16 January 2012

Data Retention: EU Commission Should Facilitate Its Revocation

[Image: Data Center by s_w_ellis on Flickr]

About a week ago a secret communication of the European Union Commission leaked to Quintessenz, an Austrian data protection and privacy advocacy group.

The communication basically acknowledges that both the data retention directive (DRD) and the corresponding legislation in the EU member states have missed their target.

Best evidence for the above may easily be obtained from the communication itself; however, you need not read it in its entirety, since I have prepared a short summary for you:

- The EU Commission complains that it has received a qualitative response to its questions from only 11 out of 27 member states.
- There is next to no evidence on the value of data retention in terms of public security and criminal justice. It is unclear whether the data requested would be available anyway without the retention obligation, and Data Protection Authorities do not know what is being kept or deleted by operators.
- While law enforcement agencies would love to know who communicated with whom, when, where and how, they can hardly make it happen, since unclear definitions in the DRD have encouraged heterogeneous interpretations of its scope, so the agents find it very difficult to get this data in time for their investigations.
- So-called ‘serious crime’ is not defined at EU level, and this leads to even more legal uncertainty – e.g. the entertainment industry calls for the extension of the DRD’s purpose to include copyright infringements, which may include illegal downloads / piracy.
- Telco operators complain about the considerable costs of compliance, which are disproportionately high and hence discriminatory for smaller enterprises.

Putting it all together, it turns out that the DRD in its current form is useless because

- it does not solve legal uncertainties, but rather creates new ones;
- its scope is open to debate and the EU Commission is keen to extend it (to cover also intellectual property infringements);
- it has failed to fulfil its purpose – the harmonisation of the Internal Market.

Therefore, the only reasonable step of the EU Commission would be to immediately facilitate the revocation of the DRD!

Your thoughts?

4 October 2011

HTC Joins Apple On The Road To Perdition

[Image: 800px-HTC_Evo_4G by Anya1986 on Flickr]

Do you remember Apple’s disrespect of their customers’ privacy?

It now turns out that the Taiwanese HTC ain’t any better in that respect.

Privacy International, whom I follow on Google Reader, issued an article citing a very detailed report prepared by Artem Russakovski, Justin Case and Trevor Eckhart and made available on the Android Police website.

It turns out that HTC, in the absence of any corresponding consent, collect the personal data of their users and share that data with third parties.

Assuming that HTC have deployed the same business model also within the European Union, they have committed some serious breaches under the applicable data protection and privacy legislation here.

First, HTC should be aware of the fact that by processing personal data they act as a data controller and are therefore under the obligation to process the data fairly and lawfully and only for an explicit and legitimate purpose.

Second, when processing personal data, HTC must ensure that the buyers and users of their mobile devices, i.e. the data subjects, have given HTC their explicit consent to that data processing.

Not only do HTC fail to obtain that explicit consent, they moreover mislead their users!

It is said to work like this: HTC ostensibly offer their users the option not to allow the collection and use of personal information, but even if the users select that option, HTC collects and processes the data anyway.

And third, by so doing, HTC have failed to prevent an unwarranted intrusion into the private sphere of their users.

I think that HTC, being a major competitor to Apple, should offer its customers a set of good privacy options, in order to create an advantage over the Cupertino company.

Instead, HTC seems to have opted to spy on and fool their customers thereby joining Apple on the road to perdition…

How about you?

Would you prefer one mobile device manufacturer over another if it offered you better privacy protection?

2 October 2011

Hóigh, Facebook, How Deeply Do You Care About Data Protection?

[Image: Hanover Quay – Dublin Docklands by informatique on Flickr]

Hanover Quay, Dublin 2.

That is the address of Facebook’s European headquarters or, strictly legally, the business seat of Facebook Ireland Limited.

The above is important as, owing to Section 18 of Facebook’s Terms of Use, users who are not residents of the USA and Canada have their agreement to use the social network with Facebook’s Irish subsidiary.

