Karlin Lillington has an excellent summary in today’s Irish Times, and here are some of the highlights:

Ireland is one of the countries accessing private information the most:

THE GARDA made more requests for phone-call traffic data in 2008 than police in Germany, which has 20 times the population of the Republic.

According to a leaked draft of a European Commission report, gardaí made more than 14,000 access requests for call data in 2008, a rate about 40 per cent higher than had been previously assumed by data privacy advocates, who had based an estimate of 10,000 on figures provided in the past by gardaí to the Office of the Data Protection Commissioner.

Older data is very seldom accessed:

According to the report, the vast majority of data requests across the EU – 85 per cent – are made when the data is less than seven months old, with the bulk of requests, 70 per cent, filed for data held for less than three months.

Statistics gathered from member states “support the conclusion that the relevance of data decreases significantly” with age, the report says.

The report found no concrete evidence from any state to support longer retention periods. “No objective elements were found that could support the choice of the retention period: neither the prevalence of certain forms of crime, the geography of the [member state], or (in-)efficiencies of a law enforcement organisation seem to support the choice,” it says.

The report shows there are very few requests within any state, including Ireland, for data after 12 months. Only 109 requests in aggregate from eight EU countries including Ireland were made in 2008 for mobile data held longer than 18 months. Only 39 total requests from the same eight countries were made for fixed-line call data stored longer than 18 months.

Fears of function creep have been borne out, and data retention is being used for matters such as filesharing cases:

It also notes that many member states have implemented the EU data retention directive by widening its scope and retaining data that was not retained in the past, often allowing it to be used for more purposes than outlined in the directive, such as for civil litigation on copyright in the UK. Such expansion is referred to as “mission creep” by privacy advocates.

Irish companies will be at a competitive disadvantage due to data retention:

The report says some respondents feel that in states with lengthy retention periods, private industry is at a competitive disadvantage because of the burden and costs that retention may impose directly or indirectly.

Several network operators said the need to invest in retention infrastructure had caused them to delay or abandon improvements to national networks.

Deutsche Telekom claimed it had spent €5.2 million on implementation of retention infrastructure and €3.7 million a year to facilitate about 13,000 call data requests and 6,500 internet data requests. Other operators said they had spent in excess of €4 million setting up systems for providing access to stored data.

As predicted, prepay SIM cards have made data retention measures ineffective and have led to Member States – including Ireland – attempting to ban their use:

In the Government’s response to a questionnaire on the State’s implementation of data retention, the Department of Justice noted it was considering ways to identify users of pre-paid SIM cards, an issue which was raised by several states.

In addition to these points, the full document is full of more damning details. For example, not one Member State provided any statistical information demonstrating that data retention was of use in any significant number of cases (p.7), while it’s clear from responses that the Directive – which was sold as a harmonisation measure – has completely failed to achieve this (p.8). Similarly, national data protection authorities have pointed out that they often lack proper powers to supervise data retention and that telecommunications companies often lack proper security over customer data (pp.9-10).

While the full judgment is 53 pages long, the gist is relatively simple.

Long story short: today’s decision has cleared the way for our challenge to proceed and to challenge the entire European legal basis for data retention.

(Following the wider European trend where Germany, Bulgaria and Romania have all found aspects of data retention to be unconstitutional.)

The longer version: Today’s decision dealt with three procedural issues which had to be cleared before we can argue the substance of the case: i.e. whether mass surveillance of this sort is compatible with constitutional guarantees of fundamental rights.

The first of these issues dealt with standing: could DRI (as a company, not a natural person) assert rights of privacy? And could it argue the rights of privacy of others? On this point the court held in our favour, accepting that DRI was a “sincere and serious litigant”, which raised these issues with bona fide interest and concern and ruling that it was appropriate for us to argue these points as this was a matter of “fundamental public importance”.

