information on electronic devices.

The draft law was widely criticised by civil society organisations, which led to some changes to the text. However, the changes were limited and did not do enough to safeguard freedom of expression and access to information.

The new law criminalises publication of pictures of clothes, symbols, or for example of a flag in a way that raises “reasonable suspicion” – an expression that leads into a low legal threshold – that the person publishing the picture is a member or supporter of a terrorist organisation. “Publication” includes posting on social media pictures or video that have been taken privately at home. This could be, for example, a selfie with a poster in the background that shows the symbol of a terrorist organisation.

As previously reported in the EDRi-gram, parliament’s Joint Committee on Human Rights found that this clause “risks a huge swathe of publications being caught, including historical images and journalistic articles”. United Nations rapporteur Fionnuala Ní Aoláin, in a submission that expressed serious concerns about the draft law, found that the clause risks criminalising “a broad range of legitimate behaviour, including reporting by journalists, civil society organizations or human rights activists as well as academic and other research activity.”

A related problem is that the UK authorities have admitted that at least 14 organisations that are currently listed as terrorist organisations do not meet the criteria for being on the list.

Another clause makes it a crime to watch or otherwise access information online that is likely to be useful to a person committing or preparing acts of terrorism. It also includes, for example, watching the content over the shoulder of another person who is sitting by a computer.

After debates in parliament, the government agreed to make a change, which states that working as a journalist or carrying out academic research is an acceptable excuse for accessing material online that could be useful for terrorism. This was a positive change, but not nearly sufficient, and the clause is still very problematic. No terrorist intent is required, and if someone for example watches a terrorist video online because she or he wants to understand why people might be drawn to terrorism, the person risks a long prison sentence.

The law also introduces wide new border security powers connected to a new and vaguely defined crime of “hostile activity”. Under the new powers, anyone can be stopped on the border, even if there are no suspicions that the person has been involved in hostile activity, and it’s a crime not to answer questions by the border officers or hand over to them requested information. A draft code of practice, which will guide how border officers use the powers, specifies that information “may include passwords to electronic devices”. During the first hour of questioning there is no right to a lawyer.

How this deeply concerning piece of legislation will work in practice remains to be seen. We fear that vague and overbroad provisions lead to arbitrariness and discrimination affecting human rights defenders, journalists, or ethnic minority groups on the grounds of mere suspicion.

Index on Censorship
https://www.indexoncensorship.org/

UK counter-terrorism law would restrict freedom of expression (26.09.2018)
https://edri.org/uk-counter-terrorism-law-would-restrict-freedom-of-expression/

(Contribution by Joy Hyvarinen, EDRi observer Index on Censorship, the United Kingdom)

20 Feb 2019

FRA and EDPS: Terrorist Content Regulation requires improvement for fundamental rights

By EDRi

On 12 February 2019, the European Union Agency for Fundamental Rights (FRA) published an Opinion regarding the Regulation on preventing the dissemination of terrorist content online. On the same day, the European Data Protection Supervisor (EDPS) submitted its comments on the topic to the responsible committee in the European Parliament. These two texts complement EDRi’s analysis and the previous Report prepared by three UN Special Rapporteurs on the proposal.

FRA: Substantial threats for freedom of expression

In its Opinion, FRA structures its criticism around four main areas.

First, it calls to improve the definition of “terrorist content”. The Opinion highlights the need to add to this definition the concept of “incitement” or giving specific instructions to commit terrorist offences. The definition of such instructions should be aligned with the Terrorism Directive and specific actions such as “providing specific instructions on how to prepare explosives or firearms”. Further, the text calls to limit the proposal to content disseminated to the public and to exclude from the Regulation’s scope certain forms of expression, such as content that relates to educational, journalistic, artistic or research purposes.

Second, FRA calls to ensure that fundamental rights safeguards are in place through “effective judicial supervision”. Currently, there is no mention in the proposal of any “independent judicial authority in the adoption or prior to the execution of the removal order”. FRA also reminds of the need to avoid a disproportionate impact on the freedom to conduct a business when having to react to notices for removals of terrorist content in a very short time-frame (up to one hour in the original proposal). FRA suggests instead a reaction time of 24 hours from the receipt of the removal order. Regarding safeguards in cross-border removal orders, the Opinion calls to ensure that the authorities of the Member State where the content is hosted are “empowered to review the removal order in cases where there are reasonable grounds to believe that fundamental rights are impacted within its own jurisdiction.” FRA thus encourages the EU legislator to require a notification by the issuing Member State to the host Member State – in addition to the notification to the hosting service provider – when the removal order is issued.