That means that if you have any data protection issues with the Zuckerberg-led company, you are entitled to approach the Irish Data Protection Commissioner.

The Austria-based data protection advocacy group Europe vs Facebook has already started doing this.
They have identified several breaches and have undertaken a number of actions, including complaints and access requests, and have covered each of them on their website.

Obviously enforcing its powers under Section 10 of the Data Protection Act, the Irish Data Protection Commissioner has started an investigation against Facebook.

I am curious what the outcome of the foregoing will be and will therefore monitor it and provide follow-ups.

By the way, how much do you care about what Facebook does with your data, but without your consent?

30 April 2011

Sony PSN: Clueless And Breaching

[Image: Playstation 3: Sixaxis Wireless Controller, photo © 2008 włodi (via Wylio)]

Not that I wish to blog so often on data protection, but some technology giants would not give me a break.

Last week I covered the (very likely) unlawful data collection practice of Apple’s iPhone, and this week I decided to spend some words on the fact that Sony Leaked Personal Data, particularly credit card data, from its PlayStation Network.

Ars Technica have been reporting on it during the last few days; here is the most current update as of the writing of this article.
According to Sony, “It is possible that your profile data, including purchase history and billing address (city, state, zip), and your PlayStation Network/Qriocity password security answers may have been obtained. If you have authorized a sub-account for your dependent, the same data with respect to your dependent may have been obtained.”

What is this if not a Personal Data Breach?

Some of you will remember that at the end of 2009 the European Union updated its Telecoms Package and, as a part thereof, the ePrivacy Directive. The European lawmakers sharpened the provisions on privacy and introduced a data breach notification requirement in order to prevent data loss debacles.

The updated ePrivacy Directive mandates that in the event of a personal data breach, providers of publicly available electronic communications services shall, without undue delay, notify the personal data breach to the competent national authority in charge for data protection.

Now read that sentence again. What providers does it cover? Only telcos, right? One could ask:

Must Sony Notify Its Breach?

Well, seemingly not under the ePrivacy Directive, since Sony would not be classified as a telco.
Funnily, during the negotiations of the Directive’s final version, the European Parliament demanded that all providers of “information society services” be subjected to the data breach notification duty. Sony is, inter alia, a provider of information society services – check the definitions of the E-Commerce Directive (2000/31/EC). Hence, that demand would have covered Sony, had it only been implemented.

However, European Union Directives normally set only minimum requirements and leave member states with a certain amount of leeway as to the exact rules to be transposed.

Member states such as Germany, Spain, Austria and Ireland did not limit the data breach notification duty to telcos only. They rather chose to oblige the so-called data controller under the Data Protection Directive (95/46/EC). Thus, they have achieved a much broader scope of applicability.
The definition of the data controller clearly puts Sony Under An Obligation to notify the respective data protection authorities of the above member states.
To the best of my knowledge, Sony has not yet undertaken such a notification – it has been dangerously clueless for more than two weeks instead.

What Is The Moral Of The Story?

The data breach notification was introduced as a consequence of recent years’ high-profile incidents of personal data loss across Europe.
Who has forgotten the T-Mobile data loss or the UK privacy debacles?
Now, it seems, Sony has joined the data breach elite.
We shall see what the consequences will be.


21 April 2011

Your iPhone Disrespects Your iPrivacy

[Image: iPhone Desktop, photo © 2007 Terry Johnston (via Wylio)]

No doubt the iPhone is a hip communication tool with a great design. Who would not like to have one?

But would you still want to have one if you knew that the iPhone Records Every Step You Make? Would you really? Hmm, well maybe not.

The Guardian has the story, and in the next few lines I will provide you with a very concise

Legal Analysis

What Apple’s iPhone seems to do is usually referred to as location data processing. In the European Union the latter is governed by Directive 2009/136/EC – the so-called ePrivacy Directive.

Apple acts as a provider of a value added service in the sense of the ePrivacy Directive, since it processes location data beyond what is necessary for the transmission of a communication or the billing thereof.
Apple is generally allowed to do so, however only under the condition that it fully informs its users of its data collection and processing Prior To Obtaining Their Consent.

