ECJ finds Data Retention Directive invalid. What next?

On 8 April 2014 the European Court of Justice ruled that the Data Retention Directive 2006/24/EC interferes in a particularly serious manner with the fundamental rights to respect for private life and to the protection of personal data. The Directive is declared invalid. Today’s post by Sylvie Rousseau and Matthias Vierstraete explains what the court decided and the implications for national laws across Europe.

A. The Directive

Directive 2006/24/EC strives for harmonization of the Member States’ national legislations providing for the retention of data by providers of publicly available electronic communications services or of a public communications network for the prevention, investigation, detection and prosecution of criminal offences. The initial intention was that service and network providers would be freed from legal and technical differences between national provisions.

The Directive and national laws implementing the Directive were often criticized. The main argument being that massive data retention was said to endanger the right to privacy. The advocates of the rules, however, argued that these rules were necessary for authorities to investigate and prosecute organized crime and terrorism.

B. The Court of Justice

By way of preliminary rulings referred to the Court of Justice of the European Union, the Irish High Court and the Austrian Constitutional Court asked the Court of Justice to examine the validity of the Directive, in particular in the light of two fundamental rights under the Charter of Fundamental Rights of the EU, namely the fundamental right to respect for private life and the fundamental right to the protection of personal data.

Analysis of the data to be retained
The Court of Justice examined the data which providers must retain pursuant to the Directive. This data includes data necessary to trace and identify the source of a communication and its destination, to identify the date, time, duration and type of a communication, to identify the location of mobile equipment, the name and address of the user, the number called, IP addresses, etc. The Court observes that the retention of this data makes it possible to know the identity of the participants in communications, to identify the time of the communication, the place from where the communication took place and the frequency of communications with certain persons (§26).

This data, according to the Court, allows very precise conclusions to be drawn concerning the private lives of the persons whose data has been retained, such as habits of everyday life, places of residence, movements, social relationships and social environments frequented.

Analysis of the interference with fundamental rights
The Court comes to the conclusion that both requiring the retention of the data and allowing competent national authorities to access those data constitutes in itself interference with the fundamental right to respect for private life and with the fundamental right to the protection of personal data (respectively articles 7 and 8 of the Charter of Fundamental Rights of the European Union) (§ 32 – 36).

The Court agrees with the Advocate General when it states that the interference is “particularly serious”. The Court in this respect holds that “the fact that data are retained and subsequently used without the subscriber or registered user being informed is likely to generate in the minds of the person concerned the feeling that their private lives are the subject of constant surveillance” (§37).

According to the Court, this interference is not only serious but also unjustified. Although the retention of data as required by the Directive does not as such adversely affect the essence of the rights to respect for private life and to the protection of personal data (the content of communications as such may not be reviewed), and although the Directive genuinely satisfies an objective of general interest (public security), the Court holds that the Directive has exceeded the limits imposed by the principle of proportionality (§69):

  • The Directive covers all persons and all means of electronic communications as well as all traffic data without any differentiation, limitation or exception being made in the light of the objective of fighting serious crime (§57);
  • The Directive fails to lay down any objective criterion by which to determine the limits of the access of the competent national authorities to the data and their subsequent use (§60);
  • The data retention period is set at between a minimum of 6 months and a maximum of 24 months without any distinction being made between categories of data, and without stating that the determination of the period must be based on objective criteria (§63 – 64);
  • The Directive does not provide for sufficient safeguards to ensure effective protection of the data against the risk of abuse and against unlawful access and use (§66);
  • The Directive does not require the data to be retained within the EU and thus does not meet the Charter’s requirement that control of compliance by an independent authority is ensured.

The Court of Justice thus declares the Directive invalid.

C. What’s next?

Following the Court’s invalidation of the Directive, one could wonder how this will affect European legislation and national legislation.

Europe
The invalidity ruled by the Court applies from the day on which the Directive entered into force. It is as if the Directive had never existed.

The European Commission stated in a first reaction that it “will now carefully assess the verdict and its impacts”. It is not clear whether the Commission will draft new legislation replacing the invalidated Directive. Taking into account the fact that the current Commission’s term only runs until 31 October 2014, new legislation is not expected to be put forward soon.

Member States
Member States having transposed the Directive into national laws may now consider the future of these laws.

Where national law is a literal transposition of the now invalidated Directive, the national law meets the same fate. One may consider that in such a situation Member States should redraft their laws in order to bring them in line with the relevant Directives (95/46/EC and 2002/58/EC) and the Charter of Fundamental Rights of the European Union.

If national law deviates from the Directive, Member States should assess whether the deviations are in line with the relevant Directives (95/46/EC and 2002/58/EC) and the Charter of Fundamental Rights of the European Union.

The Court of Justice’s ruling may also have an impact on national cases concerning the legality of national laws implementing the Directive, as there are several cases pending before the constitutional courts.

