Mass surveillance of electronic communications violates fundamental human rights
On 21 December 2016, following two references for a preliminary ruling by UK and Swedish courts of appeal asking advice on the correct interpretation of EU law, the Court of Justice of the European Union issued a very important judgment on the protection by EU law of human rights in electronic communications[1]. In fact, the CJEU declared disproportionate and incompatible with the European Charter of Fundamental Rights (Articles 7, 8 and 52 para 1 of the Charter) [2] Member States’ laws prescribing general and indiscriminate retention by public telecom operators of subscriber traffic and location data including user IDs, fixed and mobile call data, SMS, internet usage, device tracking and so on.
National data retention laws restrict human rights
After the judicial invalidation of the EU Data Retention Directive (in “Digital Rights Ireland” case of 8 April 2014)[3], the telecommunications company "Tele2 Sverige" has been prevented by the national telecoms regulator PTS to implement a user-friendly privacy policy no longer retaining customer data while erasing data previously recorded[4]. Such prohibition occurred on the basis of Swedish law requiring all public communication service providers to systematically and continuously retain, with no exceptions, all subscriber traffic and location data with respect to all means of electronic communication. As a result, the company challenged said measures before the national courts as excessive and therefore incompatible with EU law. This question was subsequently addressed for interpretation to the European Court. Similar concerns were raised before the UK courts with regard to domestic data retention obligation for 12 months of external communication data, on grounds of national security.
Privacy and confidentiality of communications is a fundamental Right
Starting from two national regimes, the Court broadly affirmed that domestic data retention laws must comply with EU data protection laws. Data retention may well be necessary in specific circumstances but with the adequate proportionate limitations in order to avoid serious intrusions in privacy and family life of all citizens. In other words, the ruling further restricted the preventive measures that so far could be introduced by Member States, as per Article 15 of the Directive on privacy and electronic communications[5] on grounds of safeguarding national and public security, defence and prevention, investigation, detection and prosecution of criminal offences or unauthorised use of electronic communication systems. From now on, communications data retention must be solely targeted on the specific purpose of fighting against serious crime and public security and access to such data should be restricted only to the competent national authorities.
Member States must review their domestic data retention rules
This Court of Justice decision is binding not only on the national court on whose initiative the reference for a preliminary ruling was made, that will issue the final judgment on the outstanding case, but also on all of the national courts of the Member States. To the extent it provides a tool to guarantee legal certainty through the uniform application of EU law by national courts, which remain competent for national proceedings, this ruling is expected to have a significant impact on the existing privacy regulations in electronic communications in Europe.
Balanced access rules on grounds of serious crime prosecution are necessary
Since any broad and unjustified domestic derogation to the fundamental rights will be considered to violate EU law, national legislators will need to amend existing national provisions accordingly, so as to restrict their in general broad scope. As a result, only a limited number of public bodies competent for the investigation of serious crimes (e.g. police, national security and intelligence services) shall be entitled to access such retained data by operators and service providers insted of todays rather laxist regime where many other authorities may request copies of such communicatuon data and metadata. Access should be made on strictly defined purposes and under adequate procedural safeguards monitored by courts or by independent administrative bodies. Where data is retained, it must be kept securely and destroyed once its retention is no longer necessary.
Implications for the Digital Single Market Strategy
While the protection of user privacy is a key political priority in the EU, any very restrictive approach would also contradict one of the fundamental goals of the Digital Single Market strategy (DSM), which aims at creating a uniform digital market where both innovation and trust can flourish. In this perspective, objective common criteria need to be established across Europe on the purposes for the retention, transmission and further use of data held by telecom companies and metadata collected from mobile apps, IoT devices, smart homes, connected cars and many other emerging systems.
In order to reach the societal and economic benefits of the digital economy, specific guidance is needed by European and national policy makers on how operators may promote their business while lawfully satisfying access requests by law enforcement and judicial authorities. On the contrary, lack of clarity is likely to compromise the broader policy objectives of the DSM.
The existence of any national conflicting provisions could compromise the security services’ capacity to effectively face illegal immigration, human trafficking and crime prosecution. At the same time, unclear and overlapping rules could activate numerous citizen complaints against service providers on illegal surveillance and unlawful interference on their privacy and their communications’ confidentiality rights. As a result, service providers would be exposed to numerous civil and penal liability claims while the subscriber trust to the digital economy would risk to be compromised.
Consistent interplay between various privacy rules
In line with the interpretation given by the European court of EU data retention rules, within the European Union (and surprisingly not in the broader European Economic Area), the on going policy review of the E-Privacy Directive should also take into account the court case law, the General Data Protection Regulation 2016/679, as well as other important pieces of legislation such as the Directive 2016/680 on the data processing by competent authorities for the prevention, investigation, detection or prosecution of criminal offences [6].
Between many difficult questions as the one of “data subjects’ consent”, one has to respond which data and metadata fall within the ambit of data protection law. In this regard, as ruled in the recent “Breyer” case [7] communications “sensitive” personal data also include “dynamic IP addresses registered by online media services providers”. This broad interpretaion of the concept of personal data by the court means that practically any type of communications data, either collected directly by the citizen or indirectly by any fixed or mobile network, by sensors, heath trackers and medical devices, may be considered as “special categories of personal data”. As such they could clearly fall within the scope of the GDPR, even if not expressly mentioned as such by the Regulation.
Implications for the electronic communications industry
In conclusion, this ruling clearly implies that all parties involved in the electronic communications value chain, including broadband network operators, ISPs, Over-The Top communications service providers (such as Skype, Gmail, Whatsapp, Facebook Messenger, Face time, Viber etc), content producers, cloud providers collecting big data, aggregators and social networking platforms fall within the scope of the General Data Protection Regulation and the E-Privacy directive under review. Accordingly, they must prepare their staff and their business partners on how to effectively accommodate the changes introduced, as for instance, conduct Privacy Impact Assessments (PIAs), implement data accountability methods, encryption, pseudonymisation tools and adequate internal processes.
Furthermore, where personal data or private information on EU citizens is controlled by communication providers or shared with data processors in and outside the EU, more than ever compliance with data protection law and human rights law, where applicable, should be at the top of the compliance agenda for all organizations involved in the communications landscape.
What TELECOM EXPERTS can do for you:
Telecom Experts can help your company securely navigate in the complex regulatory landscape while protecting your clients’ privacy and confidentiality of communications.
Telecom Experts can guide you how to lawfully retain communications “sensitive” personal data as per the GDPR and the other applicable-privacy provisions, whilst providing your customers with trustworthy and high quality services.
Telecom Experts can assist your business introduce technological changes such as cloud migration, customer big data analytics or IoT data gathering while complying with ever evolving privacy rules.
---------------------------------------------------------------------------------------------------------
[1] Joined Cases C-203/15 “Tele2 Sverige AB v Post-och telestyrelsen” and C-698/15 “Secretary of State for the Home Department v Tom Watson and Others”.
[2] The Charter of Fundamental Rights of the European Union is available at http://www.europarl.europa.eu/charter/pdf/text_en.pdf
[3] Joined Cases: C-293/12 and C-594/12 “Digital Rights Ireland and Seitlinger and Others”.
[4] Case C-203/15
[5] E-Privacy Directive 2002/58/EC as amended by Directive 2009/136/EC.
[6] Directive of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA.
[7]Breyer case, preliminary ruling on case C-582/14 issued on 19 October 2016 http://curia.europa.eu/juris/document/document.jsf?docid=184668&doclang=EN&cid=1095511
