Month: June 2014
The data retention tsunami: how EU Member States are reacting to the annulment of the data retention directive
UPDATE JUNE 2015: NEWS FROM BELGIUM
Following the annulment of the Data Retention Directive in April 8, 2014, by the Court of Justice of the European Union, European Member States are hardly starting to face the consequences of that.
As stated in my previous post on the matter, the European decision did not make national data retention legislations (whether or not enacted as implementation of the annulled directive) automatically invalid. However, because of the principles laid down by the European court, most of such national legislations are at risks, because they impose data retention obligations in a too general and far-reaching way. This conclusion is shared also by a study commissioned by the Greens Group at the European Parliament which can be found here.
In fact, in §59 of the sentence the European judges stated that “blanket” data retention legislations are not allowed, they must be selective and focussed:
“Moreover, whilst seeking to contribute to the fight against serious crime, Directive 2006/24 does not require any relationship between the data whose retention is provided for and a threat to public security and, in particular, it is not restricted to a retention in relation (i) to data pertaining to a particular time period and/or a particular geographical zone and/or to a circle of particular persons likely to be involved, in one way or another, in a serious crime, or (ii) to persons who could, for other reasons, contribute, by the retention of their data, to the prevention, detection or prosecution of serious offences.”
For long time Member States have hesitated in taking actions, also because of the lack of guidance from the European Commission, which is sharing its part of responsibility for this messy situation. Denmark was one of the first country in making a legal analysis whether the European decision could somehow affect their data retention legislation, but then they concluded that there was no reason to act.
In June, at a recent closed meeting of EU Justice and Home Affairs ministers, the Council’s Legal Services is reported to have stated that paragraph 59 of the European Court of Justice’s ruling on the Data Retention Directive “suggests that general and blanket data retention is no longer possible“. Therefore, should Member states not take actions, the matter will be likely submitted by individuals to a national courts, which will take the decision instead of the government, as it did just happen in Austria. In other words, today’s judgement of the Austrian Constitutional court is a clear reminder to most European member States that postponing a decision on this matter is not a good strategy. Italy is one the country mostly at risk, because their national legislation is just a copy & paste of the annulled directive.
Finally, breaking news of April 27, 2015: in an answer to a parliamentary question Dimitris Avramopoulos, Commissioner for Migration, Home Affairs and Citizenship confirmed that instead of presenting a new legislative initiative on Data Retention, the Commission intends to launch a public consultation on the matter with relevant stakeholders.
Here a list of countries which are definitively deleting DR rules (in addition to Ireland, which caused the case in front of the European Court):
On June 27, 2014 the Austrian Constitutional Court has declared invalid most parts of the Austrian law on data retention. This is the first national decision taken after the important sentence of the European Court of Justice which, on April 8, 2014 annulled the European Directive on data retention (Directive 2006/24/EC).
Austrian ISPs have to stop retaining and providing information to the Austrian authorities about data retained under the data retention regime by the end of the day following the publication of the decision. ISPs will however still be allowed to retain traffic data for their own legitimate purposes (billing, fraud prevention etc.) for a certain amount of time. Such data could still be accessible by public authorities for public securities reasons.
A source of Austrian ISP industry declared “very positive” from an ISP-angle is that the system implemented for the exchange of information with law enforcement agencies (so called “Durchlaufstelle” / “DLS”) will remain in place and will be used for the exchange of information about traffic data ISPs are still allowed to retain.
On June 11, 2015 the Belgian Constitutional Court declared invalid Belgian data retention law. The decision is here, more infos to follow.
The Bulgarian data retention law was declared incompatible with the national constitution on March 12, 2015. No further details are available at the time.
On 2 March 2010 (so, even before the European annulment judgement), the Federal Constitutional Court ruled the German data retention law unconstitutional as a violation of the guarantee of the secrecy of correspondence. As such, the directive is not currently implemented in Germany. However, we learned that the German government is trying to reintroduce a law on data retention. On April 15, 2015, the minister for Justice and Consumer Protection, Heiko Maas, and the Minister of Internal Affairs, Thomas de Maiziere, presented a document with a few guidelines: http://www.bmjv.de/SharedDocs/Downloads/DE/pdfs/20150415-Leitlinien-HSF.pdf?__blob=publicationFile. The German association Eco rose doubts about adequacy and consistency of the proposal with the principles laid down by the European court. Few weeks later, the German constitutional court issued a statement raising doubts about the proposed measure.
the Romanian data retention law was declared unconstitutional by the Constitutional Court on July 8, 2014. The ruling applies to all provisions of the law. The argumentation of the judgement is expected to be published at the beginning of August.
According to the court, the data retention law is suspended for 45 days and operators no longer have to retain data. If the government and parliament do not resolve the constitutional issues within 45 days, then the law will be annulled permanently.
On 23 April 2014, the Slovak Constitutional Court preliminary suspended effectiveness of the Slovak implementation of Data Retention Directive. Although the case is already pending for before the Court since October 2012, the Court decided to issue this preliminary measure and accept the case for the further review only now. The preliminary suspension of effectiveness means that the Slovakian retention laws are still formally valid, but have no legal effect until the Court decides on the merits of the compliant. The Court, however, suspended only provisions that are mandating data retention itself, while leaving provisions on access to those information intact for now. This means that ISPs will soon lose any legal obligation to store data about users. Any storage of personal data of users will thus need to be limited to general privacy regime.
