R(87) 15 : A Slow death?

Joseph A. Cannataci, Mireille M. Caruana, Jeanne Pia Mifsud Bonnici
Law & IT Research Unit, Centre for Communication Technology, University of Malta

Page 1: R(87) 15 : A Slow death?

R(87) 15 : A Slow death?

Joseph A. Cannataci, Mireille M. Caruana, Jeanne Pia Mifsud Bonnici

Law & IT Research Unit
Centre for Communication Technology
University of Malta

Page 2: R(87) 15 : A Slow death?

Objectives of Presentation

• Meeting the DP Champion - R(87)15
  – Painful birth of R(87)15 – ‘purpose specification’ victory
  – In the ascendant – the adoption of R(87)15 at Schengen
  – From Recommendation to Treaty?
  – First skirmish – the 1994 review
  – Meeting the Internet
  – Living on – in spite of defeat in Cybercrime Convention negotiations; the 1998 and 2002 review
• Meeting the executioner? – Directive 2006/24/EC (The Data Retention Directive)
  – 9/11, Madrid, London – a ‘valid’ excuse to ignore purpose
  – Passenger Data – first to go… is there light at the end of the tunnel?
  – The resistance – Article 29 opinions, EDPS opinion, civil society
  – The political realities
• Is R(87) 15 dead? Or dormant?

Page 3: R(87) 15 : A Slow death?

The painful birth of R(87)15

• R(87) 15 was born within the Committee of Experts on Data Protection (CJ-PD) during 1984-1986
• CJ-PD characterised by strong leadership of Spiros Simitis – later involved in including data protection in EU Charter of Rights, and succeeded by Peter Hustinx - today EU DP Commissioner.
• Many of the data protection experts at CJ-PD in Strasbourg accompanied by police & security representatives
• The battle: police & security reps asking for “general purpose” collection vs. CJ-PD (Convention 108) position of “purpose specification”

Page 4: R(87) 15 : A Slow death?

Purpose Specification - The victory of R(87)15

• Ambiguity created by Convention 108 by allowing an exclusion from provisions for security purposes
• R(87)15 resolved this ambiguity by unambiguously subjecting police data to same data protection regime as other data
• R(87)15 scored victory by entrenching the notion of purpose for collection and processing of data, even for police use

Page 5: R(87) 15 : A Slow death?

In the ascendant: the early years 1987-1993

• Never popular with the police
• Greeted as model for democracy and cited often especially in the 1989-1992 period in Central & Eastern Europe
• Classic post 1989 use in Stasi files in Germany - the purpose challenged
• Riding the wave: in the post-1989 surge forward for democracy, adopted as data protection standard for Schengen Treaty

Page 6: R(87) 15 : A Slow death?

From Recommendation to Treaty?

• No stopping R(87)15 in the early years
• Recommendation 1181 (1992)1 on police co-operation and protection of personal data in the police sector: the member states of the Council of Europe had agreed to move towards a convention enshrining the principles of R(87)15
• What happened then?
  – Why don’t we have a new convention today?
  – Why, instead, do we have a data retention directive?

Page 7: R(87) 15 : A Slow death?

The first skirmish: 1993

• Would anyone dilute R(87)15?
• CJ-PD requested (by Committee of Ministers) to review it
• 1994 Cannataci report ensued
• Qualitative analysis of responses of some MS
  – Response overview reinforced the impression that R (87) 15 continued to provide a sound basis for data protection in the police sector
  – R (87) 15 sufficiently elastic to permit the various interpretations that some member States wished to see specifically mentioned
  – “Several experts concurred that the provisions of R (87) 15 constitute an inalterable necessary minimum”
  – No overwhelming arguments advanced as to why current formulation of Principle 5 (Communication of Data) fails in providing the most balanced formula capable of providing equitable provision for current requirements
• Status of R(87)15 preserved

Page 8: R(87) 15 : A Slow death?

Meeting the Internet

• R(87)15 was a pre-Internet animal
• Interpol & Europol were not in synch in their data protection standards
• The Police and security forces slowly started gaining experience with Internet & cybercrime
• Immigration issues with Schengen were pushing uses of hi-tech ID systems (from mag-stripe to biometric)

Page 9: R(87) 15 : A Slow death?

