Goodbye from Watching the Connectives: hello from The Digital Watcher

Rob Bratby

To all my readers, thank you and goodbye. This blog is now an ex-blog.

European Network and Information Security Directive adopted to address cyber-threats

On 6 July 2016, the European Union (which for now includes the UK) adopted the Network and Information Security (or NIS) Directive. This imposes obligations on three sets of stakeholders:

Europe consults on implementation of net neutrality

From 30 April 2016, Europe has been subject to net neutrality rules set out in the Connected Continent Regulation. However, those rules, set out in Articles 3 and 4 of the Regulation and reproduced below for easy reference, are framed at such a high level of abstraction as to be almost useless in assessing whether any particular practice is compliant or not.

ECJ finds Data Retention Directive invalid. What next?

On 8 April 2014 the European Court of Justice ruled that the Data Retention Directive 2006/24/EC interferes in a particularly serious manner with the fundamental rights to respect for private life and to the protection of personal data. The Directive is declared invalid. Today’s post by Sylvie Rousseau and Matthias Vierstraete explains what the court decided and the implications for national laws across Europe.

A. The Directive

Directive 2006/24/EC strives for harmonization of the Member States’ national legislations providing for the retention of data by providers of publicly available electronic communications services or of a public communications network for the prevention, investigation, detection and prosecution of criminal offences. The initial intention was that service and network providers would be freed from legal and technical differences between national provisions.

The Directive and the national laws implementing it were often criticized, the main argument being that mass data retention endangered the right to privacy. The advocates of the rules, however, argued that they were necessary for authorities to investigate and prosecute organized crime and terrorism.

B. The Court of Justice

By way of preliminary rulings referred to the Court of Justice of the European Union, the Irish High Court and the Austrian Constitutional Court asked the Court of Justice to examine the validity of the Directive, in particular in the light of two fundamental rights under the Charter of Fundamental Rights of the EU, namely the fundamental right to respect for private life and the fundamental right to the protection of personal data.

Analysis of the data to be retained
The Court of Justice examined the data which providers must retain pursuant to the Directive. This includes the data necessary to trace and identify the source of a communication and its destination, to identify the date, time, duration and type of a communication, to identify the location of mobile equipment, the name and address of the user, the number called, IP addresses, etc. The Court observes that the retention of this data makes it possible to know the identity of the participants in communications, to identify the time of the communication, the place from where the communication took place and the frequency of communications with certain persons (§26).

This data, according to the Court, allows very precise conclusions to be drawn concerning the private lives of the persons whose data has been retained, such as habits of everyday life, places of residence, movements, social relationships and social environments frequented.

Analysis of the interference with fundamental rights
The Court comes to the conclusion that both requiring the retention of the data and allowing competent national authorities to access those data constitute, in themselves, an interference with the fundamental right to respect for private life and with the fundamental right to the protection of personal data (respectively Articles 7 and 8 of the Charter of Fundamental Rights of the European Union) (§§ 32 to 36).

The Court agrees with the Advocate General when it states that the interference is “particularly serious”. The Court in this respect holds that “the fact that data are retained and subsequently used without the subscriber or registered user being informed is likely to generate in the minds of the person concerned the feeling that their private lives are the subject of constant surveillance” (§37).

According to the Court, this interference is not only serious but also unjustified. Although the retention of data as required by the Directive does not as such adversely affect the essence of the rights to respect for private life and to protection of personal data (the content of the communications as such may not be reviewed), and although the Directive genuinely satisfies an objective of general interest (public security), the Court is of the opinion that the Directive has exceeded the limits imposed by the proportionality principle (§69):

  • The Directive covers all persons and all means of electronic communications as well as all traffic data without any differentiation, limitation or exception being made in the light of the objective of fighting serious crime (§57);
  • The Directive fails to lay down any objective criterion by which to determine the limits of the access of the competent national authorities to the data and their subsequent use (§60);
  • The data retention period is set at between a minimum of 6 months and a maximum of 24 months without any distinction being made between categories of data and without stating that the determination of the period must be based on objective criteria (§§ 63 to 64);
  • The Directive does not provide for sufficient safeguards to ensure effective protection of the data against the risk of abuse and against unlawful access and use (§66);
  • The Directive does not require the data to be retained within the EU and thus does not meet the Charter’s requirement that compliance control by an independent authority is ensured.

The Court of Justice thus declares the Directive invalid.

C. What’s next?

Following the Court’s invalidation of the Directive, one could wonder how this will affect European legislation and national legislation.

Europe
The invalidity ruled by the Court applies from the day on which the Directive entered into force. It is as if the Directive had never existed.

