
Thursday, March 25, 2010

German Federal Constitutional Court overturns law on data retention

Privacy International: 09/03/2010


Last week the German Federal Constitutional Court overturned a law on the retention of telecommunications data for law enforcement purposes, stating that it posed a "grave intrusion" to personal privacy and must be revised. In their ruling the judges found that the law stands in contradiction to the basic right of private correspondence and does not protect the principle of proportionality, as it fails to balance the need to provide security with the right to privacy. All data on telephone calls, email and internet traffic as well as on the location of mobile phones that have so far been stored by telecommunication providers have to be deleted immediately. 

According to the Federal Constitutional Court the communications retention law does not provide adequate protection of personal data and it does not make sufficiently clear what it would be used for. The case was originally brought to the court in 2008 by a record number of almost 35.000 people, including the current Justice Minister Sabine Leutheusser-Schnarrenberger.

The Court, however, did not rule out data retention as such. The judges did not question the admissibility of the EU directive, on which the German law is based. This would have been outside the court’s competences. It merely stated that the law went far beyond the requirements of the EU directive.

The storage and usage of telecommunications data allows conclusions to be drawn that reach far beyond the private sphere, from which significant personal profiles can be established and people’s movements tracked. The storage of data could "cause a diffusely threatening feeling of being under observation that can diminish an unprejudiced perception of one’s basic rights in many areas," said the president of the court, Hans Jürgen Papier. Therefore, such interference will have to come with strings attached. The German law has not fulfilled these requirements and thus has been suspended by the Federal Constitutional Court.

The Court requires the German legislature to establish strict measures for the retention of data, which have to be implemented by telecommunication providers, which are responsible for storing the data. In addition, the legislature has to clarify that data retention is only to be used for the prosecution of severe criminal offences. Strict measures have to be established with regard to the usage of retained data by the police for the prevention of crime. The court also demands greater "transparent control" of what the information was used for. 

A significant limitation to the Federal Constitutional Court decision is its stance that IP addressing information is not worthy of strong protections under law. According to the court, although it is possible to identify internet users through IP addresses, personal profiles cannot be established, because a different IP address is assigned to the user each time he connects to the internet.

German civil society groups are not entirely satisfied with last week’s judgment. "The court did not find the retention of data as such unconstitutional and declared that implementing the EU directive on data retention in conformity with the German Constitution is indeed possible. For now the retention of data has been overturned, but there will be new rules", Werner Huelsmann from the German Working Group on data retention told the newspaper Sueddeutsche. "A massive amount of data about German citizens who pose no threat and are not suspects is being retained," Germany’s Federal privacy commissioner, Peter Schaar, told the German television channel ARD.

In response to the ruling the German Working Group on data retention has announced a Europe-wide campaign to end the permanent logging of internet and phone use. With the signatures of one million opponents the group wants to persuade the EU to repeal its data retention directive. 



Source: http://www.privacyinternational.org/article.shtml?cmd[347]=x-347-566038&als[theme]=Data%20Protection%20and%20Privacy%20Laws



Wednesday, March 17, 2010

ECJ: Supervisory authorities must be completely independent

By Sophie Mosca

The EU Court of Justice validated the principle of the independence of the authorities charged with guaranteeing the protection of personal data in Europe in a judgement handed down, on 9 March, against Germany for subjecting these authorities to state scrutiny (Case C-518/07 Commission v Germany). The court endorsed the position of the European Commission, which brought the action against Germany for its failure to apply correctly Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and the free movement of such data (Directive of the Parliament and Council, of 25 October 1995) by making the authority responsible for ensuring compliance with data protection provisions subject to scrutiny by the German Länder, i.e. a public authority.



Directive 95/46 requires that such authorities exercise their powers with “complete independence,” an expression the Commission interprets in the broad sense. Germany applied a narrower interpretation, arguing that the directive requires only the functional independence of the supervisory authorities, who must not be exposed to outside influence. It claimed that the scrutiny exercised in the German Länder does not constitute an outside influence but rather the administration’s internal monitoring mechanism, which is not in breach of the directive.



