Tag: EU (page 1 of 3)

The limits of government surveillance according to the ECtHR

Limits? What do you mean by 'limits'?

Limits? What do you mean by ‘limits’?

In two very recent judgements, the European Court of Human Rights (hereafter ECtHR) has made several essential points in regards of surveillance conducted by public authorities and its relation with Article 8 of the European Convention of Human Rights (hereafter ECHR).

Article 8 provides that governmental interference with the right to privacy must meet two criteria. First, the interference must be done e conducted “in accordance with the law” and must be “necessary in a democratic society”. Such interference must aim to achieve the protection of the “interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others”.

In previous cases regarding surveillance conducted by public authorities, the ECtHR had already concluded that any interference with the right to respect for private life and correspondence, as enshrined in Article 8 of the ECHR, must be strictly necessary for safeguarding the democratic institutions. However, it has now further clarified its interpretation.

In these recent decisions, the ECtHR concluded that the secret surveillance, as carried out in the manner described in the facts of the cases, violated Article 8 of the Convention.

The Roman Zakharov v. Russia decision, issued on the 4th December 2015, concerned the allegations of the editor in chief of a publishing company that laws enabling the installation of equipment which permitted the Federal Security Service (“the FSB”) to intercept all his telephone communications, without prior judicial authorisation, three mobile network operators interfered with his right to the privacy of his telephone communications.

The Court considered that “a reasonable suspicion against the person concerned, in particular, whether there are factual indications for suspecting that person of planning, committing or having committed criminal acts or other acts that may give rise to secret surveillance measures, such as, for example, acts endangering national security” must be verified and the interception shall meet the requirements of necessity and proportionality.

The Szabó and Vissy v. Hungary decision, issued on the 12th January 2016, concerned the allegations of members of a non-governmental organisation voicing criticism of the Government that the legislation enabling police to search houses, postal mail, and electronic communications and devices, without judicial authorization, for national security purposes, violated the right to respect for private life and correspondence.

The Court considered that: “the requirement ‘necessary in a democratic society’ must be interpreted in this context as requiring ‘strict necessity’ in two aspects. A measure of secret surveillance can be found as being in compliance with the Convention only if it is strictly necessary, as a general consideration, for the safeguarding the democratic institutions and, moreover, if it is strictly necessary, as a particular consideration, for the obtaining of vital intelligence in an individual operation. In the Court’s view, any measure of secret surveillance which does not correspond to these criteria will be prone to abuse by the authorities with formidable technologies at their disposal.” Consequently, it must be assessed if “sufficient reasons for intercepting a specific individual’s communications exist in each case”.

In both cases, by requiring surveillance activities to be individually targeted, the ECtHR has established that any indiscriminate interception is unacceptable. This is a most welcomed position considering the well-known legislative instruments and initiatives intended to strength the legitimacy of massive monitoring programs in many EU Member States.

The ‘Safe Harbor’ Decision ruled invalid by the CJEU

Safe harbor?!? Not anymore.

Safe harbor?!? Not anymore.

Unfortunately, I hadn’t had the time to address the ruling of the CJEU issue last October, by which the ‘Safe Harbour’ scheme, enabling transatlantic transfers of data from the EU to the US, was deemed invalid.

However, due to its importance, and because this blog is primarily intended to be about privacy and data protection, it would be shameful to finish the year without addressing the issue.

As you may be well aware, article 25(1) of Directive 95/46 establishes that the transfer of personal data from an EU Member State to a third country may occur provided that the latter ensures an adequate level of protection. According to article 25(6) of the abovementioned Directive, the EU Commission may find that a third country ensures an adequate level of protection (i.e., a level of protection of fundamental rights essentially equivalent to that guaranteed within the EU under the directive read in the light of the Charter of Fundamental Rights) by reason of its domestic law or of its international commitments.

Thus said, the EU Commission adopted its Decision 2000/520, by which it concluded that the “Safe Harbour Principles” issued by the US Department of Commerce ensure an adequate level of protection for personal data transferred from the EU to companies established in the US.

Accordingly, under this framework, Facebook has been transferring the data provided by its users residing in the EU from its subsidiary in Ireland to its servers located in the US, for further processing.

These transfers and, unavoidably, the Decision had been challenged by the reference to the CJEU (judgment in Case C-362/14) following the complaint filed by Max Schrems, a Facebook user, before the Irish DPA and subsequently before the Irish High Court. The main argument was that, considering the access electronic communications conducted by its public authorities, the US did not ensure adequate protection of the thus transferred personal data.

According to the AG’s opinion, “the access enjoyed by the United States intelligence services to the transferred data constitutes an interference with the right to respect for private life and the right to protection of personal data”.