The second point dealt with an attempt by the State to stop the action in its tracks by seeking “security for costs” – i.e. requiring us to make a payment into court to cover the costs of the State should we lose the action. Because of the cost of High Court actions, requiring such a payment at the outset could effectively have prevented the case from being heard. Here the court rejected the State’s application, holding that:

the matters pleaded in this case do raise issues of significant public importance… Given the rapid advance of current technology it is of great importance to define the legitimate legal limits of modern surveillance techniques used by governments… without sufficient legal safeguards the potential for abuse and unwaranted invasion of privacy is obvious… That is not to say that this is the case here, but the potential is in my opinion so great that a greater scrutiny of the proposed legislation is certainly merited.”

Finally, the third point related to our application to refer this case to the European Court of Justice (“ECJ”). As data retention is now dealt with at a European level, it is important that we be able to challenge the European law in this area – something which can only be done before the ECJ in Luxembourg. Here the court again accepted our argument, holding that a reference to the ECJ was required and that it was appropriate that it be made at the current stage of the proceedings.

So what happens next? There will be some more legal argument next week about the precise questions which should be referred to the ECJ – after that, the case will be referred to the ECJ and will go into their system for a hearing in Luxembourg, which have implications for data retention across Europe.

ANALYSIS: Data retention proposals about to become law here have been declared an invasion of privacy in Germany. Government please take note

IF THE Government fails to reconsider the terms of its Data Retention Bill, currently in its final stages before the Houses of the Oireachtas, it is likely to find that costly court challenges and a forced reworking of the legislation lie ahead.

The Retention of Data Bill 2009 seeks the overdue implementation of an EU directive on data retention (storage of call data for two years and internet-use data for one year, for everyone in the country, including children). It is the tail-end of a long process in which the right to privacy has been pitted against the needs of law enforcement to have access to records for criminal investigations.

Even as the Bill passed a Dáil vote that cements in its current provisions, there are signs that all is not well on the European front for national data retention legislation.

On Tuesday, in a significant finding, the German constitutional court threw out Germany’s existing data retention laws for a range of reasons, many of which have direct application to Ireland.

The German court echoed precisely the concerns expressed by many groups and individuals here about our own legislation – worries that were given a lone voice in the Dáil debate by Labour TD Seán Sherlock.

The German court found that enacting any data retention legislation requires a regard for what it termed the exceptional intensity of the interference with human rights that result from such measures. It therefore obligates the government to have clear and transparent measures in place to ensure data safety, data use, and adequate legal remedy available to citizens for misuse of personal data.

It said retention legislation must set a very high standard for safety of all data, and this cannot be balanced against a general burden of cost, whoever that may lie with. It underlined that access to data should only be allowed in cases targeting most serious crimes and terrorist offences. It argued that individuals must be notified after the fact that their information was accessed for an inquiry.

All of these issues have been highlighted as a concern in Ireland, where the Government has tried to downgrade the level of the crimes that our legislation applies to; does not outline a quality of service that must be met to protect data; does not cover the costs of managing and protecting data, but passes them on to the internet and telecoms sector; and does not give adequate legal remedy to citizens nor adequate oversight. Irish legislation would not meet the provisions laid out by the German court.

Privacy advocacy group Digital Rights Ireland has already brought a constitutional case against the Government in the High Court on the constitutionality of Irish legislation. This is widely expected to be referred to the European Court of Human Rights and prove a test case on the issue for the EU as a whole, where the German case will signal issues likely to prove troublesome for Irish and other EU nations’ retention laws.

Full text.

Press release by the German Working Group on Data Retention (AK Vorrat)

2 March 2010:

After data retention ruling: Civil liberties activists call for political end to retention of telecommunications data

+++ Data retention opposed by 70% of German population +++ European
Citizens’ Initiative for repealing the EU directive on data retention announced +++ Legal action to be continued +++

The German Working Group on Data Retention has today announced a Europe-wide campaign to end Internet and telephone data retention. This follows the German Constitutional Court’s ruling on a mass complaint made by more than 34,000 citizens. According to a newly-published poll, 69.3% of all Germans oppose data retention, making it the most strongly rejected surveillance law.[1]

“The recording of confidential contacts and movements of the entire population in the absence of any suspicion is unacceptable and must stop immediately”, says Florian Altherr of the Working Group. “In starting an initiative to this end, the Federal Minister of Justice can count on the support of EU Commissioner Viviane Reding as well as of many states such as Austria, Belgium and Romania, all of which do not have data retention laws in place.”

