Tag: E-Privacy Directive

The impact of the CJEU ruling
invalidating the EU Data
Retention Directive

Data retention heh!? Tricky business.

Data retention heh!? Tricky business.

Data retention has been increasingly perceived as a criminal justice and law enforcement tool in the EU in the past years. As a matter of fact, the EU Data Retention Directive (the Directive 2006/24/EC) was adopted in the wake of the London bombing attacks, back in 2005, despite the fact that data retention would not actually have any relevant effect on the tragic event.

Nevertheless, the Directive requires EU Member States to compel telecommunications and Internet service providers to retain considerable amounts of communications data – including landline phones, mobile, fax and email – regarding individuals within the EU, even those never suspected of committing a crime, for a minimum period of six months and up to two years, for law enforcement purposes, namely regarding investigations of serious crimes and terrorism.

The data thus collected and retained allows for the identification of all the people with whom a user has communicated, the means employed, the time, the place and the frequency of those communications. Therefore, despite not permitting the access to the content of the communications as such, this data nonetheless provides detailed information on the private lives of individuals, in an evident interference in the private sphere of their lives.

The question to be asked, then, was: is this interference acceptable in the light of the EU Charter of Fundamental Rights?

In this regard, article 52 of the Charter states that restrictions upon the rights foreseen in the Charter must be established by law, respect the core of the right, be subjected to the principles of proportionality and necessity, aimed to fulfil public interest objectives and balanced with the rights and freedoms of others individuals.

As you certainly well remember, last April, the Court of Justice of the European Union (hereafter CJEU) ruled on the entire invalidity of the abovementioned Directive, in the light of the EU Charter of Fundamental Rights, namely the rights to privacy and data protection, respectively foreseen in its Articles 7 and 8.

Having this in consideration, recognising that there was a public safety interest subjacent to such intrusion, the Court focused, instead, on whether such interference could be somehow justified. In this regard, the Court concluded that such a collecting, processing and accessing of personal data by authorities did not comply with the principles of necessity and proportionality and, therefore, constituted an unjustified and serious interference with the fundamental rights to privacy and data protection. Indeed, while requiring the mass retention of all communication traffic of all individuals in the EU, including innocent or not suspect of any crime, the instrument was considered to go beyond what is strictly necessary for a criminal investigation.

In this context, the broad scope of the Directive, given that it refers to all means of electronic communication; the broad time period set for retention; the lack of clear rules limiting the access and use of data by authorities; the absence of an obligation to destroy the data once the retention period expires; the dissatisfying level of protection of the data from unlawful access and use; and the possibility of storage outside the EU territory were deemed particularly problematic.

This ruling has a far-reaching impact at many levels. As a direct consequence, the Data Retention Directive is deemed to be void and a new Directive will have to be built from scratch. Moreover, this ruling seems to oppose the practice of mass surveillance related to the existing EU legislation and the ongoing reforms, with an obvious direct effect on agreements concluded by the EU with third countries. To be true, it raised some practical issues regarding the data retention laws implemented by EU Member States and the validity of international agreements which require the retention of personal data, such as the PNR frameworks.

One of the main issues at stake is that, despite long years have passed since the foreseen deadline for its implementation, the Directive has still not been fully implemented by all Member States. In fact, several Member States were subjected to infringement proceedings for failing to implement national legislation on due time. Nevertheless, those which have fully implemented the Directive weren’t able to achieve a full harmonization due to the abstraction of concepts such as ‘competent national authorities’ and ‘serious crime’ and the broad scope of the time data retention period. So long for the intended harmonization.

Moreover, as the Data Retention Directive amended the e-Privacy Directive to remove prohibitions on data retention, this invalidation implies that the previous version of the e-Privacy Directive is again applicable. Member States no longer have the obligation to retain data pursuant to the Data Retention Directive. In fact, national measures transposing the Directive will need to be amended.

Where a national Court has doubts about the compatibility of the national law with the EU law, the proceeding for a preliminary ruling by the CJEU must be initiated. Alternatively, once exhausted the domestic remedies, a claim could be addressed to the ECtHR. Anyway, the European Commission or another Member State are entitled to initiate an infringement procedure in case of violation of EU law by national measures or of incomplete, inadequate transposition or non-transposition.

