R(87) 15. A Slow death?

Joseph A. Cannataci,
Mireille M. Caruana,
Jeanne Pia Mifsud Bonnici
Law & IT Research Unit
Centre for Communication Technology
University of Malta

Objectives of Presentation
• Meeting the DP Champion - R(87)15
  – Painful birth of R(87)15 – ‘purpose specification’ victory
  – In the ascendant – the adoption of R(87)15 at Schengen
  – From Recommendation to Treaty?
  – First skirmish – the 1994 review
  – Meeting the Internet
  – Living on – in spite of defeat in Cybercrime Convention negotiations; the 1998 and 2002 review
• Meeting the executioner? – Directive 2006/24/EC (The Data Retention Directive)
  – 9/11, Madrid, London – a ‘valid’ excuse to ignore purpose
  – Passenger Data – first to go… is there light at the end of the tunnel?
  – The resistance – Article 29 opinions, EDPS opinion, civil society
  – The political realities
• Is R(87) 15 dead? Or dormant?

The painful birth of R(87)15
• R(87) 15 was born within the Committee of Experts on Data Protection (CJ-PD) during 1984-1986
• CJ-PD characterised by strong leadership of Spiros Simitis – later involved in including data protection in the EU Charter of Rights, and succeeded by Peter Hustinx, today EU DP Commissioner
• Many of the data protection experts at CJ-PD in Strasbourg accompanied by police & security representatives
• The battle: police & security reps asking for “general purpose” collection vs. CJ-PD (Convention 108) position of “purpose specification”

Purpose Specification - The victory of R(87)15
• Ambiguity created by Convention 108 by allowing an exclusion from provisions for security purposes
• R(87)15 resolved this ambiguity by unambiguously subjecting police data to the same data protection regime as other data
• R(87)15 scored victory by entrenching the notion of purpose for collection and processing of data, even for police use

In the ascendant: the early years 1987-1993
• Never popular with the police
• Greeted as a model for democracy and cited often, especially in the 1989-1992 period in Central & Eastern Europe
• Classic post-1989 use in Stasi files in Germany – the purpose challenged
• Riding the wave: in the post-1989 surge forward for democracy, adopted as data protection standard for the Schengen Treaty

From Recommendation to Treaty?
• No stopping R(87)15 in the early years
• Recommendation 1181 (1992) on police co-operation and protection of personal data in the police sector: the member states of the Council of Europe had agreed to move towards a convention enshrining the principles of R(87)15
• What happened then?
  – Why don’t we have a new convention today?
  – Why, instead, do we have a data retention directive?

The first skirmish: 1993
• Would anyone dilute R(87)15?
• CJ-PD requested (by Committee of Ministers) to review it
• 1994 Cannataci report ensued
• Qualitative analysis of responses of some MS
  – Response overview reinforced the impression that R (87) 15 continued to provide a sound basis for data protection in the police sector
  – R (87) 15 sufficiently elastic to permit the various interpretations that some member States wished to see specifically mentioned
  – “Several experts concurred that the provisions of R (87) 15 constitute an inalterable necessary minimum”
  – No overwhelming arguments advanced as to why the current formulation of Principle 5 (Communication of Data) fails in providing the most balanced formula capable of providing equitable provision for current requirements
• Status of R(87)15 preserved

Meeting the Internet
• R(87)15 was a pre-Internet animal
• Interpol & Europol were not in synch in their data protection standards
• The Police and security forces slowly started gaining experience with the Internet & cybercrime
• Immigration issues with Schengen were pushing uses of hi-tech ID systems (from mag-stripe to biometric)

Cybercrime vs. Privacy 1996-2001
• The first signs of a losing battle
• Concern with cybercrime increased in inverse proportion to concern with privacy
• The crime lawyers were in the ascendant: the attempts by CJ-PD to insert breach of privacy as a substantive offence in the Cybercrime Convention failed
• The role of the US is inestimable: in order to get the US on board a Council of Europe convention, the PC-CY was prepared to downplay privacy as an issue

The role of the US
• US approach to data protection less strict than the European approach
• In Cybercrime, the US were interested in
  – agreeing minimum substantive offences
  – creating 24/7 collaboration for detection & investigation
  – creating a mechanism for preservation of evidence & subsequent prosecution
• Privacy was just not an issue (but when is it to security forces?)

Living On… The second report: 1998
• The 1998 Patijn Report… viewed against Directive 95/46/EC & negotiations on the Cybercrime Convention
• R (87)15 still gives adequate protection + included in Schengen Agreement & Europol Treaty – don’t change, but…
• More detailed recommendations
  – Police powers, to be adequate, necessarily interfere with the respect for private life and should therefore be restricted to the extent that is necessary
  – Proposes that the Committee of Ministers recommend that national legislators explicitly deal with certain questions of data protection rules for criminal data
• Result – Integrity of R(87)15 was preserved

Third Evaluation Report - 2002
• CJ-PD examined R (87) 15 and agreed that
  – No revision and no new recommendation
  – Principles are still relevant, especially as a basis for the elaboration of regulations on use of personal data by the police and as a point of reference for activities in this field
  – CJ-PD giving up?

Changing times – 9/11
• R(87) 15 was created when Europe had largely settled the terrorist issues which had plagued Germany & Italy in the 70s
• 2001 brought with it 9/11 – a disaster which heralded much trouble for data protection
• First victim: Airline passenger lists and the dispute between the EU and the US… is the May 2006 ECJ decision a ‘small’ victory?

