
Data retention and privacy rights

It's a busy time in Europe and China for those demanding to track our movements and invade our privacy. The items below are largely taken from the EDRI newsletter, which has been tracking the creeping erosion of personal freedoms. The issues raised should engender a much greater public awareness, although the time for debate is nearly past.

While many may feel that the 'war on terror' merits some restriction of personal privacy, the alacrity with which this legislative drive has been embraced by Hollywood adds a new dimension of control.

Final push for single EP vote on data retention

Behind closed doors, representatives of the Council of Ministers of Justice (JHA Council), representatives from the Commission and the leaders in the European Parliament of the social-democrat and Christian-democrat groups have agreed to introduce an unprecedented law (directive) on mandatory data retention in the EU. The groups have agreed to introduce mandatory retention for fixed and mobile telephony data and for internet log-in-log-off, for e-mail records and for Voice over IP records. There is only one last formal hurdle; the plenary vote in the European Parliament on Monday evening 12 December 2005.

But in practice this vote hardly has any meaning, given the majority adoption of the principles of extensive data retention. The agreed minimum period is 6 months, the maximum period 24 months. But member states may also decide on any longer term they find necessary, including the new 15 years proposal from the Polish government (see article 3 in this EDRI-gram). This is foreseen by the new article 11: "A Member State facing particular circumstances warranting an extension for a limited period of the maximum retention period referred to in Article 7 may take the necessary (...) measures. The Member State shall immediately notify the Commission and inform the other Member States of the measures taken by virtue of this Article and indicate the grounds for introducing them."

The goal 'prevention' is deleted from this Council/EP compromise version, but that won't pose any problem for any member state that wishes to introduce or already has such legislation, since Article 15.1 of the e-privacy directive (2002/58/EC) is not replaced by this directive, but will still allow for any national retention rules. Thus member states that already have legislation for longer retention periods, such as Ireland and Italy, are not affected by this directive either.

The article about cost reimbursement is completely deleted, leaving it to the kindness of individual member states to reimburse providers or not. Access will be limited to the investigation of 'serious crimes', without any definition of 'serious' nor any limit to the access for security services. "The present Directive is without prejudice to the power of Member States to adopt legislative measures concerning the right of access to and use of data by national authorities as designated by them."

The outcome of these secret trialogue meetings underlines a fundamental deficit in the democratic construction of the EU. Councils should meet in public, as the European Ombudsman also demands and the European Parliament should not be forced into blind obedience by a Council that is unable to reach a unanimous decision itself.

The sudden change of heart of the German social-democrats, after their new coalition with the christian-democrats, has most likely been the ultimate trump-card for the Council. Given the strong voting position of Germany (reflecting the number of inhabitants), their consistent (and historically understandable) rejection of systematic surveillance was a major obstacle. In the new German government coalition, this resistance was reduced to the industry argument of not including failed caller attempts. The Council immediately jumped at this chance, and now only calls for the retention of some of these calls if companies already store such data.

"This shall include (...) unsuccessful call attempts where that data is generated or processed and stored (as regards telephony data) or logged (as regards Internet data) by providers of publicly available electronic communications services or of a public communications network within their jurisdiction in the process of supplying the communication services concerned. This Directive shall not require the retention of data in relation to unconnected calls."

In an interview with the German national radio on 2 December, the new Minister of the Interior Wolfgang Schäuble explained his very positive view on data retention. Industry should not ask for cost reimbursement he said. Every citizen must keep financial records in order to file the annual tax declaration and nobody was claiming the Ministry of Finance should reimburse them for that civil duty. And because the main purpose from his perspective was the prevention of crimes, there should be broad access for security services, without any specific suspicion. The German coalition of regional data protection authorities, chaired by the independent authority of Schleswig-Holstein replied to the Council decision with a press release in which they reiterated their fundamental (constitutional) objections against the principle of retention. They call it a box of Pandora and conclude: "We expect that the European Parliament, the German parliament and the constitutional courts in Europe will make sure that this box will remain closed."

