ANALYSIS: Data retention proposals about to become law here have been declared an invasion of privacy in Germany. Government please take note

IF THE Government fails to reconsider the terms of its Data Retention Bill, currently in its final stages before the Houses of the Oireachtas, it is likely to find that costly court challenges and a forced reworking of the legislation lie ahead.

The Retention of Data Bill 2009 seeks the overdue implementation of an EU directive on data retention (storage of call data for two years and internet-use data for one year, for everyone in the country, including children). It is the tail-end of a long process in which the right to privacy has been pitted against the needs of law enforcement to have access to records for criminal investigations.

Even as the Bill passed a Dáil vote that cements in its current provisions, there are signs that all is not well on the European front for national data retention legislation.

On Tuesday, in a significant finding, the German constitutional court threw out Germany’s existing data retention laws for a range of reasons, many of which have direct application to Ireland.

The German court echoed precisely the concerns expressed by many groups and individuals here about our own legislation – worries that were given a lone voice in the Dáil debate by Labour TD Seán Sherlock.

The German court found that enacting any data retention legislation requires a regard for what it termed the exceptional intensity of the interference with human rights that result from such measures. It therefore obligates the government to have clear and transparent measures in place to ensure data safety, data use, and adequate legal remedy available to citizens for misuse of personal data.

It said retention legislation must set a very high standard for safety of all data, and this cannot be balanced against a general burden of cost, whoever that may lie with. It underlined that access to data should only be allowed in cases targeting most serious crimes and terrorist offences. It argued that individuals must be notified after the fact that their information was accessed for an inquiry.

All of these issues have been highlighted as a concern in Ireland, where the Government has tried to downgrade the level of the crimes that our legislation applies to; does not outline a quality of service that must be met to protect data; does not cover the costs of managing and protecting data, but passes them on to the internet and telecoms sector; and does not give adequate legal remedy to citizens nor adequate oversight. Irish legislation would not meet the provisions laid out by the German court.

Privacy advocacy group Digital Rights Ireland has already brought a constitutional case against the Government in the High Court on the constitutionality of Irish legislation. This is widely expected to be referred to the European Court of Human Rights and prove a test case on the issue for the EU as a whole, where the German case will signal issues likely to prove troublesome for Irish and other EU nations’ retention laws.

Full text.

Press release by the German Working Group on Data Retention (AK Vorrat)

2 March 2010:

After data retention ruling: Civil liberties activists call for political end to retention of telecommunications data

+++ Data retention opposed by 70% of German population +++ European
Citizens’ Initiative for repealing the EU directive on data retention announced +++ Legal action to be continued +++

The German Working Group on Data Retention has today announced a Europe-wide campaign to end Internet and telephone data retention. This follows the German Constitutional Court’s ruling on a mass complaint made by more than 34,000 citizens. According to a newly-published poll, 69.3% of all Germans oppose data retention, making it the most strongly rejected surveillance law.[1]

“The recording of confidential contacts and movements of the entire population in the absence of any suspicion is unacceptable and must stop immediately”, says Florian Altherr of the Working Group. “In starting an initiative to this end, the Federal Minister of Justice can count on the support of EU Commissioner Viviane Reding as well as of many states such as Austria, Belgium and Romania, all of which do not have data retention laws in place.”

“In order to bring the massive rejection of blanket data retention home to politicians we are in the process of preparing a European Citizens’
Initiative. With the signatures of one million opponents to the permanent logging of our Internet and phone use we want to pursuade the EU to repeal its data retention directive”, announces data protection activist padeluun of the Working Group.

Patrick Breyer of the Group adds: “At the same time we will continue our legal fight against data retention. Today’s decision proclaiming the recording of the entire population’s behaviour in the absence of any suspicion compatible with our fundamental rights is unacceptable and opens the gates to a surveillance state.”

