23 April 2012

Some Good News On Data Retention

Image: Data Center Tech Museum San Jose California by mrkathika on Flickr
Data Center Tech Museum San Jose California

Last week the Court of the European Union issued its long awaited ruling in the case of

Bonnier Audio vs ePhone

that represents a clash between two fundamental rights, the one being that on property, or intellectual property in particular and the other one being the right to data protection and privacy of individuals.

I will not discuss the case at length, but shall invite English readers to take a look at EDRI´s analysis and German readers to the brilliant breakdown of Dr Hans Peter Lehofer, who is a member of Austria´s Supreme Administrative Court.

There is a certain portion contained in the Bonnier ruling that caused my heart to beat faster and you can find it here

44. With regard to the main proceedings, it must be noted that the legislation at issue pursues an objective different from that pursued by Directive 2006/24. It concerns the communication of data, in civil proceedings, in order to obtain a declaration that there has been an infringement of intellectual property rights.

45. That legislation does not, therefore, fall within the material scope of Directive 2006/24.

What does that mean?

Basically, the Court opines that Directive 2002/58/EC allows the EU member states to introduce a national legislation, according to which communication data may be retained for a certain period of time and be disclosed to right holders attempting to enforce their rights.

However, such retention and disclosure needs always be subjected to a fair balance between the various applicable fundamental rights.

Conversely, the data retained under the Directive 2006/24 must not be used for the enforcement of intellectual property rights, full stop.

And that is not all

You may well remember that two years ago the German Constitutional Court smashed the country´s data retention legislation. Since then the coalition parties of the German government have been desperately struggling to agree to a new set of rules, which needs to comply with said court´s prescription.

From what I read in today´s Bild Zeitung, however, that agreement is not likely to be achieved very soon.

These are really good news, are they not?

18 April 2011

Another One Bites The Dust: Czech Constitutional Court Shoots Data Retention With Five Bullets

Autumn Morningphoto © 2007 Jeff | more info (via: Wylio)

The judicial development on data retention across Europe will not cease! Following the meanwhile numerous decisions in, just to mention some, Bulgaria, Romania and Germany, some two weeks ago

The Czech Constitutional Court Abrogated Data Retention

Yes, on a sitting held on 22 March 2011 it delivered a ruling abrogating Section 97, subsections 3 and 4 of the Czech Electronic Communications Act as well as the related Decree 485/2005 on the storage of traffic and location (altogether “the contested provisions”).

Court’s ruling grounded on the following


1. The language of the contested provisions is too vague and thus fails to fulfill the constitutional requirement on certainty and clarity.
2. The contested provisions have failed to clearly and precisely define the purpose to retain data and particularly to rectify the vague serious crimes language of Directive 2006/24/EC. Such failure contradicts the requirements laid down in the Charter of Fundamental Rights and Basic Freedoms (the Charter).
3. The absence of clear legal determinations is likely to result in an abuse, i.e. in that the law enforcement agencies use retained data to combat less serious crimes. The latter view appears fortified by the following quotation from the 2008 Report on the security situation in the Czech Republic: a total number of 343 799 comitted criminal offenses resulted in the total number of 131 560 applications to access retained data.
4. The contested provisions have failed to safeguard the integrity and confidentiality of the retained data and to prevent access through (non-state) third parties. The Court opines that such safeguards are mandated by the enormous development and emergence of new and more complex information technologies and communications systems that inevitably blur the boundaries between private and public space.
5. The contested provisions have failed to provide for the destruction of the data following the retention period. The contested provisions have further failed to provide for responsibilities of and sanctions against the public authorities in case of abuse of the retained data as well as for the possibility of individuals to seek for effective relief against such abuse.

In light of the above, the Court found the contested provisions violating constitutional limits and hence unconstitutional. Besides, the Court expressed also some doubts as to the constitutionality of s. 88a of the Czech Criminal Code and urged the lawmakers to either derogate said section or provide for its constitutional compliance.

So, three cheers to the Czechs and their Constitutional Court!

Skydiver with Czech flag

photo © 2010 Ivan Pik | more info (via: Wylio)



The decision of the Czech Constitutional Court goes in a clear confrontation with the legislature.
It is the first decision in a EU member state to criticise the lack of responsibilities in dealings with retained data and to demand sanctions for negligence and misuse.
Unlike the decisions in Romania and Germany, it does not deliver  guidance as to how lawmakers should repair the contested provisions in order to achieve constitutional compliance.
In other words, the courts in Romania and Germany made really precise shots that aimed to merely injure their national data retention provisions. The Czech decision is quite the opposite: the justices shot to kill.
A righteous kill?
I would say yes.

