Tag: Data Protection (page 2 of 4)

Those who have copies of torrid homemade videos, beware!

Safe enough! Not.

As a comeback after this very long pause, I would like to address a recent ruling of a Portuguese court, which followed the complaint of a woman against her ex-boyfriend, alleging revenge porn due to the online release of an intimate video on related websites.

Grosso modo, the details of the case are as follows: the woman and the man had a relationship. During that period, they mutually agreed to video record sexual interactions, on the condition that that record would never be watched by anyone else.

The quality and the angles of the images allowed for a clear identification of the complainant. The man retained a copy of the record and saved it on his personal computer.

After the relationship ended, the woman found out that the video had been published and further circulated online, where it was freely available and easily found through a simple search with the right terms. Moreover, it was argued that it was viewed by people who personally knew the complainant, namely from her area of residence and workplace.

It was not demonstrated in court that the man was the author of the original online release of the video. As a result, it was not demonstrated that this was a case of revenge porn. However, he admitted that the computer where a copy of the video was saved was frequently used by friends and family members.

Accordingly, the court concluded that the man was – due to the abovementioned pre-existing verbal agreement – obliged to keep safe the copy of the video he retained and to take the necessary steps to that end.

Therefore, by permitting unrestricted access to the computer where a copy of the aforesaid recording was saved, he was deemed to have violated the duty of appropriately guarding it, i.e., by failing to perform the acts he was obliged to.

The court hence ruled that this failure to properly secure sensitive information regarding the complainant entitled the latter to pecuniary compensation.

In my opinion, this unprecedented ruling is very welcome as a necessary judicial answer to the proliferation of revenge porn in the online context.

However, while I am fully aware that it is very difficult to judicially sustain allegations of revenge porn and that neither the responsibility of its authors nor the moral damages of the victims should go unanswered, I am really not sure if the success of such claims should rely on the ‘omission’ of an agreed act of keeping given information secure.

It is evident that nowadays, particularly with regard to computerized information, privacy cannot be dissociated from security. However, recent history demonstrates that even large firms, processing equally sensitive information, with far more resources and despite spending millions on security diligence, are unable to keep personal and sensitive data safe.

Therefore, it must be asked: what can qualify as such an omission when individuals are involved, specifically when it is demonstrated that an individual has no particular knowledge regarding ICT security or is convinced that all the appropriate measures were taken?

In the particular case at stake, it seems that it was the negligence – the permission of access to the computer where a copy of the video was saved – that was deemed decisive in qualifying the conduct as a relevant omission.

Nevertheless, considering the lack of objective criteria, would it make a difference if the video was saved on the desktop as ‘wildnightsexwith(girlfriend’sname).mp4’ or if it was in a personal account in the computer and he forgot to log off, thus enabling others to access his personal files?

Anyway, as this is certainly the first of many rulings on similar factual issues, the courts will have plenty of opportunities to clarify the unanswered questions and to define objective criteria – or at least try – in this regard.

A spy in your living room: ‘Tu quoque mi’ TV?

How smart are you?

So, it seems that the room we have for our privacy to bloom is getting smaller and smaller. We already knew that being at home did not automatically imply seclusion. Still, nosy neighbours were, for quite a long time, the only enemies of home privacy.

However, thicker walls and darker window blinds no longer protect us from external snooping as, nowadays, the enemy seems to hide in our living room or even bedroom.

Indeed, it seems that when we bought our super duper and very expensive Smart TV, we actually may have brought to our home a very sneaky and effective – although apparently innocent – spy.

As you may (or may not) already know, TVs with Internet connectivity allow for the collection of their users’ data, including voice recognition and viewing habits. A few days ago many people would have praised those capabilities, as the voice recognition feature is applied for our convenience, i.e., to improve the TV’s response to our voice commands, and the collection of data is intended to provide a customized and more comfortable experience. Currently, I seriously doubt that most of us still look at our TV screens the same way.

To start with, there was the realization that usage information, such as our favourite programs and online behaviour, and other information not intended or expected to be collected, is in fact collected by LG Smart TVs in order to present targeted ads. And this happens even if the user actually switches off the option of having his data collected to that end. Worse, the data collected even concerned external USB hard drives.

More recently, the Samsung Smart TV was also put in the spotlight due to its privacy policy. Someone who had attentively read the Samsung Smart TV’s user manual shared the following excerpt online:

To provide you the Voice Recognition feature, some voice commands may be transmitted (along with information about your device, including device identifiers) to a third-party service that converts speech to text or to the extent necessary to provide the Voice Recognition features to you. (…)

Please be aware that if your spoken words include personal or other sensitive information, that information will be among the data captured and transmitted to a third party through your use of Voice Recognition.

And people seem to have abruptly woken up to the realization that this voice recognition feature is not only directed at specific commands in order to allow for a better interaction between a user and the device, but may also actually involve the capture and recording of personal and sensitive information, considering the conversations taking place nearby. No need to be a techie to know that this does not amount to performance improvement. This is eavesdropping. And to make it worse, the data is transferred to a third party.

In the aftermath, Samsung has clarified that it does not retain voice data or sell the audio being collected. It further explained that a microphone icon is visible on the screen when voice activation is turned on and, consequently, no unexpected recording takes place.

Of course you can now be more careful about what you say around your TV. But as users can activate or deactivate this voice recognition feature, my guess is that most will actually prefer to use the old remote control and to keep the TV as dumb as possible. I mean, just the idea of the possibility of private conversations taking place in front of your TV screen being involuntarily recorded is enough motivation.

