EU legislation on privacy and e-communications
Tobias Mahler
6th March 2012
JUR 5630 – 2012
1. Disposition
Normative background
Privacy and electronic communications
• Directive 2002/58/EC as amended
Data retention
• Directive 2006/24/EC
2. NORMATIVE BACKGROUND
Human rights
Article 7,
EU CHARTER OF FUNDAMENTAL RIGHTS
• Everyone has the right to respect for his or her private and family life, home and communications.
Article 8(1),
European Convention on Human Rights
• “respect for private life … and correspondence”.
ECHR cases include
Klass v. Germany (1978)
• ECtHR holds for first time that telephone conversations are covered by notions of “private life” and “correspondence” (see para. 41).
Malone v. UK (1984)
• Focused on lawfulness of use of “metering” records.
Kruslin v. France (1990)
• Focused on lawfulness of telephone tapping by police.
Copland v. UK (2007)
• Focused on lawfulness of employers’ access to employees’ email communications.
National law
Protection of communications privacy also provided for in national constitutions/other legislation: e.g., …
• Spain’s Constitution Art. 18(3)
• Germany’s Basic Law Art. 10
• Norway’s Penal Code §§ 145, 145a
• Swiss Penal Code Art. 179.
Case-law of German Federal Constitutional Court particularly protective – see especially:
• Covert surveillance of ICT systems;
• Eavesdropping on private homes;
• Retention of traffic data (see further below).
3. DIRECTIVE 2002/58/EC ON PRIVACY AND ELECTRONIC COMMUNICATIONS
A supplement
Supplements and “fine-tunes” Directive 95/46/EC
• Cannot be fully understood without consideration of latter
• (e.g., latter provides core definitions)
• Has greater reach than DPD
• (e.g., in relation to protection of legal person data)
• Still only sectoral EU data protection law (outside Third Pillar)
• Some commentators query its necessity
Replaces and repeals Directive 97/66/EC
• Focus of latter too narrow (on traditional telephony plus ISDN)
• Application to Internet was difficult to determine
Basic purpose
• Provide relatively detailed rules for protection of personal data that are processed in relation to certain e-communication networks and services;
• harmonize national provisions on point;
• create conditions for free movement of data.
E-Communications Framework
Framework
• Part of broader regulatory package establishing Common E-Communications Framework,
Competition
• increase competition in e-communications market;
Consumer protection
• protect consumers and users of e-communications networks/services.
Amended directive
Amended November 2009 by Directive 2009/136/EC
• To be transposed by June 2011.
• Consolidated version.
Main amendments:
• mandatory notification of personal data security breaches (Article 4(3));
• consent requirements for cookies (Article 5(3));
• anti-spamming measures by ISPs (Article 13(6)).
Scope of application (Art. 3)
Data processing in connection with
• provision of publicly available electronic communications services
• in public communications networks in the Community.
What = “electronic communication service”?
• See Framework Directive 2002/21/EC, Art. 2(c)
• content and broadcasting not covered.
Protection of legal persons
Protection of certain “legitimate interests” of legal persons
• in role of subscribers/users of e-communications services,
• but this protection not fully commensurate with protection of individuals
• see Arts. 12 and 13(1) dealing with
• subscriber directories and
• automated calling systems
Central provisions (I)
security and confidentiality of communications (Arts. 4–5)
storage and use of communications traffic data (Arts. 6, 15)
processing of location data other than traffic data (Art. 9)
Central provisions (II)
calling and connected line identification
• Art. 8
content of subscriber directories
• Art. 12
unsolicited communications for direct marketing purposes
• Art. 13
• Basic rule: opt-in for spam
Cookies, etc.
Cookies: Art. 5(3)
• requires organizations to obtain users’ consent before placing cookies on their computers
• (previously cookies permitted only if receiver was informed and could refuse them)
Consent: how can consent be manifested?
• Does user consent when default Web browser setting is to accept cookies?