Waking up to the Internet
• Post-9/11, Police & Security forces became more aware of terrorist & criminal uses of the Internet
• To Police & Security Forces, the Internet is simply another communications system
  – “to tap”
  – and especially to provide “traffic data”
• Police (esp. in Germany) had been using traffic data to locate terrorists since the seventies. The lessons of the Clemens Wagner case from the Baader-Meinhof era were well-learnt

We want the traffic data!
• So the debate commenced
• The Internet is rich in traffic data = let’s get at it
• Art. 29 (and many others) pointed out (even as early as 1999) many fallacies in Police & Security force arguments:
  – There are many ways of getting around monitoring of traffic and content data
  – Monitoring all data is a grossly disproportionate measure and puts civil society at risk

Data Retention – ignoring purpose specification
• Discussions on regulation of retention of traffic data for law enforcement purposes go back to the G8 meeting in Moscow, 1999
• 9/11 – speeded up discussions and gave a ‘justification’ for retention of traffic data for longer periods
• By 2000 – retention of traffic data allowed for billing and interconnection payments

The Article 29 Mantra
• Retention of traffic data for purposes of law enforcement should be allowed only under strict conditions:
  – Kept only for a limited period
  – Kept only where necessary, appropriate and proportionate in a democratic society

From Draft Framework Decision to Data Retention Directive
• Resistance of Article 29 group, EDPS and civil society unaltered
• Traffic data retention interferes with the fundamental right to confidential communications (Art. 8 ECHR)
• Any restriction on this fundamental right must be based on a pressing need, should only be allowed in exceptional cases and be the subject of adequate safeguards

Article 29’s 2005 Opinion
• Is it legally and factually justified to require a compulsory and general data retention requirement?
• Are the proposed data retention periods in the draft Directive convincing?

Article 29’s List of desirables: A return to basic DP principles
1. Re-introduce purpose specification: the purposes of data retention should be stated clearly in the Directive
2. Indicate authorised recipients of the data retained – access clearly defined
3. Limit data mining
4. Process only according to purpose
5. Introduce accountability – judicial/independent scrutiny
6. Indicate precisely who is to retain data
7. No obligation for identification
8. Require separation of data retained for billing from data retained under the Directive
9. Security – make sure data is retained in a secure manner
10. Identification of which data is to be retained – should satisfy a strict necessity test
11. The evidence supporting these measures should be evaluated periodically

Were the desiderata addressed in Directive 2006/24?
• Purpose specification – No. Directive 2006/24 does not clearly define and delineate the specific purposes for which data should be retained.
• Access limitation – Directive 2006/24 provides that data is to be provided only to the competent national authorities BUT it does NOT provide that the competent national authorities should be specifically designated law enforcement authorities or that a list of such designated authorities should be made public

Were the desiderata addressed in Directive 2006/24? (2)
• No data mining – The limitation in Art 4 to “specific cases” seems to prohibit data mining activities. However, the Directive does not specify that data can only be provided if this is needed in relation to a specific criminal offence.
• Further processing – No provision ruling out or stringently limiting further processing for other related proceedings.

Were the desiderata addressed in Directive 2006/24? (3)
• Access logs – Directive 2006/24 does not provide that any retrieval of the data should be recorded and the records made available to the supervisory authority
• Judicial / independent scrutiny of authorised access – Not mandated by the Directive
• Retention purposes of providers – solely for public order purposes, not for other purposes, especially their own. Not specifically mandated by the Directive.

Were the desiderata addressed in Directive 2006/24? (4)
• System separation – In particular, the systems for storage of data for public order purposes should be logically separated from the systems used for business purposes and protected by more stringent security measures. No specific provision in the Directive.
• Security measures – General requirements on minimum standards concerning the technical and organisational security measures to be taken by providers were included – Article 7 of the Directive

Were the desiderata addressed in Directive 2006/24?
• Short answer – NO.
• Basically ignored all the data protection concerns
• Ignored Article 29, EDPS, civil society & forged ahead

Directive 2006/24/EC – The Data Retention Directive
– Providers of publicly available communication services being forced, unprecedentedly, to store billions of data relating to the communications of any and all citizens for investigational purposes
– From the perspective of data protection there is a need for full harmonisation of the main elements included in the proposal

The Criticism
• “Harsh criticism”
• Measures are disproportionate
• The notion of purpose is not respected
• Not enough safeguards are established
• The cost-efficiency of data retention nowhere demonstrated – how many terrorists & criminals have been apprehended because of Internet traffic data?

Article 29 WP Opinion 3/2006 of 25 March 2006 (post Directive)
• The Directive
  – Lacks some adequate and specific safeguards
  – Leaves room for diverging interpretation and implementation by the Member States
• The WP considers it crucial that
  – The provisions of the Directive are interpreted and implemented in a harmonised way
  – The Directive is accompanied in each Member State by measures curtailing the impact on privacy

The verdict
• What the Data Retention Directive achieves is the death of “purpose”
• The respect for the principle of purpose for gathering data, in this case “traffic data”, now takes second place to the notional usefulness of such data in the fight against terrorism & crime
• The danger inherent in having whole masses of data preserved, for years AND subject to monitoring by police & security forces for “their” purposes

Is R(87) 15 dead?
• Who has really funded an in-depth implementation review of R(87) 15?
• Can we trust the Police & security forces to be telling us the truth anyway?
• The Data Retention Directive lowers the standards by
  – giving legitimacy to the opponents of “purpose”
  – creating new dangers in large databases of traffic data which previously did not exist

Is it dormant?
• Is there hope in the May 2006 ECJ decision on the illegality of transfer of Airline Passenger Data? …is this the beginning of the return of ‘purpose specification’?
• Will the EU stop paying only lip-service to data protection?