Furthermore, in 2011, the European Commission published a proposal for the EU Passenger Name Record (PNR) Directive, which would require air carriers operating flights between the EU and third countries to transfer PNR data to the national authorities in the Member State of departure or arrival, and is currently under negotiation. In the light of the above mentioned ruling, the envisaged text will not be able to stand. For instance, the data retention period of five years is clearly not acceptable.

Additionally, the legality of several already in force and proposed international agreements which include data retention schemes has been questioned. For instance, an Irish court referred to the CJEU, asking whether the EU ‘Safe Harbour’ arrangement on data protection with the USA is compatible with the rights to privacy and data protection

Last month, the European Parliament voted to refer the EU-Canada PNR agreement, which is currently being renegotiated, to the CJEU, for an opinion, in order to assess its compliance with the EU Charter of Fundamental Rights. The Treaty of Lisbon allows the European Parliament to refer to the CJEU regarding the compatibility with EU law of a draft agreement to be concluded by the EU with third States on police or criminal law cooperation. In this regard, the EU-Canada agreement may not be concluded before a ruling on its compatibility with the EU law is issued because the consent of the European Parliament is now required for the conclusion of such international agreements.

Where does all this leave us?

Well, currently the EU has negotiated PNR data sharing agreements with the USA, Australia, and Canada.

In the light of Snowden’s revelations regarding the extent of spying by the American National Security Agency (NSA), the agreement with the USA, regarding the transfer of air passengers’ data for flights from the EU to the USA, has raised serious concerns within the EU, namely due to the access of the PNR database by the USA government for purposes other than fighting terrorism.

In this context, the ruling requested by the European Parliament regarding the EU-Canada agreement would indirectly establish if the EU/USA and EU/Australia agreements and the proposed EU PNR Directive do or do not violate those rights as well.

Subsequently to the rulings regarding the Data Retention Directive and the ‘right to be forgotten’, future judgements regarding data collection, processing and transfers are most certainly welcomed as they are expected to cast some light regarding the legality or illegality of the existing or upcoming PNR frameworks.

What would happen if the CJEU would rule that all these international agreements are in breach of the rights to privacy and data protection? The application of such agreements would need to be challenged, now that they are already in force, by individuals via their national courts or the European Parliament would have to require the other EU institutions to ensure the full respect on the EU Charter of Fundamental Rights by denouncing the agreements at stake.

Consequently, all instruments dealing with data retention will have to be subjected to necessity and proportionality tests in order to assess their compliance with the EU Charter of Fundamental Rights. Therefore, the requirements set in the ruling might unavoidably challenge the EU PNR proposal. Similarly, other EU-USA agreements, such as the agreement on the access to financial data under the USA Terrorist Finance Tracking Programme (TFTP), will need to be tested for compliance with the judgement standards.

Moreover, an analysis regarding the compliance of other legislative proposals might need to be conducted regarding the proposals for an entry-exit system to track non-EU nationals crossing EU borders, for the European Terrorist Financing Tracking System and for the governments’ access to the Eurodac database.

History has shown us that PNR data has turned into an attractive source for governments to obtain personal data regarding individuals. EU institutions should therefore question the necessity and proportionality of these and similar schemes of data collecting, data retention and bulk transfers to third countries and review the draft and existing legislation, frameworks and agreements to ensure that they do comply with the EU Charter of Fundamental Rights.

(On this subject, I recommend the reading of the following study,commissioned by the Group of the Greens/EFA in the European Parliament on initiative of the MEP Jan Philipp Albrecht)

Update: The title was modified because, due to a lapse, it referred to the Data Protection Directive, instead of the Data Retention Directive.

Are you ready for the Internet of Things?

Everything is connected.

Everything is connected. 1)Copyright by Wilgengebroed under the Creative Commons Licence – Attribution 2.0 Generic

Imagine a world where people would receive information on their smart phone about the contents of their fridge; cars involved in an accident would call emergency services, allowing for quicker location and deployment of help; cars would suggest alternative routes in order to avoid traffic jam; personal devices would allow to monitor the health developments of patients or to control the regular medication of elderly persons; washing machines would turn on when energy demand on the grid would be lowest and where alarm clocks and coffee machines could automatically be reset when a morning appointment would be cancelled; a smart oven could be remotely triggered to heat up the dinner inside by the time you would reach home…

If it is true that these scenarios once belonged to the sci-fi world, it is not so hard to picture any of these technologies nowadays. The momentum we are living in and all the progress which is already involved in our lives brings the certitude that it is only a matter of time for us to reach such a future. Technological advancements are allowing achievements that once may have seemed impractical and are turning the sci-fi scenarios into reality.