Third, FRA states that the proposal “does not sufficiently justify the necessity of introducing the mechanism of referrals”, and suggests to distinguish between content needing a removal order and content requiring a referral.

Fourth, the Opinion states that the proposed proactive measures of the Regulation come very close to a general monitoring obligation. This is not only prohibited by Article 14 of the EU’s eCommerce Directive, but also generally incompatible with individuals’ right to freedom of expression under Article 11 of the Charter of Fundamental Rights in the European Union. Thus, FRA proposes to delete from the Regulation text the obligation for Hosting Service Providers (HSPs) to introduce proactive measures.

EDPS: Concerns for the Regulation’s data retention and GDPR compliance

While the EDPS issued similar concerns regarding the definition of terrorist content and the “one hour rule”, it also issued some targeted comments on the concerns surrounding potentially privacy intrusive elements of the Regulation proposal.

In the Regulation proposal, Hosting Service Providers have obligations to retain data of supposed terrorist content that they delete or disable access to on their platform. The EDPS presents substantive doubts whether such obligations would be compliant with case law of the Court of Justice of the European Union (CJEU). This opinion was based on the assessment that the proposed measures, similarly to the Data Retention Directive that was struck down by the CJEU in 2014, do not lay down specific criteria regarding the time period and access and use limitations for the retained data. The EDPS is further not convinced of the overall usefulness of data retention measures in the Terrorist Content Regulation, given that the text obliges HSPs to promptly inform the competent law enforcement authorities of any evidence regarding terrorist offences.

On the proposal’s foreseen proactive measures, the EDPS stated that automated tools for recognising and removing content would likely fall under Article 22 of the General Data Protection Regulation (GDPR), which regulates citizens’ rights in automated decision making and profiling activities. This would, in turn, require more substantive safeguards than the ones provided in the Commission’s proposal, including case-specific information to the data subject, understandable information about how the decision was reached, and the right to obtain human intervention in any case.

The observations of the EU’s most important fundamental rights institutions feed into a steady stream of criticism of the proposal. These represent noteworthy positions for policy makers in the legislator institutions, particularly in the European Parliament’s LIBE, CULT and IMCO committees that are currently adopting their positions. It is now more evident than ever that the proposed Terrorist Content Regulation needs substantive reform to live up to the Union’s values, and to safeguard the fundamental rights and freedoms of its citizens.

Read more:

EDRi Recommendations for the European Parliament’s Draft Report on the Regulation on preventing the dissemination of terrorist content online (December 2018)
https://edri.org/files/counterterrorism/20190108_EDRipositionpaper_TERREG.pdf

All Cops Are Blind? Context in terrorist content online (13.02.2019)
https://edri.org/context-in-terrorist-content-online/

Terrorist Content: LIBE Rapporteur’s Draft Report lacks ambition (25.01.2019)
https://edri.org/terrorist-content-libe-rapporteurs-draft-report-lacks-ambition/

CULT: Fundamental rights missing in the Terrorist Content Regulation (21.01.2019)
https://edri.org/cult-fundamental-rights-missing-in-the-terrorist-content-regulation/

Terrorist Content: IMCO draft Opinion sets the stage right for EP (18.01.2019)
https://edri.org/terrorist-content-imco-draft-opinion-sets-the-stage-right-for-ep/

(Contribution by Diego Naranjo and Yannic Blaschke)

16 Jan 2019

EU Member States willing to retain illegal data retention

By IT-Pol

With its judgments in April 2014 (Digital Rights Ireland) and December 2016 (Tele2), the Court of Justice of the European Union (CJEU) ruled that blanket data retention was illegal under EU law. Rather than repealing their illegal data retention laws, EU Member States have instead adopted a tactic of ignoring the highest court of the European Union under the pretence of a “common reflection process” with an expert data retention working group under the Working Party on Information Exchange and Data Protection (DAPIX).

At the Justice and Home Affairs (JHA) Council meeting on 6-7 December 2018, the state of play of the expert working group on data retention was discussed. Council document 14319/18 prepared for the meeting reveals that the common reflection process has produced no tangible results towards compliance with the Tele2 judgment: replacing general and indiscriminate (blanket) data retention with targeted data retention. Member States appear to be happy with their current and illegal data retention regimes and do not want to make any changes. A recurring element in the Council document is the unwillingness of Member States to accept the Tele2 judgment, often disguised under a very selective reading of the judgment.