The German Working Group on Data Retention is making five political demands after today’s ruling:
1. The Federal Government, the Federal Minister of Justice and Parliaments must now cooperate with other like-minded states and bodies to take steps to repeal the redundant and detrimental data retention directive.
2. The German law on data retention, going far even beyond EU requirements and – according to the German Constitutional Court – unconstitutional, must not be re-enacted.
3. European citizens should be given the right to file constitutional complaints directly with the European Court of Justice.
4. The Federal Government must not agree to any further collection of information on citizens not suspected of any wrong-doing in the name of security, such as the air travellers file proposed by the EU. Mass data pools that were introduced in the past, such as the registration of Internet use by the Federal Office for Information Security or the employee information system ELENA, must be closed down.
5. An independent review of all existing “security” measures must take place in order to systematically examine their compatibility with our fundamental rights, their effectiveness, their cost, their harmful side-effects and alternatives.

Background information:

Communications data enables the tracing of who has contacted whom via telephone, mobile phone or e-mail. In the case of mobile calls or text messages via mobile phone, the user’s location is also logged. Data retention allows citizens’ movements to be traced and personal and business contacts to be monitored. Information regarding the content of communications such as personal interests and individual life circumstances can also be deduced.

A study commissioned in 2008 shows that data retention is acting as a serious deterrent to the use of telephones, mobile phones, e-mail and Internet. The survey conduced by research institute Forsa found that with communications data retention in place, one in two Germans would refrain from contacting a marriage counsellor, a psychotherapist or a drug abuse counsellor by telephone, mobile phone or e-mail if they needed their help. One in thirteen people said they had refrained from using telephone, mobile phone or e-mail at least once because of data retention, which extrapolates to 6.5 mio. Germans in total.

German NGO Working Group on Data Retention (Arbeitskreis
Vorratsdatenspeicherung) organised several protest marches against the scheme. Last year, 20.000 people protested against surveillance in Berlin.[2] About Arbeitskreis Vorratsdatenspeicherung (German Working Group on Data
Retention):

The Arbeitskreis Vorratsdatenspeicherung (AK Vorrat) is a Germany-wide organisation which campaigns against extensive surveillance in general and the blanket logging of telecommunications and other behavioural data in particular.

Homepage and contact details: http://www.vorratsdatenspeicherung.de

Footnotes and Links:

[1] Poll on data retention (in German):

http://www.vorratsdatenspeicherung.de/images/infas-umfrage.pdf

[2] Protest march “Freedom not Fear”:

http://www.vorratsdatenspeicherung.de/content/view/333/79/lang,en/

About Arbeitskreis Vorratsdatenspeicherung (German Working Group on Data Retention):
The Arbeitskreis Vorratsdatenspeicherung (AK Vorrat) is a Germany-wide organisation which campaigns against extensive surveillance in general and the blanket logging of telecommunications and other behavioural data in particular.
Homepage und contact details: http://www.vorratsdatenspeicherung.de

MELISSA EDDY Associated Press Writer

5:23 AM EST, March 2, 2010

BERLIN (AP) — Germany’s highest court on Tuesday overturned a law allowing authorities to retain data on telephone calls and e-mail traffic for help in tracking criminal networks.

A law ordering data on calls and e-mail exchanges be retained for six months for possible use by criminal authorities violated Germans’ constitutional right to private correspondence and must be revised, the Federal Constitutional Court ruled.

In its ruling, the court said the law failed to sufficiently balance the need for personal privacy against that for providing security, although it did not rule out data retention in principle.

“The disputed instructions neither provided a sufficient level of data security, nor sufficiently limited the possible uses of the data,” the court said.

Nearly 35,000 Germans had appealed to the court to overturn the law, which stems from a 2006 European Union anti-terrorism directive requiring telecommunications companies to retain phone data and Internet logs for a minimum of six months in case they are needed for criminal investigations.

The court upheld the EU directive, saying the problem lay instead with how the German parliament chose to interpret it.

Under the German law, which went into effect Jan. 2008, information about all calls from mobile or landline phones was retained for six months, including who called whom, from where and for how long.