From what I read, no users have been informed and their consent has not yet been obtained.
Besides the fact that it disrespects the privacy of its users, Apple is in a clear breach of applicable data protection and telecommunications legislation.

iPhone or iPrivacy, what will be your choice?

18 April 2011

Another One Bites The Dust: Czech Constitutional Court Shoots Data Retention With Five Bullets

[Image: Autumn Morning, photo © 2007 Jeff (via Wylio)]

The judicial development on data retention across Europe will not cease! Following the by now numerous decisions in, to mention just some, Bulgaria, Romania and Germany, some two weeks ago The Czech Constitutional Court Abrogated Data Retention.

Yes, at a sitting held on 22 March 2011 it delivered a ruling abrogating Section 97, subsections 3 and 4 of the Czech Electronic Communications Act as well as the related Decree 485/2005 on the storage of traffic and location data (altogether “the contested provisions”).

The Court’s ruling was grounded on the following

Reasoning

1. The language of the contested provisions is too vague and thus fails to fulfill the constitutional requirement on certainty and clarity.
2. The contested provisions have failed to clearly and precisely define the purpose to retain data and particularly to rectify the vague serious crimes language of Directive 2006/24/EC. Such failure contradicts the requirements laid down in the Charter of Fundamental Rights and Basic Freedoms (the Charter).
3. The absence of clear legal determinations is likely to result in abuse, i.e. in law enforcement agencies using retained data to combat less serious crimes. The latter view appears fortified by the following quotation from the 2008 Report on the security situation in the Czech Republic: a total number of 343 799 committed criminal offenses resulted in a total number of 131 560 applications to access retained data.
4. The contested provisions have failed to safeguard the integrity and confidentiality of the retained data and to prevent access through (non-state) third parties. The Court opines that such safeguards are mandated by the enormous development and emergence of new and more complex information technologies and communications systems that inevitably blur the boundaries between private and public space.
5. The contested provisions have failed to provide for the destruction of the data following the retention period. The contested provisions have further failed to provide for responsibilities of and sanctions against the public authorities in case of abuse of the retained data, as well as for the possibility of individuals to seek effective relief against such abuse.

In light of the above, the Court found that the contested provisions violate constitutional limits and are hence unconstitutional. Besides, the Court also expressed some doubts as to the constitutionality of s. 88a of the Czech Criminal Code and urged the lawmakers to either repeal said section or bring it into constitutional compliance.

So, three cheers to the Czechs and their Constitutional Court!

[Image: Skydiver with Czech flag, photo © 2010 Ivan Pik (via Wylio)]


Conclusion

The decision of the Czech Constitutional Court puts it in clear confrontation with the legislature.
It is the first decision in an EU member state to criticise the lack of responsibilities in dealings with retained data and to demand sanctions for negligence and misuse.
Unlike the decisions in Romania and Germany, it does not deliver guidance as to how lawmakers should repair the contested provisions in order to achieve constitutional compliance.
In other words, the courts in Romania and Germany made really precise shots that aimed to merely injure their national data retention provisions. The Czech decision is quite the opposite: the justices shot to kill.
A righteous kill?
I would say yes.

What would you say?

1 April 2011

Austria’s Data Protection Council On Data Retention – A Déjà Vu

Who remembers the cat scene in The Matrix?
The scene depicted Neo, Morpheus & the other good guys convinced that they had already witnessed or experienced a certain situation. What do we usually call this experience or state of mind?
Déjà vu, right?
Unlike most cases of déjà vu, where no determination can be made as to whether the circumstances of the previous encounter were imagined or real, in that particular scene from The Matrix the cat indeed passed the door twice.
The good guys instinctively felt that something was wrong. And their feelings did not betray them: something was wrong indeed!