A week before the meeting of the JHA Council, on 24 November 2005 the LIBE committee of the European Parliament had agreed to a more limited set of data and retention period of 6-12 months. While this outcome in the LIBE committee was a serious set-back for digital rights groups, at least the LIBE committee had the decency to introduce strict limits to the use of the data (only with a judicial warrant!), truly independent oversight mechanisms and demands for extensive, public statistics on the use.

The day before the vote in the LIBE committee, EDRI and XS4ALL presented the +58.000 signatures to the petition against data retention to the chairman of LIBE, Jean Marie Cavada and to rapporteur Alexander Alvaro. The petition was also presented to 3 MEPs opposing data retention: Kathalijne Buitenweg (group leader of the Greens); Edith Mastenbroek (social democrat) and Charlotte Cederschiöld (christian democrat). Pictures of the presentation can be found at the campaign WIKI.

While Alvaro proposed a maximum retention of 3 months for telephony data only, LIBE enlarged the list with location data and internet log-in log-off data, for a period of 6-12 months (at the discretion of member states). Another serious set-back for civil society was the new definition of 'serious crimes', based on the European Arrest Warrant. This list includes 'piracy', and this will become a criminal offence under the proposed new Commission decision on Intellectual Property Enforcement, including cases of downloading 'on a commercial scale'. But even this list is obviously too limiting for the Council, given its refusal to define serious crimes.

Possibly the Council and some members of parliament have fallen for the dramatic call from the audiovisual entertainment industry not to exclude them from access to the new European data well. In a press release from 23 November, the Creative and Media Business Alliance (companies and media associations) and IFPI urge the MEPs to include all criminal offences in the scope of the directive. They specifically refer to the Intellectual Property Enforcement Directive when they write: "For this legislation to be meaningful, it is essential that service providers retain the relevant data for a reasonable period and that the data can be disclosed for appropriate purposes. The proposed Directive on data retention should serve to facilitate this."

On Wednesday morning 7 December, EDRI will participate in a public hearing about data retention in Brussels, represented by Sjoera Nas, your EDRI-gram editor. The hearing is organised by the Greens in the European Parliament. Other speakers include representatives from EuroISPA, ETNO and the European Data Protection Supervisor (EDPS).

EDRI and PI call on EP to reject data retention

European Digital Rights and Privacy International are urgently calling on the individual members of the European Parliament to reject the misguided compromise proposal on data retention. Party leaders of the Christian-democrats and social-democrats in the parliament have agreed behind closed doors to allow for mandatory data retention of telephony and internet data for a period of 6 to 24 months, with even longer terms at the individual discretion of every member state, including the purpose of 'prevention of criminal offences'. This compromise completely overrules the suggestions of the appropriate parliamentary LIBE committee and ignores all the legal and technical objections against the inclusion of location and internet data.

On Tuesday 6 December the open letter will be offered to all 731 members of the European Parliament, endorsed by many digital rights groups, providers, consumer unions and other concerned parties. The full list of endorsements will be available on Tuesday afternoon 6 December.

The letter mentions 5 reasons to reject the proposal:

1. This Directive invades the privacy of all Europeans. The Directive calls for the indiscriminate collection and retention of data on a wide range of Europeans' activities. Never has a policy been introduced that mandates the mass storage of information for the mere eventuality that it may be of interest to the State at some point in the future.

2. The proposed Directive is illegal. It contravenes the European Convention on Human Rights by proposing the indiscriminate and disproportionate recording of sensitive personal information. Political, legal, medical, religious and press communications would be logged, exposing such information to use and abuse.

3. The Directive threatens consumer confidence. More than 58,000 Europeans have already signed a petition opposing the Directive. A German poll revealed that 78% of citizens were opposed to a retention policy. The Directive will have a chilling effect on communications activity as consumers may avoid participating in entirely legal transactions for fear that this will be logged for years.