The following year, that law was expanded to include the data surrounding all contact via e-mail.

Although the laws forbid authorities from retaining the contents of either form of communication, they met with fierce opposition from civil rights groups.

“Massive amounts of data about German citizens who pose no threat and are not suspects is being retained,” Germany’s commissioner for data security issues, Peter Schaar, told ARD’s morning show.

Experts argue the information is crucial to being able to trace crimes involving heavy use of the Internet, including tracking terror networks and pursuing child pornography.

Before the draft Bill was published, we identified several areas which needed to be addressed to protect freedom of expression for internet users. Unfortunately, only one of these areas was ultimately covered by the Act – the introduction of a single publication rule (which means that internet users are less likely to be at risk of being sued for older material). Other areas – such as the position of hosts – were left unreformed.

In an opinion piece in today’s Sunday Times we argue that this is not just bad for fundamental rights but also bad for business. Here’s an excerpt:

Many plaintiffs will sue not the person who wrote the defamatory material but the internet business which displayed it. This may be because they cannot identify the author or because the author doesn’t have a bob. Either way, it presents a problem for online businesses in Ireland, which face the risk of substantial damages for what users say, even though they are not responsible for what is said.

Some providers, such as chatrooms and forums, do have limited protection under European law, giving them immunity from damages — provided they act quickly to remove defamatory material when they become aware of it.

But there is no guidance as to what is meant by being “aware” of defamatory material. This lack of certainty discourages internet providers from taking responsible steps to monitor user comments for fear that, if they do, they will be deemed to be aware of the content and therefore liable. It also creates a problem when someone makes a vague complaint and doesn’t specify what is defamatory. The only solution may be to remove all material referring to them.

The result of this limited immunity is often privatised censorship, with internet hosts feeling obliged to remove users’ comments in response to legal threats. Simple economics encourage this. The cost of legal advice to determine whether material is defamatory, and the risk of liability, means that the safest response is taking down content or closing off debates. Boards.ie felt compelled to ban all discussion of MCD events after the concert promoter took a libel action over users’ posts about the Oxegen festival.

Bloggers are also affected. The Society of Homeopaths, for example, recently took offence at something written by Andy Lewis on his Quackometer website. Lewis was prepared to stand firm over his comments but, rather than sue him, the society instead threatened the web-hosting company, which promptly took down his blog.

All these problems were identified by a government-appointed legal advisory group on defamation in 2003, which recommended that any reform of Irish law should improve the position of online providers. Surprisingly, however, the Defamation Act 2009 focused on the traditional media and largely ignored the recommendations relating to online defamation.

This leaves Ireland trailing behind other jurisdictions. Since 1996, the United States has given internet providers a defence in respect of material written by users. So have many EU countries, which went further than European law requires. Ireland, however, exposes internet intermediaries to a much greater business risk of being held liable for material they did not produce.

We have been successful in attracting the likes of eBay, Facebook and Google. It would be unfortunate if failure to reform the law were to risk deterring other online businesses from setting up here.

None of these points are original. Eoin O’Dell, who was a member of the Legal Advisory Group on Defamation, has already highlighted these problems, saying that it is inexplicable and indefensible that the 2009 Act neglected the internet. However, until there is further reform it will be important to keep this issue on the agenda.

Surprisingly, though, the consultation paper has almost nothing to say about searches of computers and data. In fairness, it does note that there are some existing (rather patchy) provisions which specifically deal with computer searches – such as the power to require passwords in s.48 of the Criminal Justice (Theft and Fraud Offences) Act 2001. It also makes a very brief reference to the need for specialist forensic examination of seized computers. However it fails to consider any of the difficulties which have emerged when traditional norms are applied to data, much less current proposals which would fundamentally rewrite the law in this area.