“In order to bring the massive rejection of blanket data retention home to politicians we are in the process of preparing a European Citizens’
Initiative. With the signatures of one million opponents to the permanent logging of our Internet and phone use we want to pursuade the EU to repeal its data retention directive”, announces data protection activist padeluun of the Working Group.

Patrick Breyer of the Group adds: “At the same time we will continue our legal fight against data retention. Today’s decision proclaiming the recording of the entire population’s behaviour in the absence of any suspicion compatible with our fundamental rights is unacceptable and opens the gates to a surveillance state.”

The German Working Group on Data Retention is making five political demands after today’s ruling:
1. The Federal Government, the Federal Minister of Justice and Parliaments must now cooperate with other like-minded states and bodies to take steps to repeal the redundant and detrimental data retention directive.
2. The German law on data retention, going far even beyond EU requirements and – according to the German Constitutional Court – unconstitutional, must not be re-enacted.
3. European citizens should be given the right to file constitutional complaints directly with the European Court of Justice.
4. The Federal Government must not agree to any further collection of information on citizens not suspected of any wrong-doing in the name of security, such as the air travellers file proposed by the EU. Mass data pools that were introduced in the past, such as the registration of Internet use by the Federal Office for Information Security or the employee information system ELENA, must be closed down.
5. An independent review of all existing “security” measures must take place in order to systematically examine their compatibility with our fundamental rights, their effectiveness, their cost, their harmful side-effects and alternatives.

Background information:

Communications data enables the tracing of who has contacted whom via telephone, mobile phone or e-mail. In the case of mobile calls or text messages via mobile phone, the user’s location is also logged. Data retention allows citizens’ movements to be traced and personal and business contacts to be monitored. Information regarding the content of communications such as personal interests and individual life circumstances can also be deduced.

A study commissioned in 2008 shows that data retention is acting as a serious deterrent to the use of telephones, mobile phones, e-mail and Internet. The survey conduced by research institute Forsa found that with communications data retention in place, one in two Germans would refrain from contacting a marriage counsellor, a psychotherapist or a drug abuse counsellor by telephone, mobile phone or e-mail if they needed their help. One in thirteen people said they had refrained from using telephone, mobile phone or e-mail at least once because of data retention, which extrapolates to 6.5 mio. Germans in total.

German NGO Working Group on Data Retention (Arbeitskreis
Vorratsdatenspeicherung) organised several protest marches against the scheme. Last year, 20.000 people protested against surveillance in Berlin.[2] About Arbeitskreis Vorratsdatenspeicherung (German Working Group on Data
Retention):

The Arbeitskreis Vorratsdatenspeicherung (AK Vorrat) is a Germany-wide organisation which campaigns against extensive surveillance in general and the blanket logging of telecommunications and other behavioural data in particular.

Homepage and contact details: http://www.vorratsdatenspeicherung.de

Footnotes and Links:

[1] Poll on data retention (in German):

http://www.vorratsdatenspeicherung.de/images/infas-umfrage.pdf

[2] Protest march “Freedom not Fear”:

http://www.vorratsdatenspeicherung.de/content/view/333/79/lang,en/

About Arbeitskreis Vorratsdatenspeicherung (German Working Group on Data Retention):
The Arbeitskreis Vorratsdatenspeicherung (AK Vorrat) is a Germany-wide organisation which campaigns against extensive surveillance in general and the blanket logging of telecommunications and other behavioural data in particular.
Homepage und contact details: http://www.vorratsdatenspeicherung.de

MELISSA EDDY Associated Press Writer

5:23 AM EST, March 2, 2010

BERLIN (AP) — Germany’s highest court on Tuesday overturned a law allowing authorities to retain data on telephone calls and e-mail traffic for help in tracking criminal networks.