The European Commission stated in a first reaction that it “will now carefully assess the verdict and its impacts”. It is not clear whether the Commission will draft new legislation to replace the invalidated Directive. Given that the current Commission’s term only runs until 31 October 2014, new legislation is not expected to be put forward soon.

Member States
Member States having transposed the Directive into national laws may now consider the future of these laws.

Where a national law is a literal transposition of the now invalidated Directive, it meets the same fate. In such a situation Member States should redraft their laws in order to bring them into line with the relevant Directives (95/46/EC and 2002/58/EC) and the Charter of Fundamental Rights of the European Union.

If national law deviates from the Directive, Member States should assess whether the deviations are in line with the relevant Directives (95/46/EC and 2002/58/EC) and the Charter of Fundamental Rights of the European Union.

The Court of Justice’s ruling may also have an impact on national cases concerning the legality of national laws implementing the Directive, as there are several cases pending before the constitutional courts.

  • Austria and Ireland are at the origin of the European Court of Justice’s ruling, following their constitutional courts’ requests for a preliminary ruling concerning the validity of Directive 2006/24/EC;
  • Belgium: On 24 February 2014, the Belgian “Liga voor Mensenrechten” and “Ligue des droits de l’Homme” together filed a complaint before the constitutional court in order to obtain cancellation of the Belgian law implementing the Directive. The complaint was funded through crowdfunding. Following the Court of Justice’s ruling, some political parties already asked government to take the necessary steps and to amend the current legislation;
  • Bulgaria: In 2008, the Bulgarian Constitutional Court found part of the national law incompatible with the right to privacy;
  • France: In 2006, the French Constitutional Court ruled that French law provisions similar to those provided for in the Directive are not contrary to the constitution. However, in December 2013, the French data protection authority (CNIL) reacted vigorously against a new law enabling certain ministries, including French secret services, access to data retained by telecommunications operators, internet and hosting service providers, without prior approval from a judge. On that occasion, the CNIL called for a national debate on surveillance issues which could be influenced by the recent ECJ’s ruling.
  • Germany: The German Constitutional Court already declared the German implementing act unconstitutional in 2010;
  • Romania: In 2009, the Romanian Constitutional Court declared the national law on data retention unconstitutional as breaching, among others, the right to privacy and the secrecy of correspondence;
  • Slovakia: In 2012, a complaint was filed before the constitutional court in order to assess the conformity with the constitution;
  • Spain: The Directive was implemented into national laws in 2007. The Spanish data protection authority (AEPD) had voiced its reservations about the Directive and requested the Government to accompany the implementation of these rules with measures curtailing the impact on data subjects’ privacy;
  • Sweden: In May 2013, Sweden was ordered to pay the European Commission 3 million EUR because it had failed in its obligation to implement the Directive on time;
  • United Kingdom: As yet there has been no official comment from the UK government or the Information Commissioner on the ruling of the Court of Justice. Controversial 2012 proposals for a Communications Data Bill to overhaul and significantly extend the UK’s data retention obligations were already in the political long grass – and the Court of Justice’s ruling means they are likely to stay there as we understand it.

Advocate General Pedro Cruz Villalón issues damning opinion on the Data Retention Directive

Last week (12/12/2013), a serious blow was dealt to one of the fundamental building blocks of the legal framework for the retention of data for law enforcement across Europe. Advocate General Pedro Cruz Villalón (AG) at the Court of Justice of the European Union (ECJ) delivered an opinion stating that the Data Retention Directive (DRD) is, as a whole, incompatible with the individual’s right to privacy under the Charter of Fundamental Rights of the European Union. The opinion has potentially profound implications for law enforcement agencies and for service providers subject to the retention requirements across Europe. The opinion is here.

Today’s post is courtesy of guest blogger @matthew1hunter.

Background

The DRD requires Member States to implement laws requiring telephone or electronic communications service providers to collect and retain traffic data, location data and the related data necessary to identify the subscriber or user of the services “in order to ensure that the data is available for the purposes of the investigation, detection and prosecution of serious crime” (Article 1(1) of the DRD). Providers are not required to collect and retain content data, i.e. the content actually communicated by subscribers or users of the services. Member States are required to ensure that the data is held for periods of not less than six months and not more than two years from the date of the communication. Only competent national authorities are to be permitted access to the data. For more information about data retention requirements, go here.

Key takeaway for service providers

Service providers should watch this space and keep their own compliance programmes under review. For service providers wrestling with retention requirements, the opinion means that doubt will remain about the correct way to build a compliance programme. If the ECJ agrees with the AG, new legislation would need to be developed, though the practical impact on service providers with respect to the types of data to be collected and any reduction in retention periods is unclear.