Despite considering that a third country cannot be required to ensure a level of protection identical to that guaranteed in the EU, the CJEU considered that the decision fails to comply with the requirements established in Article 25(6) of Directive and that the Commission did not make a proper finding of adequacy but merely examined the safe harbour scheme.

The facts that the scheme’s ambit is restricted to adhering US companies, thus excluding public authorities, and that national security, public interest and law enforcement requirements, to which US companies are also bound, prevail over the safe harbour principles, were deemed particularly decisive in the assessment of the scheme’s validity.

In practice, this would amount to enable the US authorities to access the personal data transferred from the EU to the US and process it in a way incompatible with the purposes for which it was transferred, beyond what was strictly necessary and proportionate to the protection of national security.

As a result, the Court concluded that enabling public authorities to have access on a generalised basis to the content of electronic communications must be regarded as compromising the essence of the fundamental right to respect for private life.

The Court stated that the decision disregards the existence of such negative interference on fundamental rights, and that the lack of provision of limitations and effective legal protections violates the fundamental right to effective judicial protection.

Upon issuance of this ruling, the Art29WP met and concluded that data transfers from the EU to the US could no longer be legitimized by the ‘Safe Harbor’ decision and, if occurring, would be unlawful.
While its practical implications remain unclear, the ruling undoubtedly means that companies relying on the ‘Safe Harbor’ framework for the transfer of personal data from the EU to the US need to rely, instead, on another basis.

In this regard, considering that not all Member States accept the consent of the data subject or an adequacy self-assessment as a legitimizing legal ground for such cross-border transfers, Model Contractual Clauses incorporated into contracts and Binding Corporate Rules (BCR) for intragroup transfers seem to be the most reliable alternatives in certain cases.

Restrictions on data transfers are obviously also foreseen in the GDPR, which, besides BCRs, Standard Contracts and adequacy decisions, includes new data transfer mechanisms such as certification schemes.

You can find the complete version of the ruling here.

Opinion of the EDPS on the dissemination and use of intrusive surveillance technologies

We need some more surveillance here!

We need some more surveillance here! 1)Copyright by Quevaal under the Creative Commons Attribution-Share Alike 3.0 Unported

In a recently published opinion, the EDPS addressed its concerns in regards of the dissemination and use of intrusive surveillance technologies, which are described as aiming “to remotely infiltrate IT systems (usually over the Internet) in order to covertly monitor the activities of those IT systems and over time, send data back to the user of the surveillance tools.”

The opinion specifically refers to surveillance tools which are designed, marketed and sold for mass surveillance, intrusion and exfiltration.

The data accessed and collected through intrusive surveillance tools may contain “any data processed by the target such as browsing data from any browser used on that target, e-mails sent and received, files residing on the hard drives accessible to the target (files located either on the target itself or on other IT systems to which the target has access), all logs recorded, all keys pressed on the keyboard (this would allow collecting passwords), screenshots of what the user of the target sees, capture the video and audio feeds of webcams and microphones connected to the target, etc.

Therefore these tools may be adequately used for human rights violations, such as censorship, surveillance, unauthorised access to devices, jamming, interception, or tracking of individuals.

This is particularly worrisome considering that software designed for intrusive surveillance has been known to have been sold as well to governments conducting hostile surveillance of citizens, activists and journalists.

As they are also used by law enforcement bodies and intelligence agencies, this is a timely document, considering the security concerns dictating the legislative amendments intended to be implemented in several Member States. Indeed, as pointed by the EDPS, although cybersecurity must not be used for disproportionate impact on privacy and processing of personal data, intelligence services and police may indeed adopt intrusive technological measures (including intrusive surveillance technology), in order to make their investigations better targeted and more effective.

It is evident that the principles of necessity and proportionality should dictate the use of intrusion and surveillance technologies. However, it remains to be assessed where to draw the line between what is proportional and necessary and disproportional and unnecessary. That is the core of the problem.

Regarding the export of surveillance and interception technologies to third countries, the EDPS considered that, despite not addressing all the questions concerning the dissemination and use of surveillance technologies, “the EU dual use regime fails to fully address the issue of export of all ICT technologies to a country where all appropriate safeguards regarding the use of this technology are not provided. Therefore, the current revision of the ‘dual-use’ regulation should be seen as an opportunity to limit the export of potentially harmful devices, services and information to third countries presenting a risk for human rights.

As this document relates to the EU cybersecurity strategy and the data protection framework, I would recommend its reading for those interested in those questions. You can find the document here.