4. The Directive burdens EU industry and harms global competitiveness. Retention of all this data creates additional costs of hundreds of millions of Euros every year. These burdens are placed on EU industry alone. The U.S., Canada and the Council of Europe have already rejected retention.

5. The Directive requires more invasive laws. Once adopted, this Directive will prove not to be the ultimate solution against serious crimes. There will be calls for additional draconian measures including: - the prior identification of all those who communicate, thus requiring ID cards at cybercafes, public telephone booths, wireless hotspots, and identification of all pre-paid clients; - the banning of all international communications services such as webmail (e.g. Hotmail and Gmail) and blocking the use of non-EU internet service providers and advanced corporate services.

According to the letter, the vote is a key moment, that might set in motion a chain of events that will lead to a surveillance society. The compromise-proposal lacks limits to the access and limits to the use. "Though the Council claims retention will combat terrorism, for years it has rejected limiting the legislation to such investigations. Even if access to this data were limited by the Parliament to a list of serious crimes nothing prevents the expansion of this list: already the Copyright Industry has called for access to this data to combat file-sharing online."

The European Parliament will have its first and final vote on Monday evening 12 December in Strasbourg. Given the low attendance in general in Strasbourg, and the fact Monday evening many attending MEPs won't have arrived, the vote seems reduced to a showpiece.

Polish plans for 15 years mandatory data retention

In Poland, the parliamentary leader of the new social-right governing party 'Law and Justice', Przemyslaw Gosiewski, has called for a new law to introduce mandatory telephony data retention for 15 years. His call followed an article the day before, on 22 November 2005, in the leading newspaper Gazeta Wyborcza with a cry from local investigators that they are unable to effectively prosecute corruption without telephony billing data from the last 4 years.

Poland only just formed a new minority-government after the elections, but the new conservative government does not seem to have a clear plan on this issue. They seem to have just responded spontaneously, but with a large parliamentary majority as the unfortunate result.

Gosiewski can count on support from two smaller populist parties: Andrzej Lepper's 'Selfdefense' and the extreme nationalists from the 'Union of Polish Families'. Both parties are most eager to prove that most (rich) entrepreneurs are thieves.

To make matters even worse, the conservative-liberal opposition from Platforma Obywatelska (Citizens Platform) also did not object to this proposal, and neglected to present itself as a defender of civil rights. The platform considers itself to be the 'almost governing' party, with a tendency to support all moves towards a so called 'stronger state'.

EDRI-observer ISOC Poland is trying to fight the proposal and has already contacted several ministers. They aim to also engage the Polish Commissioner for Civil Rights Protection and the Inspector General for the Protection of Personal Data.

Urgency procedure for draft French anti-terrorism law

The French government has decided to apply the urgency procedure to a new anti-terrorism draft law, with only one reading by each Chamber. The draft law was already passed by the National Assembly (French Lower House) on 29 November 2005 and will be examined by the French Senate in late December or early January 2006. The proposal creates increasing powers for the police and the intelligence services, thus undermining the protection of formal judicial procedures.

The law will extend the use of video-surveillance, authorising private parties to install CCTV cameras in public places "likely to be exposed to terrorist acts", and in places open to the public when they are "particularly exposed to risks of aggression or theft". Obviously, this covers almost any public or privately-owned place, including shops. In case of emergency, CCTV cameras may be installed prior to any authorisation.

The draft law also extends telecom data retention possibilities, by putting cybercafe owners and WiFi providers (whether wireless Internet access is free or with payment) in the same category as telecom operators. This means, in practice, that cybercafe owners, as well as bars, restaurants and hotels will have to ask their customers for their IDs for Internet use in their establishments. Any logged data may also be seized directly by the police, without any judicial order, as is currently required.

Another major aspect of this draft law is a serious violation of freedom of movement. Anywhere on French territory, the police is authorised to take photographs of car plates and of people travelling by car on French roads, for the purpose of "fighting car theft". Furthermore, an administrative authority may allow for law enforcement to take pictures of people attending big public events (like football matches or street demonstrations), for the purpose of "public order preservation".