A law ordering data on calls and e-mail exchanges be retained for six months for possible use by criminal authorities violated Germans’ constitutional right to private correspondence and must be revised, the Federal Constitutional Court ruled.

In its ruling, the court said the law failed to sufficiently balance the need for personal privacy against that for providing security, although it did not rule out data retention in principle.

“The disputed instructions neither provided a sufficient level of data security, nor sufficiently limited the possible uses of the data,” the court said.

Nearly 35,000 Germans had appealed to the court to overturn the law, which stems from a 2006 European Union anti-terrorism directive requiring telecommunications companies to retain phone data and Internet logs for a minimum of six months in case they are needed for criminal investigations.

The court upheld the EU directive, saying the problem lay instead with how the German parliament chose to interpret it.

Under the German law, which went into effect Jan. 2008, information about all calls from mobile or landline phones was retained for six months, including who called whom, from where and for how long.

The following year, that law was expanded to include the data surrounding all contact via e-mail.

Although the laws forbid authorities from retaining the contents of either form of communication, they met with fierce opposition from civil rights groups.

“Massive amounts of data about German citizens who pose no threat and are not suspects is being retained,” Germany’s commissioner for data security issues, Peter Schaar, told ARD’s morning show.

Experts argue the information is crucial to being able to trace crimes involving heavy use of the Internet, including tracking terror networks and pursuing child pornography.

[Data retention] equally addresses all the law subjects, regardless of whether they have committed penal crimes or not or whether they are the subject of a penal investigation or not, which is likely to overturn the presumption of innocence and to transform a priori all users of electronic communication services or public communication networks into people susceptible of committing terrorism crimes or other serious crimes.

The Minister for Justice in Ireland published the Communications (Retention of Data) Bill last week: it was made available on the Oireachtas website (and brought to my attention by the ever-helpful Darius Whelan), although curiously, some reputable (and normally reliable) newspapers wrote on Monday morning about the legislation being due to be published! It will presumably be debated in the Oireachtas (parliament) when its honourable members return after the summer. Data retention legislation requires service providers to keep certain types of data on the activities of their subscribers and users, and to disclose it to relevant authorities on request. I hope that this post is of interest to Irish and non-Irish audiences, though, as the issues are arising in many jurisdictions, whether through the EU’s data retention directive of 2006 or independently. I also point to this extremely helpful status report on transposition as of January 2009: it shows very clearly that many states have included both judicial authorisation and cost recovery, which are absent from the Irish proposals.

The publication of the Bill isn’t a major surprise. A draft had been leaked, and of course this is but the Irish implementation of the 2006 Directive – so we cannot blame the Irish government alone for bringing forward these proposals. The underlying Directive remains an unconvincing one. I am not opposed to all attempts to use new forms of communication in conjunction with crime prevention, detection and prosecution. Nor am I unsympathetic to the way that some in law enforcement will feel that they are falling behind those who they pursue in terms of the use of technology. But data retention carries with it a financial burden, an administrative nightmare and, most importantly, a shift in the balance between the citizen and the state that may be presumed to be irreversable: surveillance powers, once granted, are rarely rolled back. These are broad powers, requiring retention of everyone’s data even if those having data disclosed are a subset of this (rather than the alternative of notifying a service provider to retain data on a given subject for a limited, specific purpose). As is so often the case, specific information from law enforcement on the problems with existing legislation has not been forthcoming, and public statements focus on the most extreme of cases (the Irish Minister for Justice gave us international terrorism and child pornography in his public comments today). Anyway, to ten questions that occur to me after giving the Bill some consideration.

(1) We are reassured that the legislation, as with the Directive, doesn’t apply to ‘content’, but getting information on who you are communicating with and (particularly in the case of mobile telephony) where you have been over the course of two years is more than trivial – it is a very intrusive way of finding out what a person (unconvicted of any crime) has been doing in their private life. How is this acceptable?