References   [ + ]

1. Copyright by Quevaal under the Creative Commons Attribution-Share Alike 3.0 Unported

The General Data Protection Regulation – Start the countdown!

Start the countdown.

Start the countdown. 1)Copyright by Julian Lim under the Creative Commons Attribution 2.0 Generic

After years and years of lengthy drafting and negotiating, the European Commission, the European Parliament and the EU Council, following the final negotiations between the three institutions (the so-called “trilogue negotiations”) have, at last, reached a political agreement on the data protection reform package, which includes the General Data Protection Regulation (“GDPR”) and the Data Protection Directive for the police and criminal justice sector, as the Civil Liberties (LIBE) Committee of the European Parliament also approved the text on 17 December.

A formal adoption from the European Parliament and the EU Council is still required though, currently foreseen to take place at the beginning of 2016.

At this pace, and optimistically, the Regulation will finally be published somewhere in the middle of 2016.

So let the countdown begin…

References   [ + ]

1. Copyright by Julian Lim under the Creative Commons Attribution 2.0 Generic

Monitoring of employees in the workplace: the very private parts of a job in the EU private sector

Let us all see what you are doing.

Let us all see what you are doing.1)Copyright by MrChrome under the CC-BY-3.0

Whilst not all employers in the U.S.A. monitor their employees’ communications and activities, the majority do so, namely to evaluate their professional performance, to protect trade secrets, to prevent information security breaches or to avoid or reduce their liability in lawsuits.

So, incoming and outgoing email correspondence, telephone calls, websites visited and documents saved on the computer may be only some of the data accessed in this context.

This surveillance of employees’ electronic communications and activities over employer-provided facilities are generally deemed unlawful under the European Union law. Member States legal systems usually include constitutional laws, telecommunications laws, labour laws and criminal laws which are intended to be dissuasive.

Currently, there is no specific EU legislation regarding the privacy and protection of workers’ personal data at work.

Nevertheless, Article 31(1) of the Charter of Fundamental Rights of the European Union, whose application is mandatory whenever Member States apply EU law, states: “Every worker has the right to working conditions which respect his or her (…) dignity”.

In parallel, there are two EU Directives which can be applicable in these professional contexts. Although they do not specifically deal with any aspect of employment relationships nor address employee monitoring, they establish some privacy principles which are applicable regarding surveillance at workplace. These provisions are then furthered by Member States through their national legislation.

Firstly, we have the 95/46/EC Directive which relates to the protection of individuals with regard to the processing of personal data. Under this framework, data subjects are provided control over the collection, transmission, and use of their personal information. In fact, this instrument foresees that data subjects have the right to be notified of collection of personal information.

In this context, employers have to ensure that their surveillance is legitimate and restricted and must be transparent regarding any surveillance conducted. Any monitoring of the employees communications and activities, namely regarding the use of e-mail, the internet or phones, without their employee’s knowledge or consent, is unlawful.

Secondly, the 2002/58/EC Directive relates to the processing of personal data and the protection of privacy in the electronic communications sector. The interception of  communications over private networks, including e-mails, instant messengers, and phone calls, and generally private communications, are not covered as the instrument only refers to publicly available electronic communications services in public communication networks.

The European Convention for the Protection of Human Rights and Fundamental Freedoms (hereafter ‘ECHR’), in its article 8, reads as follows: “Everyone has the right to respect for his private and family life, his home, and his correspondence”.

Whilst the right to privacy at work has not yet be considered by the Court of Justice of the European Union, the European Court of Human Rights (hereafter ‘ECtHR’) has already ruled that the right to privacy right is not restricted to the household and extends to the workplace environment.

In fact, in Köpke v Germany, the Court stated as follows: “(…) that the concept of private life…may include activities of a professional or business nature and may be concerned in measures effected outside a person’s home or private premises(…)”.

In the Niemietz v. Germany case, the ECtHR included business relations, e-mails, and any other form of electronic communication in the concept of ‘private life and correspondence’, no distinction being made between private or professional correspondence.

In Halford v. UK Gov., the ECtHR held that the employer’s surveillance of the employee’s calls at work unjustifiably interfered with the employee’s right to privacy and correspondence. Communications via e-mail, fax, wireless, and any technological means is covered by the concept of correspondence.

Moreover, in the ruling Copland v United Kingdom, the ECtHR concluded that the fact that the calls or the e-mail usage occur in the office and, at least in theory, are business related, was irrelevant. Business correspondence and telephone calls may contain personal information, which is protected by human rights and by data protection law.

It also found that, even if the telephone monitoring was limited to “the date and length of telephone conversations” and “the numbers dialled,” and do not involve the content of the communications, it still violates article 8 of the ECHR.