Finally, the draft law allows the French ministry of Interior to collect and process PNR (Passenger Name Record) data of any traveller to or from non-EU countries, for the purpose of fighting illegal immigration. Not only are the French willing to apply to non-EU countries what the US have done to the EU, but they are also extending the idea beyond air travel, since travelling by sea or rail is also concerned.

The French Data Protection Authority (CNIL) has expressed serious reservations on this draft law. However, the French ministry of Interior has made it clear that it has no intention to listen, stating in a communique that "each party must take its responsibility". In a joint press conference with the French Human Rights League and other French NGOs as well as magistrates and lawyers trade-unions, EDRI member IRIS also assessed the dangers of the draft law, explaining how it violates the finality and proportionality principles.

New anti-terrorism measures in Denmark

Like France, Denmark is also working on a new round of anti-terrorism measures, to be presented to Parliament in the spring of 2006. The proposals are quite far reaching and encompass a range of intrusions into citizens' digital privacy.

Among the most notorious proposals are:

• a recommendation to let the authorities monitor the entire spectrum of telecommunications taking place within a delimited geographical area such as an apartment complex;

• to allow intelligence services to request any information stored in any government database about any citizen without it being part of an ongoing investigation;

• the introduction of mandatory screening of airline passenger lists by intelligence services;

• to oblige all operators of services for electronic communications to implement technical measures to enable the authorities to wiretap any given communication at short notice;

• a delegation to local authorities of the power to put in place CCTV surveillance of public spaces and open areas - a practice which previously had been disallowed.

The initiatives are part of a 49 item 'wish list' compiled by civil servants at the request of the government in the wake of the 7/7 bombings in London.

The initial reaction among legal experts, telecom operators and citizens' rights groups has been one of strongly outspoken opposition in relation to many of the proposals, which seems to have put the government on the defensive.

An action plan to further debate and implement the proposals was recently put forward in Parliament and won backing, although a majority had reservations. The political parties are now to be invited to consult with government on the initial legislative drafts. In connection with this, the Parliamentary judicial committee has announced an expert conference on the initiatives in January 2006 and the government is expected to put forward its proposed legislation by spring of 2006. Digital Rights in Denmark are working pro-actively to influence public opinion in these matters.

Launch of Digital Rights Ireland

Digital Rights Ireland will formally launch at a press conference in the Conference Room in Pearse Street Library, at 11 am on Tuesday 6 December. The group has been formed to defend civil, human and legal rights in a digital age. Digital Rights Ireland will be discussing its mission, and current developments in relation to Data Retention, IRMA legal action and other matters.

Digital Rights Ireland is chaired by UCD Law Lecturer TJ McIntyre and is comprised of academics, journalists and technologists. The group believes that citizens' digital rights are being eroded - the rights we expect in the real world are being stripped from us in the online world. Protection of these rights will involve public promotion of digital rights, and lobbying for their protection where required.

Digital Rights Ireland is a contact point for policy makers who wish to gauge the impact of their regulation in this complicated, and sometimes technical, area. In addition, the group aims to provide an informed position on issues in the digital rights field, free from any commercial or political bias. Current areas of concern for the group include data retention, rights to privacy/data protection, helping people to fight spam, and intellectual property issues. Digital Rights Ireland also aims to inform citizens of their rights, and how to exercise them. To that end, collaborators already have produced pamphlets and research material on areas such as SMS spam and the Data Protection & Freedom of Information Acts. Further pamphlets, on matters such as libel liability for online speech, will follow shortly.

The foundation of Digital Rights Ireland is directly related to two political developments.

First, under current Irish law, citizens' electronic communications data must be retained for 3 years. This includes the physical location of every mobile phone in the country, and the numbers dialled from every mobile and land line. It may be accessed, without a court order or specific ministerial order, by the Gardai. This access need not be in response to any crime. If the Gardai are satisfied that it might be useful in the prevention of a crime (not limited to serious crime), it is permissible.