Data retention is The Matrix in real life

In a previous blog post I already compared the laws on data retention with the bad guys’ attempt to maintain total control in The Matrix.
When I recently read that the Austrian data protection council had again disfavoured the then current bill on data retention in a critical statement, it felt like a déjà vu to me.

What does the council criticise?

1. The council has some very serious doubts as to the data retention bill’s compatibility with Art 8 of both the European Convention on Human Rights and the Charter of Fundamental Rights of the European Union.

2. While the council acknowledges that law enforcement authorities should be equipped with sufficient powers in order to fight organized crime and that access to communication data might be helpful in such a context, it opines that such powers must be applied only in concrete cases and be subject to specific controls.

[Image: Data storm, photo © 2006 Dave Herholz (via Wylio)]

3. The council further urges the European Commission to finally conduct the evaluation required by Article 14 of Directive 2006/24/EC.

4. In the event that the Commission’s evaluation results in a review of the data retention Directive which recommends the implementation of less onerous measures, the council suggests that the legislature opt for the so-called quick-freeze procedure. The latter recently gained a measure of popularity because of its submission to public debate in Germany.

5. Last but not least and given the “informative value” of retained data, the council calls upon the legislature to maintain the highest possible data security standards when transposing the Directive.

Will this statement halt the transposition of data retention in Austria?

Unfortunately, it will not, because the data protection council has advisory and hence limited powers.
Its statement is nevertheless significant – it once again makes it very clear that data retention is at odds with fundamental human rights, and that the politicians are very well aware of this fact.

What can a single individual do?

First of all inform yourself and inform others who are not yet familiar with data retention. And since data retention is considered avoidable – learn how to either avoid it or make it appear obsolete.

Thoughts?

Did I miss an important point? What else would you suggest?


25 March 2011

Europe’s Last Stand Against Data Retention?

[Image: The Matrix has you..., photo © 2008 Roman Pinzon-Soto (via Wylio)]

Do you remember Morpheus saying “Wake up Neo… The Matrix has you!”?
Do you remember Agent Smith implanting an electronic tracking bug in Neo’s body?
I bet you do, because the image transported by this film does not appear that fictional anymore.
It may be just an arm’s length away.
Yes, I am talking about the retention of your communication traffic data. By “you” I mean all of you who live under the jurisdiction of a member state of the European Union. Any member state? Hmm, well, possibly not, but let me first explain

What is data retention and its purpose?

Data retention in the sense of Directive 2006/24/EC provides for the storage of data arising out of telephone calls made and received, emails sent and received and websites visited. Since location data counts as traffic data, it is collected too.

The introduction of data retention has always been justified with combating terrorism and serious crimes, but it aims to fight file-sharing users instead.

Owing to its controversy, legislation produced by transposition of the data retention Directive has been contested in some EU member states. While Ireland challenged the Directive’s compatibility with formalities under the then current EC Treaty, the constitutional courts of Romania and Germany were asked to deal with data retention’s compatibility with fundamental human rights. As a consequence, the respective provisions got abrogated, but not annulled.

Data retention gains territory

Until recently, Austria managed to postpone the transposition of Directive 2006/24/EC into its national law. Well, the ostensible resistance was grounded on disagreements between the two coalition-forming parties rather than on human rights deliberations.

[Image: Doris Bures, Austria’s Minister of Transport, Innovation and Technology, announces the upcoming enactment of data retention. Courtesy of APA (Archiv/Fohringer)]

However, some weeks ago the farce came to an end and a bill amending the telecommunications act was nodded through the council of ministers prior to its submittal to the parliament. Reportedly, the bill is being heavily discussed among the members of the parliament’s justice committee. The result will be, despite all assurances, the total control of communication.

Now that Austria will no longer be a safe harbour in terms of privacy, are there any other member states that still have not implemented the data retention directive?
Let us have a look at the map of Europe…
Is someone missing?
Yes, there is!