Cybercrime vs. Privacy 1996-2001

• The first signs of a losing battle
• Concern with cybercrime increased in inverse proportion with concern with privacy
• The crime lawyers were in the ascendant: the attempts by CJ-PD to insert breach of privacy as a substantive offence in the Cybercrime convention failed;
• The role of the US is inestimable: in order to get the US on board a Council of Europe convention, the PC-CY was prepared to downplay Privacy as an issue

Page 10: R(87) 15 : A Slow death?

The role of the US

• US approach to data protection less strict than European approach
• In Cybercrime, US were interested in
  – agreeing minimum substantive offence
  – Creating 24/7 collaboration for detection & investigation
  – Creating mechanism for preservation of evidence & subsequent prosecution
• Privacy was just not an issue (but when is it to security forces?)

Page 11: R(87) 15 : A Slow death?

Living On… The second report: 1998

• The 1998 Patijn Report … viewed against Directive 1995/46EC & negotiations on Cybercrime Convention
• R (87)15 still gives adequate protection + included in Schengen Agreement & Europol Treaty – don’t change but…
• More detailed recommendations
  – Police powers, to be adequate, necessarily interfere with the respect for private life and should therefore be restricted to the extent that is necessary
  – Proposes that the Committee of Ministers recommend that national legislators explicitly deal with certain questions of data protection rules for criminal data
• Result - Integrity of R(87)15 was preserved

Page 12: R(87) 15 : A Slow death?

Third Evaluation Report - 2002

• CJ-PD examined R (87) 15 and agreed that
  – No revision and no new recommendation
  – Principles are still relevant especially as a basis for the elaboration of regulations on use of personal data by the police and as a point of reference for activities in this field.
  – CJ-PD giving up?

Page 13: R(87) 15 : A Slow death?

Changing times – 9/11

• R(87) 15 was created when Europe had largely settled the terrorist issues which had plagued Germany & Italy in the 70s
• 2001 brought with it 9/11 – a disaster which heralded much trouble for data protection
• First victim: Airline passenger lists and the dispute between EU and the US … is May 2006 ECJ decision a ‘small’ victory?

Page 14: R(87) 15 : A Slow death?

Waking up to the Internet

• Post-9/11 Police & Security forces became more aware of terrorist & crime uses of the Internet
• To Police & Security Forces, the Internet is simply another communications system
  – “to tap”
  – And especially to proved “traffic data”
• Police (esp. in Germany) had been using traffic data to locate terrorists since the seventies. The lessons of the Clemens Wagner case from Baader-Meinhof era were well-learnt

Page 15: R(87) 15 : A Slow death?

We want the traffic data!

• So the debate commenced
• The Internet is rich in traffic data = let’s get at it
• Art. 29 (and many others) pointed out (even as early as 1999) many fallacies in Police & Security force arguments:
  – There are many ways of getting around monitoring of traffic and content data
  – Monitoring all data is grossly disproportionate measure and puts civil society at risk

Page 16: R(87) 15 : A Slow death?

Data Retention – ignoring purpose specification

• Discussions on regulation on retention of traffic data for law enforcement purposes go back to G8 meeting in Moscow 1999
• 9/11 – speeded up discussions and gave a ‘justification’ for retention of traffic data for longer periods
• By 2000 – retention of traffic data allowed for billing and interconnection payments

Page 17: R(87) 15 : A Slow death?

The Article 29 Mantra

• Retention of traffic data for purposes of law enforcement should be allowed only under strict conditions:
  – Kept only for a limited period
  – Kept only where necessary, appropriate and proportionate in a democratic society

Page 18: R(87) 15 : A Slow death?

From Draft Framework Decision to Data Retention Directive

• Resistance of Article 29 group, EDPS and civil society unaltered
• Traffic data retention interferes with the fundamental right to confidential communications (Art. 8 ECHR)
• Any restriction on this fundamental right must be based on a pressing need, should only be allowed in exceptional cases and be the subject of adequate safeguards

Page 19: R(87) 15 : A Slow death?

Article 29’s 2005 Opinion

• Is it legally and factually justified to require a compulsory and general data retention requirement?
• Are the proposed data retention periods in the draft Directive convincing?

Page 20: R(87) 15 : A Slow death?