Also, it should be pointed out that, considering the personal data involved (relating to an identified or identifiable person), there are very relevant data protection concerns regarding these situations. Can it simply be accepted that the user has consented to the Terms and Conditions on the TV acquired? Were these very significant terms made clear at any point? It is quite certain that users could not have foreseen, at the time of the purchase, that such deep and extended collection would actually take place. And if so, such consent cannot be considered to have been freely given. It suffices to think that the features used for the collection of data are what make the TV smart in the first place and, therefore, the main reason for buying the product. Moreover, is this collection strictly necessary to the service intended to be provided? When the data at stake involves data from other devices or wording other than the voice commands, the answer cannot be positive. And the transmission of personal data to third parties only makes all this worse, as it is not specified under what conditions data is transmitted to a third party or who that third party actually is. Adding to this, if we consider that these settings mostly come by default, they are certainly not privacy-friendly and amount to stealthy monitoring. Last but not least, it still remains to be seen if the proper data anonymisation/pseudonymisation techniques are effectively put in place.

Nevertheless, these situations brought back into the spotlight the risks to privacy associated with personal devices in the Internet of Things era. As smart devices are more and more present in our households, we are smoothly losing privacy or, at least, our privacy faces greater risks. In fact, it is quite difficult to live nowadays without these technologies, which undoubtedly make our lives so much more comfortable and easier. It is time for people to realize that all this convenience comes with a cost. And a high one.

The many dangers of the international agreements’ top secret negotiations

One thing we can agree on is that nobody has to know. [1]

The EU has been quite active on its external relations through the secretive negotiations for the Transatlantic Trade and Investment Partnership (TTIP) or the Trade in Services Agreement (TISA).

The irony is that, considering the unavoidable wide-ranging effects which are expected, the public at large would have great interest in scrutinizing the ongoing negotiations. However, it seems that not many individuals are fully aware of what is going on. Indeed, if some negotiating documents had not been leaked, the general population – where you and I belong – would not even know what most of them are about. In this context, it is difficult to explain and believe in the need for such confidentiality to ensure the conducting of effective negotiations.

One would have expected that some lessons were learned from the strong public opposition faced by the controversial Anti-Counterfeiting Trade Agreement (ACTA), where the same secretive strategy was employed. History, it seems, keeps repeating itself. Nevertheless, following the European Ombudsman’s pressure for more transparency and accessibility to the public, the European Commission published last month some TTIP negotiating documents.

That said, this exacerbated confidentiality and limited public participation have a serious impact on the awareness of the threat that their successful conclusion will entail for individuals. People are not able to contest or agree on what they do not know about. To keep information in the dark is, since the beginning of time, the most effective way to ensure that no opposition is raised.

Being negotiated by 23 member countries of the World Trade Organisation (WTO), including the EU, TISA, according to recent leaked documents, will have serious implications regarding transfer, access, processing or storing of information, including personal data, implying looser rules for service suppliers in international data transfers. Indeed, countries with stronger data protection regimes would be required to put those standards aside in order to comply with the agreement.

Similarly, the recognition that consumers should be able to access and use services and applications of their choice available on the Internet, subject to reasonable network management, raises concerns regarding net neutrality, which is an unfortunate outcome considering the progress achieved by the European Parliament on this issue with regard to the Telecoms Single Market.

Not to mention all the contentious issues at so many levels surrounding TTIP, being negotiated by the USA and the EU… From food regulations, to environmental standards, intellectual property, to the investor state dispute settlement, and data protection. If you think about any specific concern, you might actually find it associated with TTIP.

Due to time and space restrictions, I do not intend to address here in detail all the issues at stake. Moreover, and to be honest, I have not fully read the entirety of texts leaked or otherwise publicly made available. Nevertheless, I am fully aware that those versions no longer correspond to the most recent state of play of those negotiations. And no relief can be found in such circumstance.

That said, notwithstanding all the controversies concerning the abovementioned agreements, the EU should also pay attention to the other agreements in whose negotiation it does not participate. I am specifically referring to the Trans-Pacific Partnership (TPP), between the USA and 11 Asia–Pacific countries, which include Australia, Brunei, Canada, Chile, Japan, Malaysia, Mexico, New Zealand, Peru, Singapore, and Vietnam, with some of which the EU is also engaging bilaterally.

In this context, I certainly do not want to miss raising two of my favourite issues (or should I say prior concerns?) associated with DRM (Digital Rights Management) and copyright.

Indeed, the TPP contains a chapter on intellectual property covering copyright, trademarks, and patents, intending to address a vast range of issues, such as trade secrets, circumvention of DRM, ISP liability, copyright term lengths, and criminal enforcement measures, establishing far more restrictive standards than those currently existing on an international level.

DRM, as you may be quite well aware, refers to technical measures aiming to restrict copyrighted content, namely limiting the number of devices on which you can play a video you legally purchased. So, yes, when you try to read an eBook or listen to a song on a different platform, it can be illegal. All in the name of the ‘anti-piracy’ slogan. But do not despair: you can always buy the same book or the same song again in order to be able to use it in another format. Publishers and studios: 1 – you and I: 0.

Besides being directly prejudicial to consumers, such technical measures also affect them indirectly, as they jeopardize the exercise of fair use rights, or the ability to use copyrighted work without interfering with the copyright owner’s right. Competition and innovation are consequently choked. And considering not so distant events, I could not go on without mentioning that the technologies associated with DRM can actually involve serious security risks to consumers. It suffices to remember that, a few years ago, Sony sold millions of music CDs with software technologies which would install undisclosed files on users’ computers, exposing them to attacks by third parties.

