To all my readers, thank you and goodbye. This blog is now an ex-blog.
On 6 July 2016, the European Union (which for now includes the UK) adopted the Network and Information Security (or NIS) Directive. This imposes obligations on three sets of stakeholders:
From 30 April 2016, Europe has been subject to net neutrality rules set out in the Connected Continent Regulation. However those rules, set out in Articles 3 and 4 of the Regulation and reproduced below for easy reference, are framed at such a high level of abstraction as to be almost useless in assessing whether any particular practice is compliant or not.
On 8 April 2014 the European Court of Justice ruled that the Data Retention Directive 2006/24/EC interferes in a particularly serious manner with the fundamental rights to respect for private life and to the protection of personal data. The Directive is declared invalid. Today’s post by Sylvie Rousseau and Matthias Vierstraete explains what the court decided and the implications for national laws across Europe.
A. The Directive
Directive 2006/24/EC strives for harmonization of the Member States’ national legislations providing for the retention of data by providers of publicly available electronic communications services or of a public communications network for the prevention, investigation, detection and prosecution of criminal offences. The initial intention was that service and network providers would be freed from legal and technical differences between national provisions.
The Directive and the national laws implementing it were often criticized. The main argument was that massive data retention was said to endanger the right to privacy. The advocates of the rules, however, argued that these rules were necessary for authorities to investigate and prosecute organized crime and terrorism.
B. The Court of Justice
By way of preliminary rulings referred to the Court of Justice of the European Union, the Irish High Court and the Austrian Constitutional Court asked the Court of Justice to examine the validity of the Directive, in particular in the light of two fundamental rights under the Charter of Fundamental Rights of the EU, namely the fundamental right to respect for private life and the fundamental right to the protection of personal data.
Analysis of the data to be retained
The Court of Justice verified the data which providers must retain pursuant to the Directive. This data includes data necessary to trace and identify the source of a communication and its destination, to identify the date, time, duration and type of a communication, to identify the location of mobile equipment, the name and address of the user, the number called, IP addresses, etc. The Court observes that the retention of this data makes it possible to know the identity of the participants in communications, to identify the time of the communication, the place from where the communication took place and the frequency of communications with certain persons (§26).
This data, according to the Court, allows very precise conclusions to be drawn concerning the private lives of persons whose data has been retained, such as habits of everyday life, places of residence, movements, social relationships and social environments frequented.
Analysis of the interference with fundamental rights
The Court comes to the conclusion that both requiring the retention of the data and allowing competent national authorities to access those data constitute in themselves an interference with the fundamental right to respect for private life and with the fundamental right to the protection of personal data (respectively articles 7 and 8 of the Charter of Fundamental Rights of the European Union) (§ 32 – 36).
The Court agrees with the Advocate General when it states that the interference is “particularly serious”. The Court in this respect holds that “the fact that data are retained and subsequently used without the subscriber or registered user being informed is likely to generate in the minds of the person concerned the feeling that their private lives are the subject of constant surveillance” (§37).
According to the Court, this interference is not only serious but also unjustified. Although the retention of data as required by the Directive does not as such adversely affect the essence of the respect for private life and protection of personal data (content of the communications as such may not be reviewed), and the Directive genuinely satisfies an objective of general interest (public security), the Court is of the opinion that the Directive has exceeded the limits imposed by the proportionality principle (§69):
– The Directive covers all persons and all means of electronic communications as well as all traffic data without any differentiation, limitation or exception being made in the light of the objective of fighting against serious crime (§57);
– The Directive fails to lay down any objective criterion by which to determine the limits of the access of the competent national authorities to data and their subsequent use (§60);
– The data retention period is set at between a minimum of 6 months and a maximum of 24 months without any distinction being made between categories of data and without stating that the determination of the period must be based on objective criteria (§63 – 64);
– The Directive does not provide for sufficient safeguards to ensure effective protection of data against the risk of abuse and against unlawful access and use (§66);
– The Directive does not require data to be retained within the EU and thus does not meet the Charter’s requirement that compliance control by an independent authority is ensured.
The Court of Justice thus declares the Directive invalid.
C. What’s next?
Following the Court’s invalidation of the Directive, one could wonder how this will affect European legislation and national legislation.
The invalidity declared by the Court takes effect from the day on which the Directive entered into force. It is as if the Directive never existed.
The European Commission stated in a first reaction that it “will now carefully assess the verdict and its impacts”. It is not clear whether the Commission will draft new legislation replacing the invalidated Directive. Taking into account the fact that the current Commission’s term only runs until 31 October 2014, new legislation is not expected to be put forward soon.