The expert working group has considered the concept of “restricted data retention”, previously analysed in the EDRi-gram. The main novelty is that Member States are supposed to limit the data categories to be retained to what is strictly necessary. No limitation is foreseen with respect to the persons concerned, which means that data about the entire population is retained, as with the current data retention regimes. Therefore, restricted data retention cannot possibly comply with the Tele2 judgment. However, even the token gesture of limiting the data categories has no support among Member States. They claim that the data categories which are not necessary for law enforcement purposes are already excluded. Based on this premise, Member States even contend that “there is no general and indiscriminate retention of data as referred to in the Tele2 judgment”, which is rather remarkable since the CJEU has stated the exact opposite in the Tele2 judgment.

The renewable retention warrant (RRW) proposal is another attempt by Member States to circumvent the Tele2 judgment. While the warrant only covers a single provider of electronic communications services for a fixed period of validity, all providers are expected to be covered by different warrants that are constantly renewed because the RRW would be rendered ineffective for law enforcement purposes if not all providers are covered. In practice, the RRW will be indistinguishable from the current blanket data retention regimes. With the exception of one Member State, which uses a similar system (undoubtedly the United Kingdom), there is no support for the RRW since the system would be too complex and inefficient and would require changes to national laws on criminal procedure.

After two years of “reflection” on the Tele2 judgment, Member States and their expert working group have not come up with a single realistic alternative to the current blanket data retention regimes that the CJEU has ruled to be illegal under EU law. The Council document does not describe a single suggestion which would actually make the data retention scheme targeted and limit the persons concerned by the measure, even though this is expressly required by the CJEU in paragraph 110 of the Tele2 judgment.

The second part of Council document 14319/18 deals with access to the retained data. According to the Tele2 judgment, access to the retained data must be limited to investigations involving serious crime and must be subject to review by a court or an independent administrative authority. As a general rule, only data of individuals suspected of being involved or implicated in a crime can be accessed.

Once again, Member States are reluctant to accept the restrictions imposed by the CJEU. Since there is no EU law or CJEU guidance defining “serious crime”, this task is left to Member States. Some Member States have a very broad definition, even to the point of including crimes that cannot be regarded as serious because of their low maximum sentence, but are nonetheless claimed to be perceived as serious by the general public. It is also noted in the Council document that without access to retained data, criminal investigations in cybercrime cases would often “turn out to be futile because digital evidence would be unavailable”. However, when data retention of electronic communications metadata is a particularly serious interference with fundamental rights, as the CJEU has established (Tele2 paragraph 100), access to the retained data must be subject to strict rules and will not always be available for law enforcement authorities. Since more and more activities are related to the online environment, making a complete carve out for crimes committed online would deprive the privacy and data protection safeguards at the access level of almost any meaning.

The Council document notes that the judicial review regimes of most Member States are in line with the prerequisites set out by the CJEU, through a prior review by a court/judge, an independent administrative authority or the prosecution office. However, by silently adding the prosecution office, which is not an independent judicial authority, to the list, Member States are rather misleadingly overstating their compliance with the Tele2 judgment regarding the requirement of independent review of access requests.

Finally, Member States are very reluctant to limit the access to the retained data to persons that are suspects or accused persons, as required by the CJEU, except in special cases involving terrorism (paragraph 119 of the Tele2 judgment). The main reason for this is that “proceedings are commenced not against certain individuals, but against (at least in the beginning) unknown perpetrators.” This suggests that law enforcement authorities routinely use data retention to find possible suspects of a crime, for example through cell phone tower inquiries where information is obtained about all persons that are present in a certain area. Data-mining investigations like this affect a large number of persons, some of whom may become suspects simply because of their presence in a certain area (location data). The Tele2 judgment only allows broad access to the retained data as an exception in particular cases involving terrorism, but Member States want to turn the exception into the general rule by only requiring a connection to criminal investigations when retained data is accessed.

At the JHA Council meeting in December, ministers agreed to continue “the work at experts level to explore avenues to develop a concept of data retention within the EU.” However, this is precisely what the expert working group has been doing for the past two years, without delivering a single proposal for data retention that respects the requirements of the Tele2 judgment.