As for the copyright term protections, TPP will extend the length of such protection. We are talking, for instance, of approximately one hundred years after publication or after creation for corporate owned works, far longer than what is currently required by the Berne Convention (WIPO) or the Agreement on Trade-Related Aspects of Intellectual Property Rights (TRIPS).

While it is unquestionable that copyright is needed in order to provide an incentive for creativity, it is difficult to imagine how such lengthy regimes can actually be an incentive to creativity. They certainly are highly detrimental to the general interest and I really cannot fathom who, besides large corporations, actually benefits financially from such an outcome. Broader copyright regimes, which delay the entrance of works into the public domain, obviously require the payment of continued royalties for content. And considering that authors and creators usually receive low royalties, it mostly serves the interests of large corporations. It is like Mickey Mouse v. public domain all over again but now at a much larger scale.

In this context, and as if it wasn’t enough, service providers may be turned into private enforcers of copyright, removing infringing content from the Internet without a court order. This represents a serious threat to the exercise of freedoms of expression and of speech on the Internet.

Moreover, users can be held liable for criminal copyright infringement for non-commercial acts, i.e., even when they were not seeking financial gain from sharing or making available copyrighted works.

Why is this a much bigger problem than it already seems?

Well, despite being negotiated by twelve countries, TPP will evidently affect other countries beyond those involved in the negotiations, as those will likely also be required to comply with its requirements as a condition of bilateral trade agreements with its signatory members.

If its current spirit is indeed to be maintained, it will lead to a pressure for an extension of restrictive IP laws worldwide, affecting the freedom of speech, right to privacy of users and the possibility of creation and innovation across the globe.

Considering all this, while the EU itself has been struggling over the Internet and copyright, the TPP is also something it should worry about.

References

1. Copyright by Bigwillyoliver under the Creative Commons Attribution-Share Alike 3.0 Unported

Microsoft or the rider on a white horse of modern times

My hero!

Microsoft has been challenging a USA search warrant, issued within an ongoing narcotics trafficking related investigation, seeking to access the content information of the electronic communications of one of its customers, which are stored exclusively outside the jurisdiction of the USA authorities, more specifically hosted in a data centre in Dublin, Ireland.

The abovementioned warrant would require an extraterritorial search and seizure of data stored in Microsoft’s Dublin datacenter. The very particular question at stake is if and to what extent a USA warrant compels a USA communications service provider to provide data stored abroad. What is to determine territoriality for a USA based provider with data stored abroad: the location where the data is stored or where the company is headquartered?

Like any other service provider company, Microsoft stores the e-mail messages sent and received by its users and related information in datacenters, both in the USA and abroad, according to the users’ own location and proximity, given at registration, in order to increase the quality of the communications and decrease the network latency [1].

In this specific case, considering that the content is hosted outside the USA, it is quite possible that the customer at stake is a non-US citizen. And this makes this issue all the worse in the post-Snowden age.

In fact, this situation is not so vaguely reminiscent of the statements of Robert Hannigan, the head of the GCHQ, who described tech companies as ‘the command and control networks of choice’, precisely because they do not agree to cooperate on some very dubious terms. Or those of James Comey, the FBI director, a strong opponent of the growing market for secure private telecommunications, namely through data encryption technologies that companies such as Apple and Google have built into their smartphone operating systems.

Needless to say, “trapdoor” access to the tech companies’ networks by intelligence agencies and law enforcement authorities, in order to collect information about their users, is not a good idea. With such a free access door, there is no guarantee about who else would be able to gain access to these networks.

And it is quite hard to accept the need for such doubtful mechanisms when legal mechanisms already exist and allow the same result to be achieved. They are called warrants.

But it seems that even when using the proper legal mechanisms, some governments fail to understand their territorial limitations with regard to competence and jurisdiction. That is certainly why a USA court assumes to have the authority to issue warrants for the search and seizure of property outside the territorial limits of the United States.

According to the Court which issued the warrant, an SCA [2] warrant differs in nature from a normal warrant, as it compels the service provider to gather and produce the data itself, rather than authorizing entry into physical premises in order to conduct a search and seizure. In this context, it is not bound by the geographical restrictions of a search warrant and therefore no elements of extraterritoriality are at stake, as Microsoft is merely required to produce information in its possession or control, regardless of the location of that information.

The Court further considered that otherwise it would be sufficient for an individual intending to engage in criminal activities to give false residence information or to establish his residence abroad in order to have his account assigned to a server outside the USA and, thus, evade an SCA warrant.

There are, from what I managed to gather, substantial theoretical ambiguities regarding the interpretation and the historical drafting of the SCA. Nevertheless, there are others which are quite straightforward.

For instance, at an international level, such a unilateral initiative risks negatively interfering with the sovereignty and jurisdiction of another country and may even damage diplomatic relations and foreign policies. The German Government has already stated that it will cease the storage of data in USA cloud providers.

There are indeed proper specific procedures established in bilateral agreements aimed at obtaining criminal evidence located in another country. Take for instance the Mutual Legal Assistance Treaty (MLAT), which is an international instrument designed to facilitate cross-border criminal investigations, concluded between Ireland and the USA. This is precisely because a USA Court Order is no more binding in Ireland than an Irish Court Order would be in the US. For this very reason, the data shouldn’t be transferred from Ireland to the USA other than through such a formal and official channel of co-operation.