Member States having transposed the Directive into national laws may now consider the future of these laws.
Where a Member State’s national law is a literal transposition of the now invalidated Directive, that national law meets the same fate. One may consider that in such a situation Member States should redraft their laws in order to be in line with the relevant Directives (95/46/EC and 2002/58/EC) and the Charter of Fundamental Rights of the European Union.
If national law deviates from the Directive, Member States should assess whether the deviations are in line with the relevant Directives (95/46/EC and 2002/58/EC) and the Charter of Fundamental Rights of the European Union.
The Court of Justice’s ruling may also have an impact on national cases concerning the legality of national laws implementing the Directive, as there are several cases pending before the constitutional courts.
Last week (12/12/2013), a serious blow was dealt to one of the fundamental building blocks establishing the legal framework for retention of data for law enforcement across Europe. Advocate General Pedro Cruz Villalón (AG) at the Court of Justice of the European Union (ECJ) delivered an opinion stating that the Data Retention Directive (DRD) is, as a whole, incompatible with the individual’s right to privacy in the Charter of Fundamental Rights of the European Union. The opinion has potentially profound implications for law enforcement agencies and for service providers subject to the retention requirements across Europe. The opinion is here.
Today’s post is courtesy of guest blogger @matthew1hunter.
The DRD requires Member States to implement laws requiring telephone or electronic communications service providers to collect and retain traffic data, location data and the related data necessary to identify the subscriber or user of the services “in order to ensure that the data is available for the purposes of the investigation, detection and prosecution of serious crime” (Article 1(1) of the DRD). Providers are not required to collect and retain content data, i.e. the data itself communicated by subscribers or users of the services. Member States are required to ensure that the data is held for periods of not less than six months and not more than two years from the date of the communication. Only competent national authorities are to be permitted access to the data. For more information about data retention requirements, go here.
Key takeaway for service providers
Service providers should watch this space and keep their own compliance programmes under review. For service providers wrestling with retention requirements, the opinion means that doubt will remain about the correct way to build a compliance programme. If the ECJ agrees with the AG, new legislation would need to be developed, though the practical impact on service providers with respect to the types of data to be collected and any reduction in retention periods is unclear.
What did the AG say?
– The AG considers that the purposes of the DRD are legitimate.
– However, the AG is concerned that the retained data will include a lot of information about an individual’s private life and identity. There is a risk that the data may be used for unlawful purposes. The risk may be greater because the data is not retained or controlled by the competent national authorities but by the providers and the providers do not have to retain the data within the relevant Member States.
– The AG said that the DRD does not provide minimum guarantees for access to the data and its use by the competent national authorities. (i) A more precise definition of “serious crime” would help to define when competent authorities are able to access the data. (ii) Access should be limited to judicial authorities or independent authorities. Any other access requests should be subject to review by judicial authorities or independent authorities so that access is limited to only the data that is strictly necessary. (iii) Member States should be allowed to prevent access to data in certain circumstances e.g. to protect individuals’ medical confidentiality. (iv) Authorities should be required to delete the data once used for the relevant purposes. (v) Authorities should be required to notify individuals of the access, at least after the event when there is no risk that the purpose for accessing the data would be compromised.
– Finally, the AG said that he could not find sufficient justification for not limiting the data retention period to one year or less.
What does this all mean?
– For now the existing requirements remain but may be subject to review. The AG’s opinion is not binding on the ECJ or indeed on any Member State. Nevertheless, the opinion carries weight and in many cases the ECJ has gone on to follow opinions delivered by the AG. The Judges of the ECJ are still deliberating and judgment will be given at a later date.
– The AG also proposed that the effects of stating that the DRD is invalid should be postponed so, even if the ECJ agrees with the AG, the ECJ could allow the EU legislature a reasonable period to adopt remedying measures, so that the DRD is no longer incompatible with the Charter of Fundamental Rights.
Ofcom this week published its most recent report comparing the UK’s communications (telecoms, TV, radio, web and post) market with 16 other countries, including China, India and Japan. Whilst Ofcom’s press releases have focused on the comparatively good performance of the UK (which oddly enough seems to reflect well on the UK regulator – Ofcom), the report also contains some useful insight into three of Asia’s biggest economies: China, India and Japan.
Some of the interesting snippets of information from the report include:
Japan had the second highest spend, at £7.50 per head on mobile advertising.
I was fortunate this week to be both a speaker and a panellist at Questex Asia’s ‘BYOD and Mobile Security’ conference held in Singapore. It turned out I was the only lawyer in a room of 200 plus IT people, which was an interesting experience. Having made my presentation (Olswang_Asia_BYOD_presentation), my conversations with delegates brought home to me how hard it can be to effect change within an organisation.