This puts the European data retention situation at a stalemate. Member States refuse to even think of alternatives to their current blanket data retention regimes, but they cannot have blanket data retention, at least not legally, because the CJEU has ruled that it is illegal under EU law. The European Commission is the “guardian of the Treaties”, but appears unwilling to start infringement proceedings against Member States even if it is “monitoring” them. Legal action at the national level against data retention laws is, of course, a potential way out of the stalemate. Litigation is currently being pursued in some Member States, and in the past has been successful in a number of Member States.

However, Member States are fighting for their blanket data retention regimes at other levels than ignoring the Tele2 judgment. One possibility is that the future ePrivacy Regulation will present a more “favourable” environment for data retention than the current ePrivacy Directive – something that the Council is actively working on. This could give Member States a “fresh start” on data retention since the CJEU would have to assess the national data retention laws against the new ePrivacy Regulation, but still interpreted in light of the (unchanged) Charter of Fundamental Rights. There is also the risk that the CJEU could revise its stance on data retention in some of the new cases that are pending before the Court (C-623/17 from UK, C-520/18 from Belgium, and C-511/18 and C-512/18 from France). The first question in C-520/18 is very similar to the first question in the Tele2 case, that is whether Article 15(1) of the ePrivacy Directive, read in the light of the Charter of Fundamental Rights, precludes a general obligation to retain traffic data for providers of electronic communications services. Member States would undoubtedly see this as an opportunity to “retry” the Digital Rights Ireland and Tele2 cases before the CJEU.

Data retention – state of play. Council document 14319/18 (23.11.2018)
http://data.consilium.europa.eu/doc/document/ST-14319-2018-INIT/en/pdf

EU Member States plan to ignore EU Court data retention rulings (29.11.2017)
https://edri.org/eu-member-states-plan-to-ignore-eu-court-data-retention-rulings

EU Member States fight to retain data retention in place despite CJEU rulings (02.05.2018)
https://edri.org/eu-member-states-fight-to-retain-data-retention-in-place-despite-cjeu-rulings

(Contribution by Jesper Lund, EDRi member IT-Pol, Denmark)

07 Nov 2018

NGOs urge Austrian Council Presidency to finalise e-Privacy reform

By Epicenter.works

EDRi member epicenter.works, together with 20 NGOs, is urging the Austrian Presidency of the Council of the European Union to take action towards ensuring the finalisation of the e-Privacy reform. The group, counting the biggest civil society organisations in Austria such as Amnesty International and two labour unions, demands in an open letter sent on 6 November 2018 an end to the apparently never-ending deliberations between the EU member states.

It is today 666 days since the European Commission launched its proposal. The e-Privacy regulation is an essential aspect for the future of Europe’s digital strategy and a necessity for the protection of modern democracies from ubiquitous surveillance networks. Echoing European citizens’ rightful demands for protections of their online privacy, the organisations ask the Austrian Presidency to lead the way into a new privacy era by concluding the e-Privacy dossier by 2019.

The letter comes in a context in which a parliamentary inquiry from the Austrian Social Democratic party tries to shed light on the lobby connections of the Austrian government regarding the hampering of secure communications for its citizens. Right now, the Austrian government’s position is closely aligned with the interests of internet giants like Facebook and Google, big telecom companies and the advertisement industry.

The Austrian government has recently fast-tracked negotiations on the controversial e-evidence proposal, which would weaken the rule of law and foster further surveillance of citizens’ online behaviour. This is a stark contrast to the meager effort Austrian representatives put into negotiations around legislative proposals that aim to protect the fundamental right to privacy – a topic missing from the Austrian Council Presidency agenda.

In order to ensure that e-Privacy laws will not be used as an excuse for the establishment of new repressive instruments, epicenter.works demands a clear commitment to the prohibition of data retention. Data retention has been found unconstitutional in different European countries, while epicenter.works was plaintiff in the 2014 proceedings of the European Court of Justice (ECJ) annulling the data retention directive. A circumvention of the ECJ’s ban through the e-Privacy regulation could expose EU citizens to indiscriminate mass-surveillance and severely undermine trust in EU institutions.

