21 January 2011

Of Sushi and Data Protection

Just ordered a large set of sake sushi on the phone.


Credit: Ricardo Bernardo

Again, I had had a long day and needed some refreshment. I rang up, could order pretty fast and felt well-served.

Besides one thing.

They knew who I was and where I lived. I was not even supposed to tell them my name… Strange, I thought, and started speculating how those guys could have obtained my personal data. Could that be, since I have ordered there already? However, what was even more worrying: what were/are they going to do with that?

Why am I concerned? Because I do not like to represent a record in a database whose existence I could not even assume. This is the reason why data controllers have an explicit obligation to obtain data subjects’ (written) consent prior to processing their data. Otherwise such processing is not lawful according to our fancy legislation on data protection.

To the best of my knowledge, I have never allowed the sushi restaurant to process my data. In order to be absolutely sincere, I checked their website while composing this blog post. Their general terms and conditions are just as silent as the fish they make sushi of.

It is funny, but data protection provisions were once introduced to oppose the dealings of state agents. Nowadays data traders are their primary objective and that is not surprising, since data are considered tradable commodities. Some of them are – depending on their exposure to the public – deemed really precious.

So, I will let those sushi makers know of their failure to comply with stringent law. I thought of writing them an email so I will not forget to tell them how good their sushi was.


11 January 2011

Hunted on Facebook, drafted by the Israeli Defense Forces

Soldiers and the priest_1937c. Photo © 2007 James Emery (via: Wylio)

I am always curious to read news and articles related to social media networks and privacy. The latest one I became aware of deals with Israeli women’s attempts to escape their duty to join the military service alleging some religious reasons.

However, the Israeli Defence Forces (IDF) did not accept those allegations in good faith alone. Moreover, the IDF officers searched for applicants’ profiles on Facebook that possibly showed them being not that devoted to God. Reportedly, they were successful.

For me this incident is important for two reasons. First, it represents just another alert to all users of social media networks that ignore the consequences of sharing personal data with the world at large. Second, it comes at the same time as the EU Commission’s decision to declare Israel “an adequate” country in terms of data protection. Not that such an incident could not have happened under the jurisdiction of an EU member state, but the coincidence is somewhat symptomatic.

Now, what is the moral of the story? Once again, beware of what you share with others and neither underestimate nor neglect the consequences. Last but not least, do not blindly trust the Commission’s choices as to a state of data protection adequacy.

 


26 May 2010

Will Ireland eventually overthrow data retention?

The Four Courts Dublin. Photo © 2008 William Murphy (via: Wylio)

There has not been much discussion in the aftermath of the German Constitutional Court’s ruling on data retention and the matter somehow started to collect legal dust. The recent Irish involvement, however, could cause the necessary aeration and preserve the issue from getting buried in oblivion.

Digital Rights Ireland, a non-governmental organization formed as a limited liability company under the Irish Companies Act, brought proceedings before the Irish High Court against the Minister for Communications, Marine and Natural Resources, the Minister for Justice, Equality and Law Reform, the Commissioner of An Garda Síochána, Ireland and the Attorney General because of the latter authorities’ breaches of rights provided for by Irish statutes and the Constitution as well as by European legislation. The claimant’s proceedings were triggered by the Minister for Public Enterprise’s direction, issued in 2002, to the telecommunications providers in Ireland to retain data generated by customers of the telecommunications providers, purportedly in compliance with Section 110 (1) of the Postal and Telecommunications Services Act 1983. This direction was addressed by the Data Protection Commissioner who then threatened said Minister with the issuance of judicial review proceedings to challenge the validity of any and all such directions.

The response of the Irish Government was to pass the Criminal Justice (Terrorist Offences) Act 2005, and specifically the incorporation therein of the provisions of Part 7 thereof. Under that part of the Act, the Garda Commissioner may request a service provider to retain, for a period of 3 years, traffic data or location data or both.

This is also what the claimant is combatting. They have asked the High Court to refer the matter to the European Court of Justice (ECJ). The questions the ECJ needs to deal with all relate to the validity of Directive 24/2006, in particular with rights under the EU and EC Treaties, the Charter of Fundamental Rights (CFR) and the European Convention on Human Rights (ECHR). The High Court, in its ruling, granted this motion of the claimant.

It is somewhat surprising that another “Irish issue” will land before the ECJ in less than a year following the ECJ’s ruling against Ireland in Case C-301/06. In the latter, the ECJ found that Art 95 of the EC Treaty represented a sound foundation for the enactment of Directive 24/2006 since it was apparent that differences between national rules adopted for the retention of data were liable to have a foreseeable direct impact on the functioning of the internal market which would become more serious over time.

However, following the debates in Bulgaria, Romania and Germany it was high time to have the ECJ rule on data retention’s – this time hopefully – not only procedural, but also material aspects. In a somewhat best case for the preservation of all our digital rights the ECJ might find against the Directive.

Hope, as is well known, springs eternal – so let us hope for the best.