Whilst speakers had run through the organisational benefits from BYOD, and it is clear from my experience that generation X and generation Z are increasingly demanding the ability to bring their smartphones and tablets to work, as any change requires the buy-in of and collaboration between at least IT, legal, HR and senior management, many organisations were struggling to actually change in structures where any stakeholder saying ‘no’ could stop implementation.
My message that the legal issues (whilst important and needing to be dealt with) shouldn’t stop BYOD deployment seemed to give comfort to some of the delegates I spoke to.
As is always the case with these things, two days after I had delivered the talk the UK Information Commissioner published their guidelines on BYOD. I was heartened to read that the guidance covers pretty much the same ground as my talk, albeit (not unsurprisingly for regulatory guidance) with a somewhat more negative view.
The wheels of European legislation have slowly turned, and last week Europe adopted a five-year radio spectrum policy programme, at Parliament’s second reading under the co-decision procedure. Readers will recall that last summer two key issues remained outstanding between the Council of Ministers and Parliament – the date by which the 800 MHz band should be cleared and the minimum amount of spectrum to be made available for mobile broadband.
In the usual European fashion, Parliament prevailed on one issue (at least 1200 MHz to be available for mobile broadband by 2015) and the Council on the other (800 MHz band to be cleared by 2013). Somewhat unusually, this horse-trading has resulted in a very good outcome with spectrum being made available early and in sufficient quantity to place Europe in a strong position globally in the race to enable mobile broadband. Of course, implementation is in the hands of Member States, so it remains to be seen how this will play out in practice.
Meanwhile, over in Geneva, the four yearly world radio conference of the ITU finished on Friday. The provisional final acts are available here, and whilst I’ve not yet had time to review in detail, mobile broadband appeared to do well there as well with press reports that additional spectrum in the 700 MHz band may also be made available.
“Today, 25 January 2012, the European Commission unveiled its proposals for far reaching changes to EU privacy legislation.
We foresee the Regulation being in force by 2015. Every aspect of an organisation’s compliance obligations will increase – and there will be fines of up to 2% of global turnover for breach. We highlight the top three immediate action points to consider. We also provide seven further action points to address in the months ahead.
Three immediate impacts
PS – thanks for the feedback from some of my blog readers who travelled from Paddington station today. You know who you are!
The European Commission yesterday announced measures which directly intervene in the roaming market. These measures are in addition to the expected continuation of price caps on voice and SMS and new caps on data downloads.
The Commission, first under Viviane Reding and now under Neelie Kroes, has adopted an agenda in relation to roaming (as part of the Digital Agenda) with the explicit aim of reducing the differential between national and roaming tariffs to zero by 2015.
The Commission also published yesterday a paper setting out the background to the new proposed measures, which explains their view, drawing on BEREC’s analysis, that the structure of the market inhibits competition acting as a constraint on prices. As a result, in the Commission’s view, without structural intervention there is an ongoing requirement for price regulation with no prospect of it being withdrawn. Their analysis clearly shows the influence of Commissioner Kroes’ prior competition job, with two proposals to address their identified conclusions in the demand and supply side of the market.
Taking the demand side first, the paper cites factors including the bundling of roaming with domestic minutes, high switching costs, the lack of adequate substitutes and the competitive focus on the domestic tariff as contributing towards a lack of competitive pressure on roaming prices. Their proposed solution is to decouple the sale of roaming from the domestic bundle by allowing consumers to buy roaming services from an operator other than their home network. The Commission hopes this will lower switching costs and increase demand elasticity as well as improving tariff transparency.
Looking then at the supply side of the market, the Commission identifies that it will need to mandate wholesale roaming access in order to facilitate market entry of competitors (in particular MVNOs) to the retail roaming market.
Whilst the Commission sees these measures as delivering the required outcomes in the long-term, over the medium term they propose an extension of existing retail voice and SMS price caps and new price caps for data downloads until at least 2016 and wholesale price caps for a longer period until at least 2022. In both cases the Commission reserves the right to lift the caps if the structural solutions deliver the desired market outcome, although they also reserve the right for additional structural intervention.
In terms of market impact, this is clearly more bad news for the mobile network operators. In a week where some UK operators have withdrawn handset subsidies for some pre-pay customers, it remains to be seen whether this will result in ‘water-bed’ price increases in domestic tariffs as the mobile operators face increased capital expenditure requirements as they embark on an expensive program of spectrum acquisition and LTE roll-out to meet the increasing consumer demand for data services. This will be more positive news for MVNOs and I would expect more market entrants in that segment.