The court first identified the scope of the requirement of independence of the supervisory authorities, explaining that as a key element of data protection, they must enjoy independence that enables them to act without influence by the supervised bodies, but also without any direct or indirect external influence that could call into question the performance by those authorities of their task consisting of establishing a fair balance between the protection of the right to privacy and the free movement of personal data.



The court considers that the scrutiny exercised by the Länder is incompatible with the requirement of independence set by the directive. It also rejected Germany’s argument that the Commission’s position would lead in its case to a violation of the principles of democracy, conferred powers, subsidiarity and proportionality. The judges held that granting these supervisory authorities complete independence from political authorities does not deprive them of their democratic legitimacy nor does it violate conferred powers or exceed what is necessary to achieve the objectives of the EC Treaty.



The Commission welcomes this first ruling in this field, noting that Commissioner Viviane Reding has made the independence of supervisory authorities a priority.

Source: Europolitics.
http://www.europolitics.info/sectorial-policies/ecj-supervisory-authorities-must-be-completely-independent-art265573-16.html

Saturday, January 30, 2010

New EU Privacy Laws Could Hit Facebook


Technologies such as social networking, RFID, and even airport scanning have raced ahead of Europe's outdated data protection rules. Brussels aims to fix that

By Leigh Phillips

Two weeks ago, Mark Zuckerberg, the founder of social networking site Facebook, told the world to just get over it—no one cares about privacy anymore—provoking a storm of protest across cyberspace.

On Thursday (28 January), the European Commission responded to the 24-year-old billionaire and announced plans for comprehensive new laws that have in their sights the massively popular website.

The commission is concerned that its existing rules on data protection date back to 1995, the very early days of what was at the time called the "information superhighway" and are extraordinarily out of date. Brussels is not just worried that the internet has sped ahead of its regulatory grasp, but also that many technologies, in particular Radio Frequency Identification (RFID), behavioural advertising and even airport security devices have proceeded apace, leaving EU legislation in the lurch.

The commission on Thursday, also the continent's official Data Protection Day, "warned that data protection rules must be updated to keep abreast of technological change to ensure the right to privacy."

Underscoring its new powers under the Lisbon Treaty and the legal basis given to the Charter of Fundamental Rights, the commission said it wants to create "a clear, modern set of rules" guaranteeing a high level of personal data protection and privacy.

Earlier legislation was also limited in that it was restricted to issues concerning the European Community—the so-called first pillar of the EU, but not foreign policy or policing and judicial affairs—the second and third pillars.

Mentioning Facebook, Myspace (NWS) and Twitter by name, EU Justice Commissioner Viviane Reding said she will start this year with a revision of the 1995 Data Protection Directive, in a speech that outlined the main principles and goals of her upcoming work as Europe's top fundamental rights watchdog. It is clear that privacy issues are at the forefront of her ambitions.

"Innovation is important in today's society but should not go at the expense of people's fundamental right to privacy," she said.

"Whether we want it or not, almost every day we share personal data about ourselves. These data are collected, processed and then stored out of our sight. By booking a flight ticket, transferring money, applying for a job or just using the Internet we are exposing our private lives to others. Sometimes it is necessary," she continued. "Data are being collected without our consent and often without our knowledge. This is where European law comes in."

She said that people should have the right "to say no…whenever they want."

The commissioner is frustrated that companies are tackling privacy issues—or, more commonly being forced to tackle privacy issues—only after a product or service has been developed.

"We need a change of approach: Businesses must use their power of innovation to improve the protection of privacy and personal data from the very beginning of the development cycle," she said.

Ms Reding finished by saying that Europe must set the global agenda in terms of privacy protection.

The commissioner also warned that body scanners at airports have not escaped her gaze. "I am convinced that body scanners have a considerable privacy-invasive potential. Their usefulness is still to be proven. Their impact on health has not yet been fully assessed. Therefore I cannot imagine this privacy-intrusive technique being imposed on us without full consideration of its impact."

