EU legislation on privacy and e-communications, Tobias Mahler, 6th March 2012, JUR 5630 2012


EU legislation on privacy and e-communications

Tobias Mahler

6th March 2012

JUR 5630 – 2012


1. Disposition

Normative background

Privacy and electronic communications

• Directive 2002/58/EC as amended

Data retention

• Directive 2006/24/EC


2. NORMATIVE BACKGROUND


Human rights

Article 7, EU Charter of Fundamental Rights

• Everyone has the right to respect for his or her private and family life, home and communications.

Article 8(1), European Convention on Human Rights

• “respect for private life … and correspondence”.


ECHR cases include

Klass v. Germany (1978)

• ECtHR holds for first time that telephone conversations are covered by notions of “private life” and “correspondence” (see para. 41).

Malone v. UK (1984)

• Focused on lawfulness of use of “metering” records.

Kruslin v. France (1990)

• Focused on lawfulness of telephone tapping by police.

Copland v. UK (2007)

• Focused on lawfulness of employers’ access to employees’ email communications.


National law

Protection of communications privacy also provided for in national constitutions/other legislation: e.g., …

• Spain’s Constitution Art. 18(3)

• Germany’s Basic Law Art. 10

• Norway’s Penal Code §§ 145, 145a

• Swiss Penal Code Art. 179.

Case-law of German Federal Constitutional Court particularly protective – see especially:

• Covert surveillance of ICT systems;

• Eavesdropping on private homes;

• Retention of traffic data (see further below).


3. DIRECTIVE 2002/58/EC ON PRIVACY AND ELECTRONIC COMMUNICATIONS


A supplement

Supplements and “fine-tunes” Directive 95/46/EC

• Cannot be fully understood without consideration of latter

• (e.g., latter provides core definitions)

• Has greater reach than DPD

• (e.g., in relation to protection of legal person data)

• Still only sectoral EU data protection law (outside Third Pillar)

• Some commentators query its necessity

Replaces and repeals Directive 97/66/EC

• Focus of latter too narrow (on traditional telephony plus ISDN)

• Application to Internet was difficult to determine


Basic purpose

Provide for relatively detailed rules for protection of personal data that are processed in relation to certain e-communication networks and services;

Harmonize national provisions on point;

Create conditions for free movement of data.


E-Communications Framework

Framework

• Part of broader regulatory package establishing Common E-Communications Framework,

Competition

• increase competition in e-communications market;

Consumer protection

• protect consumers and users of e-communications networks/services.


Amended directive

Amended November 2009 by Directive 2009/136/EC

• To be transposed by June 2011.

• Consolidated version.

Main amendments:

• mandatory notification of personal data security breaches (Article 4(3));

• consent requirements for cookies (Article 5(3));

• anti-spamming measures by ISPs (Article 13(6)).


Scope of application (Art. 3)

Data processing in connection with

• provision of publicly available electronic communications services

• in public communications networks in the Community.

What = “electronic communication service”?

• See Framework Directive 2002/21/EC, Art. 2(c)

• content and broadcasting not covered.


Protection of legal persons

Protection of certain “legitimate interests” of legal persons

• in role of subscribers/users of e-communications services,

• but this protection not fully commensurate with protection of individuals

• see Arts. 12 and 13(1) dealing with

• subscriber directories and

• automated calling systems


Central provisions (I)

security and confidentiality of communications (Arts. 4–5)

storage and use of communications traffic data (Arts. 6, 15)

processing of location data other than traffic data (Art. 9)


Central provisions (II)

calling and connected line identification

• Art. 8

content of subscriber directories

• Art. 12

unsolicited communications for direct marketing purposes

• Art. 13

• Basic rule: opt-in for spam


Cookies, etc.

Cookies: Art. 5(3)

• requires organizations to obtain users’ consent before placing cookies on their computers

• (previously cookies permitted only if receiver was informed and could refuse them)

Consent: how can consent be manifested?

• Does user consent when default Web browser setting is to accept cookies?