To take just a few examples: there is no recognition of the vast quantities of personal data which are often stored on computers, making searches particularly privacy invasive in a way which is not generally true elsewhere. On a similar note, the consultation paper fails to recognise that the effect of seizing a computer and data can often be to shut down a business or to seriously disrupt an individual’s life, and that this often can be mitigated by returning a copy of the seized data. There’s no analysis of how extensive searches of data should be – if, for example, a computer is seized on suspicion of fraud offences should it be permissible to automatically scan the hard drive to detect possible child pornography images? (These and many other issues have been extensively analysed by Orin Kerr in several excellent articles, including Search Warrants in an Era of Digital Evidence and Searches and Seizures in a Digital World.) Similarly, there’s no mention of so-called remote searches (police hacking into computers at a distance), despite the fact that these have been the subject of recent EU proposals.

These and other issues will have to be addressed if the Law Reform Commission analysis is to deal with computer searches adequately in a way which protects privacy – if you’re interested in bringing any of these issues to their attention, you can email them at info@lawreform.ie or make a submission via snail mail using the details on this page.

(Cross-posted from tjmcintyre.com)

[Data retention] equally addresses all the law subjects, regardless of whether they have committed penal crimes or not or whether they are the subject of a penal investigation or not, which is likely to overturn the presumption of innocence and to transform a priori all users of electronic communication services or public communication networks into people susceptible of committing terrorism crimes or other serious crimes.

Séan Sherlock (Lab.) is also on top of this issue and has put forward extremely desirable amendments designed to reduce the retention period and to establish greater transparency in the oversight of data retention – these are available on the Oireachtas website (PDF).

The Romanian Constitutional Court declared, yesterday afternoon, the data retention law (law 298/2008) as unconstitutional, as it breaches art 28 of the Romanian Constitution which provides that secrecy of the letters, telegrams and other postal communications, of telephone conversations, and of any other legal means of communication is inviolable.

So far there is no press release of the Court and the decision has not been published yet, there are only press articles about it. An English report (not entirely accurate) is available on mediafax.

As with the German decisions against data retention, this isn’t directly applicable to our High Court challenge. But it is extremely useful as evidence of a growing trend throughout Europe to find data retention laws constitutionally suspect.

I’m quoted in today’s Irish Times on the threats made by JC Decaux against Fusio resulting in their taking down their Dublin Bikes App.

Leave aside for a moment the PR stupidity of this strategy.

Ignore if you will the dubious legal basis of their claim. (Without going into the finer points of copyright in facts, database rights, clickwrap agreements or possible passing off, the vague nature of their complaint – “Following our conversion, I confirm that you do not have the rights to use the information published on the web site http://www.dublinbikes.ie/. In particular the data concerning the stations is the property of JCDecaux and cannot be used without our prior authorisation” – makes it clear that they have little idea what they are talking about.)

Think instead about the issue of principle. A body which is operating in partnership with Dublin City Council is attempting to stop an Irish company from providing – free of charge – facts to the public about the service which they offer, without giving any justification for doing so, and without offering an alternative of their own. (I’m happy to see that at least some of our politicians understand the absurdity of this.)

I spoke to the press office in Dublin City Council today, who made it clear that they regard this matter as nothing to do with them. But why not? DCC were happy to work with Fusio to develop the app. Is there no provision in their contract with JCD establishing an obligation to provide information to the public about the service? Will they make sure that future contracts address this type of situation? (And – while I’m on the topic of the contract – why does JCD own the domain dublinbikes.ie? Is there any provision in the contract for the domain to revert to DCC on its expiry?)

- TJ

[Update - since initially posting this I have asked DCC for a copy of any correspondence with JCD over this issue and with any relevant portions of their contract with JCD. This seems to be an issue where JCD would be likely to reverse their stance if pressure were applied (one would hope they understand the risks of bad publicity!) - and where an important point of principle about reuse of data could be established. You may wish to email JCD at info@jcdecaux.ie; you can find contact details for your local councilors here.]

A secret memorandum of understanding between State agencies and the communications industry on how to implement the as-yet non-existent Government data retention legislation, confirms longstanding concerns about who is managing the data retention agenda and to what end.