Open Letter sent to Austrian Government (in German only, 06.11.2018)
https://epicenter.works/content/offener-brief-wir-brauchen-eprivacy

Parliamentary inquiry from the Austrian Social Democratic Party (in German only, 29.10.2018)
https://www.parlament.gv.at/PAKT/VHG/XXVI/J/J_02174/index.shtml

Council continues limbo dance with the ePrivacy standards (24.10.2018)
https://edri.org/council-continues-limbo-dance-with-the-eprivacy-standards/

ePrivacy: Public benefit or private surveillance? (24.10.2018)
https://edri.org/eprivacy-public-benefit-or-private-surveillance/

ECJ: Data retention directive contravenes European law (09.04.2014)
https://edri.org/ecj-data-retention-directive-contravenes-european-law/

(Contribution by Thomas Lohninger, EDRi member epicenter.works)

24 Oct 2018

CJEU introduces new criteria for law enforcement to access data

By IT-Pol and EDRi

On 2 October 2018, the Court of Justice of the European Union (CJEU) delivered a new ruling in the “Ministerio Fiscal” case on access to data retained by electronic communications service providers under the scope of the ePrivacy Directive.

While investigating the robbery and theft of a mobile phone, the Spanish police asked an investigating magistrate to order various providers of electronic communications services to disclose the telephone numbers that had been activated during a twelve-day period with the International Mobile Equipment Identity (IMEI) code of the stolen mobile device, as well as the names and addresses of the subscribers for the SIM cards used for this activation. The request was denied by the magistrate on grounds that the criminal offence did not fulfill the requirements for serious offences in the Spanish Law 25/2007 on the retention of data relating to electronic communications and to public communication networks. On appeal by the prosecutor, a Spanish court referred the case to the CJEU.

The CJEU ruled that access to retained data for the purpose of determining the owners of the SIM cards used for activation of a mobile device entails an interference with the owners’ fundamental rights to privacy and personal data protection. However, the CJEU clarified that if the purpose for accessing the retained data is solely to obtain the subscriber identity, Article 15(1) of ePrivacy Directive allows restrictions of the rights provided for by the Directive for the prevention, investigation, detection, and prosecution of criminal offences – not just serious criminal offences.

What is interesting about this ruling is that in its previous Tele2/Watson judgment, the CJEU had ruled that access to the retained data is limited to cases involving serious crime. To reconcile the two rulings, the CJEU explains that this is because the objective pursued by the access must be proportionate to the seriousness of the interference with the fundamental rights that the access entails. The Tele2 case is concerned with access to retained data which, taken as a whole, allows precise conclusions to be drawn regarding the private lives of the persons concerned. Such access constitutes a serious interference with fundamental rights and can be justified only by the objective of fighting serious crime. If, however, the access to retained data is a non-serious interference, as in the present case involving access to the subscriber’s identity, access can be justified by the objective of fighting criminal offences generally.

The question that immediately comes to mind is whether this new case in any way departs from the strict conditions for access to retained data set forth in the Tele2/Watson judgment, and, in particular, whether the Ministerio Fiscal case waters down some of these conditions, thus allowing for access to retained data by law enforcement authorities in a greater number of scenarios.

First and foremost, it is important to note that the overlap between the two judgments is fairly small since they are concerned with very different questions:

The object of the Tele2/Watson case is the retention of data which, taken as a whole, is liable to allow very precise conclusions to be drawn concerning the private lives of the persons whose data has been retained (first part of the judgment) and access to such data retained by electronic communications service providers (second part).

In contrast, the Ministerio Fiscal case is concerned with the presumably very narrow situation where accessing data does not constitute a serious interference. This includes obtaining a subscriber identity. However, the CJEU confirms that access to retained data which reveals the date, time, duration and recipients of the communications, or the locations where the communications took place, must be regarded as a serious interference since that data allows precise conclusions to be drawn about the private lives of the persons concerned (cf. paragraph 60 of the ruling). In these situations, access to the retained data must be limited to cases involving serious crimes, as in the Tele2 case.

There is, however, one scenario where the new judgment may add some confusion to the interpretation of the Tele2 judgment. According to paragraphs 108-111 of the Tele2 judgment, targeted data retention requirements for the purpose of fighting serious crime are compatible with EU law (unlike general and undifferentiated data retention which is illegal under EU law). Moreover, it would be natural to read paragraph 115 of the Tele2 judgment as always limiting the access to such retained data to cases involving serious crime because the targeted data retention requirement in itself constitutes a serious interference with fundamental rights that can only be justified by the objective of fighting serious crime. Allowing access to the retained data in cases not involving serious crime would arguably undermine the purpose limitation at the retention stage.

The CJEU did not define what can constitute a serious crime. Similarly, the Ministerio Fiscal ruling does not clearly refer to why the data was retained in the first place or whether that should affect the conditions for access to the retained data.