  • Austria and Ireland: the ruling of the European Court of Justice obviously stems from these two countries, following their constitutional courts’ requests for a preliminary ruling on the validity of Directive 2006/24/EC;
  • Belgium: On 24 February 2014, the Belgian “Liga voor Mensenrechten” and “Ligue des droits de l’Homme” together filed a complaint before the constitutional court in order to obtain cancellation of the Belgian law implementing the Directive. The complaint was funded through crowdfunding. Following the Court of Justice’s ruling, some political parties already asked government to take the necessary steps and to amend the current legislation;
  • Bulgaria: In 2008, the Bulgarian Constitutional Court found part of the national law incompatible with the right to privacy;
  • France: In 2006, the French Constitutional Court ruled that French law provisions similar to those provided for in the Directive are not contrary to the constitution. However, in December 2013, the French data protection authority (CNIL) reacted vigorously against a new law enabling certain ministries, including the French secret services, to access data retained by telecommunications operators, internet and hosting service providers, without prior approval from a judge. On that occasion, the CNIL called for a national debate on surveillance issues, which could be influenced by the recent ECJ ruling;
  • Germany: The German Constitutional Court already declared the German implementing act unconstitutional in 2010;
  • Romania: In 2009, the Romanian Constitutional Court declared the national law on data retention unconstitutional as breaching, among others, the right to privacy and the secrecy of correspondence;
  • Slovakia: In 2012, a complaint was filed before the constitutional court in order to assess the conformity with the constitution;
  • Spain: The Directive was implemented into national laws in 2007. The Spanish data protection authority (AEPD) had voiced its reservations about the Directive and requested the Government to accompany the implementation of these rules with measures curtailing the impact on data subjects’ privacy;
  • Sweden: In May 2013, Sweden was ordered to pay the European Commission 3 million EUR because it had failed in its obligation to implement the Directive in time;
  • United Kingdom: As yet there has been no official comment from the UK government or the Information Commissioner on the ruling of the Court of Justice. Controversial 2012 proposals for a Communications Data Bill to overhaul and significantly extend the UK’s data retention obligations were already in the political long grass – and the Court of Justice’s ruling means they are likely to stay there as we understand it.

Advocate General Pedro Cruz Villalón issues damning opinion on the Data Retention Directive

Last week (12/12/2013), a serious blow was dealt to one of the fundamental building blocks establishing the legal framework for retention of data for law enforcement across Europe. Advocate General Pedro Cruz Villalón (AG) at the Court of Justice of the European Union (ECJ) delivered an opinion stating that the Data Retention Directive (DRD) is, as a whole, incompatible with the individual’s right to privacy in the Charter of Fundamental Rights of the European Union. The opinion has potentially profound implications for law enforcement agencies and for service providers subject to the retention requirements across Europe. The opinion is here.

Today’s post is courtesy of guest blogger @matthew1hunter.

Background

The DRD requires Member States to implement laws requiring telephone or electronic communications service providers to collect and retain traffic data, location data and the related data necessary to identify the subscriber or user of the services “in order to ensure that the data is available for the purposes of the investigation, detection and prosecution of serious crime” (Article 1(1) of the DRD). Providers are not required to collect and retain content data, i.e. the content itself communicated by subscribers or users of the services. Member States are required to ensure that the data is held for periods of not less than six months and not more than two years from the date of the communication. Only competent national authorities are to be permitted access to the data. For more information about data retention requirements, go here.

Key takeaway for service providers

Service providers should watch this space and keep their own compliance programmes under review. For service providers wrestling with retention requirements, the opinion means that doubt will remain about the correct way to build a compliance programme. If the ECJ agrees with the AG, new legislation would need to be developed, though the practical impact on service providers with respect to the types of data to be collected and any reduction in retention periods is unclear.

What did the AG say?

- The AG considers that the purposes of the DRD are legitimate.

- However, the AG is concerned that the retained data will include a lot of information about an individual’s private life and identity. There is a risk that the data may be used for unlawful purposes. The risk may be greater because the data is not retained or controlled by the competent national authorities but by the providers, and the providers do not have to retain the data within the relevant Member States.

- The AG said that the DRD does not provide minimum guarantees for access to the data and its use by the competent national authorities. (i) A more precise definition of “serious crime” would help to define when competent authorities are able to access the data. (ii) Access should be limited to judicial authorities or independent authorities. Any other access requests should be subject to review by judicial authorities or independent authorities so that access is limited to only the data that is strictly necessary. (iii) Member States should be allowed to prevent access to data in certain circumstances, e.g. to protect individuals’ medical confidentiality. (iv) Authorities should be required to delete the data once used for the relevant purposes. (v) Authorities should be required to notify individuals of the access, at least after the event when there is no risk that the purpose for accessing the data would be compromised.

- Finally, the AG said that he could not find sufficient justification for not limiting the data retention period to one year or less.

What does this all mean?

- For now the existing requirements remain but may be subject to review. The AG’s opinion is not binding on the ECJ or indeed on any Member State. Nevertheless, the opinion carries weight and in many cases the ECJ has gone on to follow opinions delivered by the AG. The Judges of the ECJ are still deliberating and judgment will be given at a later date.