• Yes. “Where it is technically possible and effective, in accordance with the relevant provisions of Directive 95/46/EC, the user’s consent to processing may be expressed by using the appropriate settings of a browser or other application”
• Cf. recitals 17 and 25 in consolidated version of Directive 2002/58/EC; cf. recital 66 in Directive 2009/136/EC
Encouragement of PETs
• e.g., recital 9 and Article 14 (standardization of ICT so that it is privacy-friendly)
Privacy vs. IPR
CJ decision Promusicae v Telefonica de Música de España
• Directive 2002/58/EC does not require ISPs “to communicate personal data in order to ensure effective protection of copyright in the context of civil proceedings”,
• but Member States may introduce laws with such a requirement, if not in conflict with fundamental rights or the proportionality principle.
Part of broad battle between IPR-holders and ISPs over access to IP address data and identities behind these.
4. DATA RETENTION
Data retention: basic requirements
Duty to retain data for 6 m – 2 y (Art. 3)
Access to be given to “competent national authorities” (Art. 4)
• Police (all branches?)
• Intelligence services?
• In specific cases
• Procedures and conditions
• to be defined in national law,
• in accordance with necessity and proportionality requirements.
Does not cover content?
• Not data “revealing the content of … communication” (Article 5(2));
• see too Article 1(2) (“including information consulted using an electronic communications network”).
• Watertight distinction?
[Diagram: Retain data → Access data → Use data]
ECJ case on legal basis
Ireland (later joined by Slovakia)
• claiming Directive is without proper legal basis in EU law
• claimed that Directive = First Pillar instrument dealing with Third Pillar matters.
• ECJ: legal basis = OK
Cf. ECJ case re. transfer of PNR data to USA
• Nullifying 2004 decisions by Commission and Council on PNR transfers
• because they applied to matters currently falling outside scope of Community law – namely,
• public security and
• prevention of crime.
Current status is uncertain
Transposition
• Several states have not yet transposed directive
National court decisions
• Several national data retention laws have been declared void by national courts.
Evaluation (Art. 14)
• Official evaluation report
• Shadow evaluation report
• Evaluation of Directive continuing with search for data
Cases in national constitutional courts
Romania
• Data retention breaches proportionality principle.
Germany
• Data retention & use: encroachment on interest protected by Constitution Art. 10(1)
• Proportionality requires sophisticated & well-defined provisions on
• data security,
• to limit the use of data,
• for transparency and
• legal protection.
• Majority opinion: Requirements were not fulfilled, legislation is void.
Czech Republic
• The Czech Constitutional Court declared national data retention legislation unconstitutional on 31 March 2011.
Surveillance
Innocent people under surveillance
Without sufficiently clear legal basis
Presumption of innocence
Clarity
Access to and use of data
Proportionality principle
• The more severe the encroachment through data retention is
• the stricter the requirements re. access and use of data need to be.
Strict requirements: serious crimes?
• Catalogue of serious crimes is required
• Too wide: “crime involving use of telecommunications equipment”
• Too unclear: Danger prevention and intelligence services use
Access to and use of data
Distinction required between
• Individual items of traffic data
• Limited data sets
• Complete profile (“personality” / location)
Requirements re. use required
• Immediate use
• Deletion (must be documented)
Data security
Risk
• Court considers risk to be high
Measures to be assessed
• Data to be retained on separate computers without Internet access;
• Asymmetric encryption (keys kept separate);
• A “principle of four eyes”;
• Log access to data.
Surveillance and transparency
Suspicion
• “Diffusely threatening feeling of surveillance”
• “legitimate suspicion … regarding privacy and … abuses”
Panopticon
• May reduce exercise of personal freedom
Transparency
• Notification about use of retained data
• Secret use only in exceptional cases, and then with subsequent notification.
Anonymity and IP-addresses
Less severe requirements
• No access to data
• No profile, only an individual item of data
• Justified by significance of Internet-based crime
• Any type of crime qualifies
No legitimate expectation of anonymity
• Internet cannot be a space outside the law in a state governed by the law
• However, transparency required: legitimate expectation to know when we don’t communicate anonymously.
Trust relations
Confidential communication
• Anonymous counselling
No access by law enforcement agencies