Archive | ECJ

ECJ Advocate General on data retention: Strict conditions must apply

Data retention (collection of data about everybody’s phone calls, text messages, e-mails, internet connections and mobile positions) may only be used to combat serious crimes – and only if there are no other options (such as using surveillance only against people who are actually suspected of criminal activities).

This is the essence of the recommendation by the European Court of Justice's Advocate General in some ongoing cases about data retention.

From the press release (PDF):

The Advocate General is of the opinion that a general obligation to retain data may be compatible with EU law. The action by Member States against the possibility of imposing such an obligation is, however, subject to satisfying strict requirements. It is for the national courts to determine, in the light of all the relevant characteristics of the national regimes, whether those requirements are satisfied.

First, the general obligation to retain data and the accompanying guarantees must be laid down by legislative or regulatory measures possessing the characteristics of accessibility, foreseeability and adequate protection against arbitrary interference.

Secondly, the obligation must respect the essence of the right to respect for private life and the right to the protection of personal data laid down by the Charter.

Thirdly, the Advocate General notes that EU law requires that any interference with the fundamental rights should be in the pursuit of an objective in the general interest. He considers that solely the fight against serious crime is an objective in the general interest that is capable of justifying a general obligation to retain data, whereas combating ordinary offences and the smooth conduct of proceedings other than criminal proceedings are not.

Fourthly, the general obligation to retain data must be strictly necessary to the fight against serious crime, which means that no other measure or combination of measures could be as effective while at the same time interfering to a lesser extent with fundamental rights.

Furthermore, the Advocate General points out that that obligation must respect the conditions set out in the judgment in Digital Rights Ireland (5) as regards access to the data, the period of retention and the protection and security of the data, in order to limit the interference with the fundamental rights to what is strictly necessary.

Finally, the general obligation to retain data must be proportionate, within a democratic society, to the objective of the fight against serious crime, which means that the serious risks engendered by that obligation within a democratic society must not be disproportionate to the advantages it offers in the fight against serious crime.

Here it is important to remember that the ECJ revoked the EU Data Retention Directive – the document that all member states' data retention is built upon – in the spring of 2014. This was because it violates fundamental human rights, such as the right to privacy. So it is hardly possible to stick to any direct adaptations of the fallen directive.

One thing that seems to be clear is that data retention cannot be used to investigate minor crimes (e.g. illegal file sharing). And it cannot be used for non-criminal proceedings (e.g. by local councils and tax authorities). The infringement of privacy is massive with data retention. It must be in proportion to the seriousness of the suspected crime.

Point four (“which means that no other measure or combination of measures could be as effective while at the same time interfering to a lesser extent with fundamental rights”) is also interesting. Of course, there are other measures – like only using surveillance against people suspected of criminal activities, instead of the entire population.

Later this fall the ECJ will give its final verdict. But it usually follows the Advocate General's recommendations.

Links:
• ECJ press release (PDF) »
• The Advocate General's recommendation, full text »
• EDRi – European Court confirms: Strict safeguards essential for data retention »
• Falkvinge – European Supreme Court says “Maybe” to mass surveillance of innocents »


UK Brexit Minister in ECJ court case against UK government on privacy

This is unusual.

The new UK “Brexit minister” David Davis is involved in a court case in the European Court of Justice (ECJ) – suing the British government over personal data rights.

Furthermore, the law he is challenging was introduced by his new boss, Prime Minister Theresa May, during her time as Minister for Home Affairs.

“The choice of Mr Davis is a remarkable one in some ways. A sincere civil libertarian, as well as a pro-Brexit campaigner, he is one of a group of claimants suing the UK government at the European Court of Justice to enforce EU law on an allegedly non-compliant UK in respect of personal data rights. This case — which is reliant on the very charter of fundamental rights loathed by many in his own party — has already seen a decision of the high court saying an act of parliament was incompatible with EU law (though this was not upheld on appeal, it was referred to the ECJ instead).”

FT: David Davis, Brexit and the shapelessness of things to come »


EU-US Privacy Shield adopted by the EU despite privacy flaws

The much criticized EU-U.S. Privacy Shield agreement concerning data protection for personal data transferred from the EU to the U.S. has – as expected – been approved by EU member states.

• Statement by Vice-President Ansip and Commissioner Jourová on the occasion of the adoption by Member States of the EU-U.S. Privacy Shield »

• Privacy Shield data pact gets European approval »

• EU-U.S. commercial data transfer pact clears final hurdle »

• New Privacy Shield Could Face Legal Challenge in Europe, Experts Say »

• Official: Privacy Shield dragged across finish line »

Most likely this agreement will end up in the European Court of Justice – as it suffers from many of the same shortcomings as its predecessor, the Safe Harbour agreement. The latter was invalidated by the court for violating citizens' rights to privacy.