The land of milk and honey

[Image: Flag countryside, photo © 2009 Håkan Dahlström (via Wylio)]

Can you imagine: the Swedes, usually known for their discipline and law-abiding behaviour, are now obstructing the implementation of Directive 2006/24/EC.
It seems that an arrangement among the Left Party, the Green Party and the Swedish Democrats managed to use a procedural loophole in order to delay the transposition for at least a year.

What does it mean?

As I previously mentioned, the data retention directive has been referred for judicial review a few times already. These reviews’ action items towards the legislation always read the same: improve!
In this respect, it is likely that the Court of Justice of the European Union will deliver a judgment dealing with data retention’s compatibility with fundamental human rights under the acquis.

The good news at the end

I still have hope that this madness will come to an end. Not only because hope springs eternal, but because anyone can make an effort and engage in lawfully fighting data retention.
At least anyone who cares about fundamental human rights.

And if Sweden should fail, then it could be us as individuals who form Europe’s last stand against data retention!


11 March 2011

Digital Oblivion: To Be Or Not To Be?

[Image: 1 if 3 Zoom blur experiment - Wood, photo © 2008 Mike Baird (via Wylio)]

Have you ever tried to search the web for information relating to yourself?
If yes, how accurate were the results that showed up, say, in Google?
And what would you do if you found information or data that were not really up-to-date, or were inaccurate or even libelous?

Well, you might rely on the law of data protection and undertake certain actions. And if you are domiciled in Spain, which is known for its higher standards on data protection, your actions are likely to be more fruitful than elsewhere.
This is at least what the story of the Spanish doctor Guidotti Russo evidences.

Imagine

that a 20-year-old newspaper article covering some accusations against you is still accessible via Google’s search engine. Imagine further that, in the meantime, you have been cleared of all those accusations.
What would you do? Or put another way, what are the remedies you may rely upon?

The law on data protection in the European Union is approximated by Directive 95/46/EC. Accordingly, its Article 6 provides that “… every reasonable step must be taken to ensure that data which are inaccurate or incomplete… are erased or rectified.”
This is what Dr Russo appears to have requested before the Agencia Española de Protección de Datos, namely that Google be ordered to cease providing access to that newspaper article.
Not surprisingly, Google, asserting the right to information access, did not comply and the issue landed before an ordinary court in Madrid.
From what I read, this court has been considering asking the Court of Justice of the European Union for a preliminary ruling.

Other commentators on the Web have already made a link between this case and “The right to be forgotten”, which the European Commission recently presented in its communication COM(2010)609. That oddly named right seems to be a part of the Commission’s plan to revise the data protection rules in order to strengthen individuals’ rights.
The Commission defines it as “the right of individuals to have their data no longer processed and deleted when they are no longer needed for legitimate purposes. This is the case, for example, when processing is based on the person’s consent and when he or she withdraws consent or when the storage period has expired;”

Hmm, I do not see any significant difference to the language of the Data Protection Directive I quoted above. Do you?
So, I guess clarifications will follow.
Anyway, my personal opinion is that a right to be forgotten should result in a mechanism of data self-destruction or data fading away which individuals should be able to configure as they like. Equally important, such right should be incapable of being contractually waived. 

Once introduced, however, a right to be forgotten will very likely collide with another fundamental right -

The right to access information

It is obvious – in today’s information society the right to access information has become more important than ever. Data or information that is subject to self-destruction will, however, seriously challenge that right’s fundamental character.
At a first glance, this argument seems to hold water.
But hey! What data should the right to be forgotten concern?
Is it not about personal data?
And since it is, why should someone else’s right to access my personal data trump my right to determine whether that someone should access it in the first place?

Invitation to discuss

For me, the existence of a digital oblivion right evokes questions upon questions. It appears to be a really promising discussion topic, does it not?
Hence, do not hesitate to tell me what you think about it!


27 January 2011

All Quiet On The IP Enforcement Front?