Article 29’s List of desirables: A return to basic DP principles

1. Re-Introduce Purpose specification: The purposes of data retention should be stated clearly in the Directive
2. Indicate Authorised Recipients of the Data Retained – access clearly defined
3. Limit Data Mining
4. Process only according to purpose
5. Introduce accountability - judicial/independent scrutiny
6. Indicate precisely who is to retain data
7. No obligation for identification
8. Require separation of data retained for billing from data retained under Directive
9. Security – make sure data is retained in a secure manner
10. Identification of which data to be retained – should satisfy a strict necessity test
11. The evidence supporting these measures should be evaluated periodically

Page 21: R(87) 15 : A Slow death?

Were the desiderata addressed in Directive 2006/24?

• Purpose specification – No. Directive 2006/24 does not clearly define and delineate the specific purposes for which data should be retained.
• Access limitation – Directive 2006/24 provides that data is to be provided only to the competent national authorities BUT it does NOT provide that the competent national authorities should be specifically designated law enforcement authorities or that a list of such designated authorities should be made public

Page 22: R(87) 15 : A Slow death?

Were the desiderata addressed in Directive 2006/24? (2)

• No data mining – The limitation in Art 4 to “specific cases” seems to prohibit data mining activities. However the Directive does not specify that data can only be provided if this is needed in relation to a specific criminal offence.
• Further processing – No provision ruling out or limiting stringently further processing for other related proceedings.

Page 23: R(87) 15 : A Slow death?

Were the desiderata addressed in Directive 2006/24? (3)

• Access Logs – Directive 2006/24 does not provide that any retrieval of the data should be recorded and the records made available to the supervisory authority
• Judicial / independent scrutiny of authorized access – Not mandated by the Directive
• Retention Purposes of Providers – solely for public order purposes, not for other purposes, especially their own. Not specifically mandated by the Directive.

Page 24: R(87) 15 : A Slow death?

Were the desiderata addressed in Directive 2006/24? (4)

• System Separation – In particular, the systems for storage of data for public order purposes should be logically separated from the systems used for business purposes and protected by more stringent security measures. No specific provision in the Directive.
• Security Measures – General requirements on minimum standards concerning the technical and organisational security measures to be taken by providers were included - Article 7 of the Directive

Page 25: R(87) 15 : A Slow death?

Were the desiderata addressed in Directive 2006/24?

• Short Answer – NO.
• Basically ignored all the data protection concerns
• Ignored Article 29, EDPS, civil society & forged ahead

Page 26: R(87) 15 : A Slow death?

Directive 2006/24/EC
The Data Retention Directive

– Providers of publicly available communication services being forced unprecedentedly to store billions of data relating to the communications of any and all citizens for investigational purposes

– From the perspective of data protection there is a need of full harmonization of the main elements included in the proposal

Page 27: R(87) 15 : A Slow death?

The Criticism

• “Harsh criticism”
• Measures are disproportionate
• The notion of purpose is not respected
• Not enough safeguards are established
• The cost-efficiency of data retention nowhere demonstrated – how many terrorists & criminals have been apprehended because of Internet traffic data?

Page 28: R(87) 15 : A Slow death?

Article 29 WP Opinion 3/2006 of 25 March 2006 (post Directive)

• The Directive
  – Lacks some adequate and specific safeguards
  – Leaves room for diverging interpretation and implementation by the Member States
• The WP considers it crucial that
  – The provisions of the Directive are interpreted and implemented in a harmonised way
  – The Directive is accompanied in each Member State by measures curtailing the impact on privacy

Page 29: R(87) 15 : A Slow death?

The verdict

• What The Data retention Directive achieves is the death of “purpose”
• The respect for the principle of purpose for gathering data, in this case “traffic data”, now takes second place to the notional usefulness of such data in the fight against terrorism & crime
• The danger inherent in having whole masses of data preserved, for years AND subject to the monitoring by police & security forces for “their” purposes

Page 30: R(87) 15 : A Slow death?

Is R(87) 15 dead?

• Who has really funded an in-depth implementation review of R(87) 15?
• Can we trust the Police & security forces to be telling us the truth anyway?
• Data retention directive lowers the standards by
  – giving legitimacy to the opponents of “purpose”
  – Creates new dangers in large databases of traffic data which previously did not exist

Page 31: R(87) 15 : A Slow death?

Is it dormant?

• Is there hope in the May 2006 ECJ decision on illegality of transfer of Airline Passenger Data? … is this the beginning of the return of ‘purpose specification’?
• Will the EU stop paying only lip-service to data protection?