• Yes. “Where it is technically possible and effective, in accordance with the relevant provisions of Directive 95/46/EC, the user’s consent to processing may be expressed by using the appropriate settings of a browser or other application”

• Cf. recitals 17 and 25 in consolidated version of Directive 2002/58/EC; cf. recital 66 in Directive 2009/136/EC

Encouragement of PETs

• e.g., recital 9 and Article 14 (standardization of ICT so that it is privacy-friendly)


Privacy vs. IPR

CJ decision Promusicae v Telefonica de Música de España

• Directive 2002/58/EC does not require ISPs “to communicate personal data in order to ensure effective protection of copyright in the context of civil proceedings”,

• but Member States may introduce laws with such requirement,

• if not in conflict with fundamental rights or proportionality principle.

Part of broad battle between IPR-holders and ISPs over access to IP address data and identities behind these.


4. DATA RETENTION


Data retention: basic requirements

Duty to retain data for 6 months – 2 years (Art. 3)

Access to be given to “competent national authorities” (Art. 4)

• Police (all branches?)

• Intelligence services?

• In specific cases

• Procedures and conditions to be defined in national law, in accordance with necessity and proportionality requirements.

Does not cover content?

• Not data “revealing the content of … communication” (Article 5(2));

• see too Article 1(2) (“including information consulted using an electronic communications network”).

• Watertight distinction?


[Diagram: Retain data, Access data, Use data]


ECJ case on legal basis

Ireland (later joined by Slovakia)

• claiming Directive is without proper legal basis in EU law

• claimed that Directive = First Pillar instrument dealing with Third Pillar matters.

• ECJ: legal basis = OK

Cf. ECJ case re. transfer of PNR data to USA

• Nullifying 2004 decisions by Commission and Council on PNR transfers

• because they applied to matters currently falling outside scope of Community law – namely,

• public security and

• prevention of crime.


Current status is uncertain

Transposition

• Several states have not yet transposed directive

National court decisions

• Several national data retention laws have been declared void by national courts.

Evaluation (Art. 14)

• Official evaluation report

• Shadow evaluation report

• Evaluation of Directive continuing with search for data


Cases in national constitutional courts

Romania

• Data retention breaches proportionality principle.

Germany

• Data retention & use: encroachment on interest protected by Constitution Art. 10(1)

• Proportionality requires sophisticated & well-defined provisions on

• data security,

• to limit the use of data,

• for transparency and

• legal protection.

• Majority opinion: Requirements were not fulfilled, legislation is void.

Czech Republic

• The Czech Constitutional Court declared national data retention legislation unconstitutional on 31 March 2011.


Surveillance

Innocent people under surveillance

Without sufficiently clear legal basis

Presumption of innocence

Clarity


Access to and use of data

Proportionality principle

• The more severe the encroachment through data retention is

• the stricter the requirements re. access and use of data need to be.

Strict requirements: serious crimes?

• Catalogue of serious crimes is required

• Too wide: “crime involving use of telecommunications equipment”

• Too unclear: Danger prevention and intelligence services use


[Diagram: Access data, Use data]


Access to and use of data

Distinction required between

• Individual items of traffic data

• Limited data sets

• Complete profile (“personality” / location)

Requirements re. use required

• Immediate use

• Deletion (must be documented)


[Diagram: Access data, Use data]


Data security

Risk

• Court considers risk to be high

Measures to be assessed

• Data to be retained on separate computers without Internet access;

• Asymmetric encryption (keys kept separate);

• A “principle of four eyes”;

• Log access to data.


[Diagram: Retain data]


Surveillance and transparency

Suspicion

• “Diffusely threatening feeling of surveillance”

• “legitimate suspicion … regarding privacy and … abuses”

Panopticon

• May reduce exercise of personal freedom

Transparency

• Notification about use of retained data

• Secret use only in exceptional cases, and then with subsequent notification.


Anonymity and IP-addresses

Less severe requirements

• No access to data

• No profile, only an individual item of data

• Justified by significance of Internet-based crime

• Any type of crime qualifies

No legitimate expectation of anonymity

• Internet cannot be a space outside the law in a state governed by the law

• However, transparency required: legitimate expectation to know when we don’t communicate anonymously.


Trust relations

Confidential communication

• Anonymous counselling

No access by law enforcement agencies