[Image: Intellectual Property Zone, photo © 2008 Robert Nunnally (via Wylio)]

As recently as 22 December last year the European Commission issued its long awaited report on the application of Directive 2004/48/EC, which deals with the enforcement of intellectual property rights (“IPRED”). The report represents a very interesting read and is accompanied by another, no less interesting, paper – the Commission staff working document. I strongly recommend reading those two records or, alternatively, the analysis thereof outlined in this very blog post.

If you are still reading this article, I assume you are definitely aware of the IPRED and I will skip its introduction. And since the above documents almost sound a charge against the Internet and its users, I will limit my explanation only to the Internet relevant issues.

Not surprisingly, the Commission stresses the difficulties rightholders have been experiencing while pursuing IPR infringers on the Internet. Accordingly, those difficulties are attributable to “the relative anonymity of the Internet” as well as to the fact that the IPRED “does not sufficiently address this constantly growing, serious problem”. The latter appears somewhat inconsistent, since the IPRED equipped rightholders with a set of strong weapons – the so-called right of information and the specific injunctive relief. The staff working document refers to the right of information as “an important tool for the rightholders to pursue … IPR infringements committed via the Internet such as illegal file-sharing of protected works through peer-to-peer protocol.” Further, and with respect to the injunctive relief, the same document reads: “Internet service providers, being the intermediaries between all the users of the Internet, on the one hand, and the rightholders, on the other, are often placed in a compromising position due to the infringing acts of their customers….It results from Member States’ reports that injunctions against intermediaries are used relatively often as the infringers are often unknown.”

No doubt, these measures were clearly adapted to bring “intermediaries” (mainly Internet service providers, ISP) to their knees so that they eventually provide the rightholders with the personal data of infringers on the Internet. So where are the difficulties?

Hmm, let us think about this one: what used to be the shield that (nearly always) managed to block rightholders’ weapons’ attacks?

Bingo, it is the law on privacy and data protection!

Indeed, the Commission notices that in some member states, pointing out Spain and Austria, ISP are practically not in a position to disclose the relevant information in infringement proceedings. The reason therefor would often lie in the fact that ISP are under data protection obligations resulting in the erasure of the data they might have previously gathered.

This is the point where the Commission touches the sore spot of IP enforcement on the Internet – the fairly notorious conflict between the fundamental right to property and that to privacy. The Promusicae landmark decision is quoted as Community law’s requirement to fairly balance those two rights. However, this is followed by a caveat stating that “the European legal framework on the protection of personal data/privacy on the one hand and enforcement of intellectual property rights on the other is neutral, in that there is no rule that would imply that the right to privacy should generally take precedence over the right to property or vice versa”. I read this as the Commission’s reluctance to enter the territory of the Court of Justice of the European Union. What do you think?

Interestingly, the Commission is very careful and even anxious about data retention. Nevertheless, their statement evidences that the purpose of data retention has never been directed at perpetrators of “serious crimes”, but rather at file-sharers.

A word should also be dedicated to the current absence of harmonized protection through criminal law. The Commission submits that almost all member states provide for criminal measures to protect IPR, but the national definitions and levels of penalties vary. That is, in the view of the EC, a “serious obstacle and may hinder the cross-border cooperation between the law enforcement agencies.”

All in all: the report has a lot of bad news to tell. What could its impact on Internet users be? Well, I guess that the Commission will initiate new legislation to deal with the points and outcomes made in the report. Consequently, we should prepare to face more stringent civil sanctions, data protection undermining information requests and harmonized criminal measures.

Will they be capable of fighting “Internet piracy”? I doubt it, unless the entertainment industry comes up with suitable lawful offerings. It is odd, but even the report admits that “file-sharing of copyright-protected content has become ubiquitous, partly because the development of legal offers of digital content has not been able to keep up with demand, especially on a cross-border basis, and has led many law-abiding citizens to commit massive infringements of copyright and related rights in the form of illegal up-loading and disseminating protected content.”

In the end, is there anything that Internet users can do in order to prevent the impact of the report? Yes, there is! You can all participate in the consultation the Commission set up on the report.

Raise your voice, because it is not all quiet on the IP enforcement front!