We are smoothly entering in a new age… The age of the Internet of Things (hereafter IoT). The IoT might be indeed already start happening around us. It suffices to think about all the quite recent changes that we already accept as ordinary.

But what is the IoT all about?

The IoT is a concept which refers to a reality where everyday physical objects will be wirelessly connected to the Internet and be able, without human intervention, to sense and identify themselves to other surrounding devices and create a network of communication and interaction, collecting and sharing data. It  is therefore associated to products with machine-to-machine communication capabilities, which are called ‘smart’.

The high-tech evolution has made ‘smart’ more convenient and accessible and made the vast majority of us technologically dependent on several areas of our daily living. Connected devices have proliferated around us. Consider, for instance, the number of smart phones and other smart devices that most of us cannot conceive a life without anymore as it allows us to connect with the world as it was never possible before.

Similarly, our domestic convenience and comfort have been expanded in ways that once belonged to the imaginary. Homes, housework and household activity can be fully automatized in order to enable us to remotely control lighting, alarm systems, heating or ventilation. The domestic devices that can be connected to the Internet are usually referred to as “home automation” or “domotics”.

In parallel, we are currently able of the ‘quantified self’, which is commonly defined as the self knowledge acquired through self tracking with technology (for instance, pedometers, sleep trackers). One can now track, for example, biometrics as insulin and cortisol, or record more random information about our own habits and lifestyles, as physical activity and caloric intake. This monitoring can be done increasingly by wearables, i.e., computer-powered devices or equipment that can be worn by an individual, including watches, clothing, glasses and items alike. The Google glasses, Google Wear and the Apple Watch are the most famous recent examples.

Scarily enough, the number of objects connected to the Internet already exceeds the number of people on earth. The European Commission claims that an average person currently has at least two objects connected to the Internet and states that this is expected to grow to 7 by 2015 with 25 billion wirelessly connected devices globally. By 2020 that number could double to 50 billion.

However, every time we add another device to our lives, we give away a little more piece of ourselves.

Consequently, along with its conveniences, and due to the easy and cheaply obtained amount of data collection it allows, the idea of a hyper-connected world raises important concerns regarding privacy, security and data protection. To be true, while it is a relatively well-known fact that our mobile devices are frequently sending off data to the Internet, many of us do not understand the far-reaching implications of carrying around an always-on connection, let alone to have almost all your life connected to the Internet.

In fact, such objects will make it possible to access a humongous amount of personal data and to spread it around without any awareness nor control of the users concerned. From preferences, habits and lifestyle, to sensitive data as health or religion information, from geo-location and movements to other behaviour patterns, we will put out there a huge amount of information. In this context, the crossing of data collected by means of different IoT devices will allow the building of a very detailed user profile.

It is essential that users are given control over the data which directly refers to them and are properly informed of what purposes its processing might serve. In fact, currently, it is very common that the data generated is  processed without consent or with a poorly given consent. Quite often further processing of the original data is not subjected to any purpose limitation.

Moreover, as each device will be attributed an IP address in order to connect to internet, each one will be inherently insecure by its very own nature. Indeed, with almost everything connected to the Internet, every device will be at risk of being compromised and hackable. Imagine that your car or home could be subjected to a hacking attack through which it could take control of the vehicle or install a spying application in your TV. Imagine that your fridge could get spam and send phishing e-mails. The data collected through medical devices could be exposed. After all, it is already easier to hack routers and modems than computers.

Last but not the least, as IoT devices will be able to communicate with other devices, the security concerns would multiply exponentially. Indeed, a single compromised device could lead to vulnerability of all the other devices on the network.

Now imagine that all your life is embedded in internet connected devices… Think, for instance, fridges, ovens, washing machines, air conditioners, thermostats, light systems, music players, baby monitors, TVs, webcams, door locks, home alarms, garage door openers, just to name a few. The diversity of connected devices is just astonishing! So we may reach the point where you will have to install firewall for your toaster and a password to secure your fridge.

