Thursday, March 25, 2010

German Federal Constitutional Court overturns law on data retention

Privacy International: 09/03/2010


Last week the German Federal Constitutional Court overturned a law on the retention of telecommunications data for law enforcement purposes, stating that it posed a "grave intrusion" to personal privacy and must be revised. In their ruling the judges found that the law stands in contradiction to the basic right of private correspondence and does not protect the principle of proportionality, as it fails to balance the need to provide security with the right to privacy. All data on telephone calls, email and internet traffic as well as on the location of mobile phones that have so far been stored by telecommunication providers have to be deleted immediately. 

According to the Federal Constitutional Court, the communications retention law does not provide adequate protection of personal data and does not make sufficiently clear what the data would be used for. The case was originally brought to the court in 2008 by a record number of almost 35,000 people, including the current Justice Minister Sabine Leutheusser-Schnarrenberger.

The Court, however, did not rule out data retention as such. The judges did not question the admissibility of the EU directive, on which the German law is based. This would have been outside the court’s competences. It merely stated that the law went far beyond the requirements of the EU directive.

The storage and usage of telecommunications data allows conclusions to be drawn that reach far beyond the private sphere, from which significant personal profiles can be established and people’s movements tracked. The storage of data could "cause a diffusely threatening feeling of being under observation that can diminish an unprejudiced perception of one’s basic rights in many areas," said the president of the court, Hans Jürgen Papier. Therefore, such interference will have to come with strings attached. The German law has not fulfilled these requirements and thus has been suspended by the Federal Constitutional Court.

The Court requires the German legislature to establish strict measures for the retention of data, which have to be implemented by telecommunication providers, which are responsible for storing the data. In addition, the legislature has to clarify that data retention is only to be used for the prosecution of severe criminal offences. Strict measures have to be established with regard to the usage of retained data by the police for the prevention of crime. The court also demands greater "transparent control" of what the information was used for. 

A significant limitation of the Federal Constitutional Court's decision is its stance that IP addressing information is not worthy of strong protections under law. According to the court, although it is possible to identify internet users through IP addresses, personal profiles cannot be established, because a different IP address is assigned to the user every time he connects to the internet.

German civil society groups are not entirely satisfied with last week’s judgment. "The court did not find the retention of data as such unconstitutional and declared that implementing the EU directive on data retention in conformity with the German Constitution is indeed possible. For now the retention of data has been overturned, but there will be new rules," Werner Huelsmann from the German Working Group on data retention told the newspaper Sueddeutsche. "A massive amount of data about German citizens who pose no threat and are not suspects is being retained," Germany’s Federal privacy commissioner, Peter Schaar, told the German television channel ARD.

In response to the ruling the German Working Group on data retention has announced a Europe-wide campaign to end the permanent logging of internet and phone use. With the signatures of one million opponents the group wants to persuade the EU to repeal its data retention directive. 



Source: http://www.privacyinternational.org/article.shtml?cmd[347]=x-347-566038&als[theme]=Data%20Protection%20and%20Privacy%20Laws



Wednesday, March 17, 2010

ECJ: Supervisory authorities must be completely independent

By Sophie Mosca

The EU Court of Justice validated the principle of the independence of the authorities charged with guaranteeing the protection of personal data in Europe in a judgement handed down on 9 March against Germany for subjecting these authorities to state scrutiny (Case C-518/07 Commission v Germany). The court endorsed the position of the European Commission, which brought the action against Germany for its failure to apply correctly Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and the free movement of such data (Directive of the Parliament and Council of 25 October 1995). Germany had made the authority responsible for ensuring compliance with data protection provisions subject to scrutiny by the German Länder, i.e. a public authority.



Directive 95/46 requires that such authorities exercise their powers with “complete independence,” an expression the Commission interprets in the broad sense. Germany applied a narrower interpretation, arguing that the directive requires only the functional independence of the supervisory authorities, who must not be exposed to outside influence. It claimed that the scrutiny exercised in the German Länder does not constitute an outside influence but rather the administration’s internal monitoring mechanism, which is not in breach of the directive.



The court first identified the scope of the requirement of independence of the supervisory authorities, explaining that as a key element of data protection, they must enjoy independence that enables them to act without influence by the supervised bodies, but also without any direct or indirect external influence that could call into question the performance by those authorities of their task consisting of establishing a fair balance between the protection of the right to privacy and the free movement of personal data.



The court considers that the scrutiny exercised by the Länder is incompatible with the requirement of independence set by the directive. It also rejected Germany’s argument that the Commission’s position would lead in its case to a violation of the principles of democracy, conferred powers, subsidiarity and proportionality. The judges held that granting these supervisory authorities complete independence from political authorities does not deprive them of their democratic legitimacy nor does it violate conferred powers or exceed what is necessary to achieve the objectives of the EC Treaty.



The Commission welcomes this first ruling in this field, noting that Commissioner Viviane Reding has made the independence of supervisory authorities a priority.

Source: Europolitics.
http://www.europolitics.info/sectorial-policies/ecj-supervisory-authorities-must-be-completely-independent-art265573-16.html

Google Chrome to do away with unique IDs


From the forthcoming version 4.1, Google is doing away with the Chrome feature which has attracted the most criticism: unique IDs. Until now, this token has been stored in the user_experience_metrics.user_id key in the User Data\Local State file in the Chrome installation folder (C:\User\[Name]\AppData\Local\Google\Chrome under Vista).



To supplement other measures to improve the browser's reputation for data protection, Google has announced in a white paper on Chrome data protection that it will in future delete the token once Google Chrome runs and checks for updates for the first time. From version 4.1, the allegedly anonymous ID will only be used to report successful installation of the browser to Google.



This step is largely symbolic, as Chrome has never attempted to identify users using the client ID, which is reassigned each time the browser is updated. Investigations using network sniffers have failed to refute Google's privacy statement that this ID is used exclusively for checking for updates and for the crash reporter (which is disabled by default) – discussions over alleged attempts by Chrome to identify users have nonetheless occasionally taken on extreme dimensions.



Far more problematic from a data protection point of view is the comparison of what is typed into the address bar with search engine results, although this can also be disabled, or switched to competitors such as Yahoo! or Bing from the browser settings screen. The white paper looks at the details of this issue, as well as redirection of 404 pages to the search engine and phishing and malware protection.


Source: