thoughts and observations of a privacy, security and internet researcher, activist, and policy advisor

Saturday, July 16, 2016

Minutes from EU Court of Justice on #DataRetention

On 19th July 2016, Advocate General Øe Saugmandsgaard will present the Court of Justice of the European Union (CJEU) his opinion in the joined cases C-203/15 and C-698/15,Tele2 Sverige and Davis and Others. They concern the validity of national laws in Sweden and the UK for the retention of telecommunications data under EU law and the EU Charter of Fundamental Rights. This is a very relevant question, since the Court invalidated the EU Data retention directive in 2014.

To see what is to be expected, it is helpful to know what happened at the oral hearing on 5th April 2016. Our legal trainee Antonia Latsch attended the hearing (which is public, but not streamed or recorded). She live-tweeted from there, and has allowed me to re-publish her tweets in chronological order here. I have done minor editing to clean up the language, correct typos, etc. So here we go:

Court is in session #dataretention #dripa

Judgement first, hearing about to start #dataretention #CJEU

Hearing started. Johansson addressing question of what constitutes electronic processing of personal data #dataretention

Tele2 Lawyer Johansson: Law needs to be proportional to what is strictly necessary for the concrete objectives #tele2 #CJEU

Tele2: legislation needs to limit access of data, only to fight serious crimes & subject to ex ante court control #dataretention

Tele2: Swedish data collection law is not limited to serious crimes, nor does it grant ex ante court control #tele2 #dataretention

Watson/Davis Lawyer: The United Kingdom does not provide sufficient safeguards for personal data collection #DRIPA #dataretention

Davis/Watson: Minimum safeguards need to be in place to protect personal data to prevent abuse #dataretention #DRIPA

Davis: Court should give guidance to what necessary safeguards are, UK does not meet the safeguards #dataretention

Davis: UK allows collection of data for purposes that are not in regards to suspected crimes, constitutes breach of Art. 51 #dataretention

Brice: authorization and purpose for what it is granted for are connected; intrusiveness needs to meet seriousness of crime #dataretention

Brice: Authorization to access to data must me be granted by structural independent body #dataretention

Brice: purpose of law is only in case of serious crimes. Domestic legislation goes way beyond, including tax purposes #dataretention

Open Rights Group: Case is of global significance, challenging the courts position on personal data protection #dataretention

ORG/Privacy International: states need to be able to prevent passing of data to states that don't comply with EU privacy law #dataretention

PI: Art. 15 e-privacy directive is lex specialis, it does not allow for the individual to be completely stripped of their privacy rights #dataretention

Law Society: Limitation by independent authorization for the kind of data that can be stored is missing #dataretention

Sweden: general obligation to keep data can be proportional for very important measures #dataretention

Sweden: not all access to general data needs to be directly related to a serious crime, but be strictly necessary #dataretention

Sweden: investigations have shown that it is impossible to limit retention of data prior for measurements to be effective #dataretention

Sweden: possibility of rapid decisions is necessary for effectiveness, therefore outside review is unpractical #dataretention

UK: Law requires commercial service providers to keep the data, not authorities #dataretention

UK: We cannot know in advance what data is necessary and valuable #dataretention

UK: in matters concerning national security, member states must make assessments of what is necessary and proportionate #dataretention

UK: objective requirements for necessity of the taken measurements are different from specific rules laid out by the court #dataretention

UK: it should be up to national courts to check that specific requirements and set standards are met #dataretention

Czech: important how domestic law allows access and safety of data, if safeguards are in place, it is not disproportionate #dataretention

Czech: "We live in troubled times, do we really want to constrain the member states in this way?"#dataretention

Denmark: data retention must be general to be effective as a crime fighting tool #dataretention

Denmark: Rules on access to and retention of date go hand in hand and can not be separated #dataretention

Denmark: proportionality test strikes the right balance, provided it gives clear and precise rules/guarantees of protection #dataretention

Denmark: approach to data retention should be all or nothing #dataretention

Denmark: no reason to assess these national measures more stringent than other national measures #dataretention

Germany: active passing of data by private sector allows government access, this must be compatible with fundamental rights #dataretention

Germany: objective safeguard criteria can be sufficient, therefore concrete implementation determines if law is proportionate #dataretention

Antonia Latsch re-tweeted ‏@TetsuwanAstro:
Germany: Data protection guarantees should be assessed as a whole, access AND retention rules together #dataprotection

Estonia: We consider it necessary in the fight against terrorism to collect data of all people #dataretention

Estonia: Saving someone's life and effectively fighting crime is worth allowing government's intervention #dataretention

Ireland: access of data is not directly governed by EU law #dataretention

Ireland: court is providing guidance for interpretation of EU law to national courts #dataretention

Ireland: member states must be given discretion on how to provide proportional measures #dataretention

Ireland: access of data is not directly governed by EU law #dataretention

Antonia Latsch re-tweeted @JanAlbrecht

Jan Philipp Albrecht quoted Antonia Latsch:
Rubbish. The ePrivacy Directive regulates use of personal telecom data, therefore governed by EU law. #dataretention
Ireland: access of data is not directly governed by EU law #dataretention
Ireland: Diversity of different member states needs to be respected by the court #dataretention

Spain: The burden that data retention puts on the internal market and private actors should not be underestimate #dataretention

Spain: The upholding of fundamental rights must be the upper limit to granted discretion #dataretention

Spain: General data retention cannot be seen as an indispensable measure taken by all means #dataretention

France: Data can be used for prosecution as well for proof of innocence. It is impossible to know in advance what is needed. #dataretention

France: French government finds the retention period of 1 year for data absolutely necessary to combat crime and terrorism #dataretention

European Commission: Interference must be proportional as well as respect the essence of the interfered right #dataretention

Finland: Connection between retention and use means that retention can only be justified if the later use is also justified #dataretention

Finland: Practical reasons necessitate a system of universal retention of data that can be compensated by limitation #dataretention

European Commission: procedural safeguards in their entirety need to be assessed to their efficiency #dataretention

after questioned by Judge Rapporteur von Danwitz, Tele2: about 10.000 data request have been made to tele2. No overall statistic available #dataretention

von Danwitz to UK: Does DRIPA enable public authority to collect data from persons outside of the UK? #dataretention

UK: Scope of data retention of DRIPA applies to all data generated and processed in the UK #dataretention

v. Danwitz:"how far are we taking this logic that we don't know who will be a criminal tomorrow and therefore need all data?" #dataretention

v. Danwitz: "Isn't there always something more effective and also more intrusive? Where do we stop?" #dataretention

Advoc. General Saugmandsgaard to UK: can you be more precise to when general retention is indispensable? #dataretention

UK: retention of general data is vital to prevent terrorism and preventing crime but also for protecting people in general #dataretention

Advoc. General to Tele2: Are Swedish authority demanding you to secure data you would otherwise not acquire? #dataretention

Tele2: No, its data that is there, but would not be kept and deleted at once. #dataretention

Advoc. General to Sweden: Is there information about the misuse of this data retention? #dataretention

Germany: data retention is not useful if limited to specific geographical locations #dataretention

Sweden: The chancellor of the data protection agency must be informed of mistakes; here ex-post control is more efficient #dataretention

Tele2: All retention of data carries a risk of misuse, member states should look closely at what is stored and for how long #dataretention

Davis: Case regards the lack of safeguards. Access to data takes place in secret; high demands cannot be monitored adequately #dataretention

Davis: Although individuals can, it's unlikely they will bring a complaint if they don't know their information was accessed #dataretention

Sweden: if data retention is to be an effective measure in fighting crime it needs to be general by nature #dataretention

Session is closed. Advocate General opinion will be delivered on the 19th of July 2016. #dataretention

Labels: , , , , ,