(2) The proposals follow in the disreputable tradition of sidelining the judicial branch – making the powers in essence a general authority for digital search and surveillance operations without a warrant. Nothing in EU law requires that the powers of accessing data be exercisable by senior Gardai (not to mention principal officers in the Revenue Commissioners, a new addition to the Bill that was not part of the earlier draft) – although it does appear tighter than the UK version, which appears to let anyone with a tanard or a lanyard to make a request. There are some safeguards supposedly in place (annual statistical reporting, a judge with the job of monitoring the system), but we’ve seen that they are quite weak: see for example TJ McIntyre’s recent discussion of the current judicial ‘oversight’ of phone intercept and data retention legislation. Furthermore, the officer authorising the access to data merely has to be satisfied that it is required for preventing, detecting, investigating or prosecuting a serious offence – which, for example, carries no need for reasonable suspicion of criminal behaviour on the part of the person whose data is being disclosed. It’s a dragnet-style provision that gives powers to police, Army and revenue officials and enables them to carry out large-scale investigations without any disclosure of such to the affected individuals nor any effective right of appeal or transparency. Why could this system not be restricted to cases approved by an independent judge after specific evidence of necessity is presented by the requesting officer?

(3) Data retention remains doubtful in terms of fundamental rights compliance: in the ECHR, S & Marper v UK questions mass monitoring of the unconvicted, Copland v UK reiterates that traffic data is covered by Article 8 (as I argue here); the German courts are considering various challenges (summarised by Digital Rights Ireland: 1 | 2), and DRI itself is engaged in a challenge to the Directive. The prior case brought by Ireland against the Directive related purely to legal basis and did not address fundamental rights at any stage. Does this legislation comply with the high standards of the protection of fundamental rights that Ireland aspires to meet?

(4) Under the Directive, retention is required for between six months and two years. The UK provisions (SI 2009/859) require a standard 12 month period. The Irish proposals would require it for a year for Internet and two years for telephone. Supporters of the legislation are spinning this as a reduction from the existing (and supposedly stopgap) three year period under 2005 legislation, conveniently neglecting the requirement under EU law to reduce it to a maximum of 2 years in any event. Why is a 2-year period necessary, particularly where other implementing States are able to adopt shorter periods?

(5) No information is provided in the Bill, explanatory memorandum or press release on who will bear the costs of retention. Compare this with, for example, the UK regulations which at least empower the Home Secretary to reimburse ‘any expenses incurred’ (which are well into the millions) in complying with the regulations. Bear in mind, too, that while some providers will keep billing data for obvious reasons, this is not the case for all providers. Who will pick up the bill and why has it not been ‘costed’ in a published impact assessment?

(6) The Bill applies without more to all providers of publicly available electronic communications networks and publicly available electronic communications services. These are wide (and imprecise) definitions that, given that specific statutory obligations are created (’a service provider shall retain’), causes doubt for many (webmail? webmail-like? open wifi? voice IM?). This will cause panic and confusion across the sector and will have seriously damaging consequences for Ireland’s ability to promote itself as a destination for high-tech industries. Compare with s 10 of the UK regulations, which provide that the obligation is only activated when the Home Secretary notifies the provider (although the Secretary does have a statutory duty to notify all relevant providers!) Why does the Government wish to create new duties without precision on who the duties will affect?

(7) There is a ‘redundancy’ provision in the UK regulations (again s 10), which states that the Home Secretary doesn’t have to notify providers where the data is retained by another provider. Presumably, this protects downstream ISPs and similarly situated others. There is no such provision in the Irish legislation and the clear terms would require the same data to be collected at multiple locations. Why are the supporters of data retention so generous with the time, money and effort of others?

(8) The detailed instructions (Sch 2, Part 1, 5(d)) requires retention of the date, time and (cell ID) location of the activation of a ‘pre-paid anonymous (mobile telephony) service’. Is this the end of pay-as-you-go anonymity through the back door?

(9) The definition of ’serious offences’ is broad (although it is an improvement on the draft, which would have allowed the powers to be used for any offence with a 12-month sentence attached to it). Any offence carrying a five-year sentence along with selected other offences (from poisoning to the false reporting of child abuse) count. How were these offences selected and what is the basis for their inclusion?