What did the AG say?

  • The AG considers that the purposes of the DRD are legitimate.
  • However, the AG is concerned that the retained data will include a lot of information about an individual’s private life and identity. There is a risk that the data may be used for unlawful purposes. The risk may be greater because the data is not retained or controlled by the competent national authorities but by the providers, and the providers do not have to retain the data within the relevant Member States.
  • The AG said that the DRD does not provide minimum guarantees for access to the data and its use by the competent national authorities. (i) A more precise definition of “serious crime” would help to define when competent authorities are able to access the data. (ii) Access should be limited to judicial authorities or independent authorities. Any other access requests should be subject to review by judicial authorities or independent authorities so that access is limited to only the data that is strictly necessary. (iii) Member States should be allowed to prevent access to data in certain circumstances, e.g. to protect individuals’ medical confidentiality. (iv) Authorities should be required to delete the data once used for the relevant purposes. (v) Authorities should be required to notify individuals of the access, at least after the event when there is no risk that the purpose for accessing the data would be compromised.
  • Finally, the AG said that he could not find sufficient justification for not limiting the data retention period to one year or less.

What does this all mean?

  • For now the existing requirements remain but may be subject to review. The AG’s opinion is not binding on the ECJ or indeed on any Member State. Nevertheless, the opinion carries weight and in many cases the ECJ has gone on to follow opinions delivered by the AG. The Judges of the ECJ are still deliberating and judgment will be given at a later date.
  • The AG also proposed that the effects of declaring the DRD invalid should be postponed so that, even if the ECJ agrees with the AG, the ECJ could allow the EU legislature a reasonable period to adopt remedying measures, so that the DRD is no longer incompatible with the Charter of Fundamental Rights.

Why bring your own device (BYOD) is not just an IT issue

I was fortunate this week to be both a speaker and a panellist at Questex Asia’s ‘BYOD and Mobile Security’ conference held in Singapore. It turned out I was the only lawyer in a room of 200 plus IT people, which was an interesting experience. Having made my presentation (Olswang_Asia_BYOD_presentation), my conversations with delegates brought home to me how hard it can be to effect change within an organisation.

Whilst speakers had run through the organisational benefits of BYOD, and it is clear from my experience that generation X and generation Z are increasingly demanding the ability to bring their smartphones and tablets to work, any change requires buy-in and collaboration between at least IT, legal, HR and senior management, so many organisations were struggling to actually change in structures where any stakeholder saying ‘no’ could stop implementation.

My message that the legal issues (whilst important and needing to be dealt with) shouldn’t stop BYOD deployment seemed to give comfort to some of the delegates I spoke to.

As is always the case with these things, two days after I had delivered the talk the UK Information Commissioner published their guidelines on BYOD. I was heartened to read that the guidance covers pretty much the same ground as my talk, albeit (unsurprisingly for regulatory guidance) with a somewhat more negative view.

Mobile broadband at heart of Europe’s recently adopted Radio Spectrum Policy Programme as WRC 12 concludes in Geneva

The wheels of European legislation have slowly turned, and last week Europe adopted a five-year radio spectrum policy programme, at Parliament’s second reading under the co-decision procedure. Readers will recall that last summer two key issues remained outstanding between the Council of Ministers and Parliament – the date by which the 800 MHz band should be cleared and the minimum amount of spectrum to be made available for mobile broadband.

In the usual European fashion, Parliament prevailed on one issue (at least 1200 MHz to be available for mobile broadband by 2015) and the Council on the other (800 MHz band to be cleared by 2013). Somewhat unusually, this horse-trading has resulted in a very good outcome with spectrum being made available early and in sufficient quantity to place Europe in a strong position globally in the race to enable mobile broadband. Of course, implementation is in the hands of Member States, so it remains to be seen how this will play out in practice.

Meanwhile, over in Geneva, the four yearly world radio conference of the ITU finished on Friday. The provisional final acts are available here, and whilst I’ve not yet had time to review in detail, mobile broadband appeared to do well there as well with press reports that additional spectrum in the 700 MHz band may also be made available.

New EU Data Protection Proposals: what you need to know

Today’s blog post is courtesy of my friends and colleagues Clive Gringras and Claire Walker who have published a helpful guide to the new European Data Protection proposals.

“Today, 25 January 2012, the European Commission unveiled its proposals for far reaching changes to EU privacy legislation.

We foresee the Regulation being in force by 2015. Every aspect of an organisation’s compliance obligations will increase – and there will be fines of up to 2% of global turnover for breach. We highlight the top three immediate action points to consider. We also provide seven further action points to address in the months ahead.