What would you say?

26 May 2010

Will Ireland eventually overthrow data retention?

The Four Courts Dublinphoto © 2008 William Murphy | more info (via: Wylio)

There has not been much discussion in the aftermath of the German Constitutional Court’s ruling on data retention and the matter somehow started to collect legal dust. The recent Irish involvement, however, could cause the necessary aeration and preserve the issue from getting buried in oblivion.

Digital Rights Ireland, a non-governmental organization formed as a limited liability company under the Irish Companies Act, brought proceedings before the Irish High Court against the Minister for Communication, Marine and Natural Resource, the Minister for Justice, Equality and Law Reform, the Commissioner of An Garda Siochana, Ireland and the Attorney General because of latter authorities’ breaches against rights provided for by Irish statutes and Constitution as well as by European legislation. Claimant’s proceedings were triggered by Minister for Public Enterprise’s direction, issued in 2002, to the telecommunications providers in Ireland to retain data generated by customers of the telecommunications providers, purportedly in compliance with Section 110 (1) of the Postal and Telecommunications Services Act 1983. This direction was addressed by the Data Protection Commissioner who then threatened said Minister with the issuance of judicial review proceedings to challenge the validity of any and all such directions.

The response of the Irish Government was to pass the Criminal Justice (Terrorist Offences) Act 2005, and specifically the incorporation therein of the provisions of Part 7 thereof. Under that part of the Act, the Garda Commissioner may request a service provider to retain, for a period of 3 years, traffic data or location data or both.

This is also what claimant is combatting. They have asked the High Court to refer the matter to the European Court of Justice (ECJ). The questions the ECJ needs to deal with all relate to the validity of Directive 24/2006, in particular with rights under the EU and EC Treaties, the Charter of Fundamental Rights (CFR) and the European Convention on Human Rights (ECHR). The High Court, in its ruling, granted this motion of claimant.

It is somewhat surprising that another “Irish issue” will land before the ECJ in less than a year following ECJ’s ruling agaisnt Ireland in the Case C·301/06. In the latter, the ECJ found that Art 95 of the EC Treaty represented a sound fundament for the enactment of the Directive 24/2006 since it was apparent that differences between national rules adopted for the retention of data were liable to have a foreseeable direct impact on the functioning of the internal market which would become more serious over time.

However, following the debates in Bulgaria, Romania and Germany it was high time to have the ECJ rule on data retention’s – this time hopefully – not only procedural, but also material aspects. In a somewhat best case for the preservation of our all’s digital rights the ECJ might find against the Directive.

The hope, as is well-known, springs eternal – so let us hope the best.


Did you find this article informative, helpful or entertaining? If yes, do not forget to share it by pressing one of below buttons or to otherwise tell your friends about it!

3 March 2010

German Constitutional Court abrogates provisions on data retention

Bundesverfassungsgericht Karlsruhephoto © 2006 Johannes Bader | more info (via: Wylio)

Hear ye, hear ye, you all supporters of the fundamental right of privacy – 7 out of 8 German Constitutional Justices voted to declare the data retention provisions as applied in the Telecommunications Act and in the Code on Criminal Procedure null and void!

Enough of enthusiasm, however, we can go on observing the facts some of which may prove unlikely sobering when compared to yesterday’s news titles that went around the world.

You might remember that some months ago nearly 35 000 German citizens filed a mass-complaint in which they asked the Court to abrogate the provisions on data retention.

In reviewing the complaint, the Court makes an initial statement that the Federal German Constitution would not by itself forbid the retention of telecommunications traffic data for a certain time period. However, the data retention as transposed in German legislature interfered with the fundamental right of privacy in such a manner that the legal system was previously not familiar with. Hence to avoid such interference and, similar to the Romanian Constitutional Court, the German authority uses its ruling to create a recipe to be followed by the lawmakers in future. The main point made by the Court in its ruling, is the instruction towards lawmakers to observe the so called principle of proportionality (Verhältnismäßigkeitsgrundsatz).

