EU legislation on privacy and e-communications
Tobias Mahler
6th March 2012
JUR 5630 – 2012
1. Disposition
Normative background
Privacy and electronic communications
• Directive 2002/58/EC as amended
Data retention
• Directive 2006/24/EC
2. NORMATIVE BACKGROUND
Human rights
Article 7,
EU CHARTER OF FUNDAMENTAL RIGHTS
• Everyone has the right to respect for his or her private and family life, home and communications.
Article 8(1),
European Convention on Human Rights
• “respect for private life … and correspondence”.
ECHR cases include
Klass v. Germany (1978)
• ECtHR holds for first time that telephone conversations are covered by notions of “private life” and “correspondence” (see para. 41).
Malone v. UK (1984)
• Focused on lawfulness of use of “metering” records.
Kruslin v. France (1990)
• Focused on lawfulness of telephone tapping by police.
Copland v. UK (2007)
• Focused on lawfulness of employers’ access to employees’ email communications.
National law
Protection of communications privacy also provided for in national constitutions/other legislation: e.g., …
• Spain’s Constitution Art. 18(3)
• Germany’s Basic Law Art. 10
• Norway’s Penal Code §§ 145, 145a
• Swiss Penal Code Art. 179.
Case-law of German Federal Constitutional Court particularly protective – see especially its decisions on:
• Covert surveillance of ICT systems;
• Eavesdropping on private homes;
• Retention of traffic data (see further below).
3. DIRECTIVE 2002/58/EC ON PRIVACY AND ELECTRONIC COMMUNICATIONS
A supplement
Supplements and “fine-tunes” Directive 95/46/EC
• Cannot be fully understood without consideration of latter
• (e.g., latter provides core definitions)
• Has greater reach than DPD
• (e.g., in relation to protection of legal person data)
• Still only sectoral EU data protection law (outside Third Pillar)
• Some commentators query its necessity
Replaces and repeals Directive 97/66/EC
• Focus of latter too narrow (on traditional telephony plus ISDN)
• Application to Internet was difficult to determine
Basic purpose
Provide for relatively detailed rules for
• protection of personal data that are
• processed in relation to certain e-communication networks and services;
harmonize national provisions on point;
create conditions for free movement of data.
E-Communications Framework
Framework
• Part of broader regulatory package establishing Common E-Communications Framework,
Competition
• increase competition in e-communications market;
Consumer protection
• protect consumers and users of e-communications networks/services.
Amended directive
Amended November 2009 by Directive 2009/136/EC
• To be transposed by June 2011.
• Consolidated version.
Main amendments:
• mandatory notification of personal data security breaches (Article 4(3));
• consent requirements for cookies (Article 5(3));
• anti-spamming measures by ISPs (Article 13(6)).
Scope of application (Art. 3)
Data processing in connection with
• provision of publicly available electronic communications services
• in public communications networks in the Community.
What = “electronic communication service”?
• See Framework Directive 2002/21/EC, Art. 2(c)
• content and broadcasting not covered.
Protection of legal persons
Protection of certain “legitimate interests” of legal persons
• in role of subscribers/users of e-communications services,
• but this protection not fully commensurate with protection of individuals
• see Arts. 12 and 13(1) dealing with
• subscriber directories and
• automated calling systems
Central provisions (I)
security and confidentiality of communications (Arts. 4–5)
storage and use of communications traffic data (Arts. 6, 15)
processing of location data other than traffic data (Art. 9)
Central provisions (II)
calling and connected line identification
• Art. 8
content of subscriber directories
• Art. 12
unsolicited communications for direct marketing purposes
• Art. 13
• Basic rule: opt-in for spam
Cookies, etc.
Cookies: Art. 5(3)
• requires organizations to obtain users’ consent before placing cookies on their computers
• (previously cookies permitted only if receiver was informed and could refuse them)
Consent: how can consent be manifested?
• Does user consent when default Web browser setting is to accept cookies?