(10) The complaints procedure under s 10 of the Irish bill is bizarre – you can find out if a disclosure request has been made about you by making a request (if you believe that your data has been disclosed!!), but you will only be told if it has been made if it turns out that the rules have been contravened. Translation: meaningless. And there’s a broad barring of legal action other than the required constitutional right of action. And ‘a decision of the (referee who deals with complaints) … is final’. And evidence obtained in violation of the statute is not automatically excluded, as it should be. Given the argument that those with nothing to fear have nothing to hide, why does the Government fear challenges so much as to bar them?

Just so there’s no confusion we’re repeating the request here – if he genuinely has nothing to hide then surely he’ll be happy to provide us with details of his (taxpayer funded!) mobile phone bills for the last two years and we’ll be happy to put them online. A request has been sent to him by email and by voicemail to his constituency office asking if he will make that information available to us and if not why not. Any reply will be posted to this blog. Though perhaps you shouldn’t hold your breath.

Update (14.07.09): The chutzpah of FF TDs knows no bounds. According to today’s Independent, at a recent FF meeting backbenchers opposed being required to use a swipe card to track attendance:

The TDs also resented the idea of a swipe card that would keep track of their comings and goings at Leinster House and prevent claims for expenses from absent members…

TDs and senators believe that a pilot scheme for civil servants where their attendance and hours in work would be monitored by a swipe card system will be used to check up on them. And while most privately acknowledge that a few may abuse their expenses and allowance privileges, they resent the idea of a “Big Brother system of electronic supervision”.

As the first German court, the Administrative Court of Wiesbaden has found the blanket recording of the entire population’s telephone, mobile phone, e-mail and Internet usage (known as data retention) disproportionate.

The decision published today by the Working Group on Data Retention (decision of 27.02.2009, file 6 K 1045/08.WI) reads: “The court is of the opinion that data retention violates the fundamental right to privacy. It is not necessary in a democratic society. The individual does not provoke the interference but can be intimidated by the risks of abuse and the feeling of being under surveillance [...] The directive [on data retention] does not respect the principle of proportionality guaranteed in Article 8 ECHR, which is why it is invalid.”

The Working Group on Data Retention which has initiated a class action of over 34,000 citizens against the total logging of the entire population’s communications and movements welcomes the court decision very much. It calls on social democrats and christian democrats to reject the latest government project to allow Internet service providers to record everybody’s Internet surfing habits.

“We call on all citizens to contact their MPs now in order to protest against the proposed retention of web surfing habits,” says Werner Hülsmann, member of the board of the forum of computer scientists for peace and social responsibility and actively working in the Working Group on Data Retention. To stop the project, which the Bundestag will debate on Thursday in the first reading, the Working Group on Data Retention has set up a campaign page on the Internet. In early March, the Federal Council of Germany (Bundesrat) also warned that the proposed “storage of all Internet usage data without a specific cause or with blanket coverage [...] violates” the Constitution.

“The recent criticism by Federal Minister of the Interior Wolfgang Schäuble (CDU) of the Constitutional Court’s preliminary decision on data retention proves that his surveillance mania is limitless”, criticizes Patrick Breyer of the Working Group on Data Retention. “It is not ‘a matter for the legislature’ to keep eroding our constitutional guarantees protecting us from errors and abuses by the authorities. We urgently need to establish a Fundamental Rights Agency to have all existing powers and programs of the security authorities systematically and scientifically reviewed as to their effectiveness, cost, adverse effects, alternatives and compatibility with our fundamental rights.”

Granted, this isn’t the end of the matter in Germany. It’s a decision of one court but may be appealed, while the highest court in Germany (the Constitutional Court) has yet to make a final ruling. It is, however, a very encouraging sign – particularly as the Constitutional Court has already indicated a provisional view that data retention may be invalid. It’s also very helpful for our own case with its finding that data retention is disproportionate and unnecessary.