Three immediate impacts

  • Non-EU businesses need to select an EU Member State. Scenario: a large Asian company holds personal data on Asian servers about its many EU customers. It has purposely not established a presence in the EU but will now need to decide which of the EU Member States in which it has customers to appoint its DP representative. It will need to balance the attractiveness of the enforcement approach in that state with other factors.
  • Systems design. Scenario: the architecture for a new IT system is under discussion between the CTO and CEO of a large EU business. To future-proof the system, the CTO must take into account the Regulation’s changes such as allowing consumer data to be permanently deleted (R2BF) and should ensure that all processing operations involving personal data are adequately documented.
  • Outsourcing agreements. Scenario: a five-year outsourcing contract involving data processing is under negotiation. The deal will be signed this year, well before the impact day of the Regulation, which will be some time in 2015. Because the processing will continue after impact day, the parties today need to anticipate in the agreement that their data protection obligations will change.

Please see here for our initial analysis of 10 potential practical impacts.”

PS – thanks for the feedback from some of my blog readers who travelled from Paddington station today. You know who you are!

Commission attacks roaming charges with structural market intervention as well as price caps

The European Commission yesterday announced measures which directly intervene in the roaming market. These measures are in addition to the expected continuation of price caps on voice and SMS and new caps on data downloads.

The Commission, first under Viviane Reding and now under Neelie Kroes, has adopted an agenda in relation to roaming (as part of the Digital Agenda) with the explicit aim of reducing the differential between national and roaming tariffs to zero by 2015.

The Commission also published yesterday a paper setting out the background to the new proposed measures, which explains their view, drawing on BEREC’s analysis, that the structure of the market inhibits competition acting as a constraint on prices. As a result, in the Commission’s view, without structural intervention there is an ongoing requirement for price regulation with no prospect of it being withdrawn. Their analysis clearly shows the influence of Commissioner Kroes’ prior competition job, with two proposals to address their identified conclusions in the demand and supply side of the market.

Taking the demand side first, the paper cites factors including the bundling of roaming with domestic minutes, high switching costs, the lack of adequate substitutes and the competitive focus on the domestic tariff as contributing towards a lack of competitive pressure on roaming prices. Their proposed solution is to decouple the sale of roaming from the domestic bundle by allowing consumers to buy roaming services from an operator other than their home network. The Commission hopes this will lower switching costs and increase demand elasticity as well as improving tariff transparency.

Looking then at the supply side of the market, the Commission identifies that it will need to mandate wholesale roaming access in order to facilitate market entry of competitors (in particular MVNOs) to the retail roaming market.

Whilst the Commission sees these measures as delivering the required outcomes in the long term, over the medium term it proposes an extension of the existing retail voice and SMS price caps and new price caps for data downloads until at least 2016, and wholesale price caps for a longer period until at least 2022. In both cases the Commission reserves the right to lift the caps if the structural solutions deliver the desired market outcome, although it also reserves the right to make additional structural interventions.

In terms of market impact, this is clearly more bad news for the mobile network operators. In a week where some UK operators have withdrawn handset subsidies for some pre-pay customers, it remains to be seen whether this will result in ‘water-bed’ price increases in domestic tariffs as the mobile operators face increased capital expenditure requirements as they embark on an expensive program of spectrum acquisition and LTE roll-out to meet the increasing consumer demand for data services. This will be more positive news for MVNOs and I would expect more market entrants in that segment.

Internet regulation: building consumer trust?

Today’s FT article by Vittorio Colao, CEO of Vodafone, highlights the importance of regulation for all the players in the on-line ecosystem – those building the pipes and plumbing of network infrastructure, those creating compelling content and services and those who provide search, aggregation or other services.

His central thesis is that both regulators and market players should use building consumer trust as their guiding principle.

In concrete terms he suggests that trust will be built by ensuring that the internet has rules (which need to go beyond self-regulation) that ensure respect for:

  • ownership (especially of intellectual property);
  • privacy; and
  • human and social rights.

Digging into the next layer of detail, he supports the ability of national authorities to be able to direct infrastructure providers to block access to illegal content or services, provided that this is extended to providers of internet based communications services and that the costs are fairly allocated.  He also agrees on the importance of competition and non-discrimination for network access whilst arguing that price control for broadband access will not stimulate the investment in broadband infrastructure that governments want.

Ostensibly a reaction to recent comments made by Mark Zuckerberg, CEO of Facebook, at the French-convened pre-G8 internet summit (or eG8) calling for the internet to be free of regulation, in reality this exchange highlights that the net neutrality debate has started to cross the Atlantic in earnest. The topic is now on the political agenda at the highest level, so it remains to be seen whether the Commission and national regulators will be able to maintain their so far balanced approach.