privacy

The right to privacy is a crucial element of our personal security, for free speech and for democratic participation. It is a fundamental right in the primary law of the European Union and is recognised in numerous international legal instruments. Digital technologies have generated a new environment of potential benefits and threats to this fundamental right. As a result, defending our right to privacy is at the centre of EDRi’s priorities.

07 Mar 2018

Czech BBA for Ministry of Industry and Trade for data retention

By Iuridicum Remedium

The winners of the 13th edition of the Czech Big Brother Awards were announced on 15 February 2018 in Prague. The awards are intended to draw public attention to privacy issues and related alarming trends. The Big Brother Awards are based on a concept created by EDRi member Privacy International. In the Czech Republic, the contest has been organised by EDRi member Iuridicum Remedium (IuRE) since 2005.

An eight-member jury comprising experts on new technologies, lawyers, human rights defenders and journalists chose the winners from forty nominations sent in by the general public. The awards in four different categories went to the Ministry of Industry and Trade, Member of the Parliament (MP) Jiří Běhounek, Equa bank, and the Office of the Government. The non-profit organisation Open Whisper Systems won the positive award, named after Edward Snowden.

The award for the biggest privacy intruder in the long-term perspective went to the Ministry of Industry and Trade – the Ministry in charge of the Electronic Communications Act, which contains the data retention legislation. That legislation obliges providers of electronic communication services to collect metadata and store it for six months for the needs of the police and other authorities. Such data is very sensitive, as it reveals who was involved in a communication as well as the whereabouts of the users of communication services. The Court of Justice of the European Union (CJEU) has already twice identified such data collection as unacceptable and unconstitutional. In addition, statistics show that this massive collection of data results neither in a decrease in the number of crimes committed nor in an increase in cases successfully solved by the police. Moreover, as is often the case, this measure is most likely to hit everyone but the intended group of people – individuals involved in organised crime know how to avoid it. “The jury decided to award the Ministry for its inactivity in a situation where fundamental rights of all citizens are being undermined,” said Jan Vobořil, executive director of IuRe.


The award for the biggest business privacy intruder went to Equa bank for forcing its clients to agree to provide the so-called TelcoScore, which is based on data from mobile phone operators. A typical use of TelcoScore is to verify the client’s credibility. The bank requests it from a telecoms company that provides such information. The score is calculated from 60 different data points that the operator holds about the client. Although clients are asked to agree to this procedure, in practice they cannot avoid it. This trend is dangerous, as it leads to a situation where clients will have no option but to agree. “The score is calculated based on unrelated data, such as the client’s whereabouts, mobile phone use, number of journeys abroad, frequency of exchanging the telephone, and so on. This can mean that in the future our actions can have unexpected impacts in other unrelated areas of life – and this could lead to permanent stress, conformism, and self-censorship,” explained Vobořil. All three of the biggest mobile phone operators present on the Czech market currently sell customer data in this way.

The award for the biggest administrative privacy intruder went to MP Jiří Běhounek for his proposal for an amendment to the Act on Health Services that introduced unrestricted access to electronic healthcare documentation. As part of the Electronic Identification Act, it passed through the legislative process. It establishes a so-called National Contact Point, through which broad access to electronic medical documentation, including access from abroad, is to be facilitated. Alarmingly, there are no limits to this, nor does the legislative text mention whether the patient can influence which data is shared and how.

Last but not least, the positive award named after Edward Snowden goes to Open Whisper Systems, which developed the Signal application for encrypted mobile communication. Signal is an encrypted messenger designed primarily for mobile platforms (Android, iOS) for text and voice messaging. It can encrypt text messages, pictures as well as phone calls. Signal is now generally regarded as the most secure communication platform in terms of encryption. It has two major advantages. The communication is end-to-end encrypted, which means that only the end users themselves have access to its content. The second advantage is that Signal is an open source application, meaning everyone can check what happens with the data.

Czech Big Brother Awards
https://bigbrotherawards.cz/

(Contribution by Jan Vobořil, EDRi member Iuridicum Remedium – IuRE, Czech Republic)

07 Mar 2018

Data retention “reflection process”: Council working documents

By Statewatch

A number of “working documents” discussed as part of the Council of the EU’s “reflection process” on the mandatory retention of telecommunications data have been released following an access to documents request submitted to the Council by EDRi member Statewatch.


The documents provide an insight into some of the issues that have been discussed by Member States’ representatives and EU agencies who, since March 2017, have participated in a sub-group of the Council’s Working Party on Information Exchange and Data Protection (DAPIX) to “facilitate a common reflection process at EU level on data retention in light of the recent judgments of the Court of Justice of the European Union”.

The documents include overviews of the legal framework for telecommunications data retention in the Member States, a presentation from Europol on the possibility of introducing a new measure on “targeted data retention”, and proposals for using the forthcoming ePrivacy Regulation to make possible some form of data retention.

It can be observed that the use of working documents does not serve the interests of transparency, as they are not automatically listed in the Council’s register of documents and will likely only become available to the public through dedicated requests or leaks.

Statewatch requested access to all minutes/“outcome of proceedings” produced by the Council working group “DAPIX (Friends of Presidency) – Data retention” and all working papers/non-papers/other documentation submitted to that working group. Some documents were released in full, others were released in censored form, while others could not be released at all, according to the reasoning given by the Council’s transparency department.

Working documents produced and discussed during the Council’s “reflection process” on data retention:

1. Europol Study on the data retention regime applying in the EU Member States (WK 3570/2017 INIT, LIMITE, 4 April 2017, pdf):
http://www.statewatch.org/news/2018/feb/eu-council-data-retention-europol-study-laws-wk-3570-17.pdf

2. European Judicial Cybercrime Network (EJCN) on the effects of the CJEU judgement (WK 3596/2017 INIT, LIMITE, 4 April 2017, pdf):
http://www.statewatch.org/news/2018/feb/eu-council-data-retention-ejcn-questionnaire-wk-3596-17.pdf

3. Data Retention – State of play in the Member States (WK 5206/17, LIMITE, 8 May 2017, pdf):
http://www.statewatch.org/news/2018/feb/eu-council-data-retention-state-of-play-ms-wk-5206-17.pdf

4. A submission from Europol that has been censored: Data categories to be retained for law enforcement purposes (WK 5380/2017 INIT, LIMITE, 11 May 2017, pdf):
http://www.statewatch.org/news/2018/feb/eu-council-data-retention-europol-data-to-be-retained-wk-5380-17-censored.pdf

5. Not a working document, but not previously published: Note from the Presidency: Targeted data retention – Exchange of views (9558/17, LIMITE, 23 May 2017, pdf):
http://www.statewatch.org/news/2018/feb/eu-council-data-retention-targeted-9558-17.pdf

6. Censored document from the Council Presidency: Ensuring the availability of data for the purposes of prevention and prosecution of crime = Presentation of options and exchange of views (WK 9380/17 INIT, LIMITE, 12 September 2017, pdf):
http://www.statewatch.org/news/2018/feb/eu-council-data-retention-availability-of-data-wk-9380-17-censored.pdf

7. Europol: Proportionate data retention for law enforcement purposes (WK 9957/2017 INIT, LIMITE, 21 September 2017, pdf):
http://www.statewatch.org/news/2018/feb/eu-council-data-retention-europol-presentation-targeted-data-ret-wk-9957-17.pdf

8. Censored document from the Presidency: Availability of data and issues related to data retention – elements relevant in the context of e-Privacy = Exchange of views (WK 11127/2017 INIT, LIMITE, 10 October 2017, pdf):
http://www.statewatch.org/news/2018/feb/eu-council-data-retention-eprivacy-reg-context-wk-11127-17.pdf

This is a shortened version of an article originally published by EDRi member Statewatch :
http://www.statewatch.org/news/2018/feb/eu-drd-reflection-docs.htm

(Contribution by EDRi member Statewatch, the United Kingdom)

22 Feb 2018

In the making: The largest internet filter Europe has ever seen

By EDRi

European policy makers are working on the largest internet filter we’ve ever seen. That might sound a tad dramatic, but it’s really not an overstatement. If the proposal is accepted, websites such as Soundcloud, eBay, Facebook and Flickr will be forced to filter everything you want to upload. An algorithm will be the boss over which of your uploads will be seen by the rest of the world and which won’t.

Why haven’t I heard about this before?

This internet filter is tucked away in a proposal for new European copyright regulation. Internet filters can’t and shouldn’t be used to regulate copyright. They don’t work. But there’s a much bigger problem: once it’s installed, the internet filter can -and will- be used for a myriad of other purposes. We bet you anything that policy makers are gleefully awaiting the internet filter in order to use it in their latest battle, be it fake news, terrorism or undesirable political opinions.

Main issues

There are a lot of reasons not to want an internet filter. These are the three most important ones:

  1. It’s an attack on your freedom of expression. You will have to get permission to speak.
  2. Filters like these tend to make lots of mistakes and it will be up to you to fight them. (Spoiler alert: you can’t.)
  3. Platforms will be incentivised to avoid risk – at the cost of your freedom.

What can you do?

The following weeks are crucial. Tweet or e-mail your representatives who are part of the JURI committee. On 20-21 June they will be deciding on the upload filter. Use the hashtag #CensorshipMachine or #filterfail and let your representatives know you’re against the internet filter (Article 13)! You can find the Members of the European Parliament (MEPs) relevant to you here:

We’ve written some tweets to inspire you, but feel free to compose your own!

  • .@MEP Stand up for our freedom of expression online. Please oppose the #censorshipmachine in the #copyright Directive proposal.
  • .@MEP Stand up for our privacy online. Please oppose the #censorshipmachine in the #copyright Directive proposal.
  • .@MEP Show that you care about culture and free speech: oppose the #censorshipmachine in the #copyright Directive proposal.
  • .@MEP Internet filters don’t work. Please delete article 13 of the #copyright Directive proposal! #filterfail

We already tweeted at MEPs in their own language, check it out.
https://edri.org/lets-stop-the-censorship-machine/

29 Jan 2018

EDRi-gram – 15 years of digital rights news (and counting)

By EDRi

15 years ago this day, on 29 January 2003, we published our very first EDRi-gram. To celebrate this occasion, we are looking back at the articles in this first newsletter.

If you are feeling nostalgic, you can read the original EDRi-gram Number 1 here:
http://history.edri.org/edrigram/number1

A lot has changed, a lot stays the same.


Copyright Directive

Implementing the European Copyright Directive
(Click the link to read the original article)

In 2003, we had just escaped one of the biggest threats to the internet in Europe, the so-called “web caching ban”. Copyright fundamentalists tried to ban the incidental copies made by networks, unless they were separately authorised.

In 2018, we are facing one of the biggest threats to the internet in Europe. Copyright fundamentalists are trying to force everything uploaded to the internet to be subject to prior authorisation and/or upload filtering by internet hosting services.


Data retention

Rally Members European Parliament against data retention
(Click the link to read the original article)

In 2003, we were at the start of a long campaign by certain EU Member States to impose mandatory data retention, using the proposed ePrivacy Directive as a tool to achieve this goal.

In 2018, and despite two European Court rulings rejecting mandatory data retention, we are faced with a campaign from certain EU Member States to impose mandatory data retention, using the proposed ePrivacy Regulation as a tool to achieve this goal.


Software patents

New patent law on software threatens innovation
(Click the link to read the original article)

In 2003, European activists were faced by a massive, lobby-driven, well-financed attempt to impose software patents in Europe. The proposal was ultimately rejected, in one of the most unlikely of all “David and Goliath” successes of European activists.


Entitlement cards

Update: United Kingdom
(Click the link to read the original article)

In 2003, the UK government was trying to impose national ID cards through the back door via a national public service “entitlement” card.

In 2018, the Irish government is trying to impose national ID cards via a (“mandatory but not obligatory”) national public service entitlement card.


German censorship

Action against governmental censorship in Germany
(Click the link to read the original article)

In 2003, the German authorities were pushing censorship through the demonstrably ineffective use of blocking by internet access providers.

In 2018, the German authorities are pushing censorship through the coercion of internet services to delete content more quickly.


Recommended reading

“The Human Rights Network in Moscow has just released a very useful online report about online privacy in Russia. According to the introduction fundamental human rights and freedoms – freedom of speech, freedom of information, privacy – are apparently unprotected on the Net. While Russian Internet is growing these rights and freedoms suffer from frequent and widespread invasion.”

In 2003, our recommended reading was a study about online restrictions in Russia:
https://web.archive.org/web/20030506121238/http://www.hro.org:80/docs/reps/privacy/2002/eng/index.htm

In 2018, the story continues:
https://www.hrw.org/news/2017/08/01/russia-new-legislation-attacks-internet-anonymity


Oh no! Did you miss the 363 previous editions of the EDRi-gram? No worries, you can read all of them here and here.

And it’s of course never too late to subscribe to our newsletter!

10 Jan 2018

Proposal to revoke data retention filed with the Czech Court

By Iuridicum Remedium

On 20 December 2017, EDRi member Iuridicum Remedium (IuRe) filed a request with the Constitutional Court of the Czech Republic to revoke the Czech data retention related legislation.


The filing of the request was achieved in close cooperation with the Czech Pirate Party, whose 22 deputies were for the first time elected to the Chamber of Deputies of the Czech Parliament in October 2017. Apart from the Czech Pirate Party, the proposal also won the support of Members of the Parliament across five other parties represented in the Chamber of Deputies. Altogether, 58 signatures were gathered.

The proposal was also prepared thanks to funding granted by the Digital Rights Fund. It builds on a similar, successful proposal filed by IuRe with the Constitutional Court of the Czech Republic in 2011. In 2012, a new data retention system was adopted that implemented the EU Data Retention Directive in force at that time. The recent proposal aims at revoking this new law.

The proposal challenges, in particular, the Electronic Communication Act, the Police Act and the Criminal Procedure Act, as well as the implementing legislation which defines the range of data to be kept. Currently, traffic and location data on electronic communications are stored for six months. Apart from the police and other law enforcement bodies, intelligence agencies, as well as the Czech National Bank, may use the data. According to the Czech Telecommunication Office, for example, mobile phone data were requested in over 470 000 cases in 2016 alone.

The complaint to the court considers the principle of general and indiscriminate data collection a fundamental problem. It relies on two key decisions made by the Court of Justice of the European Union (CJEU) – in the cases Digital Rights Ireland and Watson/Tele2. In both cases, this measure was rejected. The proposal also explains that Czech and German statistical data demonstrate that the absence of data retention affected neither the level of criminality nor the number of criminal cases solved. The proposal further suggests revoking selected sections of the Police Act that allow data to be requested without court permission, and revoking selected parts of the Code of Criminal Procedure that do not sufficiently limit data requests to serious crimes only.

Based on IuRe’s experience from 2011, the decision of the Constitutional Court of the Czech Republic can be expected in approximately one year’s time.

IuRe and Pirate party send complaint on general surveillance of citizens to the Constitutional Court (only in Czech, 20. 12. 2017)
http://www.iure.org/15/pirati-iure-podali-navrh-na-zruseni-plosneho-sledovani-obcanu-ustavnimu-soudu-cr

Czech Republic: Data retention – almost back in business (01.08.2012)
https://edri.org/edrigramnumber10-15czech-republic-new-data-retention-law/

Czech Constitutional Court rejects data retention legislation (06.04.2011)
https://edri.org/edrigramnumber9-7czech-data-retention-decision/

Czech Parliament – close in implementing data retention directive (04.06.2008)
https://edri.org/edrigramnumber6-11czech-data-retention/

European fund for digital rights launched (08.02.2017)
https://edri.org/european-fund-for-digital-rights-launched/

(Contribution by Jan Vobořil, EDRi member Iuridicum Remedium, Czech Republic)

29 Nov 2017

EU Member States plan to ignore EU Court data retention rulings

By IT-Pol

Documents made publicly available through EDRi member Statewatch reveal that EU Member States are exploring all possible options to keep, and in fact expand, their current data retention regimes. The general plan is based on a new concept of “restricted data retention”, which is really blanket data retention with a new name, along with amendments to the draft e-Privacy Regulation to facilitate blanket data retention. Member States are considering whether these new elements should be introduced through an EU instrument or through national law in each Member State.

On 15 September 2017, the EU Counter-Terrorism Coordinator (EU CTC) submitted a new data retention proposal to Member States. The proposal was discussed at a meeting of the Working Party on Information Exchange and Data Protection (DAPIX) Friends of the Presidency (FoP) on 18 September 2017. A partial report of the discussions at the DAPIX FoP meeting can be found in Council document 13845/17.


The judgement of 21 December 2016 by the Court of Justice of the European Union (CJEU) in the Tele2 case (joined cases C-203/15 and C-698/15) concerned the national data retention laws that are still in place after the annulment of the Data Retention Directive in 2014. The EU CTC notes that data retention cannot be “general and indiscriminate retention of all traffic and location data of all subscribers and registered users relating to all means of electronic communication” since this would violate paragraph 134 of the Tele2 judgement. In the Tele2 judgement (paragraphs 108-111), the CJEU outlines a targeted data retention regime which does not include every subscriber.

The EU CTC, considering input received from Member States, makes it clear that he is not at all interested in targeted data retention. Instead, the EU CTC proposes the concept of “restricted data retention” on the basis that it is necessary to fight terrorism and serious crime, including cyber attacks. This measure has to be limited to the strictly necessary and be based on objective evidence. However, according to the EU CTC, the measure can cover the entire population, even though this is quite obviously blanket data retention.

The justification for this is claimed to be paragraph 106 of Tele2, which states that data retention must be restricted to (i) particular time periods and/or geographical areas and/or a group of persons likely to be involved, in one way or another, in a serious crime or (ii) persons who could, for other reasons, contribute, through their data being retained, to fighting crime. In essence, the EU CTC argues that the entire population, perhaps with an opt-out for persons bound by a legal obligation of professional secrecy (such as lawyers, journalists and doctors), could fall under the second category, “persons who could, for other reasons, contribute, through their data being retained, to fighting crime”.

While deliberately covering the entire population, the EU CTC emphasises that other aspects of the data retention measure must be limited to what is absolutely necessary. What this means is not clear from the proposal, but it could include some differentiation with respect to categories of data and service providers. Minor operators, such as WiFi access points at pizza restaurants, could be excluded since that data “may potentially not be indispensable for retention”, as the EU CTC carefully notes. As far as the purpose limitation is concerned, there is nothing novel about the reinvention of restricted data retention. The annulled Data Retention Directive also limited data retention to the purpose of investigation, detection and prosecution of serious crime.

The critical aspect of restricted data retention is obviously that the entire population is covered. The EU CTC argues that this can meet the necessity test. However, the CJEU has ruled twice that a data retention measure which covers all subscribers exceeds the limits of what is strictly necessary. Referring to the entire population as “persons who could, for other reasons, contribute, through their data being retained, to fighting crime” clearly fails to satisfy the requirement of objective criteria that establish a connection between the personal data to be retained and the objective pursued. The CJEU has referred to this principle several times, most recently in paragraph 191 of opinion 1/15 on the EU-Canada PNR agreement. Moreover, paragraph 110 of the Tele2 judgment specifically says that “conditions must be shown to be such as actually to circumscribe, in practice, the extent of that measure and, thus, the public affected.”

The DAPIX FoP meeting report mentions that, while the CJEU rules out general data retention, it “does not solely permits” (sic) targeted data retention (which appears to mean that data retention that is not forbidden by the ruling may be permitted). Therefore, there are other legally possible regimes for non-general data retention. This is undoubtedly true, but largely irrelevant. Since the proposed unrestricted yet “restricted” data retention covers the entire population, it cannot possibly be classified as non-general data retention. The DAPIX FoP report refers to the proposed concept as “restricted data retention and targeted access”, but the Tele2 judgment makes it very clear that safeguards and limitations at the access stage are not sufficient and cannot justify blanket (general) data retention.

The proposal from the EU CTC contains some general comments about the data categories (communication services) to be retained. It is claimed that approaches in some Member States show that a number of data categories are indeed not necessary (and, by implication, illegal).

The new focus on cyber attacks, where data retention is claimed to be key for attribution and investigation, could easily lead to more retention of internet traffic data, in particular, perhaps even internet connection records as in the UK Investigatory Powers Act (information about every internet packet, including all destination IP-addresses). Moreover, Europol has recently complained about the unavailability of data from internet service providers that use Carrier Grade network address translation (CG-NAT) since a large number of subscribers may share the same IP address. Data retention requirements to address the technical limitations caused by CG-NAT would, in most cases, substantially increase the amount of data collected. The DAPIX FoP report describes a matrix with categories of data to be retained, for example content data, traffic data, location data, and subscribers’ data. Except for content data (where generalised data retention would, incidentally, not respect the essence of the fundamental rights), this is simply the list of data categories in the annulled Data Retention Directive and the current data retention laws in Member States. In summary, the proposal of the EU CTC could easily lead to more data being retained per subscriber, despite the claim that a “peeling off” approach is taken to limit the data categories.
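The CG-NAT point above can be made concrete with a small model, added here as an illustration and not part of the original article or of any Europol or Council document. It assumes constructed subscriber names, a documentation IP address (203.0.113.10, RFC 5737) and invented timestamps; it shows why a traditional "who held this IP when" record no longer attributes a connection behind CG-NAT, and how many more per-connection records a provider would have to retain to make attribution possible.

```python
"""Toy model of attribution and retention volume behind Carrier-Grade NAT (CG-NAT).

Constructed example: three subscribers share one public IPv4 address. A
traditional retention record (which subscriber held which IP, and when) no
longer identifies one person; only per-connection port mappings do, and there
are far more of those to retain.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    """Traditional record: subscriber held public_ip from start to end (seconds)."""
    subscriber: str
    public_ip: str
    start: int
    end: int


@dataclass(frozen=True)
class PortMapping:
    """CG-NAT record: one translated connection (public_ip, public_port) of a subscriber."""
    subscriber: str
    public_ip: str
    public_port: int
    start: int
    end: int


# Constructed sample data; 203.0.113.10 is a documentation address (RFC 5737).
SESSIONS = [
    Session("sub-A", "203.0.113.10", 0, 3600),
    Session("sub-B", "203.0.113.10", 0, 3600),
    Session("sub-C", "203.0.113.10", 1800, 3600),
]

MAPPINGS = [
    PortMapping("sub-A", "203.0.113.10", 40000, 10, 120),
    PortMapping("sub-A", "203.0.113.10", 40001, 50, 900),
    PortMapping("sub-A", "203.0.113.10", 40002, 2000, 2100),
    PortMapping("sub-B", "203.0.113.10", 40003, 60, 200),
    PortMapping("sub-B", "203.0.113.10", 40004, 2500, 2600),
    PortMapping("sub-C", "203.0.113.10", 40005, 1900, 3000),
]


def _active(record, t):
    """True if the record's lifetime covers time t."""
    return record.start <= t <= record.end


def candidates_by_ip(sessions, public_ip, t):
    """Subscribers who could be behind public_ip at time t, using session records only.

    Behind CG-NAT this returns several names: the record cannot attribute
    a single connection to one subscriber.
    """
    return {s.subscriber for s in sessions if s.public_ip == public_ip and _active(s, t)}


def candidates_by_ip_and_port(mappings, public_ip, public_port, t):
    """Same question answered from per-connection NAT mappings.

    Attribution now needs the translated source port and a precise timestamp,
    which the party asking (a web service, a complainant) often does not hold.
    """
    return {
        m.subscriber
        for m in mappings
        if m.public_ip == public_ip and m.public_port == public_port and _active(m, t)
    }


def retention_growth(sessions, mappings):
    """How many records must be kept per traditional session record to make
    CG-NAT attribution possible (one record per translated connection)."""
    return len(mappings) / len(sessions)


if __name__ == "__main__":
    print("IP only, t=100:", candidates_by_ip(SESSIONS, "203.0.113.10", 100))
    print("IP+port 40003, t=100:", candidates_by_ip_and_port(MAPPINGS, "203.0.113.10", 40003, 100))
    print("records per session:", retention_growth(SESSIONS, MAPPINGS))
```

Real CG-NAT deployments allocate thousands of ports per subscriber, so the ratio in the last line grows with every short-lived connection, which is the retention-volume concern the paragraph raises.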

Data retained for business purposes, such as billing data, will be complementary to the data covered by the mandatory data retention regime. The EU CTC foresees that the new mandatory data retention regime will also cover over-the-top (OTT) service providers like Google and Facebook, and it is noted in the proposal that OTT operators collect much more data for business purposes than traditional telecommunications operators. In this connection, the EU CTC fails to mention (or, possibly, understand) that the proposed e-Privacy Regulation seeks to create a level playing field by subjecting all electronic communications service providers, whether OTT or telecommunications providers, to the same privacy rules.

The proposal from the EU CTC respects the strict access conditions set out in the second part of the Tele2 ruling. Access to retained data must be solely for the purpose of fighting terrorism and serious crime and must be subject to a prior court review. With the exception of terrorism cases, access can only be granted to data of individuals suspected of involvement in serious crime (Tele2 paragraph 119). The EU CTC also mentions pseudonymisation and encryption, and that this could facilitate searches of the retained encrypted data with decryption only on the basis of a warrant. The purpose of this is not entirely clear, since the retained data, as the general rule, can only be accessed with a prior court review for a specific person. It could perhaps mean that searches of encrypted or pseudonymised data are not intended to count as access to the retained data, and that such searches can be used to find persons of interest who can then, under certain substantive conditions, be depseudonymised subject to a court review. If data on specific persons could only be accessed after a prior court review, there would not really be a need for encrypted searches. Encryption is, of course, a useful security measure for the stored data, but that is an entirely different issue.

In the final part of the proposal, the EU CTC considers the role of the draft e-Privacy Regulation in relation to restricted data retention. The EU CTC notes that the Tele2 judgment is stricter than the annulment of the Data Retention Directive since Article 15(1) of the e-Privacy Directive makes data retention an exception to the main rule of erasure once the communication is completed. The EU CTC hypothesises that the draft e-Privacy Regulation could be amended to make blanket data retention easier. According to the EU CTC, it should be considered to allow storage of communications data in Article 7 of the draft e-Privacy Regulation if legally required to assist governments to fight serious crime and terrorism. However, a provision of this type would still be a restriction on the fundamental rights to privacy and data protection of subscribers, and the restriction would have to satisfy the conditions of Article 52(1) of the Charter of Fundamental Rights. This would not necessarily be different from the current situation with Article 15(1) of the e-Privacy Directive or Article 11 of the draft e-Privacy Regulation.

Working document on contributions to the discussion on data retention, EU Counter-Terrorism Coordinator, WK 9699/2017 INIT, LIMITE (15.09.2017)
http://www.statewatch.org/news/2017/nov/eu-council-ctc-working-paper-data-retention-possibilities-wk-9699-17.pdf

Retention of communication data for the purpose of prevention and prosecution of crime, Council document 13845/17, LIMITE (30.10.2017)
http://www.statewatch.org/news/2017/nov/eu-council-data-retention-legal-aspects-13845-17.pdf

Carrier-Grade Network Address Translation (CGN) and the Going Dark Problem, Council document 5127/17, LIMITE (16.01.2017)
http://www.statewatch.org/news/2017/jan/eu-europol-cgn-tech-going-dark-data-retention-note-5127-17.pdf

(Contribution by Jesper Lund, EDRi member IT-Pol, Denmark)

29 Nov 2017

Eurojust: No progress to comply with CJEU data retention judgements

By IT-Pol

A recently published Eurojust report on data retention in Europe confirms that EU Member States have failed to make meaningful progress towards complying with fundamental rights standards, as clarified by the two Court of Justice of the European Union (CJEU) rulings banning blanket data retention.


The CJEU has delivered two rulings on mandatory data retention of traffic and location data (metadata) for electronic communications services. In the Digital Rights Ireland judgement of 8 April 2014 (joined cases C-293/12 and C-594/12), the Data Retention Directive 2006/24/EU was declared invalid. This was followed by the Tele2 judgement of 21 December 2016 (joined cases C-203/15 and C-698/15), where the CJEU ruled that Article 15(1) of the e-Privacy Directive, read in the light of the Charter of Fundamental Rights of the European Union, precludes national laws which require general and indiscriminate retention of metadata (blanket data retention). Only targeted data retention is allowed under EU law.

A month after the Tele2 ruling, the Council Legal Service sent an analysis of the judgement to Member States, where it concluded that ”a general and indiscriminate retention obligation for crime prevention and other security reasons would no more be possible at national level than it is at EU level, since it would violate just as much the fundamental requirements as demonstrated by the Court’s insistence in two judgements delivered in Grand Chamber”. This was a clear message to Member States who had hitherto claimed that the annulment of the Data Retention Directive in April 2014 did not affect their national data retention laws. When the analysis of the Legal Service was released to the public on 27 March 2017 (Council document 5884/17), the paragraph containing this critical sentence was redacted.

Despite the clear judgement in the Tele2 case, blanket data retention laws are still in place in most Member States. EDRi member Privacy International surveyed 21 national data retention laws and examined their compliance with fundamental rights standards. None of the 21 laws are currently in compliance with these standards, as interpreted by the CJEU judgements in Digital Rights Ireland and Tele2.

This conclusion is confirmed by a recent Eurojust report ”Data retention regimes in Europe in light of the CJEU ruling of 21 December 2016 in Joined Cases C-203/15 and C-698/15” (Council document 10098/17, LIMITE) which was made publicly available by EDRi member Statewatch on 20 November 2017. The Eurojust report covers 25 EU Member States (as well as Norway and Switzerland), and is based on a detailed questionnaire sent to members of the European Judicial Cybercrime Network (EJCN) in March 2017.

According to the survey, five Member States (Austria, the Netherlands, Romania, Slovenia and Slovakia) do not currently have mandatory data retention, as their previous laws were invalidated by constitutional or high courts in accordance with the CJEU judgement on the Data Retention Directive. For the remaining Member States that responded to the survey, the Eurojust report concludes that “none of the countries have national legislation that obliges the targeted retention of data linked to specific persons or geographical locations”. In other words, their national data retention laws cover all subscribers, which is illegal under EU law.

Some respondents indicated that “they considered that their data retention regime is targeted by virtue of the limitations set with regard to retention periods and/or reason for the data retention”. However, this notion of “targeted” is rejected by the Eurojust report, as it is clearly not in line with the standards of the Tele2 judgement.

For access to the retained data, the majority of respondents state that a judicial review is required before access is granted. The replies also state that access is granted depending on the seriousness of the crime being investigated. The Eurojust questionnaire does not ask the respondents whether access to the retained data, as a general rule, can only be granted to “data of individuals suspected of planning, committing or having committed a serious crime or of being implicated in one way or another in such a crime”. This is a requirement in the Tele2 judgement (paragraph 119), except in terrorism cases.

Respondents of the Eurojust survey were also asked about the impact of the CJEU judgement in relation to the admissibility of evidence in court. Five countries reported on court rulings where the admissibility of evidence from data retention was evaluated by the court. So far the evidence has been deemed admissible by courts, although one of the five cases (in Ireland) is still pending on appeal. This part of the Eurojust report shows a clear concern that evidence obtained from illegal data retention could one day be ruled inadmissible by courts.

The legal uncertainty regarding the admissibility of evidence obtained from data retention is by no means surprising. Unless Member States quickly amend their data retention laws to bring them into compliance with the CJEU standards, it is reasonable to expect that there will be more challenges to the admissibility of the evidence. Even if national courts generally allow illegally obtained evidence in specific cases, the courts may eventually rule differently when prosecutors consistently submit evidence that is only available because of illegal data retention laws. The fundamental right to a fair trial may certainly be questioned if the state systematically relies on evidence that is obtained in violation of established human rights standards.

Finally, the Eurojust survey asks about initiatives at the national level to change the data retention legislation. In ten Member States, a review or assessment of the legislation is ongoing, and three Member States are in the process of drafting amendments. The Eurojust report also outlines the substantive legal changes being planned or considered by Member States. Most of these seem concerned with access to the retained data, such as limiting access to serious crime only. This would address a narrow reading of the 2014 Digital Rights Ireland ruling, whereby blanket data retention may be understood as theoretically possible if sufficient safeguards for access are put in place. With the 2016 Tele2 ruling that interpretation is clearly rejected by the CJEU. Only one Member State (Austria) specifically mentions the introduction of targeted data retention and quick freeze.

Informal remarks of the respondents show a clear preference for blanket data retention with arguments that it is impossible to determine in advance the individuals who will commit crimes and thus the data that needs to be retained. There are also claims that storing data indiscriminately for all citizens is more acceptable since the alternative, targeting specific persons or particular geographical locations, could result in criminal investigations that are considered discriminatory. Some respondents also indicated that the necessary balance is already guaranteed by the limitations placed on access to the retained data.

The last argument is particularly odd since the CJEU has clearly ruled in Tele2 that restrictions on access to the retained data are not sufficient. The retention of data must also meet objective criteria that establish a connection between the data to be retained and the objective pursued. In particular, such conditions must ensure that data is not retained on everyone (Tele2 paragraph 110). However, this does not mean that “the individuals who will commit crimes must be determined in advance”. The CJEU rulings in Digital Rights Ireland and Tele2 only require objective evidence to identify a public whose data is likely to reveal a link, at least an indirect one, with serious criminal offences (Tele2 paragraph 111).

There is also the possibility of retaining data on specific persons or a group of persons at an early stage of an investigation based on evidence or intelligence which does not currently meet the substantive requirements for access to metadata. If the police gathers further evidence to substantiate the suspicion for the person of interest and can make a reasoned request for access to data, retained metadata from the past of the suspected person will become available to the police. However, it will not be possible to “look into the past” of every possible citizen since this will require retention of data on everyone. The CJEU has ruled twice that this practice of mass surveillance is illegal.

Eurojust Report: Data retention regimes in Europe in light of the CJEU ruling of 21 December 2016 in Joined Cases C-203/15 and C-698/15, Council document 10098/17, LIMITE
http://statewatch.org/news/2017/nov/eu-eurojust-data-retention-MS-report-10098-17.pdf

Information note from the Council Legal Service on the judgement of the Court in joined cases C-203/15 and C-698/15, Council document 5884/17, unredacted version (01.02.2017)
https://netzpolitik.org/wp-upload/2017/05/rat_eu_legal_service_vds_20170201.pdf

National Data Retention Laws since the CJEU’s Tele-2/Watson judgement, Privacy International (06.09.2017)
https://privacyinternational.org/node/1511

(Contribution by Jesper Lund, EDRi member IT-Pol, Denmark)

29 Nov 2017

Italy extends data retention to six years

By Hermes Center

On 8 November 2017, the Italian Parliament approved a Regulation on data retention that allows telecommunication operators to save telephone and internet data for up to six years.


The Italian Coalition for Civil Liberties and Rights (CILD) and EDRi observer member Hermes Center for Transparency and Digital Human Rights published their statement criticising the lack of scrutiny and meaningful debate about the Regulation prior to its approval. They also stated that the measure is to the detriment of the privacy of citizens, and could have extremely serious consequences for all of us. The two organisations have been voicing concerns since July 2017, when the provision was inserted into a transposition law following a European Council Directive 2014/33/EU on the “safety of lifts”.

In particular, the Regulation is in unequivocal breach of the case law of the Court of Justice of the European Union and results in a clear conflict of law with current Italian privacy regulations, as pointed out by the president of the Italian Data Protection Authority Antonello Soro in October 2017.

Also, on 13 November, the European Data Protection Supervisor Giovanni Buttarelli commented that the newly approved Italian Regulation definitively fails to respect the European approach to data retention.

It seems inevitable that the law will be challenged in court.

Our phone and web data will be stored for 6 years: what about our rights? (12.11.2017)
https://cild.eu/en/2017/11/12/phone-web-data-will-stored-6-years-rights/

Court of Justice of the European Union: The Members States may not impose a general obligation to retain data on providers of electronic communications services (21.12.2016)
https://curia.europa.eu/jcms/upload/docs/application/pdf/2016-12/cp160145en.pdf

European Data Protection Supervisor: “EU is the leader in data protection” (only in Italian, 13.11.2017)
http://www.lastampa.it/2017/11/13/esteri/garante-privacy-ue-sulla-protezione-dei-dati-leuropa-leader-edTINi7G4UzW0KvDtM6emL/pagina.html

‘6 years data retention, Court of Justice of EU may cancel it’. Interview with Prof. Filippo Benelli on likely CJEU action (only in Italian, 09.11.2017)
https://www.key4biz.it/data-retention-6-anni-corte-giustizia-ue-annullarla-intervista-filippo-benelli-universita-macerata/204732/

Metadata of phone and internet traffic: must be stored for 6 years (only in Italian, 08.11.2017)
http://www.repubblica.it/tecnologia/sicurezza/2017/11/08/news/dati_traffico_telefonico_e_telematico_dovranno_essere_conservati_per_6_anni-180604974/

(Contribution by Antonella Napolitano, the Italian Coalition for Civil Liberties and Rights CILD, and Fabio Pietrosanti, Hermes Center for Transparency and Digital Human Rights, Italy)

20 Sep 2017

Should video-sharing platforms be part of the AVMSD?

By Maryant Fernández Pérez

The Audiovisual Media Services Directive (AVMSD) is currently being reformed. After going through several legislative stages, the AVMSD is now being negotiated in trilogues, that is, informal, secret negotiations between the European Parliament (representing citizens) and the Council (representing EU Member States), facilitated by the European Commission (representing EU interests). As part of the negotiations, a key question will have to be addressed: should some or all video-sharing platforms be covered by the AVMSD and, if so, how?

On the one hand, there are demands for holding video-sharing platforms like YouTube responsible for content (including legal content) that is published on their sites or apps because of the impact online content has on the public debate and our democracies. On the other hand, these platforms are not producing or publishing content, but only hosting it. The AVMSD covering platforms that are so radically different from those that the Regulation was originally created to regulate – cross-border satellite TV services – would not make sense, as EDRi’s position paper, published on 14 September 2017, argues.


Video-sharing platforms, and social media generally, are not traditional media. While their activities influence (and even manipulate) the population, regulating video-sharing platforms as traditional media is not the solution to undesired impacts on our societies. When two services – linear broadcasting of editorially-controlled content and non-linear hosting of content produced by others – are significantly different, achieving a level playing field through a “one-fits-all” approach is not always possible. The consequences of getting it wrong can have a damaging effect on freedom of expression, competition, the fight against illegal material online and the protection of children in the online environment. At the Council meeting, seven Member States made unusually impassioned pleas to reject the proposed approach, mainly on grounds of freedom of expression. For these reasons, the deletion of the provisions that extend the scope of the AVMSD would be the most rational option, as the EDRi’s position paper suggests.

Failing deletion, EDRi recommends clarifying the definitions of “video-sharing platforms” and “user-generated content”. In addition, EDRi’s position paper asks for more legal certainty when companies are asked to take action, in order to avoid abuses, ensure predictability and defend freedom of expression. For instance, some proposals on the table in the trilogue negotiations ask video-sharing platforms to restrict incitement to hatred based on political opinions or “any other opinions”. Asking platforms to delete hate speech based on “any other opinions” is likely to lead to arbitrary restrictions, and affect how we express ourselves online. Another reason to be cautious is that certain provisions would ask these companies to have a “self-regulatory” role in the “moral” development of children. Do we really want companies to decide what is good for the “moral” development of our kids?

Fighting against illegal hate speech, terrorism and child abuse is very important. However, asking companies to decide what should be acceptable or not in our society is worrisome. Numerous examples demonstrate that content is being restricted on video-sharing and social media platforms without accountability or real redress. Creating a situation where video-sharing platforms are forced to regulate more of our communications and give themselves more leeway to decide on what content we can access or not, regardless of what the law deems to be illegal, will not be beneficial for the EU.

EDRi position on AVMSD trilogue negotiations (14.09.2017)
https://edri.org/files/AVMSD/edriposition_trilogues_20170914.pdf

ENDitorial: AVMSD – the “legislation without friends” Directive? (14.06.2017)
https://edri.org/avmsd-the-legislation-without-friends-directive/

Audiovisual Media Services Directive reform: Document pool
https://edri.org/avmsd-reform-document-pool/

(Contribution by Maryant Fernández Pérez, EDRi)

06 Sep 2017

Denmark: Targeted ANPR data retention turned into mass surveillance

By IT-Pol

Since mid-2016, Denmark has had a nationwide automatic number plate recognition (ANPR) system with stationary cameras at 24 locations and mobile cameras mounted on 48 police cars. The ANPR system is currently being integrated with POL-INTEL, the new Danish system for intelligence-led policing (predictive policing), which is supplied by Palantir Technologies. Expansion of the ANPR system with more cameras can be expected in the coming years.

Preparations for the ANPR system started in 2014. Besides the public tender and subsequent deployment of the ANPR equipment, a legal framework for using ANPR was also put in place. The Ministry of Justice decided in 2015 that it was sufficient to lay down rules for processing ANPR information in an administrative order. This meant that surveillance with ANPR was introduced in Denmark without ever being debated in the Parliament.


The legal framework for ANPR makes a distinction between hits and no-hits when a number plate of a vehicle is scanned by the ANPR equipment. Hits are number plates on the police hotlist – that is vehicles which are wanted by the police for reasons ranging from unpaid insurance, mandatory inspections skipped by the owner, vehicles reported stolen, to suspected involvement in criminal activities. Vehicles registered in the Schengen Information System (under Council Decision 2007/533/JHA) by other EU Member States for discreet checks (Article 36) or sought for purposes of seizure (Article 38) can also be put on the hotlist. No-hits are number plates with no match on the hotlist.

The ANPR system is designed to serve a dual purpose. If a police car with mobile ANPR equipment encounters a vehicle on the hotlist, the police officers get a signal from the ANPR device, so that they can decide whether to pursue the vehicle or not. This part of the ANPR system is actively promoted by the Minister of Justice and the Danish National Police as a huge help for police officers on the road. The second purpose of the ANPR system, which is rarely mentioned in public by the same authorities, is the passive retention of number plates encountered by either mobile ANPR in police cars or the stationary ANPR cameras. The location, timestamp, and a picture of the vehicle, which may include the driver and passengers, are also stored in the central ANPR database.

Retention periods for ANPR hits range from three months to two years, depending on the reason for being on the hotlist. If a vehicle is on the hotlist because of unpaid insurance or skipped mandatory inspections, the mobile ANPR equipment can be used to stop the vehicle and confiscate the number plates. Retention of location information in cases like this is neither necessary nor proportionate since any further processing of the ANPR data will be totally unrelated to the reasons for putting the vehicle on the hotlist.

However, the main controversy has been around the retention of no-hits, that is vehicles that are not even wanted for minor offences such as driving without insurance. The original plan of the Danish National Police was to retain all no-hits for 30 days and use this information for backward-looking investigations, such as using data mining (profiling) to determine persons of interest based on their proximity to the time and place where a crime was committed. The Danish Data Protection Agency (DPA) objected to the proposal to retain all ANPR no-hits. In an Opinion of 17 March 2015, the DPA concluded that blanket retention of all no-hits was not legal, and that retention of no-hits could only be done under certain conditions, for example in connection with targeted surveillance at the border.

Due to the opinion of the Danish DPA, the ANPR administrative order of December 2015 provides that no-hits can be retained for up to 30 days only if the no-hit is registered in connection with a targeted police operation, which must be limited in time and geographic area. These conditions bear some resemblance to paragraph 59 of the judgment on the Data Retention Directive (joined cases C-293/12 and C-594/12) by the Court of Justice of the European Union (CJEU) in April 2014. Accordingly, only targeted data retention, and not blanket data retention, is allowed for the Danish ANPR system. Unfortunately, the administrative order does not give any guidance as to how a limited time period and a limited geographic area should be interpreted, except that this will be specified in internal guidelines by the Danish National Police.

During the summer of 2017, it was revealed through freedom of information (FOI) requests that most no-hits were actually retained in the ANPR system. Specifically, the Danish National Police decided in November 2016 that all 24 locations with stationary ANPR cameras are part of targeted police operations running until the end of 2017. This decision paved the way for retaining all no-hits from the stationary ANPR cameras for 30 days. No-hits from the mobile ANPR equipment are not covered by this decision, and hence not necessarily retained on a general basis for 30 days, but the mobile cameras account for less than 10% of the scanned number plates.

The FOI request further revealed that 830 000 no-hits are retained every day, and that the ratio between retained no-hits and hits is 90:1. The Danish National Police has repeatedly denied FOI requests for documents showing the location of the stationary ANPR cameras, but since the cameras are very visible in the landscape, their location has been mapped by activists. The unofficial map at the website www.anpg.dk shows that roughly half of the ANPR cameras are placed at border crossings (all intra-Schengen borders), whereas the other half covers major traffic intersections. The map indicates a strategic positioning of the stationary ANPR cameras in areas where lots of vehicles are encountered every day.

In essence, the ANPR system has become a tool for mass surveillance since 99% of the retained number plates are not of any interest to the police when the location of the vehicle is stored in the central database. The justification for storing no-hits is subsequent processing for unknown purposes and that the data may be useful for the police. Moreover, the opinion of the Danish DPA, that no-hits can only be processed in the ANPR system under certain conditions rather than generally as the police wanted initially, and the targeted data retention regime prescribed by the ANPR administrative order, have been completely subverted by the decision of the Danish National Police to include all stationary ANPR cameras all the time in “targeted” police operations where no-hits can be retained for 30 days.
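The retention rules described above (hits kept for a period that depends on the hotlist reason, no-hits kept for 30 days only inside a police operation limited in time and geography, and otherwise not at all) are the kind of policy a privacy-by-design review would want enforced in code rather than in internal guidelines, and the November 2016 decision is exactly the failure mode such a review should detect: operations that are "targeted" on paper but cover every camera all the time. The following is an added example written for this article; it is not code from the Danish ANPR system, the Danish National Police or IT-Pol. The camera ids, operation names, timestamps and the per-reason retention table (the article only gives the three-month to two-year range for hits) are constructed placeholders.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional, FrozenSet, Iterable

# Constructed per-reason retention table for hits; the article gives only the
# three-month to two-year range, not which reason maps to which period.
HIT_RETENTION = {
    "unpaid_insurance": timedelta(days=90),
    "skipped_inspection": timedelta(days=90),
    "reported_stolen": timedelta(days=365),
    "criminal_investigation": timedelta(days=730),
}
# No-hits: 30 days, and only when the scan falls inside a targeted operation
# (the rule in the December 2015 administrative order).
NO_HIT_RETENTION = timedelta(days=30)


@dataclass(frozen=True)
class TargetedOperation:
    """A police operation limited in time and in geography (a set of cameras)."""
    name: str
    cameras: FrozenSet[str]
    start: datetime
    end: datetime

    def covers(self, camera_id: str, when: datetime) -> bool:
        return camera_id in self.cameras and self.start <= when <= self.end


@dataclass(frozen=True)
class Scan:
    """One number-plate read; hotlist_reason is None for a no-hit."""
    plate: str
    camera_id: str
    when: datetime
    hotlist_reason: Optional[str] = None


def retention_for(scan: Scan, operations: Iterable[TargetedOperation]) -> Optional[timedelta]:
    """Retention period for a scan, or None when it must not be stored at all."""
    if scan.hotlist_reason is not None:
        return HIT_RETENTION[scan.hotlist_reason]
    if any(op.covers(scan.camera_id, scan.when) for op in operations):
        return NO_HIT_RETENTION
    return None


def blanket_in_practice(operations, all_cameras, period_start, period_end) -> bool:
    """True when the declared 'targeted' operations, taken together, keep every
    camera inside some operation for the whole period: targeted on paper,
    blanket retention in effect."""
    for cam in all_cameras:
        covered_until = period_start
        for start, end in sorted((op.start, op.end) for op in operations if cam in op.cameras):
            if start > covered_until:
                break  # a gap in coverage for this camera
            covered_until = max(covered_until, end)
            if covered_until >= period_end:
                break
        if covered_until < period_end:
            return False
    return True


def demo() -> dict:
    """Constructed scans and operations; returns the decisions for inspection."""
    cams = frozenset({"CAM-01", "CAM-02", "CAM-03"})
    border_op = TargetedOperation("border_check", frozenset({"CAM-01"}),
                                  datetime(2017, 1, 1), datetime(2017, 1, 31))
    # The November 2016 decision as the article describes it: every stationary
    # camera placed in a "targeted" operation running to the end of 2017.
    all_cams_op = TargetedOperation("all_stationary", cams,
                                    datetime(2016, 11, 1), datetime(2017, 12, 31))
    t = datetime(2017, 1, 15, 8, 30)
    no_hit_in_op = Scan("AB12345", "CAM-01", t)
    no_hit_outside = Scan("CD67890", "CAM-02", t)
    stolen_hit = Scan("EF11111", "CAM-02", t, hotlist_reason="reported_stolen")
    year = (datetime(2017, 1, 1), datetime(2017, 12, 31))
    return {
        "no_hit_in_op_days": retention_for(no_hit_in_op, [border_op]).days,
        "no_hit_outside": retention_for(no_hit_outside, [border_op]),
        "stolen_hit_days": retention_for(stolen_hit, [border_op]).days,
        "targeted_is_blanket": blanket_in_practice([border_op], cams, *year),
        "all_cams_is_blanket": blanket_in_practice([all_cams_op], cams, *year),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The decision point is `retention_for`: a no-hit outside any operation returns `None`, so it is never written to the database rather than being stored and purged later. `blanket_in_practice` is the compliance check a data protection officer or auditor would run over the list of declared operations; with a single operation spanning all cameras for the whole period it returns `True`, which is the situation the FOI requests uncovered.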

After the story was reported in Danish news media, the police confirmed that all no-hits from the stationary ANPR cameras are retained. In a later interview with Dagbladet Information, the Danish National Police called the criticism misguided. The retention of no-hits is geographically limited to the locations where the police has decided to put up stationary ANPR cameras. Even though there are cameras throughout Denmark, as seen on the unofficial map, not every road in Denmark is covered by ANPR, and in that sense, only a limited geographic area is subject to surveillance. According to the police, the requirement of “a limited time period” is satisfied by putting an end date on the targeted police operation allowing no-hits to be retained. This end date can, however, be extended with a later decision by the police.

On 13 August 2017, EDRi member IT-Pol Denmark and Bitbureauet filed a complaint with the Danish DPA about the retention practices for ANPR no-hits. The complaint is currently being investigated by the DPA.

EDRi: New legal framework for predictive policing in Denmark (22.02.2017)
https://edri.org/new-legal-framework-for-predictive-policing-in-denmark/

EDRi: Denmark about to implement a nationwide ANPR system (02.07.2014)
https://edri.org/denmark-implement-nationwide-anpr-system/

Unofficial map with the location of Danish ANPR cameras
https://anpg.dk/

Danish car owners subject to extensive surveillance even though they are not suspected of anything, Dagbladet Information (only in Danish, 25.07.2017)
https://www.information.dk/indland/2017/07/danskere-bil-udsat-omfattende-overvaagning-politiet-mistaenkt

Complaint to the Danish Data Protection Agency about retention practices for ANPR no-hits (only in Danish, 13.08.2017)
https://itpol.dk/sites/itpol.dk/files/anpg-klage.pdf

(Contribution by Jesper Lund, EDRi member IT-Pol, Denmark)