From a business point of view, questions regarding the security setup and software and operating systems vulnerabilities of devices that will be connected to the internet also have to be answered. Indeed, companies are increasingly using smart industrial equipment and IoT devices and systems, from cars to cameras and elevators, from building management systems to supply chain management system, from financial system to alarm system.

On another level, the security of nations’ critical infrastructures could also be at stake. Imagine, for instance, that the the traffic system, the electric city grid or the water supply can be easily accessed by a third party with ill intentions.

Of course, the EU could not be indifferent to this emerging new reality and to the challenges it presents.

In 2012, the European Commission launched a public consultation, seeking inputs regarding a future policy approach to smart electronic devices and the framework required in order to ensure an adequate level of control of the data gathering, processing and storing, without impairing the economic and societal potential of the IoT. As a result, the European Commission published, in 2013, its conclusions.

Last month, the European data protection authorities, assembled in the Article 29 Working Party, adopted an opinion regarding the IoT, according to which the expected benefits for businesses and citizens cannot come at the detriment privacy security. Therefore, the EU Data Protection Directive 95/46/EC and the e-Privacy Directive 2002/58/EC are deemed to be fully applicable to the processing of personal data through different types of devices, applications and services in the context of the IoT. The opinion addresses some recommendations to several stakeholders participating in the development of the IoT, namely, device manufacturers, application developers and social platforms.

More recently, at the 36th International Conference of Data Protection, Data Protection Officials and Privacy Commissioners adopted a declaration on the Internet of things and a resolution on big data analytics.

The aforementioned initiatives demonstrate the existing concerns regarding Big Data and IoT and the intention to subject them to data protection laws. In this context, it is assumed that data collected through IoT devices should be regarded and treated as personal data, as it implies the processing of data which relate to identified or identifiable natural persons.

This obviously requires a valid consent from data subjects for its use. Parties collecting IoT devices information therefore have to ensure that the consent is fully informed, freely given and specific. The cookie consent requirement is also applicable in this context.

In parallel, data protection principles are deemed to be applicable in the IoT context. Therefore, according to the principle of transparency, parties using IoT devices information have to inform data subjects about what data is collected, how it is processed, for which purposes it will be used and whether it will be shared with third parties. Similarly, the principle of purpose limitation, according to which personal data must be collected for specified, explicit and legitimate purposes and not be further processed in a way incompatible with those purposes, is also applicable. Furthermore, considering the data minimization principle, the data collected should not be excessive in relation to the purpose and not be retained longer than necessary.

Considering the vast number of stakeholders involved (device manufacturers, social platforms, third-party applications, device lenders or renters, data brokers or data platforms), a well-defined allocation of legal responsibilities is required. Therefore, a clear accountability of data controllers shall be established.

In this context, the Directive 2002/58/EC is deemed applicable when an IoT stakeholder stores or gains access to information already stored on an IoT device, in as much as IoT devices qualify as “terminal equipment” (smartphones and tablets), on which software or apps were previously installed to both monitor the user’s environment through embedded sensors or network interfaces, and to then send the data collected by these devices to the various data controllers involved…

Thus said, one can only rejoice that the enchantment about the possibilities of IoT does not surpass the awareness regarding the existent vulnerabilities. But it remains to be found how can these and the other data protection and privacy requirements be effectively implemented in practice.

We certainly are in the good way to dodge any black swan event. However, it won’t be that easy to find the appropriate answers for the massive security issues that come along. And one should not forget that technology seems to always be one step ahead of legislation.

So, the big question to ask is:

Are we really ready for the Internet of Things?

References   [ + ]

1. Copyright by Wilgengebroed under the Creative Commons Licence – Attribution 2.0 Generic

♫ I just call to say…la la la ♪: The unromantic side of telemarketing

Not another one!

Not another one!1)Copyright by methodshop .com under the Creative Commons Licence – Attribution-ShareAlike 2.0 Generic.

Missed anonymous calls that leave you wondering who it may have been… Calls from unknown numbers at the most inconvenient moment… Wasting money in returning the call… The displeasure of discovering, mainly if we were expecting a specific important call, that it is only a marketing communication… The frustration of spending long and precious minutes repeating that we are not interested in whatever product the interlocutor is trying to sell…

It most certainly sounds familiar…

Out of my personal experience I can refer quite a few examples of unsolicited marketing, some of which actually could have been qualified as marketing harassment. Not the best publicity, if you ask me…

From evening calls, to anytime calls, from participating in a raffle only to be attacked by unwanted marketing initiatives, from registering in an online shopping website only to be contacted by financial institutions intending to sell you some credit card, from ordering a body lotion only to start receiving advertising of completely unrelated products…

I am specifically referring to business-to-consumer (B2C) advertising and marketing, through all the channels technologically available to promote companies’ commercial campaigns of products and services among individual buyers.