Under reference of the above principle, the Court distills 5 requirements that need specifically be observed when drafting the prospective laws. In particular, the Court demands

– the adoption of specific provisions relating to enhanced data security and safety which the Court views mandated by the huge amounts of data to be retained;

– to safeguard that the retained data’s direct processing shall be limited to prevent only concrete danger situations arising out of  serious crimes;

– to ensure the transparency of data transfer by notifying the data subject in advance, and – where not appropriate – to subject the transfer to a respective court order and notify the data subject afterwards;

– to provide for the data subject’s legal protection amounting to, inter alia, data subject’s right to challenge the processing and transfer of their data before a court of competent jurisdiction, and – in case of breach of the above protection – to penalise such breach;

– to guarantee that indirect data processing for the purposes of IP address detection and identification, as may be the result of an enforced right of information , is not undertaken to prevent mere misdemeanours. The Court points out the importance of the latter as it states that such indirect data processing need not be subjected to a court order.

Put it all together, this long awaited ruling did hardly hit the jackpot being on stake: is the fundamental right of privacy the long expected silver bullet which is supposed to kill the vampire attempting to quench its thirst by accessing Internet users’ data? I personally read the ruling as a clear “NO”.

The Court does not really question the existence of data retention provisions. Moreover, it determines the borders of their constitutionally acceptable framing. See whether and to what extent the ruling will influence the EU member states that are still defaulting to transpone the Directive 24/2006.


Did you find this article informative, helpful or entertaining? If yes, do not forget to share it by pressing one of below buttons or to otherwise tell your friends about it!

18 January 2010

Austria’s data protection council disfavours new bill on data retention

The Data Protection Council is an advisory body within the Austrian Federal Chancellery’s administration. In a recent session the Council debated on the newly presented bill on data retention and passed an opinion to the government. The authority’s chair publicly presented the opinion’s upshot: the bill conflicts with Articles 8 and 9 of the ECHR, hence the Council moves for a balance between the privacy right of the persons concerned and the public interest to maintain security and order.

The Council further calls for a restrictive definition of a “serious crime” in order to achieve the data retention directive’s goal to fight organised crime and terrorism.

The Council seems to carefully observe the international, in particular the European, development on data retention. This is mirrored in Council’s recommendation to await the inauguration of the new European Commission and the enactment of the Stockholm Programme, which, given a sufficient consideration to certain privacy aspects, may lead to the data retention directive’s annulment.

I personally share that view and strongly hope for the Council to be proved correct.

14 December 2009

Will the data retention directive be fully implemented across Europe: a reprise.

About a year ago I composed one of my first blog postings and asked “Will the data retention directive be fully implemented across Europe?”. The reason behind was the then pending decision of the ECJ caused by Ireland’s concern on the data retention directive’s grounds legitimacy and, the wrong way the directive was initially  implemented in Bulgaria.

Recently, I covered the startling decision of the Romanian Constitutional Court that rejected the data retention implementing act due to inconsistency with constitutionally guaranteed and fundamental human rights, such as the right to privacy. Seemingly, this decision will not remain a single one.

In a hearing, appointed for tomorrow, the German Constitutional Court is expected to deal with the mass-complaint filed by nearly 35 000 citizens in which they ask the Court to abrogate the provisions on data retention. I believe the whole data retention concept would then fall apart, if the German Constitutional Court decided in favour of the complainants.

Press releases in Austria which, in my view, attempt to encourage the government in its Fabian position towards data retention, even call for a final ruling by the ECJ on the overall legitimacy of the data retention concept. In such a case, the ECJ will have to scrutinise whether the data retention directive is conciliate with the Charter of Fundamental Rights of the European Union that, together with the Treaty of Lisbon,  is in force as of 1 December 2009.

27 November 2009

Romanian Constitutional Court abrogates data retention act

The framers of the Data Retention Directive must have underestimated several factors in the course of its subsequent implementation. First Ireland brought a challenge before the ECJ then Austria still shows totally reluctant to implement. However, the big bang is currently unrivalled owned by Romania! This country’s Constitutional Court is the first to deliver a ruling that declares an act implementing the directive into a member state’s law unconstitutional.

Prof. Ioan Vida, Romanian Constitutional Court. Courtesy to BOGDAN MARAN / MEDIAFAX FOTO.

Now, after Dracula and Johnny Weissmuller, Romania has, in the person of Prof. Ioan Vida being the President of the Romanian Constitutional Court, good chances to be awarded a third VIP contribution to the world!

Basically, the Court pointed out that the law on data retention interfered with following articles of the Romanian Constitution: Art 25 Freedom of Movement, Art 26 Intimate, Family and private life, Art 28 Secrecy of Correspondence and Art 30 Freedom of Expression. In addition, the Court examined Art 12 of the Universal Declaration of Human Rights (UDHR), Art 17 of the International Covenant on civil and political rights (ICCPR) and Art 8 of the European Convention on Human Rights (ECHR) and found them affected too.