On July 3, 2014 also the Slovenian Constitutional court annulled the national data retention legislation for reasons similar to the Austrian case. The decision is available here (only in Slovenian language, sorry): https://www.ip-rs.si/fileadmin/user_upload/Pdf/sodbe/US_RS_ZEKom-1_3julij2014.tif
In nuts, the Slovenian Court found the local data retention legislation to be disproportionate for the following reasons:
– massive and un-selective retention of data constitutes a breach of rights of a large proportion of population, while no grounded justification was provided for that;
– no justifications and grounds were provided for the selected retention periods (8 months for internet related and 14 months for telephony related data);
– the use of retained data was not limited to serious crime.
…. and here the countries that, by contrast, are confirming DR national rules (although with some accidents, such as in the Netherlands).
In Danemark, the Parliament commissioned a study on the lawfulness of the local data retention legislation and reached the conclusion that it fully comply with the minimum proportionality requirements set out in the CJEU ruling.
While hesitating and ignoring the problem for longtime, Italy suddenly adopted a new legislation which reinforced the data retention obligations, irrespective and despite of the annulment decision of the CJEU. By virtue of art. 4-bis, comma 1, of Legislative Decree n. 7 of February 18, 2015 (confirmed by law n. 43 of April 17, 2015), the Italian authorities decided that the retention of personal data (currently 24 months for calls and 12 months for Internet communications) should be extended up to December 2016 for certain categories of crimes (terrorism, mafia ecc).
In Sweden the situation is more controversial. Just after the annulment of the DR directive, various Swedish ISPs declared their intentions to stop retaining data. PTS, the Swedish regulator, had initially announced that it would stop the enforcement of the data retention law – at least until the situation is clarified. The government ordered a a study to be carried out and, on June 12, 2014 an expert group appointed by the Ministry of Justice concluded that the Swedish legislation on data retention is lawful by maintaining that, unlike the repealed directive, such provisions contain clear rules on the conditions for providing access to retained data. As a consequence of this intervention, most of the Swedish operators resumed data retention, while some of them resist, amongst them the ISP Bahnhof which has been threatened by PTS for this reason.
In November 2014 the Dutch government proposed some minor adjustments to the national data retention legislation which did not came into force yet. In the meanwhile, a judge from The Hague declared the original law to be invalid and suspended the application, here a comment about.
On July 17, a new data retention law came into force in UK, the Data Retention and Investigation Powers Act 2014 (DRIPA). The new legislation substantively re-enacts the mandatory data retention provisions of the UK 2009 Data Retention Regulations, which was based on the provision of the annulled European Directive. The rules will continue to empower the Secretary of State to give data retention notices to public telecommunications operators ). However, instead of the previous fixed 12 month period of retention, the current retention period may vary subject to a maximum 12 months. The notice may specify different periods for different types of data. The notice may relate to an operator or description of operators. Complaints against the new regime has been already announced.
Today in London, at the International lntellectual Property Enforcement Summit, prof. Angelo Cardani, the Chairman of Italian Regulator AGCOM, reported the preliminary results of the Copyright Enforcement Regulation which recently (March 28, 2014) entered into force in Italy. The regulation is quite a unique measure in Europe – since no other telecom regulator is entrusted with copyright enforcement powers in the EU – and has been highly contested by civil society, ISPs and consumers associations, while plauded by the content industry. Experts have released different views on the matter. Likewise, the Regulation encountered different feedback at international level: while an official advisor of the United Nations argued that the measure may be dangerous for freedom of speech, the US administration welcomed the regulation and apparently because of that it dropped Italy down from the black list of “pirate” countries.
Various recourses for the annulment of the regulation are pending with Italian courts and a decision may be adopted quite soon before the end of June. A legal description of the Copyright Enforcement Regulation can be found here.
Prof. Cardani defended the regulation declaring that “no Armageddon happened“. He maintained that the measure was necessary to protect the creative industry because the judiciary remedies are not sufficiently quick. He informed the audience that 41 complaints have been filed so far with regard to photos (15), movies (11), music (7), books (4) and digital newspapers (1), video games (1). The authority started 28 proceedings, two-thirds (13) of these were closed as a result the spontaneous removal of the content. In 8 cases, the Authority adopted sanctions, ordering also the blocking of pirate sites’ DNS addresses. Most serious infringements concerned the illegal downloading of music and movies.
The data released by prof. Cardani have been made public with a PR of AGCOM.
It is still premature to make a complete assessment of such results. Probably, such outcome will be analyzed by AGCOM to eventually refine the Regulation. For instance, it is clear that many claims have been filed with regard to individual, and non massive, infringements (while the Regulation was deemed to deal only or mainly with large-scale and commercial infringements). Most of the requests concern pictures, i.e. a creative works which are not highly discussed in the piracy debate. The web-blocking measures have been imposed with regard to websites hosted abroad, however is not clear whether substantial attempts have been made in order to ask foreign police to shut down such servers and avoid web-blocking (Prof. Cardani said that international cooperation is still a problem). Web-blocking was ordered at DNS level rather than at IP level, in order to avoid over-blocking.
Remarkably, in the last weeks various ISP were informed by AGCOM about pending proceedings which could result in web-blocking. AGCOM suggested ISPs to impose a block even before a final decision was adopted. Mostly ISPs rejected this approach and experts have argued that such anticipated blocking could be legally risky.
Today in Brussels we launched Digit@lians.eu, a community of Italian (and Italian-speaking) professionals engaged in the digital sector. Guest speakers were prof. Antonio Nicita, commissioner at AGCOM, and dott. Cristiano Radaelli, president of Anitec. They entertained the audience (almost 100 professionals) with a wide range of subjects, including the role of AGCOM and the need for a new digital policy for Italy. At the end there was the intervention of Gianpiero Lotito, the visionary CEO of Facility Live.
Digit@lians.eu is an idea of Maria Rosa Gibellini, Fabrizio Porrino and myself. More events to follow!
You cam follow Digit@lians.eu via: