Some EU data protection policy developments in 2008
(This article is also available in German)
Will 2008 be remembered as the Data Retention implementation year or as the year of the first Freedom not Fear day? As always with conclusions, we might answer this question better in 2009 or 2018. But let's look now at some facts from the last year.
One of the main hot privacy topics during 2008 was related to the implementation of the EU data retention Directive 2006/24/EC in several European countries. Despite the fact that data retention has been resisted in some countries in Europe, with 15 March 2009 as the final day for starting to retain Internet-related data, most of the EU member states adopted data retention laws only in 2008. The reactions have been strong, but only in a few cases have they led to a review of the respective laws.
Germany has seen large debates and protests after the adoption of the data retention law at the end of 2007. In February 2008, the German Working Group on Data Retention submitted to the German Federal Constitutional Court the mandates of over 34 000 citizens willing to fight against the storage of their telecommunications. A preliminary decision taken by the Court on 19 March 2008 supported the case, considering that parts of the German act are unconstitutional pending review.
In Bulgaria, on 11 December 2008, the Bulgarian Supreme Administrative Court (SAC) annulled article 5 of the national legislation that implements the Data Retention Directive, following a lawsuit initiated by Access to Information Program (AIP). Article 5 of the Bulgarian Regulation # 40, which was issued by the State Agency on Information Technologies and Communication and the Ministry of Interior, provided for "passive access through a computer terminal" by the Ministry of Interior, as well as access without court permission by security services and other law enforcement bodies, to all data retained by Internet and mobile communication providers.
The European Court of Justice (ECJ) is still considering the action started on 6 July 2006 by Ireland against the Council of the European Union and European Parliament on the formal grounds for adopting the Data Retention Directive.
A first hearing of the action by the ECJ took place on 1 June 2008 in Luxembourg. The legal basis of the data retention directive was supported by the European Parliament and Council, but also by the Commission, Spain, the Netherlands and the EDPS, Peter Hustinx. On 14 October 2008, the ECJ Advocate General gave his opinion on the case, considering that the data retention directive was founded on an appropriate legal basis and therefore recommending the dismissal of the action. The decision of the Court will be made public on 10 February 2009.
The German Working Group on Data Retention drafted an amicus curiae brief in this case claiming that the data retention directive was also illegal on human rights grounds, breaching the right to respect for private life and correspondence, the freedom of expression and the protection of property. The German Group was joined by several civil liberties NGOs and professional associations, including EDRi.
It appears that the ECJ will not look into those aspects, but a future action asking the European Court to consider the compatibility with human rights is possible. This could be initiated by the German Federal Constitutional Court as an issue related to the action from the German Working Group on Data Retention and/or by the Irish courts, following the action initiated by EDRi-member Digital Rights Ireland.
An international day of action against data retention took place on 11 October under the name "Freedom not Fear". During that day, protests took place in more than 15 countries worldwide against surveillance measures such as the collection and retention of all telecommunications data. The surveillance of air travellers and the biometric registration of citizens were another subject of the "Freedom not Fear" day, as 2008 has seen developments on the issue.
The PNR US-EU agreement continued to raise questions and worries, with many negotiations between the US government and the European Commission. In March, the German Working Group on Data Retention published two applications to the European Court of Justice contesting the transfer of PNR data to the US, arguing that the collection of all PNR data violated the basic right to privacy and protection of our personal data, that authorities were given an unforeseeable use of the data for other purposes, and that passengers' sensitive data were not effectively protected against access. A recent report from the US Department of Homeland Security (DHS) regarding the Passenger Name Record (PNR) information from the EU-US flights confirms a number of major dysfunctions, which prove that the DHS did not comply with the EU agreement or with the US legislation in its use of PNR.
At the European level, despite the large opposition, the European Council decided to extend the PNR scheme to the EU space, following the position of some governments which expressed their intention to even extend the PNR scheme to all types of travel and even among EU countries. The text proposed in October 2008 included the choice of individual states to take the measure at the national level meaning that PNR would be collected by all Member States on all flights in and out of the EU and the choice of surveying intra-community flights belonged to the Member States.
The attempt to pile up DNA databases continued in 2008, with the UK as leader. However, the European Court of Human Rights (ECHR) decision taken on 4 December in the Marper case could change the way things are working today. The ECHR confirmed that, in agreement with Article 8 of the European Convention on Human Rights, the retention of cellular samples, fingerprints and DNA profiles constituted an infringement of the right to private life.
On 24 September 2008, the Telecom Package of rules governing the Internet and telecoms sectors proposed by the European Commission was approved by the European Parliament in the first reading. Despite the amendments brought by the EP, the package is still worrying the civil rights groups, both on data retention and IP issues. The voluntary data retention issue is one of the major hot topics contested by the civil society (see also the first article in this EDRi-gram).
A promising amendment to the ePrivacy Directive was proposed by the European Parliament. It included the obligation of information society service providers to notify personal data related security breaches to the national authorities, as suggested by the European Data Protection Supervisor's opinion in April. But the new texts suggested by the Commission and the Council seem to contradict the Parliament, and the final decision will probably be taken in the second reading, estimated for April 2009.
We cannot wish to have a conclusion that may clear the waters. The optimists will look at the full part of the glass, where we might see the ECHR Marper case. The pessimists might see the EU PNR scheme or some strange provisions of the Telecom Package.