The Irish Government is currently one of a group of four countries seeking to have this requirement extended across the EU, and broadened to include your online activities. If passed, this will require Internet Services Providers to log every email you send and every web page you visit. Digital Rights Ireland will act to keep Irish people informed about these issues, to defend their right to privacy from unwarranted infringement and to ensure that all legislation proposed and passed is in line with European and Irish Human Rights Law.

Secondly, the Irish Recorded Music Association is currently seeking to sue individuals they say they have identified as having uploaded music onto file-sharing networks. DRI are in favour of civil, legal and human rights being protected in a digital world. That must extend to the legal rights of copyright holders, as much as individuals. However, protection of copyright cannot come at the expense of the civil right to privacy.

The Irish Recorded Music Association has also publicly stated that it believes that it's illegal to transfer music from your (legally bought) CDs to your (legally bought) iPod or MP3 player. DRI believes that the law in this area needs to be clarified - and if things like this are illegal, that the law needs to be changed.

Illegal video surveillance on Slovenian motorways

In Slovenia the number of installed surveillance video cameras on the roads is increasing rapidly. Apart from the CCTV systems on sections of so called "smart motorways" - which enable real-time monitoring of important traffic parameters and the informing of drivers via traffic portals - a large number of surveillance video cameras is installed on the whole Slovenian motorway network.

Article 74 of Slovenian Personal Data Protection Act requires that "a public or private sector person that conducts video surveillance must publish a notice to that effect. Such notice must be visible and plainly made public in a manner that enables individuals to acquaint themselves with its implementation at the latest when the video surveillance begins."

DARS (Motorway company in the Republic of Slovenia) has published such notices on toll collection booths. However, there are many sections (so called "open sections" and "half-open sections") of motorways on which drivers do not have to cross a toll collection station in order to use the motorway. The use of such sections is free of charge. These sections are also equipped with video surveillance systems, but the drivers have no opportunity to get informed that they are entering the zone of video surveillance.

The Slovenian Personal Data Protection Inspector, Mr. Joze Bogataj, confirmed that DARS is breaching article 74 of Personal Data Protection Act in case of motorway sections where drivers are not informed by toll booths or otherwise. There is one escape for video surveillance on these roads: it can be justified only if the video cameras are not able to capture images in sufficient quality, so that vehicle number plates are not readable.

According to a statement by a police representative on 7 November on Radio Slovenia 1, DARS' video surveillance cameras on certain motorway sections are also used by the police for the prosecution of traffic offences. Therefore, the video cameras are most likely able to capture images in a way that vehicle number plates can be read from the recorded image.

Inspector Bogataj made the point that there is no special law that would permit DARS to perform video surveillance without having to comply with article 74 of Personal Data Protection Act.

On 23 August 2005, there were 859 video surveillance cameras installed on the Slovenian motorway network, including those for monitoring toll collection stations (information provided by DARS).

NL supreme court ruling on internet anonymity

The Supreme Court of the Netherlands ruled on 25 November 2005 in a landmark case against the freedom of internet users to express their opinion anonymously. The Supreme Court upheld a previous court verdict in which internet portal Lycos was forced to hand over the personal data of one of its subscribers to the Dutch stamp trader Pessers.

Mr Pessers trades in postage stamps on the auction portal eBay and was accused of fraud by a Lycos subscriber, who published Mr Pessers' name on his website. Subsequently Pessers demanded the personal data from the subscriber in order to sue for damages. But Lycos refused and was taken to court. After the initial verdict, Lycos did hand over the data, but only to find out the address data were false. Pessers started another procedure, to force Lycos to find other ways to retrieve the correct information, but that demand was declined.

Although the Court acknowledges that the content on the website was not 'apparently unlawful', the Court ruled that Lycos was required to hand over the data. In the view of the Court Pessers had made it 'sufficiently plausible' that the website 'could be' unlawful.