However, this mechanism was deemed “slow and laborious” by the USA Court, which also outlined the possibility for one of the parties to decline the request for assistance as a negative feature. Apparently, the main issue is that the requested party may oppose “the exercise of jurisdiction which is in its view extraterritorial and objectionable”. The same Court considered that the fact that some MLAT require the execution of a search warrant to be operated in accordance with the laws of the requested party to be an issue.

Humm, quite self-explanatory, isn’t it? The intention is to access private emails of any customer of a USA based service provider disregarding where the data is located, and without the knowledge or consent of the subscriber or the relevant foreign government where the data is stored.

The interpretation according to which the search of digital data occurs where the data is remotely accessed is just a not so smart and very unfortunate attempt of bypassing the proper existing mechanisms. And it opens the door for legal uncertainty.

The search of digital data undoubtedly occurs where the data is stored when the company at stake is required to copy the data from the server. The location should dictate the competent jurisdiction. If the court has no competence to obtain some evidence through a court warrant, it cannot circumvent that limitation by compelling Microsoft to do what it has no authority to do itself.

Considering that USA-based companies can be compelled to produce documents stored anywhere worldwide – just because they are based in the USA – fails to acknowledge that different laws apply depending on the jurisdictions where the user is located. For instance, Microsoft would be compelled to breach EU data protection laws, namely the Data Protection Directive [3] and the Framework Decision which regulates data transfers to non-EU Member States [4].

In this context, in a statement issued last November, the Article 29 WP stated as follows:

a public authority in a non-EU country should not have unrestricted direct access to the data of individuals processed under EU jurisdiction, whatever the conditions of this access and the location of the data. Conflicts of jurisdiction shall be resolved only under certain conditions–e.g. through prior authorisation by a public authority in the EU or through a mutual legal assistance treaty, respectively covering access by foreign law enforcement authorities to data transferred from the EU or to data stored in the EU. Foreign requests must not be served directly to companies under EU jurisdiction.

Moreover, allowing the USA government such access would create a dangerous precedent, potentially leading other countries to disregard the existing legal mechanisms to seek data stored abroad. Such anarchy is certainly not a desirable outcome to be achieved!

Anyway, considering the company’s previous relation with the National Security Agency (NSA), I must admit this came as a surprise. After all, among the several very inconvenient and ugly truths, namely regarding the PRISM program, the documents provided by Edward Snowden revealed that Microsoft has collaborated closely with USA intelligence services in order to allow users’ communications to be intercepted, including enabling the NSA to circumvent the company’s own encryption.

This may really be the first time that a company challenges the USA government over a domestic warrant for data held overseas. In the meantime, the Irish government has already expressed its support, along with several other tech companies and consumer privacy advocates.

While this situation outlines the increasing role of private companies as the ultimate defenders of our rights, it brings to the spotlight that the right of protection against illegal access, search and seizure of physical property needs to clearly apply also to the digital world. I mean, if governments are not entitled to freely conduct searches in a building located in another country, I cannot fathom any reason for considering that this power of search would be bestowed on them with regard to the content of an email stored overseas. The information located in the cloud should be covered by an equally high standard of protection and any exchange should be covered by a strict framework. Otherwise, it is the very cloud model that is put at risk and we all know that the trust of customers has been quite challenged already.

References

1. The concept refers to the time it takes for data to get from one designated point to another.
2. The Stored Communications Act, which authorizes the Government to seek the contents of information stored through a warrant, a subpoena or a court order.
3. Directive 95/46/EC
4. The Council Framework Decision 2008/977/JHA

Game of drones or the not so playful side of the use of RPAS for recreational purposes

I am watching you. (Copyright by Don McCullough under the Creative Commons Attribution 2.0 Generic)

If one of the gifts you have found underneath the Christmas tree was a drone, and it happens to have some camera installed on it, you should prepare yourself to embrace your new status of a data controller and face a new set of obligations regarding privacy and safety. (The term drone is used to describe any type of aircraft that is automated and operates without a pilot on board, commonly described as unmanned aerial vehicles (UAV). There are two types of drones: those which can autonomously follow pre-programmed flight routes and those which have remotely piloted aircraft systems (RPAS). Only the latter are currently authorised for use in EU airspace.)

Indeed, whilst drones can be a lot of fun, there are serious considerations at stake which should not be ignored. In fact, the extensive range of their potential applications, the proliferation of UAVs with a camera, the collection of data and the subsequent use of such data, namely by private individuals for personal and recreational purposes, raise concerns about the impact of these technologies on the safety, security, privacy and the protection of personal data. (Although drones were first used for military activities, they are increasingly used across the EU for civilian purposes. The civil use usually refers to those commercial, non-commercial and government non-military activities which are more effectively or safely performed by a machine, such as the monitoring of rail tracks, dams, dykes or power grids.)

As a matter of fact, a drone in itself does not imply the collecting and the processing of any personal data until you attach a camera to it. However, drones are increasingly equipped with high definition optical cameras and therefore are able to capture and record images of the public space. And while there are no apparent privacy concerns regarding the recording of landscapes, having a drone filming through the sky over your neighbourhood might lead to a very different conclusion. Drones have a high potential for collateral or direct intrusion regarding privacy, considering the height at which they operate, allowing them to monitor a vast area and to capture large numbers of people or specific individuals. Although individuals may not always be directly identifiable, their identification may still be possible through the context in which the image is captured or the footage is recorded.