Next step in EU court case on Data Retention will be July 19

Very little has been known or reported from yesterday’s hearing on data retention in the European Court of Justice (ECJ).

The hearing was conducted as a part of British and Swedish cases – arguing that data retention in the respective countries should end, as a consequence of the ECJ ruling in 2014 overthrowing the EU Data Retention Directive.

As data retention is found to be in breach of human rights on an EU level, the same should apply on a national level – the argument goes.

I will try to find out more about yesterday’s hearing. And if you find any links, please post them in the comments to this blog post.

The next step in this affair is said to be the Advocate General's recommendation to the court – to be delivered July 19. (Normally the ECJ will follow this recommendation. But the process is slow, taking several months more.)

/ HAX


European court to consider legality of UK surveillance laws

“Blanket retention of communications data, without suspicion, creates a honeypot of information for criminals and hackers, and this case will have implications for personal privacy and the security of individual personal data.”

The Guardian: European court to consider legality of UK surveillance laws »

Update, also see:
The Guardian: MP calls for limit on UK surveillance powers as EU test case opens »


Fierce legal battle over data retention in Sweden

There is a rather interesting legal battle concerning data retention going on in Sweden. Parties are the ISP Bahnhof and the government oversight authority Post- & Telestyrelsen (PTS).

Two years ago, to the day, the European Court of Justice (ECJ) invalidated the EU data retention directive — stating that it is in violation of human rights, especially the right to privacy.

However, in Sweden data retention continues — under a cross-party political consensus. This is to be tried in the ECJ, but is still an open issue.

Meanwhile, Swedish police (and other authorities) are using data retention to demand information about Internet users and their activities from the ISPs.

Referring to the ECJ verdict, the ISP Bahnhof has refused to share information about minor crimes with the police. After all, data retention was supposed to be about terrorism and other serious criminal activities.

To share information from data retention, Bahnhof requires that the police confirm that it will only be used for investigating serious crimes according to relevant Swedish legal definitions. And Bahnhof demands this information from the police in writing.

The police are not happy about this. Not at all. So they have asked PTS to investigate what can be done. This has led to PTS slamming Bahnhof with a penalty of five million Swedish kronor (some 550.000 euros) if it does not comply.

Now, we shall remember that there still is an open case about Swedish data retention in the ECJ. Also, a Swedish administrative court has asked the ECJ for guidance when it comes to the Bahnhof case.

This has led Bahnhof to ask the Stockholm lower administrative court (Förvaltningsrätten) for inhibition of the PTS decision concerning the fines mentioned above.

Now, this court has granted Bahnhof inhibition — until it has reached a final verdict after careful investigation in the wider context of data retention. However, PTS still can appeal against the inhibition. If so, the case will move up the three-tier Swedish administrative court system.

The bottom line is that a relatively small ISP — backed up by the first ECJ ruling — is prepared to take a fight against the government on data retention. And that the Swedish government is trying to circumvent the ECJ verdict, to maintain mass surveillance.

This is a story to be continued.

/ HAX

Disclaimer: The 5:th of July-foundation, running this blog, is the VPN provider for Bahnhof (and others). Bahnhof's lawyer is also a member of the board of the 5:th of July foundation.


ECJ to rule that providing open internet connection is not a crime?

In a recommendation, the Advocate General to the European Court of Justice (ECJ) states that businesses that provide free, open Wi-Fi to customers should not be responsible for copyright infringements carried out on their network.

But there might still be national restrictions. Glyn Moody at ArsTechnica:

However, the Advocate General ruled that national courts may issue injunctions against the provider of free Wi-Fi services in the case of copyright infringement provided they are “particular, effective, proportionate and dissuasive”; and “that they are aimed at bringing a specific infringement to an end, and do not entail a general obligation to monitor.” Moreover, courts must strike a fair balance between “freedom of expression and information and the freedom to conduct business, as well as the right to the protection of intellectual property.”

The Advocate General goes on to say that there need be no obligation to secure an open network with a password. It might even be possible that a shop or a café providing open Wi-Fi might be covered by the mere conduit principle. (Under the mere conduit principle of the EU E-Commerce Regulations of 2002, network operators have no legal liability for the consequences of traffic delivered via their networks.)

Now it is up to the ECJ to draw its final conclusions. But the court normally rules in line with the Advocate General's recommendations.

This is good news for an open, creative society where people work and use their devices in public establishments. Providing free internet connection should not be a crime.

ArsTechnica: Free Wi-Fi providers not liable for user’s piracy, says top EU court lawyer »

/ HAX