The Court stated as well that article 8 is infringed where the monitoring is not previously communicated to the employees, as they have, in consequence, a “reasonable expectation” that they will not be.

However, a worker’s right to privacy at work is not absolute.

In Benediktsdóttir v. Iceland, the ECtHR concluded that the right to privacy and to correspondence has to be balanced with the other rights, namely those of the employer.

In this context, although not legally binding, the Article 29 Working Party (hereafter WP29) opinions provide important guidance. In fact, national data protection authorities take them into account when applying and enforcing national laws.

The WP29 issued an opinion on the processing of personal data in the employment context in 2001, concluding that “[t]here should no longer be any doubt that data protection requirements apply to the monitoring and surveillance of workers whether in terms of email use, internet access, video cameras or location data.” Therefore, monitoring must be proportionate, not excessive for the intended purposes, and carried out in the least intrusive way possible. Furthermore, it stated that, under the Data Protection Directive, employers may process data concerning their employees only with “unambiguous consent” or if the processing is “necessary.”

In 2002, the WP29 issue a Working Document on the surveillance of electronic communications in the workplace, in which was argued that the employee’s right to privacy should be balanced with the legitimate rights and interests of the employer, such specific and important business need, as efficiency or the right to protect the employer from harm caused by employees’ actions. Therefore, the monitoring activities should be necessary, proportionate and transparent.

In the WP29’s viewpoint, any monitoring of electronic communications should be exceptional, namely when necessary to obtain to obtain proof of certain actions of the worker; detect unlawful activity; detect viruses; or guarantee the security of its systems. Therefore, concealed or intrusive monitoring is generally unlawful.

In 2005, in its annual report, the WP29 has affirmed that “[i]t is not disputed that an e-mail address assigned by a company to its employees constitutes personal data if it enables an individual to be identified.

The WP29 stressed, in another Opinion, in 2006, that all online communications in the workplace are subjected to confidentiality protection, including those sent from workplace equipment for private as well as professional purposes. It suggested seven principles to ensure a proper monitoring: necessity regarding a specified purpose; a specified, explicit and legitimate purpose; prior notice to employees about the monitoring; the monitoring should be aimed to safeguard employer’s legitimate interests; personal data processed in connection with any monitoring must be adequate, relevant, and not excessive with regard to the purpose for which they are processed; data must be accurate and not retained for longer than necessary; and appropriate technical and organisational measures shall be implement regarding security.

The requirements at stake may vary according to the monitoring technologies used as some will require stricter standards according to the extent of interference with private life. For instance, in Uzun v. Germany, the ECtHR concluded that the monitoring via GPS is not as intrusive telephone tapping.

Considering that the data collected by the employer may constitute sensitive data, it can only be processed in the cases foreseen in Article 7 of the Directive 95/46. In this context, considering the disparity in the contractual positions at stake the employee’s consent may not deemed to legitimize the processing.

In this context, it is quite advisable for private employers established in the EU to set up clear and acknowledged internal policies or guidelines regarding the use of Internet and electronic equipment in the workplace, for instance as part of the work contract.

This legal and jurisdictional context highlights the challenge that companies and other organizations face when doing business in the European Union, especially those which also operate under U.S.A. law.

References   [ + ]

1. Copyright by MrChrome under the CC-BY-3.0

Microsoft or the rider on a white horse of modern times

My hero!

My hero!

Microsoft has been challenging a USA search warrant, issued within an ongoing narcotics trafficking related investigation, seeking to access the content information of the electronic communications of one of its customers, which are stored exclusively outside the jurisdiction of the USA authorities, more specifically hosted in a data centre in Dublin, Ireland.

The abovementioned warrant would require an extraterritorial search and seizure of data stored in Microsoft’s Dublin datacenter. The very particular question at stake is if and to what extent a USA warrant compels a USA communications service provider to provide data stored abroad. What is to determine territoriality for a USA based provider with data stored abroad: the location where the data is stored or where the company is headquartered?

As any other service provider company, Microsoft stores the e-mail messages sent and received by its users and related information in datacenters, both in the USA and abroad, according to the users own location and proximity, given at registration, in order to increase the quality of the communications and decrease the network latency1)The concept refers to the time it takes for data to get from one designated point to another..

In this specific case, considering that the content is hosted outside the EUA, it is quite possible that the customer at stake is a non-US citizen. And this makes this issue all the worse in the post-Snowden age.

In fact, this situation is not so vaguely reminiscent of the statements of Robert Hannigan, the head of the GCHQ, which qualified tech companies as ‘the command and control networks of choice’, precisely because they do not agree to cooperate on some very dubious terms. Or those of James Comey, the FBI director, a strong opponent of the growing market for secure private telecommunications, namely through data encryption technologies that companies such as Apple and Google have inserted to their Smartphone operating systems.