 


3 March 2010

German Constitutional Court abrogates provisions on data retention

Bundesverfassungsgericht Karlsruhe. Photo © 2006 Johannes Bader (via: Wylio)

Hear ye, hear ye, you all supporters of the fundamental right of privacy – 7 out of 8 German Constitutional Justices voted to declare the data retention provisions as applied in the Telecommunications Act and in the Code on Criminal Procedure null and void!

Enough of enthusiasm, however, we can go on observing the facts some of which may prove unlikely sobering when compared to yesterday’s news titles that went around the world.

You might remember that some months ago nearly 35 000 German citizens filed a mass-complaint in which they asked the Court to abrogate the provisions on data retention.

In reviewing the complaint, the Court makes an initial statement that the Federal German Constitution would not by itself forbid the retention of telecommunications traffic data for a certain time period. However, the data retention as transposed in German legislation interfered with the fundamental right of privacy in a manner with which the legal system was previously not familiar. Hence, to avoid such interference and, similar to the Romanian Constitutional Court, the German authority uses its ruling to create a recipe to be followed by the lawmakers in future. The main point made by the Court in its ruling is the instruction to lawmakers to observe the so-called principle of proportionality (Verhältnismäßigkeitsgrundsatz).

With reference to the above principle, the Court distills 5 requirements that specifically need to be observed when drafting the prospective laws. In particular, the Court demands

- the adoption of specific provisions relating to enhanced data security and safety which the Court views mandated by the huge amounts of data to be retained;

- to safeguard that the retained data’s direct processing shall be limited to prevent only concrete danger situations arising out of serious crimes;

- to ensure the transparency of data transfer by notifying the data subject in advance, and – where not appropriate – to subject the transfer to a respective court order and notify the data subject afterwards;

- to provide for the data subject’s legal protection amounting to, inter alia, data subject’s right to challenge the processing and transfer of their data before a court of competent jurisdiction, and – in case of breach of the above protection – to penalise such breach;

- to guarantee that indirect data processing for the purposes of IP address detection and identification, as may be the result of an enforced right of information, is not undertaken to prevent mere misdemeanours. The Court points out the importance of the latter as it states that such indirect data processing need not be subjected to a court order.

Putting it all together, this long-awaited ruling hardly hit the jackpot at stake: is the fundamental right of privacy the long expected silver bullet which is supposed to kill the vampire attempting to quench its thirst by accessing Internet users’ data? I personally read the ruling as a clear “NO”.

The Court does not really question the existence of data retention provisions. Moreover, it determines the borders of their constitutionally acceptable framing. See whether and to what extent the ruling will influence the EU member states that are still failing to transpose Directive 24/2006.

 


10 February 2010

Do not post on Facebook while wanted

Facebook for Dummies, anyone? Photo © 2008 David Fulmer (via: Wylio)

 

Imagine you are wanted by law enforcement officers who, upon discovery, would imprison you without any delay. What would you do? I bet you would hide and keep beneath the surface. Moreover, you would very likely think twice before using social media, whereby proudly communicating your wanted poster to the public. No, you would not? Your case would then pretty much equate to Christopher Crego’s current situation.

It is somehow surprising that some members of society do not recognize social media as well as other web 2.0 applications to be “public”. This appears even weirder as the desire to “communicate with the public” is considered the main drive behind the use of such platforms. On the internet, hence, public is where others could look into your content, take notice of what you do or otherwise interact with you. Everything leaving your privacy almost automatically enters the public realm.

In this regard social media has the potential of great convenience – communication with others is just a click away. Equally important, however, social media has also proved problematic – think of people that got fired for being on Facebook while actually on sick leave or of recently reported recruiters’ practices.

So, be careful because the social media has you!

23 January 2010

Data retention aims to fight file sharing users rather than terrorists

Well, some have always suspected what Austria’s Die Presse has recently reported thereby quoting an official.

The gentleman in question is Christian Pilnacek who is the Head of the Criminal Procedure Department within the Austrian Ministry of Justice. When asked by a journalist, he confirmed the information, according to which the data retention provisions’ applicability should not be limited to only so called “serious crimes”. The latter is, by the way, what the Directive 2006/24 requires. It has been said that this idea has originated in the Ministry of Justice and has found support in the Ministry of Interior. Moreover, in the officials’ view retained data should be accessible in the prosecution of minor crimes and/or in dealing with civil wrongs and hence would perfectly fit in the scope of the provisions conveyed by the Enforcement Directive.

Now the show is over. Seemingly, the entertainment business’ lobbyists have done a good job for their clients. See whether the idea shall prove capable of gaining a legislative majority.

18 January 2010

Austria’s data protection council disfavours new bill on data retention

The Data Protection Council is an advisory body within the Austrian Federal Chancellery’s administration. In a recent session the Council debated on the newly presented bill on data retention and passed an opinion to the government. The authority’s chair publicly presented the opinion’s upshot: the bill conflicts with Articles 8 and 9 of the ECHR, hence the Council moves for a balance between the privacy right of the persons concerned and the public interest to maintain security and order.

The Council further calls for a restrictive definition of a “serious crime” in order to achieve the data retention directive’s goal to fight organised crime and terrorism.