Because there is no apparent connection to why the data is retained, the CJEU now seems to say in paragraphs 54-61 of the Ministerio Fiscal ruling that if access is only sought to minor parts of the retained data, for example only for the purpose of obtaining the subscriber identity, accessing that data does not constitute a serious interference, even if the data is only available in the first place because of a (targeted) data retention order that can only be justified by the objective of fighting serious crime. This situation could arise in practice if the data retention order includes all data items in the (annulled) Data Retention Directive for a targeted group of persons, but access to the retained data is only requested for the purpose of determining the identity of a subscriber who has been assigned a specific dynamic IP address.

Leaving aside this potential weakening of the strict Tele2 conditions for access to retained data, there are three main positive aspects of the new judgment from a digital rights perspective:

  1. The judgment clarifies that traffic data under the ePrivacy Directive includes the subscriber name and the IMEI address of the mobile device (cf. paragraphs 40-42). This implies that access to such data falls within the scope and safeguards of the ePrivacy Directive, and that the ePrivacy Directive cannot be circumvented by attempts to expand the definition of subscriber data.
  2. The judgment notes in paragraph 51 with reference to the Court’s Opinion on the EU-Canada Passenger Name Records (PNR) agreement that access to any retained data, including subscriber identity, constitutes an interference with the fundamental right to the protection of personal data. Therefore, the CJEU requires substantive and procedural conditions based on objective criteria for the access to the retained PNR data, and the access must be subject to prior review by a court or an independent administrative body. In the Ministerio Fiscal case, the CJEU was not asked to consider substantive and procedural conditions for access. Nonetheless, paragraph 51 of the judgment has potential implications for other parts of EU law, most notably the proposed e-Evidence Regulation, which allows for access to not just subscriber data, but also so-called access data (data necessary to identify the user of a service) for all criminal offences and without any requirements of prior review by a court (a prosecutor’s approval can be sufficient) or an independent administrative body.
  3. In paragraphs 34-37 of the Ministerio Fiscal judgment, the CJEU reiterates what it said in the Tele2/Watson judgment – that national legislation permitting access by competent authorities to personal data retained by electronic communications service providers cannot be regarded as activities of the state that fall outside the scope of Article 15(1) of the ePrivacy Regulation, since the access by competent authorities necessarily presupposes processing of personal data by the electronic communications service providers.

CJEU judgment in case C-207/16 Ministerio Fiscal (02.10.2018)
http://curia.europa.eu/juris/document/document.jsf?docid=206332&mode=req&pageIndex=1&dir=&occ=first&part=1&text=&doclang=EN&cid=252986

CJEU judgment in joined Cases C‑203/15 and C‑698/15 (Tele2/Watson)
http://curia.europa.eu/juris/document/document.jsf?text=&docid=186492&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&cid=2525180

(Contribution by Jesper Lund, IT-Pol, Denmark, and Maryant Fernández Pérez, EDRi)

26 Sep 2018

UK counter-terrorism law would restrict freedom of expression

By Guest author

Freedom of expression campaigners, human rights groups and legal experts are raising concerns that proposed new counter-terrorism legislation in the United Kingdom would restrict freedom of expression and limit access to information online.

The UK Parliament is currently considering the Counter-Terrorism and Border Security Bill, which could become law within a few months. The government aims to build on existing laws to fill gaps and close perceived loopholes. However, in doing so, the bill goes very far, including restricting online activity, which undermines fundamental rights to freedom of expression.

For example, the bill would make it a crime to view online content that is likely to be useful for terrorism, even if you have no terrorist intent (and even if you are watching over someone else’s shoulder). The crime would carry a prison sentence of up to 15 years. It would make the work of investigative journalists and academic researchers difficult and risky – as mistakenly landing on an offending page could have major consequences. The first version of this clause required a person to access the wrong content three times, but the government has amended this to become a “one-click rule” rather than the original “three-click rule”.

The bill would criminalise publishing (for example, posting on social media) a picture or video clip of clothes or a flag in a way that raises “reasonable suspicion” that the person doing it is a member or supporter of a terrorist organisation. Parliament’s Joint Committee on Human Rights recommended that this clause be withdrawn or amended because it “risks a huge swathe of publications being caught, including historical images and journalistic articles” and because of its potentially very wide reach and interference with Article 10 of the European Convention on Human Rights. The government has not taken this recommendation into account.

United Nations special rapporteur Professor Fionnuala Ní Aoláin has expressed concerns that the proposed clause “runs the risk of criminalizing a broad range of legitimate behaviour, including reporting by journalists, civil society organizations or human rights activists as well as academic and other research activity”. She has expressed concerns about several parts of the bill and emphasised that it should be brought in line with the UK’s obligations under international human rights law.

