Generalized data retention not compatible with EU law

In 2006 the EU issued its Data Retention Directive. According to that Directive, EU Member States had to store electronic telecommunications data for at least six months and at most 24 months for investigating, detecting and prosecuting serious crime.

The directive was invalidated by the CJEU with its Digital Rights Ireland judgment in 2014, where it held that the directive provided insufficient safeguards against interferences with the rights to privacy and data protection.

In the aftermath of the above judgment, two references for a preliminary ruling were made to the Court, in relation to the general obligation imposed, in Sweden and in the UK, on providers of electronic communications services to retain their clients’ data.

In its eagerly anticipated Judgment in Joined Cases C-203/15 and C-698/15, the Court ruled that EU law precludes a general and indiscriminate retention of traffic data and location data under the national legislation of the Member States. Targeted retention of data may only be allowed as a preventive measure, said the Court, when this is solely for the purpose of fighting serious crime. Even in this exceptional case, however, such retention should be limited to what is strictly necessary, with respect to the categories of data retained, the means of communication affected, the duration and the persons concerned.

Finally, the Court held that access of national authorities to the retained data must be subject to certain conditions, including prior review by an independent authority and the data being retained within the EU.

In Greece, Law 3917/2011, which transposed the Data Retention Directive, is still in force and obliges providers of electronic communications services to identify and retain the source, destination, date, time, duration, type and equipment of a communication for 12 months. The list of data retained excludes only the content of the communication and may easily reveal a wide range of the citizens’ social interactions, a situation that leaves their data vulnerable to uses potentially detrimental to privacy or, more broadly, fraudulent or even malicious.

The recent CJEU judgment is expected to trigger some activity at both a judicial and legislative national level, leading to the annulment and/or amendment of the relevant law. This amendment, however, should be effected in such a way that public safety is efficiently safeguarded, whereas at the same time no compromises are made to the rights of natural persons with regard to the processing of their personal data.

Law in the Age of Big Data

The following opening paragraphs could be from any contemporary data privacy journal:

“The creation of advanced computer technology has resulted in jurists having to face a range of new and awkward problems. Through interlinking, copying and other automated data processing, modern technology has made it possible to collect, compare, and combine enormous amounts of data about every person. Also data that in and of itself is not secret can, through its currency, quantity and internal correlation, place the individual under the magnifying glass and expose much of his private life …”

What makes the quote unique, though, is that it was written back in 1978, well before the internet started impacting culture and commerce, by Professor Michael Bogdan of Lund University, and published in the Swedish law journal “Svensk Juristtidning”.

The article addresses the world’s first national data privacy law, that of Sweden, elaborating private international law issues stemming from the complexities surrounding dataflykt (‘data drain’ or ‘data flight’).

Since 1978 technological advancements in the field of data processing have been breathtaking, creating challenges that were previously contemplated only by sci-fi novelists. The legal discourse, however, has not managed to keep pace. The relevance of the article referred to above highlights, before anything, that the law will never manage to keep up with the pace of technological developments. How far behind, however, should we accept it to be?

In the end, perhaps, it would be more meaningful if we distinguished between “legal thinking and knowledge” on the one hand, and “legal principles” on the other. Professor Bogdan’s 1978 article shows that academic commentary on the relevant legal issues was already at an advanced stage then. Looking, however, at modern technological applications such as facial recognition or the Internet of Things, it is striking in how much detail the legal issues arising from them are analyzed by academia and the international legal community. Realizing this, we may arguably assume that legal thinking and knowledge, as such, is not necessarily always the tortoise while technology is the hare disappearing over the horizon.

The question here, as posed by Dr Christopher Kuner, Editor-in-Chief of the journal International Data Privacy Law, in an editorial note he published back in 2014, is how we can speed up this conversion of legal thinking and knowledge into appropriate legal principles and rules. This key challenge remains to be addressed.

Privacy Shield: stronger protection for transatlantic data flows

In the aftermath of the CJEU judgment in the Maximillian Schrems v Data Protection Commissioner case (Case C-362/14), and following the invalidation of Safe Harbor in October 2015, the European Commission and the U.S. Government reached a political agreement on a new framework for transatlantic data transfers on Tuesday, 2 February 2016: the EU-U.S. Privacy Shield (IP/16/216).

The adoption procedure for the decision texts was finalized by the European Commission on 12 July 2016, after the relevant opinion of the Article 29 Working Party (national data protection authorities) and the European Parliament resolution of 26 May.

This new framework protects the fundamental rights of anyone in the EU whose personal data is transferred to the United States and offers legal clarity for businesses relying on transatlantic data transfers. The Shield has been drafted, among other things, to further clarify the rules on bulk collection of data, strengthen the Ombudsperson mechanism, and set more explicit obligations on companies as regards limits on retention and onward transfers.

In summary, the EU-U.S. Privacy Shield covers the following points:

  • Strong obligations on companies handling data: under the new arrangement, U.S. companies wishing to abide by the EU-U.S. Privacy Shield will be obliged to register in the Privacy Shield register and re-certify annually. Moreover, their privacy policies will have to be updated, so as to appropriately inform data subjects of their current access rights and the available recourse mechanisms. In particular, for onward transfers to third-party service providers, companies will remain fully liable and will have to ensure that data processed by third parties enjoy the same level of protection when transferred from a Privacy Shield company.
  • Clear safeguards and transparency obligations on U.S. government access: the U.S. has given the EU assurances that access by public authorities for law enforcement and national security purposes is subject to clear limitations, safeguards and oversight mechanisms. Notably, the U.S. Government has ruled out indiscriminate mass surveillance of personal data transferred to the U.S. The U.S. Secretary of State has established a redress possibility in the area of national intelligence for Europeans through an Ombudsperson mechanism within the Department of State. It is notable that on 24 February 2016, the Judicial Redress Act was signed. The Act permits EU data subjects to seek remedies against U.S. agencies in U.S. courts for violations involving their personal data.
  • Effective redress mechanisms: any citizen who considers that their data has been misused shall benefit from several dispute resolution mechanisms. Ideally, the complaint shall be resolved by the company itself, or by an Alternative Dispute Resolution (ADR) process, the costs of which shall not be borne by the individual concerned. Individuals can also go to their national Data Protection Authorities, who will work with the Federal Trade Commission to ensure that complaints by EU citizens are investigated and resolved. If a case is not resolved by any of the other means, as a last resort there will be an arbitration mechanism. Redress possibilities in the area of national security for EU citizens will be handled by an Ombudsperson independent from the U.S. intelligence services.

For further information, you can have a look at the EU-U.S. Privacy Shield fact-sheet, published by the European Commission in July 2016 [link], as well as the European Commission’s practical guide to the EU-U.S. Privacy Shield [link].