Needless to say that a “trapdoor” access to the tech companies networks by intelligence agencies and law enforcement authorities, in order to collect information about its users, is not a good idea. With such a free access door, there is no guarantee about who else would be able to gain access to these networks.

And it is quite hard to accept the need of such doubtful mechanisms when existing legal mechanisms do exist and allow achieving the same result. They are called warrants.

But it seems that when even when using the proper legal mechanisms, some governments fail to understand its territorial limitations in regards of competence and jurisdiction. That is certainly why a USA court assumes to have the authority to issue warrants for the search and seizure of property outside the territorial limits of the United States.

According to the Court which issued the warrant, the specific nature of an SCA2)The Stored Communications Act, which authorizes the Government to seek the contents of information stored through a warrant, a subpoena or a court order. warrant differs from a normal warrant, compelling the service provider to gather and produce the data itself, rather than authorizing the entrance into the physical premises in order to conduct a search and seizure. In this context, it is not bound by the geographical restrictions of a search warrant and therefore no elements of extraterritoriality are at stake as Microsoft is merely required to produce information in its possession or control, regardless the location of that information.

The Court further considered that otherwise it would be sufficient for an individual intending to engage in criminal activities to give false residence information or to establish its residence abroad in order to have his account assigned to a server outside the USA and, thus, evade an SCA warrant.

There are, for what I managed to gather, substantial theoretical ambiguities regarding the interpretation and the historical drafting of the SCA. Nevertheless, there are others which are quite straightforward.

For instance, at an international level, such a unilateral initiative risks of negatively interfering with the sovereignty and jurisdiction of another country and may even damage diplomatic relations and foreign policies. The German Government has already stated that it will cease the storage of data in USA cloud providers.

There are indeed proper specific procedures established in bilateral agreements aimed at obtaining criminal evidence located in another country. Take for instance the Mutual Legal Assistance Treaty (MLAT), which is an international instrument designed to facilitate cross-border criminal investigations, concluded between Ireland and the USA. This is precisely because a USA Court Order is no more binding in Ireland as an Irish Court Order would be in the US. For this very reason, the data shouldn’t be transferred from Ireland to the USA other than through such a formal and official channel of co-operation.

However, this mechanism was deemed “slow and laborious” by the USA Court, which also outlined the possibility for one of the parties to decline the request for assistance as a negative feature. Apparently, the main issue is that the requested party may oppose “the exercise of jurisdiction which is in its view extraterritorial and objectionable”. The same Court considered that the fact that some MLAT require the execution of a search warrant to be operated in accordance with the laws of the requested party to be an issue.

Humm, quite self-explanatory, isn’t it? The intention is to access private emails of any customer of a USA based service provider disregarding where the data is located, and without the knowledge or consent of the subscriber or the relevant foreign government where the data is stored.

The interpretation according to which the search of digital data occurs where the data is remotely accessed is just a not so smart and very unfortunate attempt of bypassing the proper existing mechanisms. And it opens the door for legal uncertainty.

The search of digital data undoubtedly occurs where the data is stored when the company at stake is required to copy the data from the server. The location should dictate the competent jurisdiction. If the court has no competence to obtain through a court warrant some evidence, it cannot circumvent that limitation by compelling Microsoft to do what it has no authority to do itself.

Considering that USA-based companies can be constricted to produce documents stored anywhere worldwide – just because they are based in the USA – fails to acknowledge that different laws apply depending on the jurisdictions where the user is located. For instance, Microsoft would be compelled to breach EU data protection laws, namely the Data Protection Directive3)Directive 95/46/EC and the Framework Decision which regulates data transfers to non-EU Member States4)The Council Framework Decision 2008/977/JHA.

In this context, in a statement issued last November, the Article 29 WP stated as follows:

a public authority in a non-EU country should not have unrestricted direct access to the data of individuals processed under EU jurisdiction, whatever the conditions of this access and the location of the data. Conflicts of jurisdiction shall be resolved only under certain conditions–e.g. through prior authorisation by a public authority in the EU or through a mutual legal assistance treaty, respectively covering access by foreign law enforcement authorities to data transferred from the EU or to data stored in the EU. Foreign requests must not be served directly to companies under EU jurisdiction.

Moreover, allowing for the USA government such an access would create a dangerous precedent, potentially leading other countries to disregard the existing legal mechanisms to seek data stored abroad. Such an anarchy is certainly not a desirable outcome to be achieved!