It must be noted that people might not even be aware that they are being filmed or by whom and, as a result, cannot take any steps to avoid being captured if such activity is not made public. People may not know that the device is equipped with optical imaging and has recording capabilities. Moreover, because the amateur usage of a drone may not be visible, there is a high risk of it being directed to covert and voyeuristic recording of neighbours’ lives, homes and back gardens. How would you feel if a drone was constantly looming near your windows or in your backyard? Indeed, there is no guarantee regarding the legitimacy of the end to be achieved with the use of drones. Notwithstanding the fact that a drone may actually pose a threat to people’s personal safety, belongings and property, considering that it may fall, its increasing popularity as a hobby outlines the issue of discriminatory targeting, as certain individuals, such as children, young people and women, are particularly vulnerable to an insidious use of RPAS. This is particularly relevant considering that the images or footage are usually intended to be made publicly available, usually on platforms such as YouTube.

Furthermore, the recording may interfere with the privacy of individuals as their whereabouts, home or workplace addresses, doings and relationships are registered. In this context, the use of drones for hobbying purposes may have a chilling effect on the use of the public space, leading individuals to adjust their behaviour as they fear their activities are being monitored.

Thus considering, the use of this type of aerial technologies is covered by Article 7 and Article 8 of the EU Charter of Fundamental Rights which respectively establish the respect for private life and protection of personal data. Taking into account the abstract nature of the concept of privacy, the main difficulty will be to define when there is a violation at stake.

In addition, there are obviously data protection implications at stake where the drone is capturing personal data. EU data protection rules generally govern the collection, processing and retention of personal data. The EU Directive 95/46/CE and the proposed General Data Protection Regulation are applicable to the collection, processing and retention of personal data, except where personal data is collected in the course of a purely personal or household activity. Hence, the recreational use of drones is a ‘grey area’ and stands almost unregulated due to this household exemption.

Nevertheless, due to the risks at stake, both to privacy and to data protection, the extent to which the ‘household’ exemption applies in the context of a personal and private use must be questioned.

In a recent ruling, the CJEU concluded that the partial monitoring of the public space carried out by CCTV is subject to the EU Directive 95/46, even if the camera capturing the images is “directed outwards from the private setting of the person processing the data”. As already analysed here, the CJEU considered that the processing of personal data involved did not fall within the ‘household exemption’ to data protection laws because the camera was capable of identifying individuals walking on a public footpath.

As RPAS operations may be quite similar to CCTV, but more intrusive, because they are mobile, cover a larger territory and collect a vaster amount of information, it is not a surprise that they may and should be subject to the same legal obligations. Subsequent to this ruling, these technologies should be considered as potentially privacy-invasive. Consequently, private operators of drones in public spaces should be ready to comply with data protection rules.

Of course, the footage needs to contain images of natural persons that are clear enough to lead to identification. Moreover, and in my opinion, it is not workable to consider, in order for the household exemption to be applied, the images collaterally and incidentally captured. Otherwise, selfies unwillingly or unknowingly including someone in the background could not be freely displayed on Facebook without complying with data protection rules. The footage must constitute a serious and systematic surveillance of individuals and their activities.

Therefore, information about the activities being undertaken and about the data processing (such as the identity of the data controller, the purposes of processing, the type of data, the duration of processing and the rights of data subjects), where it does not involve disproportionate efforts, shall be given to individuals (principle of transparency). Moreover, efforts should be made in order to minimize the amount of data obtained (data minimization). In addition, the controller might need to ensure that the personal data collected by the drone camera is anonymised, is only used for the original purpose for which it was collected (purpose limitation), will be stored adequately and securely and will not be retained for longer than is necessarily required.

In this context, individuals having their image captured and their activities recorded by the camera of a drone should be given guarantees regarding consent, proportionality and the exercise of their rights to access, correction and erasure.

Thus said, depending on where you are geographically located in the EU, there are obviously different rules regarding the legal aspects related to the use of drones. It is therefore important for individuals intending to operate a drone to get informed and educated about the appropriate use of these devices and the safety, privacy and data protection issues at stake in order to avoid unexpected liability.

References

1. Copyright by Don McCullough under the Creative Commons Attribution 2.0 Generic
2. The term drone is used to describe any type of aircraft that is automated and operates without a pilot on board, commonly described as unmanned aerial vehicles (UAV). There are two types of drones: those which can autonomously follow pre-programmed flight routes and those which have remotely piloted aircraft systems (RPAS). Only the latter are currently authorised for use in EU airspace.
3. Although drones were first used for military activities, they are increasingly used across the EU for civilian purposes. The civil use usually refers to those commercial, non-commercial and government non-military activities which are more effectively or safely performed by a machine, such as the monitoring of rail tracks, dams, dykes or power grids.

CCTV: household security or how to be a data controller at home

CCTV, walking the thin line of protecting yourself or becoming a data processor.


Having suffered several attacks, in which the windows of the family home had been broken on several occasions, by persons unknown, Mr Ryneš, a Czech citizen, installed a CCTV camera under the eaves of his home. In a fixed position, the camera recorded the entrance to his home, the public footpath and the entrance to the house opposite. The system allowed only a visual recording, which was stored on a hard disk drive. Reaching its full capacity, the device would record over the existing recording, erasing the old material. Although the images would not be monitored in real time, this video surveillance system made it possible to identify two suspects, who were subsequently prosecuted.

However, despite the happy outcome, the operation of this camera system, installed by an individual on his household, for the purposes of protecting the property, health and life of the owner and his family, raised some questions due to the continuous recording of a public space.

One of the suspects challenged the legality of Mr Ryneš’s recording of the images. The Czech Data Protection Authority (hereafter DPA) considered that this operation infringed data-protection rules because the data of persons moving along the street or entering the house opposite was collected without their consent; individuals were not informed of the processing of that personal data, the extent and purpose of that processing, by whom and by what means the personal data would be processed, or who would have access to the personal data; and this processing was not reported to the Office, as is mandatory.