The Court recognized in its reasoning that neither the Romanian Constitution nor the ECHR prohibited state authorities to interfere with the rights mentioned above on a general scale. However, the Court, relying upon the judicateure of the European Court of Human Rights (ECtHR) in Klass vs Germany and Popescu vs Romania, opined that such interference was permissible only within a narrow path, fenced by sufficient safeguards to protect a person against arbitrary acts of state authorities.

The Court further opined that the legislator has created uncertainty because it used terms in the act that were either not or only ambiguously defined. Such uncertainty was contrary to the drafting techniques which the legislator was required to employ in the course of legislation.

Finally, the Court addressed critically two more issues in the act on data retention. The first critic dealt with the breadth of applicability of the act’s provisions – they were not limited only to wrongdoers, but covered also innocent bystanders. The second regarded the lengthy period of time for which the data were to be retained.

The entire above put together just fortified the majority of Court’s members to vote for the abrogation of the act.

Now, before the opponents and fighters of data retention fall in a state of euphoria, one has to consider that the Court did not reject the act per se. Quiet the contrary! To me, this ruling reads as a cooking recipe directed to the legislator. The recipe contains an enabling set of hints and aims to support the legislator to successfully implement that act later on.


Did you find this article informative, helpful or entertaining? If yes, do not forget to share it by pressing one of below buttons or to otherwise tell your friends about it!

22 November 2009

Data retention in Austria becomes even likelier

Austria’s DerStandard informs that the data retention bill to amend the existing Austrian Telecommunications Act was in place. In a consultation procedure, the responsible minister Doris Bures has called upon the appraisal of the participants (eg regional authorities, chamber for commerce and industry, trade unions). She thereby vowed to apply “the highest standards under the rule of law” in drafting the bill.

Austria has not implemented the data retention directive yet, wherefore the European Commission threatened the government with the launch of infringement proceedings. Austrian politicians have used the data retention related set of problems in their last election campaign in 2008. For some period thereafter and, since the subject matter is highly controversial, no one appears willing to cease the delay in implementation.

Quite often, the enforcers of intellectual property rights have been viewed as the real beneficiaries of the data retention becoming a fact. Many of their lobbyists and legal representatives utilized the duration caused by the governmental delay in addressing the public and stating the necessity to access retained internet traffic data that evidences, for instance, illegal file sharing.  However and given an implementation, it is still unclear as to whether such enforcers shall have access to data so retained.

According to recent cases on file sharing, Austrian courts seem to opine that file sharers’ interest in the protection of their traffic and identity data outweighs the enforcers’ interests to access such data.

It is clear that the data retention could easily change the so established balance. I hope to soon have certainty on that.

13 November 2009

The retention of internet traffic data saves New Yorker Teen from robbery charges

No, this is not a text dedicated to advocate company policies or governmental prescriptions on data retention, even though defenders of retaining communications networks’ data might well use it for such purposes.

It is the story of the 19-year-old New York City Teen Rodney Bradford which shows that a policy to retain user’s traffic data may also have an yet undiscovered “bright side”.
Just imagine Rodney’s life given a verdict sending him to jail….
And yes, I believe that Facebook’s policy to keep certain log files stored for a while literally saved this boy’s life.

Hence my Friday’s message to the audience: Try listening to “Always look on the bright side of life” when thinking of data retention -).

26 January 2009

A lesson in political stubborness

Bulgarians are known as notably stubborn and even bull-headed. Circumventing a supreme court’s decision, however, successfully blurs the border to the political blindness!

The circumvention attempt follows the defeat of Regulation Nr 40 (collectively issued by the Ministry of Interior and the State Agency on Information Technologies and Communication) before the Supreme Administrative Court.

Nevertheless, the logic behind it appears to have been borrowed from a bad gambler: once the transposition of the Directive 2006/24/EC by means of a statutory instrument (=Regulation Nr 40) did not work, the only way is to raise the stakes!
How should that work, you may ask? Well, in that they bluff!

Indeed, in a joint session the parliamentary Committees for Interior and for Transportation and Communication have prepared an amendment to the Act on Electronic Communications, whereupon a new regulation shall determine the procedure of retaining communication data and govern the access thereto.
Funnily, the regulation is intended to be the collective outcome of even three authorities – the Minister of Interior, the Chair of the State Agency for National Security and the Chair of the aforementioned State Agency on Information Technologies and Communication.

Sounds promissing and I will keep an eye on it!