Anyway, considering the company’s previous relation with the National Security Agency (NSA), I must admit this came as a surprise. After all, among the several very inconvenient and ugly truths, namely regarding the PRISM program, the documents provided by Edward Snowden revealed that Microsoft has collaborated closely with USA intelligence services in order to allow users’ communications to be intercepted, including enabling the NSA to circumvent the company’s own encryption.

This can really be the first time that a company challenges the USA government over a domestic warrant for data held overseas. In the meantime, the Irish government has already manifested its support, along with several other tech companies and consumer privacy advocates.

While this situation outlines the increasing role of private companies as the ultimate defendants our rights, it brings to the spotlight that the right of protection against illegal access, search and seizure of physical property needs to clearly apply also to the digital world. I mean, if governments are not entitled to freely conduct searches in a building located in another country, I cannot fathom any reason for considering that this power of search would be bestowed to them in regard of the content of an email stored overseas. The information located in the cloud should be covered by an equally high standard of protection and any exchange should be covered by a strict framework. Otherwise, it is the very cloud model that is put at risk and we all know that the trust of customers has been quite challenged already.

References   [ + ]

1. The concept refers to the time it takes for data to get from one designated point to another.
2. The Stored Communications Act, which authorizes the Government to seek the contents of information stored through a warrant, a subpoena or a court order.
3. Directive 95/46/EC
4. The Council Framework Decision 2008/977/JHA

The impact of the attack against Charlie Hebdo on our rights and freedoms

This will be the excuse for more intrusion.

This will be the excuse for more intrusion.

I do not particularly appreciate the work of the satirical magazine Charlie Hebdo. I frequently find it distasteful and offensive. And I do like to live in a society where others are able to freely express themselves and I am able to openly dislike or disagree with. That is what the right of expression is about. Of course it is not an absolute right and, of course, when the critique is about sensitive issues, such as religion, race, sexual orientation or gender, someone will most certainly get offended. This is not the main purpose of the satire. As history shows us, this kind of critique has prompted reflections, discussions and cultural, political and social changes.

Thus said, a cold-blooded attack was conducted against the headquarters of the magazine, in Paris, and 12 innocent persons were killed, due to the drawing of a cartoon. I cannot help lingering on the absurdity of these words as I write them. And to feel, over again, the shock, the incredulity, the anger, the frustration, the revolt, the hope. And the fear. The fear of this invisible enemy who is able to strike anywhere, at any time, against anybody. The very same feelings that are awaken each time a terrorist attack occurs.

Looking at the solidarity marches held in Paris, it is unavoidable to outline the particular unifying effect of this particular attack. It has united those in favour of freedom of speech, freedom of information, and, ultimately, the rule of law and democracy ideals. Values that are so deeply anchored in our mindsets and yet so frequently put at risk. On the other side, it has ignited one of the most powerful and basic feelings, the fear. The same fear which has empowered anti-immigration movements with an afresh wave of arguments, increased xenophobia and fed the confusion of concepts such as Muslims, Islamism, extremism and terrorism. As strange as it can be, this event has joined in solidarity existing conflicting ideals that would not be put side to side otherwise. And this is where the scission happens.

In fact, when individuals feel insecure and threatened, intolerance, regarding minorities, cultural, ethnic and religious, for instance, arises. It has happen before. It has been happening more frequently due to the economic crisis. And it has happened again a few days ago, considering the almost immediate popularity of some extreme right political parties on social networks.

Moreover, fear does not only compel individuals to pacifically accept the sacrifice others’ rights and freedoms in order to preserve their own privileges and liberties. In the name of an alleged bigger value, such as national security, individuals also tend to more easily allow, without questioning, restrictions on their own civil and fundamental rights. Anything to feel safe again or at least live the comfort of that illusion.

Times like these, where these kinds of emotions and beliefs so vividly oppose a common threat, are therefore treacherous. One particular danger subsists in the appearance of legitimacy from which certain not so legitimate political ideals and governmental initiatives may benefit.

For instance, in the wake of the abovementioned attack, the French government has notified the European Commission of the impending publication of decrees allowing that websites advocating or promoting terrorist practices or ideals could be blocked without the intervention of a judge.

In this particular case, I sincerely fail to see any relation between the attack itself and such online activities or to perceive how such decrees will somehow help to prevent any eventual similar attacks in the future. However, it is much certainly a first step to take control over the content of online communications and to achieve the desired Internet governance. In the wake of Edward Snowden’s revelations, it was already been made clear how interesting our communications can be to some intelligence services. Of course, if censorship can ever be defensible, it is particularly in this case. Nevertheless, it is a very hazardous path. Where to draw the limit? What guarantees do we have that this is just not the climbing of the first step of the staircase? When will surveillance measures be enough?

