Technical Standards and the law: the case of the invalid data retention directive

Irene Kamara
Vrije Universiteit Brussel, Research Group on Law, Science, Technology and Society (LSTS)
STS Conference, Graz, 10 May 2016

Aim
Preliminary research exploring aspects of the relationship between standards and the law. In particular: what happens when a technical standard is based on a law that is annulled, i.e. a law that is found to be disproportionate to fundamental rights.

Why?
Broad use of standards in many aspects of our lives, technical and non-technical. Potentially a useful tool, for instance in personal data protection. Need to explore the 'boundaries' with, and dependencies on, the law.

Why now?
In the aftermath of security incidents with societal impact (e.g. terrorist attacks): a tendency to adopt security measures and laws that might infringe human rights.

The Data Retention Directive (I)
Directive 2006/24/EC: a law imposing obligations on telecommunications operators and Internet Service Providers to retain certain types of data generated by individuals.
Aim: potential use of the retained data for the investigation, detection and prosecution of serious crime. Adopted after the terrorist attacks in Madrid in March 2004 and in London in July 2005 (but its scope was not limited to combating terrorism).
Types of data: traffic data (source, type, date/time/duration of communication, equipment, location etc.) AND the data needed to identify the subscriber. Not the content.
Access by national "competent authorities".
Retention periods: 6 months to 2 years.

The Data Retention Directive (II)
The Directive was transposed into the national legislation of the Member States by September 2007.
Criticism by citizens' rights groups, academics, experts, WP29, even EU institutions. The European Data Protection Supervisor (press release, 31 May 2011):
• the necessity for data retention as provided in the Directive has not been sufficiently demonstrated;
• data retention could have been regulated in a less privacy-intrusive way;
• the Directive leaves too much scope for Member States to decide on the purposes for which the data might be used, and also for establishing who can access the data and under which conditions.
Several national laws were challenged in national courts and found unconstitutional (in whole or in some articles): Germany (2011), Romania (2009), Cyprus (2011), Bulgaria (2008), Czech Republic (2011), Lithuania and others.

CJEU landmark judgement (I)
Joined cases Digital Rights Ireland and Seitlinger and others (11,130 applicants), C-293/12 and C-594/12 (April 2014).
Two preliminary questions, from the High Court of Ireland and the Constitutional Court of Austria, regarding:
• the compatibility of Directive 2006/24 with the right to privacy protected in Article 7 of the Charter of Fundamental Rights of the European Union and Article 8 ECHR, and with the right to the protection of personal data laid down in Article 8 of the Charter;
• the permissibility of the interference under Article 52 of the Charter (provided by law, proportionate, general interest).

CJEU landmark judgement (II)
The Court declared the Directive invalid (= from the date it entered into force).
The Directive interferes in a particularly serious manner with the rights to respect for private life and protection of personal data. The interference satisfies an objective of general interest: public security and the fight against serious crime. BUT: it is not compliant with the principle of proportionality, so the interference is not justified.
Necessity test (the interference should be limited only to what is strictly necessary):
1. Differentiation, limitation or exception according to type of data, individuals, means of electronic communication.
2. Access to and use of data only for the purposes of the prevention, detection and prosecution of serious offences.
3. A distinction should be made in data retention periods.
4. Sufficient safeguards are needed to ensure protection of the data against the risk of abuse.
5. A provision is needed that the data are retained within the EU.

Impact on national legislation in the EU
The ruling did not oblige Member States to abolish their national data retention legislation. BUT: it set criteria for assessing compatibility with fundamental rights. Fundamental Rights Agency (FRA): 'MS should re-evaluate their data retention regulations'.
Several developments:
• Belgium: June 2015 – Constitutional Court nullified the Belgian law transposing the DRD (GwH 11 juni 2015, nr 84/2015).
• Slovakia: April 2015 – Constitutional Court annulled several provisions of three acts regarding data retention.
• Sweden – Administrative Court of Appeal submitted a request to the CJEU for a preliminary ruling.
• And others.

ETSI Lawful Interception Technical Specifications
Normative reference (= necessary for the application of the TS): the Data Retention Directive.
ETSI – one of the three European Standardisation Organisations.
ETSI L.I. series: developed by ETSI Technical Committee L.I., freely accessible on the ETSI website.
Development process of an ETSI Technical Specification: no public consultation or members' voting.
Targeted audience: Law Enforcement Agencies.

ETSI Lawful Interception Technical Specifications – Scope
TS 102 657 V1.14.1 (older version, March 2014): "…the present document contains handover requirements and a handover specification for the data that is identified in EU Dir 2006/24/EC… The handover requirements from TS 102 656 contained in and implied by the EU Directive and other national legislations…"
TS 102 656 (older version): "…The present document gives guidance for the delivery and associated issues of retained data of telecommunications and subscribers. It provides a set of requirements relating to handover interfaces for the retained traffic data and subscriber data by law enforcement and other authorized requesting authorities. The requirements are to support the implementation of Directive 2006/24/EC of the European Parliament and of the Council of 15 March 2006 on the retention of data."

What happened to the ETSI Technical Specifications after the CJEU judgement? (I)
Update of the L.I. TS after the CJEU judgement: change in scope, normative reference, terminology, annex.
ETSI TS 102 657 V1.15.1 (2014-08): "The present document is based on requirements from TS 102 656. The present document contains handover requirements and a handover specification for the data that is identified in national legislations on Retained Data."
ETSI TS 102 656 V1.2.2 (2014-09): "The present document gives guidance for the delivery and associated issues of retained data of telecommunications and subscribers. It provides a set of requirements relating to handover interfaces for the retained traffic data and subscriber data by law enforcement and other authorized requesting authorities."

What happened to the ETSI Technical Specifications? (II)
The requirements themselves are unchanged, either because:
• they already comply with / take into account / address the criteria from the ruling: unlikely, as the TS is based on the Directive, which according to the ruling did not; or
• the TC did not think such changes were necessary: already valid according to national legislation? An issue to be solved at the national law level? (But then how can the TS already claim to be about lawful interception?) A 'this is a task for lawyers' mentality, or some other reason.
Result? The TS are still valid today (updated as above), despite the questions as to whether they are in line with the fundamental rights to private life and protection of personal data.

Standards and the law - conclusions from the case study (I)
Standards are not the law, but should seek to comply with the law, or at least not violate or provide a means to violate the law.
How about the voluntary nature of standards? Does it have anything to do with this? Where are the boundaries? How far should the SB go in seeking to comply with the law? And which law? There might be conflicting laws. After all, it is not the aim in most cases.
No answer yet, but what can be said from this case study is that the fundamental rights enshrined in the Charter of Fundamental Rights of the EU should be respected. Although it is not the aim, when standards expand to areas with societal impact instead of solely technical ones, this should become one of the aims.

Standards and the law - conclusions from the case study (II)
Role of standardisation bodies: responsibility and obligation of the organisations and the experts developing standards to respect fundamental rights.
• Ethical duty.
• Not just another task (only) for lawyers, to examine whether there are violations.
• Especially ESOs bear such a duty towards EU citizens: presumption of 'trust' in the officially recognised standardisation organisations in the EU.
• Standards should not show the way to violate rights/the law.
• Built-in safeguards – ethical/legal issues to be dealt with early in development (ethical and legal impact assessments / privacy impact assessments necessary).
• Training of experts on societal issues.

Thank you
Contact: Irene.kamara@vub.ac.be