EDRi member Index on Censorship believes that the bill is not fit for purpose and should go back to the drawing board. It would significantly impact freedom of expression online, damage journalism and academic research, and signal the wrong direction for future online regulation in the UK.

Counter-Terrorism and Border Security Bill 2017-19
https://services.parliament.uk/Bills/2017-19/counterterrorismandbordersecurity.html

“Reckless” counter-terror bill a threat to academic research (17.09.2018)
https://www.indexoncensorship.org/2018/09/reckless-counter-terror-bill-a-threat-to-academic-research/

Joint Committee on Human Rights Legislative Scrutiny: Counter-Terrorism and Border Security Bill – Ninth Report of Session 2017–19
https://publications.parliament.uk/pa/jt201719/jtselect/jtrights/1208/1208.pdf

Mandate of the Special Rapporteur on the promotion and protection of human rights and fundamental freedoms while countering terrorism (17.07.2018)
https://www.ohchr.org/Documents/Issues/Terrorism/SR/OL-GBR-7-2018.pdf

Counter-Terrorism and Border Security Bill not fit for purpose (10.09.2018)
https://www.indexoncensorship.org/2018/09/counter-terrorism-and-border-security-bill-not-fit-for-purpose/

(Contribution by Joy Hyvarinen, EDRi observer Index on Censorship, the United Kingdom)

11 Jul 2018

Danish High Court ruling on data retention use and file sharing cases

By IT-Pol

On 7 May 2018, the Eastern High Court in Denmark delivered a ruling that internet service providers (ISPs) are not required to disclose subscriber information in file sharing cases. This represents a major change of the previous legal practice in Denmark, where rightsholders were routinely granted access to subscriber information for alleged file sharers, even if the identification required access to retained data from mandatory data retention.

Two Danish law firms have specialised in legal action against file sharers in cooperation with the German file sharing monitoring company MaverickEye UG, which is well known from similar activities in other European countries. MaverickEye monitors BitTorrent file sharing networks and collects IP addresses of the participants in the BitTorrent swarm. In order to verify that the copyrighted work is made available from the IP address in question, a small piece of the file is downloaded using a modified BitTorrent client. For each copyrighted work, MaverickEye provides information about IP addresses and timestamps to the relevant rightsholders or, in most cases, the specialised law firms that represent them. The next step is to seek a court order requiring the ISPs to identify the actual subscribers that have used the IP addresses at the specific time. This is the critical step and legal practice varies among EU Member States.

If the subscriber names and addresses can be obtained from the ISPs, the law firm can either file a lawsuit demanding compensation for copyright infringement or send a letter to the subscriber with a proposed settlement for the case. The latter is generally the preferred option since lawsuits are expensive, and the alleged copyright infringement using BitTorrent is often limited to a single film or TV-series episode/season. In Denmark, the settlement offer from the law firm has typically been a payment of 200 to 300 euros for a single film. Only a handful of lawsuits have been filed with Danish courts, so most claims have either been settled or dropped if the subscriber denies having taken part in the alleged file sharing activity.

Based on Danish case law for three file sharing cases at the two High Courts around 2008, the subscriber does not automatically become legally responsible for file sharing from the IP address. The rightsholder must prove who has committed the file sharing act in order to obtain compensation. This burden of proof can be very difficult to meet if the subscriber for instance has an open WiFi network, has allowed guests to use his/her internet connection, or if there are several persons in the household. Most subscribers are probably not aware of this, so it is quite likely that many cases have been settled by paying the offered settlement amount of 200 to 300 euros.

The current wave of legal action started in 2014, and according to information from the recent High Court ruling of 7 May 2018, the two Danish law firms have obtained subscriber information for some 200,000 IP addresses. This shows the massive scale of the monitoring operation of file sharing networks by MaverickEye. Access to subscriber information for a large number of IP addresses has also been reported in Sweden by TorrentFreak, incidentally involving the same Danish law firm as the present case.

Each court application for subscriber identification consists of a large number of IP addresses, for example 4000 IP addresses in the case ruled by the High Court on 7 May 2018. Because of the Danish data retention law, ISPs hold information about assignment of dynamic IP addresses for 12 months, so there is no urgent need for the law firm to quickly seek a court order for subscriber identification when information about the file sharing activity has been received from MaverickEye. A large batch of IP addresses from the same ISP can be collected before seeking the court order for subscriber identification from that ISP.