Furthermore, the fight against terrorism being primarily of their competence, and in what seems to be the result of passionate emotions and precipitation, some EU Members States are already developing extra security measures. No surprise here. Following a terrorist attack, it is quite common for governments to push for increased surveillance.

I have to admit that I am very sceptic in regards of the efficiency of a more intrusive government surveillance. I do believe that surveillance is needed to be conducted in order to tackle terrorism. But the police and the intelligence services do already conduct surveillance activities which allow for the identification of people involved in terrorist activities. For instance, the Cherif and Said Kouachi brothers, the authors of the attack conducted against Charlie Hebdo, were already known to the security services and this has not prevented the horrific murder of those people. Moreover, Charlie Hebdo was already known as a potential target, as it has been firebombed in 2011.

So to argue that more invasive powers of surveillance on a larger scale, which will imply to treat everyone as a suspect, are required in order to prevent future attacks is very unconvincing. Surveillance must be targeted and limited and the competence of courts in regards of restrictions to individuals’ fundamental rights cannot be diluted.

Considering the existing fear, it is very easy to turn terrorist attacks into the perfect excuse for the practice of mass surveillance and a full government control over the Internet. However, this would get us dangerously close to the very same political regimes we are so proud to differ of. Contrarily to what some of us might think or say, we do not want to risk living in a society where we all are monitorized and afraid to express ourselves. Mass surveillance does not only violate our privacy, it also undermines our ability to speak freely. In this context, the line to censorship can be smoothly crossed. Which is the opposite of what Charlie Hebdo actually stands for.

I mean, if this attack was primarily directed to the freedom of expression of a democratic country, counter-attacking on the same freedom of expression – although in its online manifestation – does seem a little bit odd. Shouldn’t we aim precisely the opposite: to protect the very rights and freedoms that have been attacked? Our freedoms are not protected by further limitations.

At the EU level, border management, internal security, the “foreign fighters” travelling and the online terrorist propaganda were already very vivid concerns. In the wake of the Charlie Hebdo attacks, the European Commission has pledged to present a new programme to fight terrorism. Under the present scenario, it is very likely that the discussions in regards an EU PNR will be boosted.

Only time will tell to what extent these terrorists attacks were able affect our core values. But in the aftermath, it seems that, if the intention of the attack was to undermine our fundamental rights, in the long run, they may be successful.

 

Game of drones or the not so playful side of the use of RPAS for recreational purposes

I am watching you.

I am watching you.1)Copyright by Don McCullough under the Creative Commons Attribution 2.0 Generic

If one of the gifts you have found underneath the Christmas tree was a drone 2)The term drone is used to describe any type of aircraft that is automated and operates without a pilot on board, commonly described as unmanned aerial vehicles (UAV). There are two types of drones: those which can autonomously follow pre-programmed flight routes and those which have remotely piloted aircrafts systems (RPAS). Only the latter are currently authorised for use in EU airspace., and it happens to have some camera installed on it, you should prepare yourself to embrace your new status of a data controller and face a new set of obligations regarding privacy and safety.

Indeed, whilst drones can be a lot of fun, there are serious considerations at stake which should not be ignored. In fact, the extensive range of their potential applications3)Despite drones were firstly used for military activities, they are increasingly used across the EU for civilian purposes. The civil use usually refers to those commercial, non-commercial and government non-military activities which are more effectively or safely performed by a machine, such as such as the monitoring of rail tracks, dams, dykes or power grids., the proliferation of UAVs with a camera, the collection of data and the subsequent use of such data, namely by private individuals for personal and recreational purposes raise concerns about the impact of these technologies on the safety, security, privacy and the protection of personal data.

As a matter of fact, a drone in itself does not imply the collecting and the processing of any personal data until you attach a camera to it. However, drones are increasingly equipped with high definition optical cameras and therefore are able to capture and record images of the public space. And while there are no apparent privacy concerns regarding the recording of landscapes, having a drone filming through the sky over your neighbourhood might lead to a very different conclusion. Drones have a high potential for collateral or direct intrusion regarding privacy, considering the height at which they operate, allowing to monitor a vast area and to capture large numbers of people or specific individuals. Despite individuals may not always be directly identifiable, their identification may still be possible through the context in which the image is captured or the footage is recorded.