- The AG also proposed that the effects of declaring the DRD invalid should be postponed, so that, even if the ECJ agrees with the AG, the ECJ could allow the EU legislature a reasonable period to adopt remedying measures, so that the DRD is no longer incompatible with the Charter of Fundamental Rights.


Insight to China, India and Japan’s communications markets from Ofcom report

Ofcom this week published its most recent report comparing the UK’s communications (telecoms, TV, radio, web and post) market with those of 16 other countries, including China, India and Japan. Whilst Ofcom’s press releases have focused on the comparatively good performance of the UK (which oddly enough seems to reflect well on the UK regulator – Ofcom), the report also contains some useful insight into three of Asia’s biggest economies: China, India and Japan.

Some of the interesting snippets of information from the report include:

  • Mobile take up continued to exceed population size across all comparator countries with the exception of China. However, in China the number of mobile connections per 100 people more than doubled in the last five years, up from 40 to 83.
  • Smartphone ownership is now commonplace among comparator countries. Excluding Japan, which has a very high take up of advanced featurephones not readily available in other countries, the US was the only country to report a smartphone take-up level of less than 50% in our online survey. The majority of respondents in all other countries reported that they now use a smartphone.
  • Global TV revenues increased in 2012, by 4.1% year on year, to £252bn, driven by an increase in both subscription and net advertising revenues (up 4.4% and 4.6% respectively). Despite the challenging economic conditions, global TV revenues have increased by 4.4% on a compound annual basis over the four years since 2008. As in 2011, the BRIC countries – Brazil, Russia, India and China – experienced the largest year-on-year growth, with their joint revenues increasing by £4bn, or 12.4%, in 2012, to £37bn.
  • Japan had the second highest spend, at £7.50 per head, on mobile advertising.

The table below (reproduced from the Ofcom report) summarises key statistics by market: [Ofcom summary table]


Singapore launches new cloud security standard

Singapore’s Infocomm Development Authority (IDA) has launched a new cloud security standard: Multi-Tier Cloud Security (MTCS) Standard For Singapore (SS 584). The IDA explains that the objective of the standard is: “to provide businesses with greater clarity on the levels of security offered by different cloud service providers (CSPs).”

Objectives

The IDA’s fact sheet explains that: [Customer clarity is achieved] “through third-party certification and a self-disclosure requirement for CSPs covering service-oriented information normally captured in Service Level Agreements.”

Self-disclosure requirement

The disclosure covers areas generally addressed through contractual service levels including:

  • data retention;
  • data sovereignty;
  • data portability;
  • liability;
  • availability;
  • BCP/DR;
  • incident and problem management.

Tiered Security Levels

The standard defines three tiers of security, with tier 1 being the base level and tier 3 being the most stringent:

  • Tier 1: Designed for non-business critical data and system, with baseline security controls to address security risks and threats in potentially low impact information systems using cloud services (e.g.: Web site hosting public information)
  • Tier 2: Designed to address the need of most organizations running business critical data and systems through a set of more stringent security controls to address security risks and threats in potentially moderate impact information systems using cloud services to protect business and personal information (e.g.: Confidential business data, email, CRM – customer relation management systems)
  • Tier 3: Designed for regulated organizations with specific requirements and more stringent security requirements. Industry specific regulations may be applied in addition to these controls to supplement and address security risks and threats in high impact information systems using cloud services (e.g.: Highly confidential business data, financial records, medical records).

Certification bodies

The five certification bodies are the British Standards Institution, Certification International Pte Ltd, DNV Business Assurance, SGS International Certification and TUV SUD PSB Certification.

Cross-certification

The IDA explains that it will work to cross-certify the MTCS SS with other international standards or certification schemes, such as the International Organization for Standardization (ISO) 27001 Information Security Management System (ISMS) standard and the Cloud Security Alliance (CSA) Open Certification Framework (OCF).

Commentary

In the wake of increasing global concern about data security, this initiative by Singapore is in line with its policy to promote Singapore as a data hub and is welcome. However, the small size of the Singapore domestic market and continued suspicion of cloud solutions by other regulatory bodies (notably the Monetary Authority of Singapore) means that this may have limited market impact without engagement by a wider range of regulators.

Meanwhile, across the ASEAN region, current policy winds are increasingly blowing towards requiring data (especially financial data) either to be kept out of the cloud or to be kept in national clouds. To continue the weather metaphor, on the bright side it is possible that, if and when it is concluded, some provisions of the Trans-Pacific Partnership (TPP) may roll back some of the more nationalistic requirements currently in force or being considered.


Singapore’s final data protection guidelines adopt business-friendly approach

On September 24, Singapore’s Personal Data Protection Commission published its final advisory guidelines on how the country’s Personal Data Protection Act 2012, which governs the collection, use, and disclosure of personal data, will be interpreted and applied.

As expected, these adopt a business friendly approach. For more details see my post on ZDNet’s Legal Tech blog here.