With data retention, it appears that the tail is wagging the dog, in blatant disregard for proper democratic legislative process. The agencies that want access to our call and internet data are bypassing the Oireachtas, which at least theoretically, is the body that draws up and implements legislation.

As one alarmed privacy advocate told me: “This is legislation by decree.” …

No doubt, the argument will be made – and indeed is, within the body of the 13 page memorandum – that the document exists to help streamline the process by which our data are requested and handed over to various bodies that will now be allowed to look at it. Or as the memorandum states: “to promote efficient and effective standards of co-operation between the State and the Communications Industry.”

But it is not the business of the agencies to arrange any such matters privately with the communications industry, especially in the absence of actual legislation, or any public discussion or input, or any significant Oireachtas debate on a Bill that has only recently been published and not yet debated.

A data retention bill has not been passed by the Oireachtas yet, so this extraordinary “agreement” is based on sweeping assumptions, not articles of law.

More startling is the fact that agencies and industry are making such secretive plans for co-operation at all. It is the job of the Oireachtas and, ultimately, the courts to determine how legislation will be interpreted and implemented, not the Garda Commissioner, the Revenue Commissioners or the Defence Forces by private agreement.

This is the equivalent of the Financial Regulator securing a private understanding with Irish companies and banks as to how they will be supervised and how evidence will be obtained from them for investigations.

Another concern is that the memorandum, as it stands, indicates an agreement to obtain data that goes beyond what has been proposed so far in the published data retention bill.

The memorandum arranges for communications companies to hand over ‘‘any available personal details” of an IP address user, e-mail sender or VoIP user, even though the draft Bill (as seen by The Irish Times earlier this year) only requires name and address.

The memorandum also contains an agreement to hand over the MAC address associated with a computer user – the numerical “address” of a physical piece of hardware, such as a laptop, that enables it to connect to a network – though not required by the Bill.

The memorandum concludes with supreme arrogance: a detailed schedule pertaining to what will be handed over and how, matched to the text from the “Act” – again, simply the proposed Bill the Oireachtas has not yet approved. The schedule has a column for the “mutual agreement of retained data” and another for “issues addressed and agreed”.

Excuse me? Since when do agencies and industry get to “mutually agree” how they will privately interpret and comply with publicly mandated legislation (setting aside the glaring absence of any such legislation on which to base their ‘mutual agreement’)?

The memorandum notes in conclusion that it should be disseminated within Government “where necessary” and copies of the signed agreement be filed with legal representatives and stored internally in company files.

So, we have a private deal arranged in advance, in disregard of the role of the democratically elected Oireachtas and with no public input or scrutiny, between State agencies and the communications industry on how they will interpret and act on one of the most controversial pieces of legislation proposed for the State and European Union.

Legislation that has massive privacy and security implications for citizens and for businesses, and which already has been criticised by several leading business figures from indigenous and multinational companies as a threat to Ireland’s business environment.

Such arrangements have no place in a democracy and will surely alarm businesses that have chosen to base themselves in Ireland. Revelations that they exist will not instill confidence that privacy safeguards will be respected for citizens or businesses, nor dispel concerns that other murky off the record arrangements will be made along the way.

To be fair, there are portions of the draft agreement which are highly desirable. It aims to establish a single point of contact principle, which should minimise mistakes and abuse. It seeks to have state authorities digitally sign and encrypt any email requests for information. And it clarifies the appallingly vague technical language in the draft Data Retention Bill in a way which may make it workable.

But these safeguards should be built into the legislation itself, made mandatory and enforceable by judicial supervision. Instead, this agreement leaves them to an ad hoc arrangement between the State and the telecoms industry, and admits that it is merely “a non-binding statement of understanding or agreement [which] creates no legal obligations or commitments on the signing parties”. Moreover, it does so in secret, with no public input into the process. And, as Karlin points out, in some places it goes beyond what the draft legislation would require, and commits ISPs to handing over information without any legal obligation or permission to do so.

Read the full text of the leaked agreement here.