It must be noted that people might not even be aware that they are being filmed or by whom and, as a result, cannot take any steps to avoid being captured if such activity is not made public. People ought not to know that the device is equipped with optical imaging and has recording capabilities. Moreover, because the amateur usage of a drone may not be visible, there is a high risk of being directed to covert and voyeuristic recording of their neighbours’ lives, homes and back gardens. How would you feel if a drone was constantly looming near your windows or in your backyard? Indeed, there is no guarantee regarding the legitimacy of the end to be achieved with the use of drones. None withstanding the fact that a drone may actually pose a threat to people’s personal safety, belongings and property, considering that it may fall, its increasing popularity as a hobby outlines the issue of discriminatory targeting, as certain individuals, such as children, young people and women, are particularly vulnerable to an insidious use of RPAS. This is particularly relevant considering that the images or footage is usually intended to be made publicly available, usually on platforms such as Youtube.

Furthermore, the recording may interfere with the privacy of individuals as their whereabouts, home or workplace addresses, doings and relationships are registered. In this context, the use of drones for hobbying purposes may have a chilling effect on the use of the public space, leading individuals to adjust their behaviour as they fear their activities are being monitored.

Thus considering, the use of this type of aerial technologies is covered by Article 7 and Article 8 of the EU Charter of Fundamental Rights which respectively establish the respect for private life and protection of personal data. Taking into account the abstract nature of the concept of privacy, the main difficulty will be to define when there is a violation at stake.

In addition, there are obviously data protection implications at stake where the drone is capturing personal data. EU data protection rules generally govern the collection, processing and retention of personal data. The EU Directive 95/46/CE and the proposed General Data Protection Regulation are applicable to the collection, processing and retention of personal data, except where personal data is collected in the course of a purely personal or household activity. Hence, the recreational use of drones is a ‘grey area’ and stands almost unregulated due to this household exemption.

Nevertheless, due to the risks at stake, both to privacy and to data protection, the extent to which the ‘household‘ exemption applies in the context of a personal and private use must be questioned.

In a recent ruling, the CJEU concluded that the partial monitoring of the public space carried out by CCTV is subjected to the EU Directive 95/46, even if the camera capturing the images is “directed outwards from the private setting of the person processing the data”. As already analysed here, the CJEU considered that the processing of personal data involved did not fall within the ‘household exemption’ to data protection laws because the camera was capable of identifying individuals walking on a public footpath.

As the RPAS operations may be quite similar to CCTV, but more intrusive, because they are mobile, cover a larger territory, collect a vaster amount of information, it is not a surprise that they may and should be subjected to the same legal obligations. Subsequent to this ruling, these technologies should be considered as potentially privacy-invasive. Consequently, private operators of drones in public spaces should be ready to comply with data protection rules.

Of course, the footage needs to contain images of natural persons that are clear enough to lead to identification. Moreover, and in my opinion, it is not workable to consider, in order for the household exemption to be applied, the images collateral and incidentally captured. Otherwise, selfies unwillingly or unknowingly including someone in the background could not be freely displayed on Facebook without complying with data protection rules. The footage must constitute a serious and systematic surveillance on individuals and their activities.

Therefore, information about the activities being undertaken and about the data processing (such as the identity of the data controller, the purposes of processing, the type of data, the duration of processing and the rights of data subjects), where it does not involve disproportionate efforts, shall be given to individuals (principle of transparency). Moreover, efforts should be made in order to minimize the amount of data obtained (data minimization). Moreover, the controller might need to ensure that the personal data collected by the drone camera is anonymised, is only used for the original purpose for which it was collected (purpose limitation), will be stored adequate and securely and will not be retained for longer than what is necessarily required.

In this context, individuals having their image captured and their activities recorded by the camera of a drone should be given guarantees regarding consent, proportionality and the exercise of their rights to access, correction and erasure.

Thus said, depending on where you are geographically located in the EU, there are obviously different rules regarding the legal aspects related to the use of drones. It is therefore important for individuals intending to operate a drone to get informed and educated about the appropriate use of these devices and the safety, privacy and data protection issues at stake in order to avoid unexpected liability.

References   [ + ]

1. Copyright by Don McCullough under the Creative Commons Attribution 2.0 Generic
2. The term drone is used to describe any type of aircraft that is automated and operates without a pilot on board, commonly described as unmanned aerial vehicles (UAV). There are two types of drones: those which can autonomously follow pre-programmed flight routes and those which have remotely piloted aircrafts systems (RPAS). Only the latter are currently authorised for use in EU airspace.
3. Despite drones were firstly used for military activities, they are increasingly used across the EU for civilian purposes. The civil use usually refers to those commercial, non-commercial and government non-military activities which are more effectively or safely performed by a machine, such as such as the monitoring of rail tracks, dams, dykes or power grids.
Older posts

© 2017 The Public Privacy

Theme by Anders NorenUp ↑