Mr Ryneš brought an action challenging that decision in court, which was dismissed. The case was appealed to the Czech Supreme Administrative Court, which referred the matter to the Court of Justice of the European Union (hereafter CJEU) for a preliminary ruling.

In this context, in its judgment in Case C-212/13, the CJEU addressed the application of the ‘household exception’, for the purposes of Article 3(2) of Directive 95/46/EC, which refers to the data processing carried out by a natural person in the course of a purely personal or household activity.

The CJEU considered that the image of a person recorded by a camera constitutes personal data within the meaning of the Directive 95/46 inasmuch as it makes it possible to identify the person concerned.

Moreover, the Court considered that video surveillance falls within the scope of the above mentioned directive in so far as it constitutes automatic processing, i.e., an operation which is performed upon personal data, such as collection, recording, storage.

Considering that the main goal of this Directive is to guarantee a high level of protection of the fundamental rights and freedoms of natural persons, in particular their right to privacy, as foreseen in article 7 of the EU Charter of Fundamental Rights, the CJEU recalled that derogations and limitations must be strictly necessary.

Therefore, the Court deemed that the ‘household exception’ must be narrowly construed and is applicable when the data processing activity is carried out in a ‘purely’ private and household context, even if it incidentally concerns the private life of other persons, such as correspondence and the keeping of address books.

In this context, the CJEU concluded as follows:

(…) the second indent of Article 3(2) of Directive 95/46 must be interpreted as meaning that the operation of a camera system, as a result of which a video recording of people is stored on a continuous recording device such as a hard disk drive, installed by an individual on his family home for the purposes of protecting the property, health and life of the home owners, but which also monitors a public space, does not amount to the processing of data in the course of a purely personal or household activity, for the purposes of that provision.

However, Mr Ryneš’s concerns, which motivated the installation of the camera, were not overlooked by the CJEU. Indeed, the Court outlined that the Directive itself allows, where appropriate, to consider the legitimate interests pursued by the controller, such as the protection of the property, health and life of his family and himself. This reflection is in line with the Opinion of the Article 29 Working Party in this regard as security was mentioned as an example of a legitimate interest of the data controller.

This implies that, even if the household exception is not applicable in this very particular case, a CCTV camera recording activity such as the one in the proceedings is lawful in the light of article 7(f) of the Directive. Thus said, the referring Court will now have to take this interpretative guidance into consideration and decide if the recording and processing at stake were legitimate, for instance, in regard to article 10 of the instrument. It is possible that the Czech Court may still consider that the fact that no information regarding the recording was provided to the public (individuals were not informed of the processing of that personal data, the extent and purpose of that processing, by whom and by what means the personal data would be processed, or who would have access to the personal data) and that this processing was not reported to the Office constitutes a breach of the data protection rules.

This is particularly relevant considering that, precisely for security purposes, individuals are equipping their households with CCTV systems which capture public space. Only time will tell how this decision will be applied to individuals in practice. Most certainly, DPAs across the EU will update their recommendations regarding the weighing between the necessity of the recording and storing of the data to pursue an interest deemed legitimate and the interests for fundamental rights and freedoms of the data subject.

At this point, it is to be expected that householders who have surveillance cameras that capture public space will need to ensure that their collection and further use of any footage which contains images of identifiable individuals complies with the data protection requirements. Thus, they will have, for instance, to at least inform people of this monitoring and ensure that no footage is illegally retained.

References

1. Copyright by Nïall Green under the Creative Commons Attribution-Share Alike 1.0 Generic

(Un)Safe Harbour

Safe harbour for who?


As a general rule, the EU Data Protection Directive (Directive 95/46/EC) prevents businesses from transferring personal data from the EU to third countries. Therefore, EU citizens’ personal data cannot be processed or hosted outside the EU, except if those countries do provide an adequate level of data protection. This adequacy requirement is met only when the European Commission recognizes the data recipient country as providing an adequate level of protection. These decisions are commonly referred to as ‘adequacy decisions’.

It is deemed that the USA do not meet the above mentioned EU adequacy requirement, i.e., do not provide an adequate level of protection for data transfers to be accepted. Nevertheless, data can still be transferred from companies located in the EU on the basis of the Safe Harbour mechanism. In fact, by reason of the EU Data Protection Directive, the European Commission adopted a Decision (the “Safe Harbour decision”) recognising that the Safe Harbour Privacy Principles and the ‘Frequently Asked Questions’ provide an adequate protection for the purposes of personal data transfers from the EU to the USA.

The EU-USA Safe Harbour is an agreement concluded in 2000 which enables European data controllers to transfer personal data for commercial purposes, from companies located in the EU to companies in the USA that have signed up to the Principles. The framework aims to ensure that such transfers duly comply with the EU data protection law. To that end, USA companies intending to lawfully receive personal data from the EU are required to self-certify the compliance of their personal data policies and practices with the Safe Harbour. Companies which voluntarily adhere to a set of principles issued by the Federal Trade Commission (FTC) are therefore presumed to qualify for the Safe Harbour ‘adequacy’.

This Framework has been greatly criticized since its implementation. Indeed, the Safe Harbour scheme has been used for the transfer of the personal data of EU citizens from the EU to the USA by companies required to hand over data to USA intelligence agencies under the USA intelligence collection programmes. Moreover, some EU Data Protection Authorities manifested strong reservations about the rigour of the Safe Harbour framework, namely regarding the self-certification requirement. These concerns were echoed in the opinion of the Article 29 Working Party on Cloud Computing issued in July 2012, where it was suggested that EU data exporters could not rely on a cloud provider’s self-certification regarding compliance.

