23 April 2012

Some Good News On Data Retention

Image: Data Center Tech Museum San Jose California by mrkathika on Flickr

Last week the Court of the European Union issued its long awaited ruling in the case of

Bonnier Audio vs ePhone

that represents a clash between two fundamental rights: on the one hand the right to property, or intellectual property in particular, and on the other the right of individuals to data protection and privacy.

I will not discuss the case at length, but shall invite English readers to take a look at EDRI's analysis and German readers to the brilliant breakdown by Dr Hans Peter Lehofer, who is a member of Austria's Supreme Administrative Court.

There is a certain portion of the Bonnier ruling that caused my heart to beat faster, and you can find it here:

44. With regard to the main proceedings, it must be noted that the legislation at issue pursues an objective different from that pursued by Directive 2006/24. It concerns the communication of data, in civil proceedings, in order to obtain a declaration that there has been an infringement of intellectual property rights.

45. That legislation does not, therefore, fall within the material scope of Directive 2006/24.

What does that mean?

Basically, the Court opines that Directive 2002/58/EC allows the EU member states to introduce national legislation under which communication data may be retained for a certain period of time and disclosed to right holders attempting to enforce their rights.

However, such retention and disclosure must always be subject to a fair balance between the various applicable fundamental rights.

Conversely, the data retained under Directive 2006/24 must not be used for the enforcement of intellectual property rights, full stop.

And that is not all

You may well remember that two years ago the German Constitutional Court smashed the country's data retention legislation. Since then the coalition parties of the German government have been desperately struggling to agree on a new set of rules, which needs to comply with said court's prescription.

From what I read in today's Bild Zeitung, however, that agreement is not likely to be achieved very soon.

This is really good news, is it not?

16 January 2012

Data Retention: EU Commission Should Facilitate Its Revocation

Image: Data Center by s_w_ellis on Flickr

About a week ago a secret communication of the European Union Commission was leaked to Quintessenz – an Austrian data protection and privacy advocacy group.

The communication basically acknowledges that both the data retention directive (DRD) and the corresponding legislation in the EU member states have missed their target.

Best evidence

for the above may easily be obtained from the communication itself; however, you need not read it in its entirety, since I have prepared a short summary for you:

– The EU Commission complains it has received qualitative responses to its questions from only 11 out of 27 member states.
– There is next to no evidence on the value of data retention in terms of public security and criminal justice. It is unclear whether the data requested would be available anyway without the retention obligation, and Data Protection Authorities do not know what is being kept or deleted by operators.
– While law enforcement agencies would love to know who communicated with whom, when, where and how, they can hardly make it happen, since unclear definitions in the DRD have encouraged heterogeneous interpretations of the scope, so the agents find it very difficult to get this data in time for their investigations.
– The so-called ‘serious crimes’ are not defined at EU level, and this leads to even more legal uncertainty – e.g. the entertainment industry calls for the extension of the DRD’s purpose to include copyright infringements, which may include illegal downloads / piracy.
– Telco operators complain about the considerable costs of compliance which are disproportionately high and hence discriminatory for smaller enterprises.

Putting it all together

it turns out that the DRD in its current form is useless because

– it does not solve legal uncertainties, but rather creates new ones;
– its scope is open to debate and the EU Commission is keen to extend it (to cover also intellectual property infringements);
– it has failed in fulfilling its purpose – the harmonisation of the Internal Market.


The only reasonable step

of the EU Commission would be to immediately facilitate the revocation of the DRD!

Your thoughts?

18 April 2011

Another One Bites The Dust: Czech Constitutional Court Shoots Data Retention With Five Bullets

Image: Autumn Morning, photo © 2007 Jeff (via: Wylio)

The judicial development on data retention across Europe will not cease! Following the by now numerous decisions in, to mention just a few, Bulgaria, Romania and Germany, some two weeks ago

The Czech Constitutional Court Abrogated Data Retention

Yes, at a sitting held on 22 March 2011 it delivered a ruling abrogating Section 97, subsections 3 and 4 of the Czech Electronic Communications Act as well as the related Decree 485/2005 on the storage of traffic and location data (altogether “the contested provisions”).

The Court’s ruling is grounded on the following:


1. The language of the contested provisions is too vague and thus fails to fulfill the constitutional requirement of certainty and clarity.
2. The contested provisions have failed to clearly and precisely define the purpose of retaining data and, in particular, to rectify the vague “serious crimes” language of Directive 2006/24/EC. Such failure contradicts the requirements laid down in the Charter of Fundamental Rights and Basic Freedoms (the Charter).
3. The absence of clear legal determinations is likely to result in abuse, i.e. in law enforcement agencies using retained data to combat less serious crimes. This view appears fortified by the following quotation from the 2008 Report on the security situation in the Czech Republic: a total number of 343 799 committed criminal offenses resulted in the total number of 131 560 applications to access retained data.
4. The contested provisions have failed to safeguard the integrity and confidentiality of the retained data and to prevent access by (non-state) third parties. The Court opines that such safeguards are mandated by the enormous development and emergence of new and more complex information technologies and communications systems that inevitably blur the boundaries between private and public space.
5. The contested provisions have failed to provide for the destruction of the data following the retention period. The contested provisions have further failed to provide for responsibilities of and sanctions against the public authorities in case of abuse of the retained data, as well as for the possibility of individuals to seek effective relief against such abuse.

In light of the above, the Court found that the contested provisions violate constitutional limits and are hence unconstitutional. Besides, the Court also expressed some doubts as to the constitutionality of s. 88a of the Czech Criminal Code and urged the lawmakers to either derogate said section or provide for its constitutional compliance.

So, three cheers to the Czechs and their Constitutional Court!

Image: Skydiver with Czech flag, photo © 2010 Ivan Pik (via: Wylio)



The decision of the Czech Constitutional Court is in clear confrontation with the legislature.
It is the first decision in an EU member state to criticise the lack of responsibilities in dealings with retained data and to demand sanctions for negligence and misuse.
Unlike the decisions in Romania and Germany, it does not deliver guidance as to how lawmakers should repair the contested provisions in order to achieve constitutional compliance.
In other words, the courts in Romania and Germany made really precise shots that aimed to merely injure their national data retention provisions. The Czech decision is quite the opposite: the justices shot to kill.
A righteous kill?
I would say yes.

What would you say?