The outcome of the Supreme Court verdict is that ISPs in the Netherlands will have to evaluate two questions regarding websites when receiving complaints. The ISPs will have to take websites off-line after a notice and takedown request when that website is 'apparently unlawful'. This is a direct result of the e-commerce directive (2000/31/EC). The Court has now added a second question. If the website 'could be' unlawful then the ISP will have to hand over the personal data of the website owner. The music industry in the Netherlands has taken a great interest in the case Lycos/Pessers. The Dutch anti-piracy organisation Brein even paid for Pessers' legal costs, hoping that the ruling would enable them to get the personal data of peer-to-peer users through their access providers.

As a result of this ruling, ISPs in the Netherlands will have to evaluate a complex series of questions. Although Lycos decided to fight the legal battle to the very end, it is expected that most ISPs will not follow this example. It could become quite simple in the Netherlands to gain someone's personal data through an ISP if all it takes is to convince the ISP that the website involved 'could be' unlawful.

There is some light at the end of the tunnel as the Court stresses in its verdict that the conclusion only applies to the specific conflict between Lycos and Pessers and does not constitute a general rule.

Advocate General European Court rejects PNR deal

On 22 November 2005 the Advocate General of the European Court of Justice advised annulling the EU-US agreement on the transfer of passenger data. The AG does not answer the privacy-questions raised by the European Parliament, but finds the agreement unacceptable under the subsidiarity rule of the European Union. Only the member states should decide on these matters, not the European Commission.

US Customs have had access to the passenger lists of Europeans flying to the US since May 2004. European commissioner Frattini promised to send the European Parliament an evaluation in May 2005, but nothing has surfaced yet.

The full court ruling will follow early in 2006. The court might still come up with a ruling that addresses the privacy-issue.

Cryptography almost banned in the Czech Republic

The Czech Lower House recently approved a law introducing a new Penal Code, including a ratification of the Cybercrime convention.

The original version, prepared by the Ministry of Justice, contained a provision that would criminalise hacking and cracking IT systems, but due to misguided and very unclear wording it also criminalised legitimate activities such as cryptography, IT security testing etcetera.

The vagueness of the new law would have posed a serious threat of arbitrary criminalisation of legitimate activities and legal uncertainty in general.

Together with a coalition of crypto-analysts, EDRI-observer IuRe was successful in suggesting amendments of the proposal, basing it more literally on the text of the Convention.

The Senate still has to approve the law, but nobody expects any challenges to the revised and improved provision.

EDRI-gram is a biweekly newsletter about digital civil rights in Europe. Currently EDRI has 21 members from 14 European countries and 5 observers from 5 more countries (Italy, Ireland, Poland, Portugal and Slovenia). European Digital Rights takes an active interest in developments in the EU accession countries and wants to share knowledge and awareness through the EDRI-grams.

Finally, proving that the attack on personal freedom is not limited to the EU, this report from China last month.

China limits SMS
taken from xinghua

The Chinese government have issued new guidelines that seek to limit the use of cell phones for text messaging.

Photo caption: Mass communication via cell phone played a role in recent anti-Japan rallies such as this, involving some 40,000 demonstrators in Guangzhou, south China. (China Photos / Getty Images)

A circular issued by the Ministry of Public Security, the communist internal political police, stated that it is illegal to send short text messages that can have "massive influence."

Chinese leaders fear text messaging could be used for pro-democracy and anti-communist political activities.

The effort appears aimed at curbing mass communication through cell phones, such as occurred in recent months when large-scale anti-Japanese demonstrations were triggered by widespread text messages.

The statement said that some text messages were sent posing as banks to defraud or blackmail people. There also have been obscene and pornographic messages, gambling and violent content.

Other illegal text messages have been related to such criminal activity as the sale of firearms, ammunition, explosives, smuggled cars, narcotics, knockout drops, obscene articles and counterfeit money.

The circular said action would be taken against anyone using text messages that violate the constitution, laws or decrees.