• Yes. “Where it is technically possible and effective, in accordance with the relevant provisions of Directive 95/46/EC, the user’s consent to processing may be expressed by using the appropriate settings of a browser or other application”
• Cf. recitals 17 and 25 in consolidated version of Directive 2002/58/EC; cf. recital 66 in Directive 2009/136/EC
Encouragement of PETs
• e.g., recital 9 and Article 14 (standardization of ICT so that it is privacy-friendly)
Privacy vs. IPR
CJ decision Promusicae v Telefonica de Música de España
• Directive 2002/58/EC
• does not require ISPs “to communicate personal data
• in order to ensure effective protection of copyright in the context of civil proceedings”,
• but Member States may introduce laws with such requirement,
• if not in conflict with fundamental rights or proportionality principle
Part of broad battle between IPR-holders and ISPs over access to IP address data and identities behind these.
4. DATA RETENTION
Data retention: basic requirements
Duty to retain data for 6 months – 2 years (Art. 3)
Access to be given to “competent national authorities” (Art. 4)
• Police (all branches?)
• Intelligence services?
• In specific cases
• Procedures and conditions
• to be defined in national law,
• in accordance with necessity and proportionality requirements.
Does not cover content?
• Not data “revealing the content of … communication” (Article 5(2));
• see too Article 1(2) (“including information consulted using an electronic communications network”).
• Watertight distinction?
[Diagram: retain data → access data → use data]
ECJ case on legal basis
Ireland (later joined by Slovakia)
• claiming Directive is without proper legal basis in EU law
• claimed that Directive = First Pillar instrument dealing with Third Pillar matters.
• ECJ: legal basis = OK
Cf. ECJ case re. transfer of PNR data to USA
• Nullifying 2004 decisions by Commission and Council on PNR transfers
• because they applied to matters currently falling outside scope of Community law – namely,
• public security and
• prevention of crime.
Current status is uncertain
Transposition
• Several states have not yet transposed directive
National court decisions
• Several national data retention laws have been declared void by national courts.
Evaluation (Art. 14)
• Official evaluation report
• Shadow evaluation report
• Evaluation of Directive continuing with search for data
Cases in national constitutional courts
Romania
• Data retention breaches the proportionality principle.
Germany
• Data retention & use encroachment on interest protected by Constitution Art 10(1)
• Proportionality requires sophisticated & well-defined provisions on
• data security,
• to limit the use of data,
• for transparency and
• legal protection.
• Majority opinion: Requirements were not fulfilled, legislation is void.
Czech Republic
• The Czech Constitutional Court declared national data retention legislation unconstitutional on 31 March 2011.
Surveillance
• Presumption of innocence: innocent people under surveillance
• Clarity: without sufficiently clear legal basis
Access to and use of data
Proportionality principle
• The more severe the encroachment through data retention is
• the stricter the requirements re. access and use of data need to be.
Strict requirements: serious crimes?
• Catalogue of serious crimes is required
• Too wide: ”crime involving use of telecommunications equipment”
• Too unclear: Danger prevention and intelligence services use
Access to and use of data
Distinction required between
• Individual items of traffic data
• Limited data sets
• Complete profile (”personality” / location)
Requirements re. use required
• Immediate use
• Deletion (must be documented)
Data security
Risk
• Court considers risk to be high
Measures to be assessed
• Data to be retained on separate computers without Internet access;
• Asymmetric encryption (keys kept separate);
• A “principle of four eyes”;
• Log access to data.
Surveillance and transparency
Suspicion
• ”Diffusely threatening feeling of surveillance”
• ”legitimate suspicion … regarding privacy and … abuses”
• May reduce exercise of personal freedom (Panopticon)
Transparency
• Notification about use of retained data
• Secret use only in exceptional cases, and then with subsequent notification.
Anonymity and IP-addresses
Less severe requirements
• No access to data
• No profile, only an individual item of data
• Justified by significance of Internet-based crime
• Any type of crime qualifies
No legitimate expectation of anonymity
• Internet cannot be a space outside the law in a state governed by the law
• However, transparency required: legitimate expectation to know when we don’t communicate anonymously.
Trust relations
Confidential communication
• Anonymous counselling
No access by law enforcement agencies
THANK YOU FOR YOUR ATTENTION! QUESTIONS?