As a result, it is no surprise that the framework has been reviewed twice, back in 2002 and 2004. Nevertheless, the Safe Harbour framework was endorsed by the European Commission, in January 2012, regarding the draft Data Protection Regulation, where adequacy decisions taken under the current Directive 95/46/CE would remain in effect unless amended, repealed or replaced by the Commission.

By contrast, the European Parliament’s LIBE (Civil Liberties, Justice and Home Affairs) Committee has proposed amending the proposal so that such adequacy decisions would only remain in force for five years after the Regulation comes into effect.

In the wake of the Snowden revelations regarding the USA covert surveillance programme, PRISM, for the interception and access to the electronic communications of EU citizens on a large scale, namely personal data that was transferred to online service providers in the USA under the Safe Harbour, the European Data Protection Authorities (DPAs) and the European Commission have been increasingly manifesting serious concerns regarding the safety of this agreement.

This led Viviane Reding, former Justice Commissioner, to argue that “the Safe Harbor agreement may not be so safe after all” and that it “could be a loophole for data transfers because it allows data transfers from EU to U.S. companies – although US data protection standards are lower than our European ones.” Viviane Reding further announced that the Commission would conduct an assessment of the EU-USA Safe Harbour agreement.

In July 2013 the European Parliament considered that the PRISM program constituted a “serious violation” of the Safe Harbour agreement and called on the European Commission to review the framework. Last March, following its report on mass surveillance activities, the European Parliament approved a resolution calling for the reversion or suspension of the EU-USA Safe Harbour scheme, considering that it fails to provide adequate protection for EU citizens.

Instead, in November 2013, the European Commission put forward a series of 13 recommendations for the USA to put into practice, which would make the Safe Harbour safer, if implemented. Nevertheless, the most controversial features of the framework, such as the voluntary adherence, were not adequately addressed. The expected conclusion of the discussions on the 13 recommendations proposed by the European Commission was set for the end of last summer. The deadline passed without any further developments.

Last June, following a complaint brought by the Austrian campaign group Europe v Facebook regarding the company’s part in the NSA’s mass electronic surveillance programme, an Irish court (Facebook’s international headquarters are in Ireland) referred a question to the Court of Justice of the EU on the compliance of the Safe Harbour with the EU Charter of Fundamental Rights.

There has been extensive debate regarding the future of the Safe Harbour, considering that some DPAs no longer recognize it as a valid data transfer mechanism. DPAs can exceptionally suspend data transfers based on the Safe Harbour, namely when it is likely that the Safe Harbour Principles are being violated. To date, no DPA has done so. Considering the serious economic implications, I think that it is very unlikely that the Safe Harbour will be suspended or reversed. In the meantime, the decision of the European Commission on the adequacy of Safe Harbour remains in force, until specifically repealed or changed.

Věra Jourová, the new Justice Commissioner, has already expressed strong doubts on the security of the Safe Harbour mechanism. However, she did not favour a suspension or a cancellation of the programme. Andrus Ansip, the new Commissioner for the Digital Internal Market, for his part, did not exclude that possibility.


The impact of the CJEU ruling invalidating the EU Data Retention Directive

Data retention heh!? Tricky business.


Data retention has been increasingly perceived as a criminal justice and law enforcement tool in the EU in the past years. As a matter of fact, the EU Data Retention Directive (the Directive 2006/24/EC) was adopted in the wake of the London bombing attacks, back in 2005, despite the fact that data retention would not actually have any relevant effect on the tragic event.

Nevertheless, the Directive requires EU Member States to compel telecommunications and Internet service providers to retain considerable amounts of communications data – including landline phones, mobile, fax and email – regarding individuals within the EU, even those never suspected of committing a crime, for a minimum period of six months and up to two years, for law enforcement purposes, namely regarding investigations of serious crimes and terrorism.

The data thus collected and retained allows for the identification of all the people with whom a user has communicated, the means employed, the time, the place and the frequency of those communications. Therefore, despite not permitting the access to the content of the communications as such, this data nonetheless provides detailed information on the private lives of individuals, in an evident interference in the private sphere of their lives.

The question to be asked, then, was: is this interference acceptable in the light of the EU Charter of Fundamental Rights?

In this regard, article 52 of the Charter states that restrictions upon the rights foreseen in the Charter must be established by law, respect the core of the right, be subject to the principles of proportionality and necessity, aim to fulfil public interest objectives and be balanced with the rights and freedoms of other individuals.

As you certainly well remember, last April, the Court of Justice of the European Union (hereafter CJEU) ruled on the entire invalidity of the abovementioned Directive, in the light of the EU Charter of Fundamental Rights, namely the rights to privacy and data protection, respectively foreseen in its Articles 7 and 8.

Having this in consideration, recognising that there was a public safety interest underlying such intrusion, the Court focused, instead, on whether such interference could be somehow justified. In this regard, the Court concluded that such collecting, processing and accessing of personal data by authorities did not comply with the principles of necessity and proportionality and, therefore, constituted an unjustified and serious interference with the fundamental rights to privacy and data protection. Indeed, while requiring the mass retention of all communication traffic of all individuals in the EU, including those who are innocent or not suspected of any crime, the instrument was considered to go beyond what is strictly necessary for a criminal investigation.