The forceful speech comes just two weeks after Facebook's CEO made his own speech at the Consumer Electronics Show in Las Vegas, which has been widely interpreted as announcing "the end of privacy."

"People have really gotten comfortable not only sharing more information and different kinds, but more openly and with more people. That social norm is just something that's evolved over time," Mr Zuckerberg said in a speech on 11 January, referring to the company's recent privacy policy change that made users' main information accessible by default. He described these changes as merely reflecting "current social norms" wherein young people have a much more relaxed attitude to privacy.

Across the Atlantic on Wednesday, Canada's privacy commissioner also announced a fresh investigation of Facebook after receiving complaints about the company's new privacy policy.

Source: Business Week

Wednesday, December 23, 2009

Facebook backtracks on privacy



By Maija Palmer and Tim Bradshaw in London and David Gelles in San Francisco, published on December 11, 2009

Facebook has been forced to retreat on some changes to its privacy settings after the move created an outcry from data protection campaigners and left users confused and irate.

The social networking site rolled out simplified privacy controls to its 350m users this week, but faced a barrage of complaints that the new settings were leading users to reveal more information than they wanted to.

Users were particularly critical of the way Facebook opted to make “friend lists” – the catalogue of all the people users are connected to on the site – visible to the public.

Facebook quickly backtracked on that on Thursday night, allowing users to hide the information if they wished.

Richard Alan, Facebook’s director of policy for Europe, would not rule out further tweaks to the settings in response to the public outcry.

“We have people monitoring comments from blog posts and all the feedback is going back to the team. They are still looking at it,” he said.

This is the latest privacy controversy for Facebook, which was forced to scrap a targeted advertising programme in 2007 and which came under scrutiny by the Canadian Privacy Commission last summer.

The Facebook blog page was flooded with thousands of comments asking how to put the new privacy settings to work.

“I was very confused by the new privacy settings on Facebook,” said Megan Brown, a lawyer in New York City. “When I logged on, it asked me whether I wanted my old settings or new settings. I didn’t know what the old settings were, so I was unable to make an informed decision.”

Chris Applegate, a Cambridge computer science graduate who works at We Are Social, an agency dispensing advice about sites such as Facebook, was dismayed to discover that applications installed by his friends could see his data unless he chose to opt out, an option not given in Facebook’s latest reminder.

“I’ve always kept a tight rein on the apps I install. But it only takes one friend to install a malicious app and . . . my information is compromised,” he said. “There is a great potential for leakage.”

Facebook insisted the change enhanced rather than detracted from privacy. It said that previously only 15-20 per cent of users had made any adjustments to their privacy settings. Yet, following the roll-out this week, 50 per cent of users had made changes.

“Millions [of users] have picked new settings and are comfortable with it,” Mr Alan said.

Tuesday, December 22, 2009

EU Data Protection Meets U.S. Discovery

By DANIEL SCHIMMEL
New York Law Journal
December 18, 2009


As a result of an increase in U.S. lawsuits requiring the transfer of personal data from France to the United States, the French Data Protection Agency (CNIL) published a recommendation in August 2009, which is designed to offer guidance on data transfers in connection with U.S. civil discovery proceedings. The CNIL's recommendation expands on the guidelines adopted by the body of European data protection agencies (the Article 29 Data Protection Working Party) in February 2009.

EU member states increasingly enforce their data protection laws. For instance, in 2008, the Spanish data protection agency imposed fines amounting in total to €22.6 million. In France and other EU countries, companies are under pressure to comply with U.S. discovery requests, which frequently call for the production of personal data about employees, clients, or customers. The CNIL's recommendation reflects a tension between a company's obligation to respond to U.S. discovery requests and its obligation to comply with EU data protection laws. Because data protection laws pursue a legitimate interest and are increasingly enforced in Europe, courts and litigants in the U.S. should take them into account when ordering discovery abroad.

Read more at Law.com