Until recently, this assembly-line strategy by the two law firms to send letters to alleged file sharers did not meet any legal challenges. In most cases, Danish ISPs do not object to a court application for subscriber information, and there is no court hearing for the application. The sole purpose of the court order, which is granted without any objections, is to provide a legal basis for the ISP to disclose the personal data (subscriber information) to the rightsholder.

However, between 2016 and 2017 the large Danish ISPs finally changed their response strategy and started to object to the court applications for subscriber information. Besides the administrative cost of handling the large number of requests for subscriber information and the increasing news media reporting of ISP customers complaining about file sharing allegations based on information obtained by law firms from their own ISP, the Tele2 data retention judgment (joined cases C-203/15 and C-698/15) of the Court of Justice of the European Union (CJEU) also played a major role.

According to the Tele2 judgment, general and undifferentiated (blanket) data retention is illegal under EU law. Moreover, access to the retained data, whether from (illegal) blanket data retention or targeted data retention, must be limited to what is strictly necessary. For criminal offences, the Tele2 judgment specifically states that access can only be granted for serious crime. Paragraph 115 of the Tele2 judgment does not completely rule out that access to the retained data can be granted for civil claims, as there is an indirect reference to the Promusicae case C-275/06. However, when access to the retained data for criminal offences is strictly limited to serious crime, it does not seem to be proportionate to grant access to the retained data in civil proceedings involving only a minor copyright infringement, such as file sharing of a single film or TV series.

In a case involving Telenor and TeliaSonera, the District Court of Frederiksberg considered the data protection issues (noting that it was unclear whether this had been done in previous cases), but followed the established practice of ruling in favour of the rightsholder on 24 October 2017, that is ordering the disclosure of subscriber information. The ISPs appealed the court decision to the Eastern High Court. The ruling from the High Court on 7 May 2018, which reverses the ruling from the District Court and blocks disclosure of the subscriber information, is mainly based on an interpretation of the e-Privacy Directive 2002/58/EU and case law of the CJEU in Tele2, Promusicae and Bonnier C-461/10.

The e-Privacy Directive imposes an obligation of confidentiality on ISPs with respect to the subscribers’ use of the internet. ISPs must delete traffic data, such as assignment of dynamic IP addresses, when it is no longer needed for the purpose of the transmission of a communication. According to statements to the High Court given by Telenor, TeliaSonera and a third ISP not involved in the case (TDC), information about assignment of dynamic IP addresses to individual subscribers is retained for at most 3-4 weeks for operational purposes. Therefore, the necessary information is only available in a special system for law enforcement access because of the Danish data retention law which has a mandatory 12-month retention period.

The High Court then considers the case law of Promusicae and Bonnier, and notes that the e-Privacy Directive does not preclude national legislation which requires disclosure of subscriber information in civil proceedings on copyright infringement, but that it must be possible to consider the opposing interests in an application for disclosure.

In the present case, the High Court finds that there are compelling reasons against disclosure. The information needed to identify the subscribers is only available because of the data retention obligation, and the sole purpose of the data retention provisions is to enable the police to obtain access to retained data for the purpose of investigation and prosecution of criminal offences. The Court is aware that the civil claims cannot be pursued without access to subscriber information, and that it is likely that there has been a substantial copyright infringement. After balancing the opposing interests, the Court finds that this does not outweigh the confidentiality of communication for the subscribers under the e-Privacy Directive. Therefore, the request for disclosure of subscriber information is denied. The decisive factor in the High Court ruling is the Danish data retention law which limits access to the retained data for the purpose of investigation and prosecution of criminal offences.

Read more:

Denmark: Our data retention law is illegal, but we keep it for now, EDRi (08.03.2017)
https://edri.org/denmark-our-data-retention-law-is-illegal-but-we-keep-it-for-now/

ISPs Win Landmark Case to Protect Privacy of Alleged Pirates, TorrentFreak (08.05.2018)
https://torrentfreak.com/isps-win-landmark-case-protect-privacy-alleged-pirates-180508

Copyright Trolls Hit Thousands of Swedish ‘Pirates’ With $550 ‘Fines’ (23.10.2017)
https://torrentfreak.com/copyright-trolls-hit-thousands-of-swedish-pirates-with-550-fines-171023/

(Contribution by Jesper Lund, IT-Pol, EDRi member, Denmark)