In this context, the broad scope of the Directive, given that it refers to all means of electronic communication; the broad time period set for retention; the lack of clear rules limiting the access and use of data by authorities; the absence of an obligation to destroy the data once the retention period expires; the dissatisfying level of protection of the data from unlawful access and use; and the possibility of storage outside the EU territory were deemed particularly problematic.

This ruling has a far-reaching impact at many levels. As a direct consequence, the Data Retention Directive is deemed to be void and a new Directive will have to be built from scratch. Moreover, this ruling seems to oppose the practice of mass surveillance related to the existing EU legislation and the ongoing reforms, with an obvious direct effect on agreements concluded by the EU with third countries. In truth, it raised some practical issues regarding the data retention laws implemented by EU Member States and the validity of international agreements which require the retention of personal data, such as the PNR frameworks.

One of the main issues at stake is that, although many years have passed since the foreseen deadline for its implementation, the Directive has still not been fully implemented by all Member States. In fact, several Member States were subjected to infringement proceedings for failing to implement national legislation in due time. Nevertheless, those which have fully implemented the Directive weren’t able to achieve a full harmonization due to the abstraction of concepts such as ‘competent national authorities’ and ‘serious crime’ and the broad scope of the data retention period. So much for the intended harmonization.

Moreover, as the Data Retention Directive amended the e-Privacy Directive to remove prohibitions on data retention, this invalidation implies that the previous version of the e-Privacy Directive is again applicable. Member States no longer have the obligation to retain data pursuant to the Data Retention Directive. In fact, national measures transposing the Directive will need to be amended.

Where a national Court has doubts about the compatibility of the national law with EU law, the proceeding for a preliminary ruling by the CJEU must be initiated. Alternatively, once domestic remedies have been exhausted, a claim could be addressed to the ECtHR. In any case, the European Commission or another Member State is entitled to initiate an infringement procedure in case of violation of EU law by national measures or of incomplete, inadequate transposition or non-transposition.

Furthermore, in 2011, the European Commission published a proposal for the EU Passenger Name Record (PNR) Directive, which would require air carriers operating flights between the EU and third countries to transfer PNR data to the national authorities in the Member State of departure or arrival, and is currently under negotiation. In the light of the above mentioned ruling, the envisaged text will not be able to stand. For instance, the data retention period of five years is clearly not acceptable.

Additionally, the legality of several international agreements, already in force or proposed, which include data retention schemes has been questioned. For instance, an Irish court referred a question to the CJEU, asking whether the EU ‘Safe Harbour’ arrangement on data protection with the USA is compatible with the rights to privacy and data protection.

Last month, the European Parliament voted to refer the EU-Canada PNR agreement, which is currently being renegotiated, to the CJEU, for an opinion, in order to assess its compliance with the EU Charter of Fundamental Rights. The Treaty of Lisbon allows the European Parliament to refer to the CJEU regarding the compatibility with EU law of a draft agreement to be concluded by the EU with third States on police or criminal law cooperation. In this regard, the EU-Canada agreement may not be concluded before a ruling on its compatibility with the EU law is issued because the consent of the European Parliament is now required for the conclusion of such international agreements.

Where does all this leave us?

Well, currently the EU has negotiated PNR data sharing agreements with the USA, Australia, and Canada.

In the light of Snowden’s revelations regarding the extent of spying by the American National Security Agency (NSA), the agreement with the USA, regarding the transfer of air passengers’ data for flights from the EU to the USA, has raised serious concerns within the EU, namely due to the access of the PNR database by the USA government for purposes other than fighting terrorism.

In this context, the ruling requested by the European Parliament regarding the EU-Canada agreement would indirectly establish if the EU/USA and EU/Australia agreements and the proposed EU PNR Directive do or do not violate those rights as well.

Subsequently to the rulings regarding the Data Retention Directive and the ‘right to be forgotten’, future judgements regarding data collection, processing and transfers are most certainly welcomed as they are expected to cast some light regarding the legality or illegality of the existing or upcoming PNR frameworks.

What would happen if the CJEU were to rule that all these international agreements are in breach of the rights to privacy and data protection? The application of such agreements would need to be challenged, now that they are already in force, by individuals via their national courts, or the European Parliament would have to require the other EU institutions to ensure full respect for the EU Charter of Fundamental Rights by denouncing the agreements at stake.

Consequently, all instruments dealing with data retention will have to be subjected to necessity and proportionality tests in order to assess their compliance with the EU Charter of Fundamental Rights. Therefore, the requirements set in the ruling might unavoidably challenge the EU PNR proposal. Similarly, other EU-USA agreements, such as the agreement on the access to financial data under the USA Terrorist Finance Tracking Programme (TFTP), will need to be tested for compliance with the judgement standards.

Moreover, an analysis regarding the compliance of other legislative proposals might need to be conducted regarding the proposals for an entry-exit system to track non-EU nationals crossing EU borders, for the European Terrorist Financing Tracking System and for the governments’ access to the Eurodac database.

History has shown us that PNR data has turned into an attractive source for governments to obtain personal data regarding individuals. EU institutions should therefore question the necessity and proportionality of these and similar schemes of data collecting, data retention and bulk transfers to third countries and review the draft and existing legislation, frameworks and agreements to ensure that they do comply with the EU Charter of Fundamental Rights.

(On this subject, I recommend the reading of the following study, commissioned by the Group of the Greens/EFA in the European Parliament on initiative of the MEP Jan Philipp Albrecht)

Update: The title was modified because, due to a lapse, it referred to the Data Protection Directive, instead of the Data Retention Directive.


© 2018 The Public Privacy