The Council seems to carefully observe the international, in particular the European, development on data retention. This is mirrored in Council’s recommendation to await the inauguration of the new European Commission and the enactment of the Stockholm Programme, which, given a sufficient consideration to certain privacy aspects, may lead to the data retention directive’s annulment.

I personally share that view and strongly hope for the Council to be proved correct.

16 December 2009

Would you still use Yahoo!, if you knew they sold your personal data at a fixed price?

Have you got an e-mail account on Yahoo! or do you use any of the services, such as messenger, groups or Flickr, provided by the Sunnyvale company? You were certainly aware of Yahoo!’s privacy policy, weren’t you? What you most probably did not know is the fact that Yahoo! surveil your personal data and then offer them to law enforcement at a fixed price. Not bad, huh?

Cryptome, a website hosted in the US that functions as a repository for information about freedom of speech, cryptography, spying, and surveillance, got the ball rolling since it has obtained and made Yahoo!’s Compliance Guide for Law Enforcement available on its website. Seemingly, Yahoo! were not amused and served Cryptome with a takedown notice based on the US Digital Millennium Copyright Act (DMCA). Stretching copyright law for the purposes of preventing access to information is an interesting, albeit not novel, strategy. By the way, this is the reason why the DMCA and, particularly, its Section 512 has come under criticism – it causes a so-called chilling effect on free speech.

So far Cryptome has not complied with Yahoo!’s demand and is still hosting the document in suit. It starts to get exciting!

14 December 2009

Will the data retention directive be fully implemented across Europe: a reprise.

About a year ago I composed one of my first blog postings and asked “Will the data retention directive be fully implemented across Europe?”. The reason behind it was the then pending decision of the ECJ, caused by Ireland’s concern about the legitimacy of the data retention directive’s grounds, and the wrong way the directive was initially implemented in Bulgaria.

Recently, I covered the startling decision of the Romanian Constitutional Court that rejected the data retention implementing act due to inconsistency with constitutionally guaranteed and fundamental human rights, such as the right to privacy. Seemingly, this decision will not remain a single one.

In a hearing, appointed for tomorrow, the German Constitutional Court is expected to deal with the mass-complaint filed by nearly 35 000 citizens in which they ask the Court to abrogate the provisions on data retention. I believe the whole data retention concept would then fall apart, if the German Constitutional Court decided in favour of the complainants.

Press releases in Austria which, in my view, attempt to encourage the government in its Fabian position towards data retention, even call for a final ruling by the ECJ on the overall legitimacy of the data retention concept. In such a case, the ECJ will have to scrutinise whether the data retention directive is reconcilable with the Charter of Fundamental Rights of the European Union that, together with the Treaty of Lisbon, is in force as of 1 December 2009.

27 November 2009

Romanian Constitutional Court abrogates data retention act

The framers of the Data Retention Directive must have underestimated several factors in the course of its subsequent implementation. First Ireland brought a challenge before the ECJ, then Austria still appears totally reluctant to implement it. However, the big bang currently belongs, unrivalled, to Romania! This country’s Constitutional Court is the first to deliver a ruling that declares an act implementing the directive into a member state’s law unconstitutional.

Prof. Ioan Vida, Romanian Constitutional Court. Courtesy to BOGDAN MARAN / MEDIAFAX FOTO.

Now, after Dracula and Johnny Weissmuller, Romania has, in the person of Prof. Ioan Vida being the President of the Romanian Constitutional Court, good chances to be awarded a third VIP contribution to the world!

Basically, the Court pointed out that the law on data retention interfered with the following articles of the Romanian Constitution: Art 25 Freedom of Movement, Art 26 Intimate, Family and Private Life, Art 28 Secrecy of Correspondence and Art 30 Freedom of Expression. In addition, the Court examined Art 12 of the Universal Declaration of Human Rights (UDHR), Art 17 of the International Covenant on Civil and Political Rights (ICCPR) and Art 8 of the European Convention on Human Rights (ECHR) and found them affected too.

The Court recognized in its reasoning that neither the Romanian Constitution nor the ECHR prohibited state authorities from interfering with the rights mentioned above on a general scale. However, the Court, relying upon the judicature of the European Court of Human Rights (ECtHR) in Klass vs Germany and Popescu vs Romania, opined that such interference was permissible only within a narrow path, fenced by sufficient safeguards to protect a person against arbitrary acts of state authorities.

The Court further opined that the legislator had created uncertainty because it used terms in the act that were either not or only ambiguously defined. Such uncertainty was contrary to the drafting techniques which the legislator was required to employ in the course of legislation.

Finally, the Court critically addressed two more issues in the act on data retention. The first criticism dealt with the breadth of applicability of the act’s provisions – they were not limited only to wrongdoers, but also covered innocent bystanders. The second regarded the lengthy period of time for which the data were to be retained.

All of the above, put together, fortified the majority of the Court’s members in voting for the abrogation of the act.

Now, before the opponents and fighters of data retention fall into a state of euphoria, one has to consider that the Court did not reject the act per se. Quite the contrary! To me, this ruling reads as a cooking recipe directed to the legislator. The recipe contains an enabling set of hints and aims to support the legislator to successfully implement that act later on.

 