However, telemarketing is, in my very personal opinion, among the most annoying direct marketing initiatives. It gets worse when calls are repetitive, insistent, and even aggressive, as many of them usually are.

Worse than that? Well, I can easily point out having a salesperson ringing on your bell door right before or, even worst, during dinner time…

If the assumption that consumers purchases are usually based on personal emotions is correct, despite not being a marketing genius myself, I am pretty sure that bothering potential clients is never (ever!) the way to go when it comes to attract consumers. As a matter of fact, I am certain that it can actually lead to the opposite effect. So, if you own a business and somehow your marketing campaign is not working, you might want to check this criterion.

Nevertheless, it is astonishing how abusive and unlawful marketing initiatives frequently are. It never ceases to amaze me the number of businesses that seem to be completely unaware of their responsibilities as data controllers. I always fail to understand if they actually ignore their duties or if they just pretend so in order to take advantage of the data subject most likely ingenuousness on the matter.

Legal requirements, as those foreseen in the E-Privacy Directive, i.e., the Directive on privacy and electronic communications and the Directive 95/46, which is applicable as direct marketing requires personal data processing, are not suitably taken into consideration. It is like some companies do not acknowledge that individuals have any rights over their personal data, including the absolute right to object to their personal data being used for marketing purposes.

However, while it is merely an inconvenience for me, as I know which reasoning I shall refer to and which means are required in order to cease any further annoyance quickly, not everybody does. Sometimes it takes people months before being able to get definitely rid of any undesirable contact.

The very basic requirement that is applicable to direct marketing – the prior consent of the data subject – seems to be easily overlooked as many companies sell or share data from customers without their authorisation. Most of the time, individuals do not even fully appreciate that they giving their consent or what they are consenting to or are not even given the possibility to refuse such use of their personal data.

This is particularly worrying considering all the changes which are on the way. If businesses keep ignoring or refusing to acknowledge the requirements they owe to comply with, they will commit the offences and suffer the sanctions which most likely will be foreseen, for instance, in the future EU General Regulation on Data Protection.

I already had the opportunity to address some of those forthcoming changes here. However, these are particularly restrictive regarding marketing initiatives.

All forms of marketing communications, including telemarketing and direct mail, will be subjected to the individual’s consent. Indeed, the current ‘opt-out’ checkboxes system will be replaced by an ‘opt in’ permission method. This means that any communication which hasn’t been the object of a previous, free, explicit and informed consent of the data subject will therefore be forbidden.

The criterion of explicit consent requires a clear statement or an affirmative action. In this context, companies collecting information will have to ensure that the data subject is well aware of the specific purposes of the data collection, namely for marketing purposes.

In parallel, the data subject would be able to access the data collected without being charged any fee. Moreover, if a data subject decides to opt out of marketing communications, marketers will have to delete any records they hold, if requested. Marketers won’t be able to retain, in that case, any detail, unless they can show legitimate grounds for retaining the data.

As a direct result, if companies cannot demonstrate that consent has been previously explicitly given to marketing purposes, they will have to delete it. Databases and contacts lists will most certainly be severely reduced.

The forthcoming changes will obviously make the conducting of marketing campaigns more difficult and, consequently, will require a shift in the marketing strategies in order to be compliant with the law.

As a consumer, I am always favourable of legislation which protects individuals regarding ambiguities related to the use of their personal information.

As lawyer, I can only provide timely and relevant information that will help my clients to comply with the law while (hopefully) simultaneously making a profit for their company.

The unpleasant side of non compliance with the rules on direct marketing does not limit itself to bad publicity or reputation. Fines, legal action and financial damages also have strikingly negative effects on businesses. For this reason, companies should start preparing for the forthcoming changes in advance in order to avoid any surprises, save time and money and make the most out of a new situation.

References   [ + ]

1. Copyright by methodshop .com under the Creative Commons Licence – Attribution-ShareAlike 2.0 Generic.

© 2017 The Public Privacy

Theme by Anders NorenUp ↑